SmartHawk

8.2

高危

53 个模型检测该样本为恶意！

重新分析

下载样本

1e06e2d461dfc86492a4b3ff670f9ed28e2b6e8cda30f818b862949c14ba60fb

1c984828147d4bd4c03543e8497b5dd9.exe

分析耗时

79s

最近分析

文件大小

636.0KB

静态报毒动态报毒 AGENSLA AI SCORE=88 ATTRIBUTE CONFIDENCE EAXS ELDORADO FAREIT FORMBOOK GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HTEFZW KRYPTIK MALICIOUS PE NM0@AQGBEJ NOON PWSX QQPASS QQROB R349402 SCORE SIGGEN2 SMSIB SUSGEN TROJANPSW TROJANPWS TSCOPE UNSAFE USXVPHS20 ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FYV!1C984828147D	20200902	6.0.6.653
Alibaba	TrojanPSW:MSIL/Formbook.6a17e4b8	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200902	18.4.3895.0
Tencent	Msil.Trojan-qqpass.Qqrob.Eaxs	20200902	1.0.0.1
Kingsoft		20200902	2013.8.14.323
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1620125917.551626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620125919.207626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620125921.488626 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (6 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119616.722241 IsDebuggerPresent		failed	0	0
1620119616.722241 IsDebuggerPresent		failed	0	0
1620119662.706241 IsDebuggerPresent		failed	0	0
1620119663.206241 IsDebuggerPresent		failed	0	0
1620125904.520626 IsDebuggerPresent		failed	0	0
1620125904.520626 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119616.800241 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620125921.035626 __exception__	stacktrace: 0x25061e5 0x2505688 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2158836 registers.edi: 40633016 registers.eax: 0 registers.ebp: 2158884 registers.edx: 8 registers.ebx: 0 registers.esi: 73080954 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 69 c6 77 9f c8 45 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2509957	success	0	0

Time & API

Arguments

Status

Return

Repeated

1620125921.035626
__exception__

stacktrace:

0x25061e5
0x2505688
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2158836
registers.edi: 40633016
registers.eax: 0
registers.ebp: 2158884
registers.edx: 8
registers.ebx: 0
registers.esi: 73080954
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 69 c6 77 9f c8 45
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2509957

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 165 个事件)

Time & API	Arguments	Status	Return
1620119615.925241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x004c0000	success	0
1620119615.925241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d0000	success	0
1620119616.425241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00910000	success	0
1620119616.425241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009a0000	success	0
1620119616.550241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1620119616.722241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00a60000	success	0
1620119616.722241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b60000	success	0
1620119616.737241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005aa000	success	0
1620119616.753241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1620119616.753241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a2000	success	0
1620119617.190241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b2000	success	0
1620119617.268241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00915000	success	0
1620119617.268241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0091b000	success	0
1620119617.268241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00917000	success	0
1620119617.362241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b3000	success	0
1620119617.393241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005bc000	success	0
1620119617.472241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba0000	success	0
1620119617.472241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b4000	success	0
1620119618.081241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b5000	success	0
1620119618.081241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b6000	success	0
1620119618.268241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c40000	success	0
1620119618.268241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ba000	success	0
1620119618.393241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b7000	success	0
1620119618.409241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba1000	success	0
1620119651.472241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba3000	success	0
1620119651.909241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ac000	success	0
1620119651.987241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ca000	success	0
1620119651.987241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c7000	success	0
1620119652.003241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c6000	success	0
1620119652.003241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba4000	success	0
1620119652.018241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b8000	success	0
1620119652.034241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba5000	success	0
1620119652.159241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 454656 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05410400	failed	3221225550
1620119661.800241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba6000	success	0
1620119661.815241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b9000	success	0
1620119661.815241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba7000	success	0
1620119661.815241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba8000	success	0
1620119662.237241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba9000	success	0
1620119662.253241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00baa000	success	0
1620119662.393241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bab000	success	0
1620119662.425241 NtAllocateVirtualMemory	process_identifier: 472 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bac000	success	0
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05410178	failed	3221225550
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x054101a0	failed	3221225550
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x054101c8	failed	3221225550
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x054101f0	failed	3221225550
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05410218	failed	3221225550
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0547fd3e	failed	3221225550
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0547fd32	failed	3221225550
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0547f400	failed	3221225550
1620119662.440241 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0547fd4c	failed	3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.928923772890565

section

{'size_of_data': '0x0009e400', 'virtual_address': '0x00002000', 'entropy': 7.928923772890565, 'name': '.text', 'virtual_size': '0x0009e3c4'}

description

A section with a high entropy has been found

entropy

0.996066089693155

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119652.143241 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1620125916.832626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119663.097241 NtAllocateVirtualMemory	process_identifier: 1812 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00006ed4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1620119663.097241 WriteProcessMemory	process_identifier: 1812 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELád9_àì® @ `@T W @ H.text´ê ì `.rsrc î@@.reloc@ò@B process_handle: 0x00006ed4 base_address: 0x00400000	success	1
1620119663.112241 WriteProcessMemory	process_identifier: 1812 buffer: 0HX ¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameWczopHJmPDJfgxghZnBtWOyWbTaMXyGlFRxs.exe(LegalCopyright \|)OriginalFilenameWczopHJmPDJfgxghZnBtWOyWbTaMXyGlFRxs.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00006ed4 base_address: 0x00462000	success	1
1620119663.112241 WriteProcessMemory	process_identifier: 1812 buffer: °: process_handle: 0x00006ed4 base_address: 0x00464000	success	1
1620119663.112241 WriteProcessMemory	process_identifier: 1812 buffer: @ process_handle: 0x00006ed4 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620119663.097241 WriteProcessMemory	process_identifier: 1812 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELád9_àì® @ `@T W @ H.text´ê ì `.rsrc î@@.reloc@ò@B process_handle: 0x00006ed4 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 called NtSetContextThread to modify thread in remote process 1812
1620119663.112241 NtSetContextThread	thread_handle: 0x00010734 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4590254 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1812	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 resumed a thread in remote process 1812
1620119663.440241 NtResumeThread	thread_handle: 0x00010734 suspend_count: 1 process_identifier: 1812	success	0	0

Executed a process and injected code into it, probably while unpacking (25 个事件)

Time & API	Arguments	Status	Return
1620119616.722241 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 472	success	0
1620119616.768241 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 472	success	0
1620119616.847241 NtResumeThread	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 472	success	0
1620119662.690241 NtResumeThread	thread_handle: 0x0000946c suspend_count: 1 process_identifier: 472	success	0
1620119662.706241 NtResumeThread	thread_handle: 0x0000a94c suspend_count: 1 process_identifier: 472	success	0
1620119663.081241 CreateProcessInternalW	thread_identifier: 3044 thread_handle: 0x00010734 process_identifier: 1812 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\1c984828147d4bd4c03543e8497b5dd9.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\1c984828147d4bd4c03543e8497b5dd9.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00006ed4 inherit_handles: 0	success	1
1620119663.097241 NtGetContextThread	thread_handle: 0x00010734	success	0
1620119663.097241 NtAllocateVirtualMemory	process_identifier: 1812 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00006ed4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1620119663.097241 WriteProcessMemory	process_identifier: 1812 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELád9_àì® @ `@T W @ H.text´ê ì `.rsrc î@@.reloc@ò@B process_handle: 0x00006ed4 base_address: 0x00400000	success	1
1620119663.112241 WriteProcessMemory	process_identifier: 1812 buffer: process_handle: 0x00006ed4 base_address: 0x00402000	success	1
1620119663.112241 WriteProcessMemory	process_identifier: 1812 buffer: 0HX ¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameWczopHJmPDJfgxghZnBtWOyWbTaMXyGlFRxs.exe(LegalCopyright \|)OriginalFilenameWczopHJmPDJfgxghZnBtWOyWbTaMXyGlFRxs.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00006ed4 base_address: 0x00462000	success	1
1620119663.112241 WriteProcessMemory	process_identifier: 1812 buffer: °: process_handle: 0x00006ed4 base_address: 0x00464000	success	1
1620119663.112241 WriteProcessMemory	process_identifier: 1812 buffer: @ process_handle: 0x00006ed4 base_address: 0x7efde008	success	1
1620119663.112241 NtSetContextThread	thread_handle: 0x00010734 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4590254 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1812	success	0
1620119663.440241 NtResumeThread	thread_handle: 0x00010734 suspend_count: 1 process_identifier: 1812	success	0
1620119663.440241 NtResumeThread	thread_handle: 0x0000accc suspend_count: 1 process_identifier: 472	success	0
1620119663.456241 NtGetContextThread	thread_handle: 0x0000accc	success	0
1620119663.456241 NtGetContextThread	thread_handle: 0x0000accc	success	0
1620119663.456241 NtResumeThread	thread_handle: 0x0000accc suspend_count: 1 process_identifier: 472	success	0
1620125904.520626 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1812	success	0
1620125904.520626 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 1812	success	0
1620125904.551626 NtResumeThread	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 1812	success	0
1620125918.926626 NtResumeThread	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 1812	success	0
1620125919.035626 NtResumeThread	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 1812	success	0
1620125921.301626 NtResumeThread	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 1812	success	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34433496
FireEye	Trojan.GenericKD.34433496
CAT-QuickHeal	Trojanpws.Msil
McAfee	Fareit-FYV!1C984828147D
Malwarebytes	Trojan.Crypt.MSIL
Zillya	Trojan.Kryptik.Win32.2422046
Sangfor	Malware
K7AntiVirus	Trojan ( 0056d6321 )
Alibaba	TrojanPSW:MSIL/Formbook.6a17e4b8
K7GW	Trojan ( 0056d6321 )
Cybereason	malicious.8bd204
Arcabit	Trojan.Generic.D20D69D8
Invincea	Mal/Generic-S
BitDefenderTheta	Gen:NN.ZemsilF.34216.Nm0@aqgBEJ
Cyren	W32/MSIL_Kryptik.BLT.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.34433496
NANO-Antivirus	Trojan.Win32.Agensla.htefzw
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Kryptik.651264.UJ
Tencent	Msil.Trojan-qqpass.Qqrob.Eaxs
Ad-Aware	Trojan.GenericKD.34433496
F-Secure	Trojan.TR/Kryptik.smsib
DrWeb	Trojan.PWS.Siggen2.54008
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.MSIL.NOON.USXVPHS20
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Avira	TR/Kryptik.smsib
Antiy-AVL	Trojan[PSW]/MSIL.Agensla
Microsoft	Trojan:MSIL/Formbook.MK!MTB
AegisLab	Trojan.MSIL.Agensla.i!c
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.34433496
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win32.Kryptik.R349402
VBA32	TScope.Trojan.MSIL
ALYac	Trojan.GenericKD.34433496
MAX	malware (ai score=88)
Cylance	Unsafe
ESET-NOD32	a variant of MSIL/Kryptik.XMH
TrendMicro-HouseCall	TrojanSpy.MSIL.NOON.USXVPHS20
Ikarus	Trojan.MSIL.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.XMH!tr
AVG	Win32:PWSX-gen [Trj]

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2076-04-23 21:37:29

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.