SmartHawk

8.8

极危

34 个模型检测该样本为恶意！

重新分析

下载样本

76806141b82da93347f0fa01791eedfce010edac78a2b9c0a7c66ca98f5e7309

17b3c345920ee4f40f34135e83749f6d.exe

分析耗时

76s

最近分析

文件大小

446.0KB

静态报毒动态报毒 ARTEMIS ATTRIBUTE AV@88NQYJ AZORULT CLOUD CONFIDENCE DLJK FAKECSRSS GENETIC GENKRYPTIK GUGF HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK MALICIOUS MNLK MULDROP4 MXGXJ OUTBREAK QVM10 R278428 SCORE UNSAFE USXVPFQ19 W0C1L1 WACATAC 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	RDN/Generic.grp	20190627	6.0.6.653
Baidu		20190318	1.0.0.2
Alibaba		20190527	0.3.0.5
Tencent		20190627	1.0.0.1
Kingsoft		20190627	2013.8.14.323
Avast	Win32:Trojan-gen	20190627	18.4.3895.0
CrowdStrike	win/malicious_confidence_90% (W)	20190212	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620142481.115627 GetComputerNameW	computer_name: OSKAR-PC	success	1	0
1620142481.130627 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119621.583436 IsDebuggerPresent		failed	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 个事件)

pdb_path

C:\dinuzo83 donahacigay\yidicik18 tezi.pdb1355129461\bin\kifikinuj.pdb¢¡¨-F

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620142481.084627 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119621.505436 NtProtectVirtualMemory	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 139264 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x005db000	success	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620142482.412627 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	216.170.114.55

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119621.755436 NtAllocateVirtualMemory	process_identifier: 1564 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000007c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Potential code injection by writing to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119621.755436 WriteProcessMemory	process_identifier: 1564 buffer: @ process_handle: 0x0000007c base_address: 0x7efde008	success	1	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1620142484.990627 RegSetValueExA	key_handle: 0x00000360 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620142484.990627 RegSetValueExA	key_handle: 0x00000360 value: à© ò@× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620142485.005627 RegSetValueExA	key_handle: 0x00000360 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620142485.005627 RegSetValueExW	key_handle: 0x00000360 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620142485.005627 RegSetValueExA	key_handle: 0x00000378 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620142485.005627 RegSetValueExA	key_handle: 0x00000378 value: à© ò@× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620142485.005627 RegSetValueExA	key_handle: 0x00000378 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620142485.037627 RegSetValueExW	key_handle: 0x0000035c value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2292 called NtSetContextThread to modify thread in remote process 1564
1620119621.755436 NtSetContextThread	thread_handle: 0x00000078 registers.eip: 2010382788 registers.esp: 1638384 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1564	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2292 resumed a thread in remote process 1564
1620119622.192436 NtResumeThread	thread_handle: 0x00000078 suspend_count: 1 process_identifier: 1564	success	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

216.170.114.55:80

Executed a process and injected code into it, probably while unpacking (8 个事件)

Time & API	Arguments	Status	Return
1620119621.755436 CreateProcessInternalW	thread_identifier: 912 thread_handle: 0x00000078 process_identifier: 1564 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\17b3c345920ee4f40f34135e83749f6d.exe track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\17b3c345920ee4f40f34135e83749f6d.exe" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\17b3c345920ee4f40f34135e83749f6d.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000007c inherit_handles: 0	success	1
1620119621.755436 NtGetContextThread	thread_handle: 0x00000078	success	0
1620119621.755436 NtUnmapViewOfSection	process_identifier: 1564 region_size: 4096 process_handle: 0x0000007c base_address: 0x00400000	success	0
1620119621.755436 NtAllocateVirtualMemory	process_identifier: 1564 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000007c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1620119621.755436 WriteProcessMemory	process_identifier: 1564 buffer: @ process_handle: 0x0000007c base_address: 0x7efde008	success	1
1620119621.755436 NtSetContextThread	thread_handle: 0x00000078 registers.eip: 2010382788 registers.esp: 1638384 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1564	success	0
1620119622.192436 NtResumeThread	thread_handle: 0x00000078 suspend_count: 1 process_identifier: 1564	success	0
1620142481.099627 NtResumeThread	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1564	success	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 个事件)

FireEye	Generic.mg.17b3c345920ee4f4
McAfee	RDN/Generic.grp
Cylance	Unsafe
AegisLab	Trojan.Win32.Generic.mnLK
Invincea	heuristic
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-PSW.Win32.Azorult.wjq
ViRobot	Trojan.Win32.Z.Wacatac.456704
Comodo	TrojWare.Win32.Fakecsrss.AV@88nqyj
F-Secure	Trojan.TR/Crypt.Agent.mxgxj
DrWeb	Trojan.MulDrop4.25343
TrendMicro	Trojan.Win32.WACATAC.USXVPFQ19
McAfee-GW-Edition	Artemis!Trojan
Avira	TR/Crypt.Agent.mxgxj
Fortinet	W32/GenKryptik.DLJK!tr
Endgame	malicious (high confidence)
ZoneAlarm	Trojan-PSW.Win32.Azorult.wjq
Microsoft	Trojan:Win32/Wacatac.B!ml
AhnLab-V3	Malware/Win32.Generic.R278428
Acronis	suspicious
Malwarebytes	Trojan.MalPack.GS.Generic
Panda	Trj/Genetic.gen
ESET-NOD32	a variant of Win32/Kryptik.GUGF
TrendMicro-HouseCall	Trojan.Win32.WACATAC.USXVPFQ19
Rising	Trojan.Kryptik!8.8 (CLOUD)
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_71%
GData	Win32.Trojan-Stealer.Azorult.W0C1L1
AVG	Win32:Trojan-gen
Avast	Win32:Trojan-gen
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	HEUR/QVM10.1.22E3.Malware.Gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2018-12-28 06:09:40

Imports

Library KERNEL32.dll:

• 0x429000 HeapReAlloc

• 0x429004 SetLocaleInfoA

• 0x429008 WritePrivateProfileStructA

• 0x42900c GetDriveTypeW

• 0x429010 GetDefaultCommConfigW

• 0x429014 WaitNamedPipeA

• 0x429018 WaitForSingleObject

• 0x42901c GetModuleHandleW

• 0x429020 GetTickCount

• 0x429024 ReadConsoleW

• 0x429028 EnumTimeFormatsA

• 0x42902c GetSystemDirectoryW

• 0x429030 GetFirmwareEnvironmentVariableA

• 0x429034 GlobalFindAtomA

• 0x429038 TerminateThread

• 0x42903c Sleep

• 0x429040 AssignProcessToJobObject

• 0x429044 FormatMessageW

• 0x429048 IsProcessorFeaturePresent

• 0x42904c GetOverlappedResult

• 0x429050 CreateMailslotW

• 0x429054 GetStringTypeExA

• 0x429058 EnumSystemLocalesA

• 0x42905c GetProfileIntA

• 0x429060 GetLongPathNameW

• 0x429064 GetProcAddress

• 0x429068 DefineDosDeviceW

• 0x42906c ReadFileEx

• 0x429070 LoadLibraryA

• 0x429074 LocalAlloc

• 0x429078 WritePrivateProfileStringA

• 0x42907c MoveFileA

• 0x429080 GetProfileStringA

• 0x429084 HeapLock

• 0x429088 GetCurrentConsoleFont

• 0x42908c GetTapeParameters

• 0x429090 GetVolumePathNamesForVolumeNameA

• 0x429094 FindFirstVolumeMountPointA

• 0x429098 WriteProfileStringW

• 0x42909c OpenEventW

• 0x4290a0 ExpandEnvironmentStringsW

• 0x4290a4 WriteConsoleW

• 0x4290a8 SetFilePointerEx

• 0x4290ac SetStdHandle

• 0x4290b0 CloseHandle

• 0x4290b4 ReadFile

• 0x4290b8 EncodePointer

• 0x4290bc DecodePointer

• 0x4290c0 GetLastError

• 0x4290c4 ExitProcess

• 0x4290c8 GetModuleHandleExW

• 0x4290cc AreFileApisANSI

• 0x4290d0 MultiByteToWideChar

• 0x4290d4 WideCharToMultiByte

• 0x4290d8 GetCommandLineA

• 0x4290dc RaiseException

• 0x4290e0 RtlUnwind

• 0x4290e4 IsDebuggerPresent

• 0x4290e8 EnterCriticalSection

• 0x4290ec LeaveCriticalSection

• 0x4290f0 GetStdHandle

• 0x4290f4 GetFileType

• 0x4290f8 DeleteCriticalSection

• 0x4290fc GetStartupInfoW

• 0x429100 HeapSize

• 0x429104 HeapFree

• 0x429108 FatalAppExitA

• 0x42910c UnhandledExceptionFilter

• 0x429110 SetUnhandledExceptionFilter

• 0x429114 SetLastError

• 0x429118 InitializeCriticalSectionAndSpinCount

• 0x42911c CreateEventW

• 0x429120 GetCurrentProcess

• 0x429124 TerminateProcess

• 0x429128 TlsAlloc

• 0x42912c TlsGetValue

• 0x429130 TlsSetValue

• 0x429134 TlsFree

• 0x429138 CreateSemaphoreW

• 0x42913c WriteFile

• 0x429140 GetModuleFileNameW

• 0x429144 SetConsoleCtrlHandler

• 0x429148 FreeLibrary

• 0x42914c LoadLibraryExW

• 0x429150 IsValidCodePage

• 0x429154 GetACP

• 0x429158 GetOEMCP

• 0x42915c GetCPInfo

• 0x429160 HeapAlloc

• 0x429164 GetCurrentThread

• 0x429168 GetCurrentThreadId

• 0x42916c GetProcessHeap

• 0x429170 GetModuleFileNameA

• 0x429174 QueryPerformanceCounter

• 0x429178 GetCurrentProcessId

• 0x42917c GetSystemTimeAsFileTime

• 0x429180 GetEnvironmentStringsW

• 0x429184 FreeEnvironmentStringsW

• 0x429188 GetDateFormatW

• 0x42918c GetTimeFormatW

• 0x429190 CompareStringW

• 0x429194 LCMapStringW

• 0x429198 GetLocaleInfoW

• 0x42919c IsValidLocale

• 0x4291a0 GetUserDefaultLCID

• 0x4291a4 EnumSystemLocalesW

• 0x4291a8 OutputDebugStringW

• 0x4291ac GetStringTypeW

• 0x4291b0 FlushFileBuffers

• 0x4291b4 GetConsoleCP

• 0x4291b8 GetConsoleMode

• 0x4291bc CreateFileW

Library USER32.dll:

• 0x4291c4 GetScrollBarInfo

• 0x4291c8 ChangeDisplaySettingsExA

• 0x4291cc GetUserObjectInformationW

• 0x4291d0 GetKeyState

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.