7.8
High risk

fcdd51969033252b1301f2a06b9a515dc2ed56310906428b882e5c29211d2408

172b81fe3eb9fe6127c30f5aa1d9fd61.exe

Analysis duration

75s

Last analysis

File size

226.3KB
Static detection   Dynamic detection
鹰眼 (Eagle Eye) engine
Not detected   No 鹰眼 engine detection result available
Static verdict
Antivirus engines
Not detected   No antivirus engine detection result available
Static indicators
Queries for the computername (2 events)
Time & API Arguments Status Return Repeated
1620149102.350374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620149110.288499
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620149105.538499
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620149103.585499
GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name None
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1620119623.319952
NtAllocateVirtualMemory
process_identifier: 2772
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02ac0000
success 0 0
1620119623.319952
NtAllocateVirtualMemory
process_identifier: 2772
region_size: 233472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02ad0000
success 0 0
1620119623.319952
NtAllocateVirtualMemory
process_identifier: 2772
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02b10000
success 0 0
1620119623.350952
NtAllocateVirtualMemory
process_identifier: 2772
region_size: 233472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03890000
success 0 0
1620119623.350952
NtAllocateVirtualMemory
process_identifier: 2772
region_size: 135168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x038d0000
success 0 0
1620149103.491499
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 155648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x002f0000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\172b81fe3eb9fe6127c30f5aa1d9fd61.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\172b81fe3eb9fe6127c30f5aa1d9fd61.exe
Expresses interest in specific running processes (1 event)
process vboxservice.exe
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1620119623.678952
NtAllocateVirtualMemory
process_identifier: 472
region_size: 151552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000016c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1620149102.632374
NtProtectVirtualMemory
process_identifier: 2272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000a0
base_address: 0x00cb0000
success 0 0
Potential code injection by writing to the memory of another process (5 events)
Time & API Arguments Status Return Repeated
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜T´¦°@P@@ CODEЖ˜ `DATA¨5°6œ@ÀBSS±ðÒÀ.idataÒ@À.reloc Ô@P.rsrc@î@PPð@P
process_handle: 0x0000016c
base_address: 0x00400000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer:
process_handle: 0x0000016c
base_address: 0x00421000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer: z•C
process_handle: 0x0000016c
base_address: 0x00424000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer: @
process_handle: 0x0000016c
base_address: 0x7efde008
success 1 0
1620149102.632374
WriteProcessMemory
process_identifier: 2272
buffer: U‰åƒìVWSè[ëd¡0‹@ ‹@‹p€x‹uõèGetProcAddressVèy‰ƒ{è LoadLibraryAVÿ“{‰ƒèUnmapViewOfFileVÿ“{‰ƒƒè VirtualAllocVÿ“{‰ƒ‡è VirtualFreeVÿ“{‰ƒ‹èOpenFileMappingAVÿ“{‰ƒèMapViewOfFileVÿ“{‰ƒ“è CloseHandleVÿ“{‰ƒ—ƒ›Pjjÿ“‰EìjjjjPÿ““…Àtf‰Eð‰Æp<‹NP‰Mü‹4‰uø‰Æ΋v‰uôñƒÁQj@h0Qjÿ“‡Y‰Ç‹uðó¤PèŒPÿuðÿ“ƒÿuìÿ“—X‰Ç}üƒÇWEøÿÐÉøÿÿÿÿÉÃU‰åVWS‹} ƒÉÿ1Àò®÷ыuv<‹VxU‹Z ]‹;}‹u Qó¦t YƒÃ@;BuéëY‹M‰ÎJ$A·†B‹ðë1À[_^ÉÂU‰å`‹}<‹¤‹‡ …Àt<E‹_4+]…Ût/…Ét+‹0‹x)ùƒï…ÿtîÑïƒÀ·…Òt €æUò)@@OuêëÑaÉÂFE3EF337_section
process_handle: 0x000000a0
base_address: 0x00cb0efa
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜T´¦°@P@@ CODEЖ˜ `DATA¨5°6œ@ÀBSS±ðÒÀ.idataÒ@À.reloc Ô@P.rsrc@î@PPð@P
process_handle: 0x0000016c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2772 called NtSetContextThread to modify thread in remote process 472
Time & API Arguments Status Return Repeated
1620119623.678952
NtSetContextThread
thread_handle: 0x00000168
registers.eip: 4302516
registers.esp: 1638384
registers.edi: 0
registers.eax: 4302516
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 472
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)
Process injection Process 2772 resumed a thread in remote process 472
Process injection Process 472 resumed a thread in remote process 2272
Time & API Arguments Status Return Repeated
1620119624.037952
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 472
success 0 0
1620149102.866374
NtResumeThread
thread_handle: 0x0000009c
suspend_count: 1
process_identifier: 2272
success 0 0
Executed a process and injected code into it, probably while unpacking (23 events)
Time & API Arguments Status Return Repeated
1620119623.678952
CreateProcessInternalW
thread_identifier: 784
thread_handle: 0x00000168
process_identifier: 472
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\172b81fe3eb9fe6127c30f5aa1d9fd61.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000016c
inherit_handles: 0
success 1 0
1620119623.678952
NtGetContextThread
thread_handle: 0x00000168
success 0 0
1620119623.678952
NtUnmapViewOfSection
process_identifier: 472
region_size: 214466560
process_handle: 0x0000016c
base_address: 0x6aec8b55
failed 3221225497 0
1620119623.678952
NtUnmapViewOfSection
process_identifier: 472
region_size: 214466560
process_handle: 0x0000016c
base_address: 0x6aec8b55
failed 3221225497 0
1620119623.678952
NtUnmapViewOfSection
process_identifier: 472
region_size: 214466560
process_handle: 0x0000016c
base_address: 0x6aec8b55
failed 3221225497 0
1620119623.678952
NtUnmapViewOfSection
process_identifier: 472
region_size: 4096
process_handle: 0x0000016c
base_address: 0x00400000
success 0 0
1620119623.678952
NtUnmapViewOfSection
process_identifier: 472
region_size: 2004156416
process_handle: 0x0000016c
base_address: 0x00400000
failed 3221225497 0
1620119623.678952
NtAllocateVirtualMemory
process_identifier: 472
region_size: 151552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000016c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜T´¦°@P@@ CODEЖ˜ `DATA¨5°6œ@ÀBSS±ðÒÀ.idataÒ@À.reloc Ô@P.rsrc@î@PPð@P
process_handle: 0x0000016c
base_address: 0x00400000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer:
process_handle: 0x0000016c
base_address: 0x00401000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer:
process_handle: 0x0000016c
base_address: 0x0041b000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer:
process_handle: 0x0000016c
base_address: 0x0041f000
failed 0 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer:
process_handle: 0x0000016c
base_address: 0x00421000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer:
process_handle: 0x0000016c
base_address: 0x00422000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer: z•C
process_handle: 0x0000016c
base_address: 0x00424000
success 1 0
1620119623.678952
WriteProcessMemory
process_identifier: 472
buffer: @
process_handle: 0x0000016c
base_address: 0x7efde008
success 1 0
1620119623.678952
NtSetContextThread
thread_handle: 0x00000168
registers.eip: 4302516
registers.esp: 1638384
registers.edi: 0
registers.eax: 4302516
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 472
success 0 0
1620119624.037952
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 472
success 0 0
1620149102.632374
CreateProcessInternalW
thread_identifier: 192
thread_handle: 0x0000009c
process_identifier: 2272
current_directory:
filepath:
track: 1
command_line: explorer.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000a0
inherit_handles: 0
success 1 0
1620149102.632374
NtGetContextThread
thread_handle: 0x0000009c
success 0 0
1620149102.632374
WriteProcessMemory
process_identifier: 2272
buffer: U‰åƒìVWSè[ëd¡0‹@ ‹@‹p€x‹uõèGetProcAddressVèy‰ƒ{è LoadLibraryAVÿ“{‰ƒèUnmapViewOfFileVÿ“{‰ƒƒè VirtualAllocVÿ“{‰ƒ‡è VirtualFreeVÿ“{‰ƒ‹èOpenFileMappingAVÿ“{‰ƒèMapViewOfFileVÿ“{‰ƒ“è CloseHandleVÿ“{‰ƒ—ƒ›Pjjÿ“‰EìjjjjPÿ““…Àtf‰Eð‰Æp<‹NP‰Mü‹4‰uø‰Æ΋v‰uôñƒÁQj@h0Qjÿ“‡Y‰Ç‹uðó¤PèŒPÿuðÿ“ƒÿuìÿ“—X‰Ç}üƒÇWEøÿÐÉøÿÿÿÿÉÃU‰åVWS‹} ƒÉÿ1Àò®÷ыuv<‹VxU‹Z ]‹;}‹u Qó¦t YƒÃ@;BuéëY‹M‰ÎJ$A·†B‹ðë1À[_^ÉÂU‰å`‹}<‹¤‹‡ …Àt<E‹_4+]…Ût/…Ét+‹0‹x)ùƒï…ÿtîÑïƒÀ·…Òt €æUò)@@OuêëÑaÉÂFE3EF337_section
process_handle: 0x000000a0
base_address: 0x00cb0efa
success 1 0
1620149102.866374
NtResumeThread
thread_handle: 0x0000009c
suspend_count: 1
process_identifier: 2272
success 0 0
1620149103.600499
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2272
success 0 0
Visual analysis
Binary image
No binary image   No binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots   No screenshots were generated while this sample ran


PE Compile Time

2013-10-30 16:01:24

Imports

Library MFC42u.DLL:
0x406044
0x406048
0x40604c
0x406050
0x406054
0x406058
0x40605c
0x406060
0x406064
0x406068
0x40606c
0x406070
0x406074
0x406078
0x40607c
0x406080
0x406084
0x406088
0x40608c
0x406090
0x406094
0x406098
0x40609c
0x4060a0
0x4060a4
0x4060a8
0x4060ac
0x4060b0
0x4060b4
0x4060b8
0x4060bc
0x4060c0
0x4060c4
0x4060c8
0x4060cc
0x4060d0
0x4060d4
0x4060d8
0x4060dc
0x4060e0
0x4060e4
0x4060e8
0x4060ec
0x4060f0
0x4060f4
0x4060f8
0x4060fc
0x406100
0x406104
0x406108
0x40610c
0x406110
0x406114
0x406118
0x40611c
0x406120
0x406124
0x406128
0x40612c
0x406130
0x406134
0x406138
0x40613c
0x406140
0x406144
0x406148
0x40614c
0x406150
0x406154
0x406158
0x40615c
0x406160
0x406164
0x406168
0x40616c
0x406170
0x406174
0x406178
0x40617c
0x406180
0x406184
0x406188
0x40618c
0x406190
0x406194
0x406198
0x40619c
0x4061a0
0x4061a4
0x4061a8
0x4061ac
0x4061b0
0x4061b4
0x4061b8
0x4061bc
0x4061c0
0x4061c4
0x4061c8
0x4061cc
0x4061d0
0x4061d4
0x4061d8
0x4061dc
0x4061e0
0x4061e4
0x4061e8
0x4061ec
0x4061f0
0x4061f4
0x4061f8
0x4061fc
0x406200
0x406204
0x406208
0x40620c
0x406210
0x406214
0x406218
0x40621c
0x406220
0x406224
0x406228
0x40622c
0x406230
0x406234
0x406238
0x40623c
0x406240
0x406244
0x406248
0x40624c
0x406250
0x406254
0x406258
0x40625c
0x406260
0x406264
0x406268
0x40626c
0x406270
0x406274
0x406278
0x40627c
0x406280
0x406284
0x406288
0x40628c
0x406290
0x406294
0x406298
0x40629c
0x4062a0
0x4062a4
0x4062a8
0x4062ac
0x4062b0
0x4062b4
0x4062b8
0x4062bc
0x4062c0
0x4062c4
0x4062c8
0x4062cc
0x4062d0
0x4062d4
0x4062d8
0x4062dc
0x4062e0
0x4062e4
0x4062e8
0x4062ec
0x4062f0
0x4062f4
0x4062f8
0x4062fc
0x406300
0x406304
0x406308
0x40630c
0x406310
0x406314
0x406318
0x40631c
0x406320
0x406324
0x406328
0x40632c
0x406330
0x406334
0x406338
0x40633c
0x406340
0x406344
0x406348
0x40634c
0x406350
0x406354
0x406358
0x40635c
0x406360
0x406364
0x406368
0x40636c
0x406370
0x406374
0x406378
0x40637c
0x406380
0x406384
0x406388
0x40638c
0x406390
0x406394
0x406398
0x40639c
0x4063a0
0x4063a4
0x4063a8
0x4063ac
0x4063b0
0x4063b4
0x4063b8
0x4063bc
0x4063c0
0x4063c4
0x4063c8
0x4063cc
0x4063d0
0x4063d4
0x4063d8
0x4063dc
0x4063e0
0x4063e4
0x4063e8
0x4063ec
0x4063f0
0x4063f4
0x4063f8
0x4063fc
0x406400
0x406404
0x406408
0x40640c
0x406410
0x406414
0x406418
0x40641c
0x406420
0x406424
0x406428
0x40642c
0x406430
0x406434
0x406438
0x40643c
0x406440
0x406444
0x406448
0x40644c
0x406450
0x406454
0x406458
0x40645c
0x406460
0x406464
0x406468
0x40646c
0x406470
0x406474
0x406478
0x40647c
0x406480
0x406484
0x406488
0x40648c
0x406490
0x406494
0x406498
0x40649c
0x4064a0
0x4064a4
0x4064a8
0x4064ac
0x4064b0
0x4064b4
0x4064b8
0x4064bc
0x4064c0
0x4064c4
0x4064c8
0x4064cc
0x4064d0
0x4064d4
0x4064d8
0x4064dc
0x4064e0
0x4064e4
0x4064e8
0x4064ec
0x4064f0
0x4064f4
0x4064f8
0x4064fc
0x406500
0x406504
0x406508
0x40650c
0x406510
0x406514
0x406518
0x40651c
0x406520
0x406524
0x406528
0x40652c
0x406530
0x406534
0x406538
0x40653c
0x406540
0x406544
0x406548
0x40654c
0x406550
0x406554
0x406558
0x40655c
0x406560
0x406564
0x406568
0x40656c
0x406570
0x406574
0x406578
0x40657c
0x406580
0x406584
0x406588
0x40658c
0x406590
0x406594
0x406598
0x40659c
0x4065a0
0x4065a4
0x4065a8
0x4065ac
0x4065b0
0x4065b4
0x4065b8
0x4065bc
0x4065c0
0x4065c4
0x4065c8
0x4065cc
0x4065d0
0x4065d4
0x4065d8
0x4065dc
0x4065e0
0x4065e4
0x4065e8
0x4065ec
0x4065f0
0x4065f4
0x4065f8
0x4065fc
0x406600
0x406604
0x406608
0x40660c
0x406610
0x406614
0x406618
0x40661c
0x406620
0x406624
0x406628
0x40662c
0x406630
0x406634
0x406638
0x40663c
0x406640
0x406644
0x406648
0x40664c
0x406650
0x406654
0x406658
0x40665c
0x406660
Library MSVCRT.dll:
0x406668 _except_handler3
0x40666c __dllonexit
0x406670 _onexit
0x406674 _controlfp
0x406678 __p__fmode
0x40667c __p__commode
0x406680 _adjust_fdiv
0x406684 __setusermatherr
0x406688 _initterm
0x40668c __wgetmainargs
0x406690 _wcmdln
0x406694 exit
0x406698 _XcptFilter
0x40669c _exit
0x4066a0 __CxxFrameHandler
0x4066a4 fclose
0x4066a8 __set_app_type
0x4066ac fread
0x4066b0 malloc
0x4066b4 rewind
0x4066b8 ftell
0x4066bc fseek
0x4066c0 fopen
Library KERNEL32.dll:
0x40601c GetModuleFileNameA
0x406024 VirtualAlloc
0x406028 SetHandleCount
0x406034 GetModuleHandleW
0x406038 GetStartupInfoW
0x40603c GetThreadTimes
Library USER32.dll:
0x4066c8 EnableWindow
0x4066cc UpdateWindow
0x4066d0 HideCaret
0x4066d4 IsIconic
0x4066d8 RegisterClassW
0x4066dc MessageBoxW
0x4066e0 ToUnicodeEx
0x4066e4 SetKeyboardState
0x4066e8 IsZoomed
Library GDI32.dll:
0x40600c GetCharWidthA
0x406010 CreatePalette
0x406014 RealizePalette
Library ADVAPI32.dll:
0x406000 RegEnumKeyW
0x406004 GetUserNameW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination      Destination port
192.168.56.101  49235        114.114.114.114  53
192.168.56.101  50534        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  51963        224.0.0.252      5355
192.168.56.101  55368        224.0.0.252      5355
192.168.56.101  56804        224.0.0.252      5355
192.168.56.101  62191        224.0.0.252      5355
192.168.56.101  1900         239.255.255.250  1900
192.168.56.101  50535        239.255.255.250  3702
192.168.56.101  56540        239.255.255.250  3702
192.168.56.101  56807        239.255.255.250  1900
192.168.56.101  58707        239.255.255.250  3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.