SmartHawk

10.4

0-day

49 个模型检测该样本为恶意！

重新分析

下载样本

daccd93e099119d1c54b6d855d0a9db24e1ebd8eea974badb1ff6d8f0e01865f

1eee2f6e8d98a4229fa3d0100ca02f40.exe

分析耗时

76s

最近分析

文件大小

618.5KB

静态报毒动态报毒 100% AGENTTESLA AI SCORE=100 CONFIDENCE EDOW ELDORADO FAREIT GDSDA GENERICKD HIGH CONFIDENCE HRBOYQ IGENERIC KRYPTIK MALICIOUS PE MALWARE@#3ZJ6XZJFBMR2 MALWAREX MM0@AAQJYUD PACKEDNET QGOK QVM03 RDQGK SCORE SUSGEN TSCOPE UNSAFE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FXH!1EEE2F6E8D98	20201023	6.0.6.653
Alibaba	Trojan:MSIL/AgentTesla.f8c23bbe	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:MalwareX-gen [Trj]	20201023	18.4.3895.0
Tencent	Msil.Trojan.Agent.Edow	20201023	1.0.0.1
Kingsoft		20201023	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619275223.297875 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (23 个事件)

Time & API	Arguments	Status	Return	Repeated
1619275166.09525 IsDebuggerPresent		failed	0	0
1619275166.11125 IsDebuggerPresent		failed	0	0
1619275217.33025 IsDebuggerPresent		failed	0	0
1619275217.83025 IsDebuggerPresent		failed	0	0
1619275218.33025 IsDebuggerPresent		failed	0	0
1619275218.83025 IsDebuggerPresent		failed	0	0
1619275219.33025 IsDebuggerPresent		failed	0	0
1619275219.83025 IsDebuggerPresent		failed	0	0
1619275220.33025 IsDebuggerPresent		failed	0	0
1619275220.83025 IsDebuggerPresent		failed	0	0
1619275221.33025 IsDebuggerPresent		failed	0	0
1619275221.83025 IsDebuggerPresent		failed	0	0
1619275222.33025 IsDebuggerPresent		failed	0	0
1619275222.83025 IsDebuggerPresent		failed	0	0
1619275223.33025 IsDebuggerPresent		failed	0	0
1619275223.83025 IsDebuggerPresent		failed	0	0
1619275224.33025 IsDebuggerPresent		failed	0	0
1619275224.83025 IsDebuggerPresent		failed	0	0
1619275225.33025 IsDebuggerPresent		failed	0	0
1619275225.84525 IsDebuggerPresent		failed	0	0
1619275226.33025 IsDebuggerPresent		failed	0	0
1619275227.298 IsDebuggerPresent		failed	0	0
1619275227.298 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619275223.985875 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\JYOSRpg"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619275166.15825 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 114 个事件)

Time & API	Arguments	Status	Return
1619275165.28325 NtAllocateVirtualMemory	process_identifier: 648 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00410000	success	0
1619275165.28325 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00430000	success	0
1619275165.68925 NtAllocateVirtualMemory	process_identifier: 648 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01f70000	success	0
1619275165.68925 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02160000	success	0
1619275165.87625 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b91000	success	0
1619275166.09525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00620000	success	0
1619275166.09525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00660000	success	0
1619275166.11125 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ca000	success	0
1619275166.11125 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b92000	success	0
1619275166.11125 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c2000	success	0
1619275166.43925 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d2000	success	0
1619275166.59525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f5000	success	0
1619275166.59525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005fb000	success	0
1619275166.59525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f7000	success	0
1619275166.75125 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d3000	success	0
1619275166.84525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005dc000	success	0
1619275167.72025 NtAllocateVirtualMemory	process_identifier: 648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d4000	success	0
1619275167.73625 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d6000	success	0
1619275168.03325 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a80000	success	0
1619275168.28325 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ea000	success	0
1619275168.28325 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e7000	success	0
1619275168.76725 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e6000	success	0
1619275168.76725 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005da000	success	0
1619275168.84525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d7000	success	0
1619275168.87625 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d8000	success	0
1619275168.98625 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a81000	success	0
1619275169.01725 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d9000	success	0
1619275169.08025 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04200000	success	0
1619275169.12625 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a82000	success	0
1619275169.12625 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04201000	success	0
1619275169.14225 NtAllocateVirtualMemory	process_identifier: 648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a83000	success	0
1619275169.15825 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a85000	success	0
1619275210.17325 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04202000	success	0
1619275210.17325 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a86000	success	0
1619275210.18925 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02161000	success	0
1619275210.25125 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a87000	success	0
1619275210.40825 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005cc000	success	0
1619275210.42325 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a88000	success	0
1619275210.47025 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a89000	success	0
1619275210.50125 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04203000	success	0
1619275210.50125 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005dd000	success	0
1619275210.51725 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a8a000	success	0
1619275210.61125 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 272384 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x061a0400	failed	3221225550
1619275216.84525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a8b000	success	0
1619275216.84525 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04204000	success	0
1619275216.86125 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a8c000	success	0
1619275216.90825 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a8d000	success	0
1619275217.04825 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a8e000	success	0
1619275217.04825 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a8f000	success	0
1619275217.12625 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04fd0000	success	0

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\JYOSRpg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3936.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JYOSRpg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3936.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619275223.03325 ShellExecuteExW	parameters: /Create /TN "Updates\JYOSRpg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3936.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.925377849392513

section

{'size_of_data': '0x00066000', 'virtual_address': '0x00002000', 'entropy': 7.925377849392513, 'name': '.text', 'virtual_size': '0x00065eac'}

description

A section with a high entropy has been found

entropy

0.6601941747572816

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619275210.59525 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\JYOSRpg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3936.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JYOSRpg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3936.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619275226.62625 NtAllocateVirtualMemory	process_identifier: 1316 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00010f24 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3936.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619275226.62625 WriteProcessMemory	process_identifier: 1316 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7i%_àVt @ À@8tS¨ H.textT V `.rsrc¨X@@.reloc ^@B process_handle: 0x00010f24 base_address: 0x00400000	success	1
1619275226.64225 WriteProcessMemory	process_identifier: 1316 buffer: P8h ¼ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0 CommentsHi(CompanyNameHi0FileDescriptionHi,FileVersion1.4.8TInternalNamevzRktygsyBubbHqlXIReu.exe,LegalCopyrightHi0LegalTrademarksHi\OriginalFilenamevzRktygsyBubbHqlXIReu.exe(ProductNameHi0ProductVersion1.4.88Assembly Version1.4.8.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00010f24 base_address: 0x00448000	success	1
1619275226.64225 WriteProcessMemory	process_identifier: 1316 buffer: p4 process_handle: 0x00010f24 base_address: 0x0044a000	success	1
1619275226.64225 WriteProcessMemory	process_identifier: 1316 buffer: @ process_handle: 0x00010f24 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619275226.62625 WriteProcessMemory	process_identifier: 1316 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7i%_àVt @ À@8tS¨ H.textT V `.rsrc¨X@@.reloc ^@B process_handle: 0x00010f24 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 648 called NtSetContextThread to modify thread in remote process 1316
1619275226.64225 NtSetContextThread	thread_handle: 0x00010ef8 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486286 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1316	success	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.24.14:443

Executed a process and injected code into it, probably while unpacking (18 个事件)

Time & API	Arguments	Status	Return
1619275166.11125 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 648	success	0
1619275166.12625 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 648	success	0
1619275166.18925 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 648	success	0
1619275217.29825 NtResumeThread	thread_handle: 0x00010e84 suspend_count: 1 process_identifier: 648	success	0
1619275217.31425 NtResumeThread	thread_handle: 0x0000b644 suspend_count: 1 process_identifier: 648	success	0
1619275223.03325 CreateProcessInternalW	thread_identifier: 1704 thread_handle: 0x0000eeb0 process_identifier: 1376 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JYOSRpg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3936.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00010f1c inherit_handles: 0	success	1
1619275226.61125 CreateProcessInternalW	thread_identifier: 3000 thread_handle: 0x00010ef8 process_identifier: 1316 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00010f24 inherit_handles: 0	success	1
1619275226.61125 NtGetContextThread	thread_handle: 0x00010ef8	success	0
1619275226.62625 NtAllocateVirtualMemory	process_identifier: 1316 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00010f24 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619275226.62625 WriteProcessMemory	process_identifier: 1316 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7i%_àVt @ À@8tS¨ H.textT V `.rsrc¨X@@.reloc ^@B process_handle: 0x00010f24 base_address: 0x00400000	success	1
1619275226.62625 WriteProcessMemory	process_identifier: 1316 buffer: process_handle: 0x00010f24 base_address: 0x00402000	success	1
1619275226.64225 WriteProcessMemory	process_identifier: 1316 buffer: P8h ¼ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0 CommentsHi(CompanyNameHi0FileDescriptionHi,FileVersion1.4.8TInternalNamevzRktygsyBubbHqlXIReu.exe,LegalCopyrightHi0LegalTrademarksHi\OriginalFilenamevzRktygsyBubbHqlXIReu.exe(ProductNameHi0ProductVersion1.4.88Assembly Version1.4.8.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00010f24 base_address: 0x00448000	success	1
1619275226.64225 WriteProcessMemory	process_identifier: 1316 buffer: p4 process_handle: 0x00010f24 base_address: 0x0044a000	success	1
1619275226.64225 WriteProcessMemory	process_identifier: 1316 buffer: @ process_handle: 0x00010f24 base_address: 0x7efde008	success	1
1619275226.64225 NtSetContextThread	thread_handle: 0x00010ef8 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486286 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1316	success	0
1619275227.298 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1316	success	0
1619275227.298 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 1316	success	0
1619275227.345 NtResumeThread	thread_handle: 0x00000174 suspend_count: 1 process_identifier: 1316	success	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34314956
FireEye	Generic.mg.1eee2f6e8d98a422
CAT-QuickHeal	Trojan.IGENERIC
McAfee	Fareit-FXH!1EEE2F6E8D98
Cylance	Unsafe
AegisLab	Trojan.Win32.Malicious.4!c
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c2671 )
Alibaba	Trojan:MSIL/AgentTesla.f8c23bbe
K7GW	Trojan ( 0056c2671 )
Cybereason	malicious.40284f
Arcabit	Trojan.Generic.D20B9ACC
Cyren	W32/MSIL_Kryptik.BLA.gen!Eldorado
Symantec	Trojan Horse
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Agent.gen
BitDefender	Trojan.GenericKD.34314956
NANO-Antivirus	Trojan.Win32.PackedNET.hrboyq
Avast	Win32:MalwareX-gen [Trj]
Tencent	Msil.Trojan.Agent.Edow
Ad-Aware	Trojan.GenericKD.34314956
Comodo	Malware@#3zj6xzjfbmr2
DrWeb	Trojan.PackedNET.405
VIPRE	Trojan.Win32.Generic!BT
Invincea	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Jiangmin	Trojan.MSIL.qgok
Avira	TR/Kryptik.rdqgk
eGambit	Unsafe.AI_Score_98%
MAX	malware (ai score=100)
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Agent.gen
GData	Trojan.GenericKD.34314956
AhnLab-V3	Malware/Win32.RL_Generic.C4177931
BitDefenderTheta	Gen:NN.ZemsilF.34570.Mm0@aaqJyud
ALYac	Trojan.GenericKD.34314956
VBA32	TScope.Trojan.MSIL
ESET-NOD32	a variant of MSIL/Kryptik.XHB
Ikarus	Trojan.MSIL.Crypt
MaxSecure	Trojan.Malware.104688448.susgen
Fortinet	W32/Agent.XHB!tr
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Generic/HEUR/QVM03.0.19E3.Malware.Gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-08 11:37:07

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com
clients2.google.com		172.217.24.14
dns.msftncsi.com		131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	63497	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60215	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50537	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.