Threat score: 9.4 (Critical)

SHA256: 380a4e4a513f170846c9d9f1f278c1f79fa17ba3e4f0ffbefad8dc2eb87f3b50

File name (the sample's MD5): 20e08eb4172a51acfc23f0b95b1ac6f6.exe

Analysis duration: 126s

Most recent analysis:

File size: 8.0MB
Detection name tags (static and dynamic): ATTRIBUTE CONFIDENCE GENERIC ML PUA HIGHCONFIDENCE ICLOADER IGUBY MALICIOUS PE MALWARE@#2ZB7VVFZENU24 REDCAP SDHA SIGGEN9 STARTUN
鹰眼 (Hawkeye) engine
Not detected: no Hawkeye engine result is available for this sample
Static verdict
Anti-virus engines
Engine       Result                              Scan date  Engine version
Alibaba      Trojan:Win32/Startun.a696684d       20190527   0.3.0.5
Baidu        (no result)                         20190318   1.0.0.2
Kingsoft     (no result)                         20201026   2013.8.14.323
Tencent      (no result)                         20201026   1.0.0.1
CrowdStrike  win/malicious_confidence_60% (D)    20190702   1.0
Static indicators
Queries for the computername (9 events)
Every call returned computer_name: OSKAR-PC with status success, return 1, repeated 0.
Time               API
1619278087.967375  GetComputerNameW
1619278121.608375  GetComputerNameA
1619278121.608375  GetComputerNameW
1619278122.796125  GetComputerNameW
1619278122.827125  GetComputerNameW
1619278126.358125  GetComputerNameW
1619278141.04625   GetComputerNameW
1619278145.81125   GetComputerNameA
1619278145.81125   GetComputerNameW
Checks if process is being debugged by a debugger (2 events)
Time               API                Status  Return  Repeated
1619278068.702375  IsDebuggerPresent  failed  0       0
1619278139.10825   IsDebuggerPresent  failed  0       0
IsDebuggerPresent returns FALSE (0) when no debugger is attached; the sandbox labels any zero return value "failed", so these are negative checks, not failed calls.
Tries to locate where the browsers are installed (1 event)
file C:\Program Files\Google\Chrome\Application\
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time               API                   Status   Return  Repeated
1619278065.2805    GlobalMemoryStatusEx  success  1       0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .ndata
One or more processes crashed (2 events)
Both exceptions are raised by RaiseException in KERNELBASE.dll from the same call chain (msi.dll, then ole32 proxy/stub marshalling, then rpcrt4 NdrClientCall2 and RpcRaiseException). The exception codes are HRESULTs wrapping Win32 RPC errors: 0x800706b5 is HRESULT_FROM_WIN32(1717, RPC_S_UNKNOWN_IF) and 0x800706ba is HRESULT_FROM_WIN32(1722, RPC_S_SERVER_UNAVAILABLE). These are software exceptions thrown deliberately by the RPC runtime when a COM call could not reach its server, not access violations.
Time & API Arguments Status Return Repeated
1619278121.530375
__exception__
stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c9374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x7682f777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x75ca419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x75d2011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7682c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x767298ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x7672b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x7672b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x7672b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x7672a66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x76705d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x76705ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x76705d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x76738f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x76738ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x7672bac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x767388e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x752b5180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x74401bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 87421564
registers.edi: 1987312144
registers.eax: 87421564
registers.ebp: 87421644
registers.edx: 0
registers.ebx: 85907668
registers.esi: 2147944117
registers.ecx: 0
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706b5
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619278145.74925
__exception__
stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c9374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x7682f777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x75ca419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x75d2011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7682c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x767298ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x7672b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x7672b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x7672b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x7672a66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x76705d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x76705ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x76705d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x76738f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x76738ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x7672bac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x767388e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x752b5180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x74401bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 78115956
registers.edi: 1987312144
registers.eax: 78115956
registers.ebp: 78116036
registers.edx: 2147944122
registers.ebx: 8147628
registers.esi: 2147944122
registers.ecx: 0
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Performs some HTTP requests (1 event)
request GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCEB%2B%2B2yqbNshvPMhaJJv70uw%3D
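A request like the one above is worth decoding before it is written up as command-and-control traffic. The path of a GET-style OCSP request is the URL-encoded base64 of a DER OCSPRequest (RFC 6960, appendix A.1), and the User-Agent the sandbox captured for this connection (Microsoft-CryptoAPI/6.1) is the Windows certificate-revocation client. The Python below is an added example, not code from the report or from the sandbox vendor. It walks the DER with a small hand-written TLV reader (no library API is assumed) and extracts the CertID the client asked about, so the issuer key hash and serial number can be matched against the certificate chain the installer was verifying. The only assumption is that the request carries one CertID and none of the optional tbsRequest fields; the decoder checks this by expecting a SEQUENCE at each nesting level.

```python
"""Decode the OCSP request embedded in the flagged ocsp.verisign.com URL.

Added example for triaging the sandbox's "Performs some HTTP requests" hit; it
is not part of the original report. Input is the URL exactly as recorded. The
DER walker below is written for this example, not a library API, and assumes
the request carries one CertID and no optional tbsRequest fields (version,
requestorName, extensions), which is checked by expecting a SEQUENCE at each
nesting level.
"""
import base64
import urllib.parse

# URL as recorded in the report; the path is the base64 of a DER OCSPRequest.
FLAGGED_URL = ("http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQU"
               "CPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCEB%2B%2B2yqbNshvPMhaJJv70uw%3D")

SHA1_OID = "1.3.14.3.2.26"  # id-sha1, the digest CryptoAPI uses inside CertID


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Turn the body of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get_url(url):
    """Parse a GET-style OCSP URL (RFC 6960 A.1) and return the CertID it asks about."""
    path = urllib.parse.urlsplit(url).path.lstrip("/")
    der = base64.b64decode(urllib.parse.unquote(path))

    # OCSPRequest > tbsRequest > requestList > Request > CertID: five nested SEQUENCEs.
    node = der
    for level in ("OCSPRequest", "tbsRequest", "requestList", "Request", "CertID"):
        tag, node, _ = _read_tlv(node, 0)
        if tag != 0x30:
            raise ValueError(f"expected SEQUENCE for {level}, got tag 0x{tag:02x}")

    # CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
    _, alg, pos = _read_tlv(node, 0)
    _, oid_body, _ = _read_tlv(alg, 0)
    _, name_hash, pos = _read_tlv(node, pos)
    _, key_hash, pos = _read_tlv(node, pos)
    _, serial, _ = _read_tlv(node, pos)

    algorithm = _decode_oid(oid_body)
    return {
        "hash_algorithm": algorithm,
        "hash_is_sha1": algorithm == SHA1_OID,
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": serial.hex(),
        "der_length": len(der),
    }


if __name__ == "__main__":
    for field, value in decode_ocsp_get_url(FLAGGED_URL).items():
        print(f"{field}: {value}")
```

The decoded request is 83 bytes and asks about exactly one certificate, identified by SHA-1 hashes of the issuer name and issuer key plus a 16-byte serial number. That shape, together with the CryptoAPI User-Agent and the lack of any DNS-less or beacon-like follow-up to the same host, is what a standard Authenticode or TLS revocation check looks like; the TCP table further down shows the connection to ocsp.verisign.com on port 80 alongside Microsoft and Google update endpoints.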
Allocates read-write-execute memory (usually to unpack itself) (48 events)
All 48 events ask for protection 64 (PAGE_EXECUTE_READWRITE) on the calling process itself (process_handle 0xffffffff, or its 64-bit form 0xffffffffffffffff for PID 1424), with stack_dep_bypass 0 and stack_pivoted 0, and every call returned success 0 0. Size is the length argument of NtProtectVirtualMemory or the region_size of NtAllocateVirtualMemory. Four processes appear: 912 (1 event), 364 (32 events), 1424 (1 event) and 3976 (14 events).
Time               API                      PID   Size     Allocation type     heap_dep_bypass  Base address
1619278068.0775    NtProtectVirtualMemory   912   4096     -                   0                0x74ff5000
1619278068.639375  NtProtectVirtualMemory   364   4096     -                   0                0x748b1000
1619278068.671375  NtProtectVirtualMemory   364   4096     -                   0                0x74511000
1619278068.749375  NtProtectVirtualMemory   364   4096     -                   0                0x750c1000
1619278068.796375  NtProtectVirtualMemory   364   4096     -                   0                0x74271000
1619278068.796375  NtProtectVirtualMemory   364   4096     -                   0                0x74261000
1619278068.796375  NtProtectVirtualMemory   364   4096     -                   0                0x741e1000
1619278068.967375  NtProtectVirtualMemory   364   4096     -                   0                0x75c41000
1619278069.046375  NtProtectVirtualMemory   364   4096     -                   0                0x74201000
1619278069.233375  NtProtectVirtualMemory   364   4096     -                   0                0x741a1000
1619278069.233375  NtProtectVirtualMemory   364   4096     -                   0                0x74181000
1619278069.264375  NtProtectVirtualMemory   364   4096     -                   0                0x74141000
1619278069.608375  NtProtectVirtualMemory   364   4096     -                   0                0x74101000
1619278069.608375  NtProtectVirtualMemory   364   4096     -                   0                0x76881000
1619278069.639375  NtProtectVirtualMemory   364   4096     -                   0                0x740f1000
1619278069.671375  NtProtectVirtualMemory   364   4096     -                   0                0x74091000
1619278069.671375  NtProtectVirtualMemory   364   4096     -                   0                0x74041000
1619278069.671375  NtProtectVirtualMemory   364   4096     -                   0                0x77531000
1619278069.671375  NtProtectVirtualMemory   364   4096     -                   0                0x75a01000
1619278069.702375  NtProtectVirtualMemory   364   4096     -                   0                0x74031000
1619278069.717375  NtProtectVirtualMemory   364   4096     -                   0                0x73ff1000
1619278069.749375  NtProtectVirtualMemory   364   4096     -                   0                0x73fb1000
1619278074.999375  NtProtectVirtualMemory   364   4096     -                   0                0x73f21000
1619278087.217375  NtProtectVirtualMemory   364   4096     -                   0                0x73eb1000
1619278087.249375  NtProtectVirtualMemory   364   4096     -                   0                0x73ea1000
1619278087.827375  NtProtectVirtualMemory   364   4096     -                   0                0x73e41000
1619278087.827375  NtAllocateVirtualMemory  364   1638400  8192 (MEM_RESERVE)  0                0x054e0000
1619278087.827375  NtAllocateVirtualMemory  364   4096     4096 (MEM_COMMIT)   1                0x05630000
1619278087.842375  NtProtectVirtualMemory   364   4096     -                   0                0x73dd1000
1619278087.842375  NtAllocateVirtualMemory  364   2097152  8192 (MEM_RESERVE)  0                0x05670000
1619278087.842375  NtAllocateVirtualMemory  364   4096     4096 (MEM_COMMIT)   1                0x05830000
1619278088.124375  NtProtectVirtualMemory   364   4096     -                   0                0x73d71000
1619278088.124375  NtProtectVirtualMemory   364   4096     -                   0                0x764c1000
1619278138.639125  NtAllocateVirtualMemory  1424  65536    4096 (MEM_COMMIT)   0                0x0000000006e80000
1619278138.84225   NtProtectVirtualMemory   3976  4096     -                   0                0x748b1000
1619278138.99925   NtProtectVirtualMemory   3976  4096     -                   0                0x74511000
1619278139.32725   NtProtectVirtualMemory   3976  4096     -                   0                0x750c1000
1619278139.63925   NtProtectVirtualMemory   3976  4096     -                   0                0x74271000
1619278139.63925   NtProtectVirtualMemory   3976  4096     -                   0                0x74261000
1619278139.63925   NtProtectVirtualMemory   3976  4096     -                   0                0x741e1000
1619278140.74925   NtProtectVirtualMemory   3976  4096     -                   0                0x73e31000
1619278140.78025   NtAllocateVirtualMemory  3976  720896   8192 (MEM_RESERVE)  0                0x045f0000
1619278140.79625   NtAllocateVirtualMemory  3976  4096     4096 (MEM_COMMIT)   1                0x04660000
1619278140.84225   NtProtectVirtualMemory   3976  4096     -                   0                0x73c11000
1619278140.85825   NtAllocateVirtualMemory  3976  1048576  8192 (MEM_RESERVE)  0                0x047c0000
1619278140.85825   NtAllocateVirtualMemory  3976  4096     4096 (MEM_COMMIT)   1                0x04880000
1619278141.24925   NtProtectVirtualMemory   3976  4096     -                   0                0x740e1000
1619278141.24925   NtProtectVirtualMemory   3976  4096     -                   0                0x764c1000
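Forty-eight RWX events are easier to reason about once they are sorted. Nearly every NtProtectVirtualMemory call above touches a single 4096-byte page at an address ending in 1000 between 0x73c11000 and 0x77531000, the same high region where the crash stack traces place rpcrt4, ole32, kernel32 and ntdll, while the NtAllocateVirtualMemory calls reserve fresh private regions at low addresses (0x045f0000, 0x054e0000, 0x05670000) and then commit one executable page each, which is where the sandbox sets heap_dep_bypass to 1. The Python below is an added example, not part of the report or the sandbox: it parses the sandbox's own multi-line event layout (timestamp, API name, key: value lines, then a status/return/repeated line) and buckets each RWX event. The bucket names and the 0x70000000 cut-off are triage heuristics chosen for this example, not fields the sandbox emits, and the embedded trace is a constructed excerpt of three events copied from the list above.

```python
"""Bucket the sandbox's "Allocates read-write-execute memory" events.

Added example, not part of the original report or the sandbox. It parses the
report's multi-line event layout and sorts each RWX event into buckets:
image_page (NtProtectVirtualMemory on one 4 KiB page above SYSTEM_DLL_FLOOR,
the region where the report's stack traces place rpcrt4/ole32/kernel32/ntdll),
protect_other, reserve (MEM_RESERVE of a new private region) and commit
(MEM_COMMIT; the sandbox's heap_dep_bypass flag is counted separately).
Bucket names and the floor value are heuristics chosen here, not sandbox
fields. SAMPLE_TRACE is a constructed excerpt copied from the report.
"""
import re
from collections import Counter, defaultdict

SYSTEM_DLL_FLOOR = 0x70000000  # heuristic cut-off, see module docstring

SAMPLE_TRACE = """\
1619278087.827375
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e41000
success 0 0
1619278087.827375
NtAllocateVirtualMemory
process_identifier: 364
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x054e0000
success 0 0
1619278087.827375
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05630000
success 0 0
"""

_TIMESTAMP = re.compile(r"^\d{10}\.\d+$")
_STATUS = re.compile(r"^(success|failed) (\d+) (\d+)$")
_KEY_VALUE = re.compile(r"^([a-z_]+): (.*)$")


def parse_events(text):
    """Yield one dict per event: time, api, each key: value field, status, return, repeated."""
    event = None
    for raw in text.splitlines():
        line = raw.strip()
        if _TIMESTAMP.match(line):
            event = {"time": float(line), "api": None}
        elif event is None:
            continue  # table header or stray text outside an event
        elif event["api"] is None:
            event["api"] = line  # the line after the timestamp is the API name
        elif (m := _STATUS.match(line)):
            event["status"], event["return"], event["repeated"] = m.group(1), int(m.group(2)), int(m.group(3))
            yield event
            event = None
        elif (m := _KEY_VALUE.match(line)):
            event[m.group(1)] = m.group(2)


def classify(event):
    """Assign one RWX event to a bucket using the heuristics in the module docstring."""
    base = int(event["base_address"], 16)
    if event["api"] == "NtProtectVirtualMemory":
        if base >= SYSTEM_DLL_FLOOR and int(event["length"]) == 0x1000:
            return "image_page"
        return "protect_other"
    if event["api"] == "NtAllocateVirtualMemory":
        return "reserve" if "MEM_RESERVE" in event["allocation_type"] else "commit"
    return "other"


def summarize(text):
    """Per-PID bucket counts for RWX events, plus how many the sandbox flagged heap_dep_bypass."""
    per_pid = defaultdict(Counter)
    for event in parse_events(text):
        if "PAGE_EXECUTE_READWRITE" not in event.get("protection", ""):
            continue  # not an RWX event, so outside this signature
        pid = int(event["process_identifier"])
        per_pid[pid][classify(event)] += 1
        if event.get("heap_dep_bypass") == "1":
            per_pid[pid]["dep_bypass_flagged"] += 1
    return {pid: dict(counts) for pid, counts in per_pid.items()}


if __name__ == "__main__":
    for pid, counts in summarize(SAMPLE_TRACE).items():
        print(pid, counts)
```

Run against the full list above, the same parser separates the 40 single-page protection changes inside already-mapped system DLLs from the six reserve/commit pairs that create fresh executable private memory in PIDs 364 and 3976, which is the part of this signature that actually corresponds to unpacking or staging code. The one event in PID 1424 stands apart by its 64-bit pseudo-handle and 64-bit base address.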
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)
All six calls query root_path C:\ and returned success 1 0. total_number_of_bytes stays at 34252779520 (about 31.9 GiB, 8362495 clusters of 4096 bytes); free space falls from 19593695232 to 19387719680 bytes over the run.
Time               API                  Values
1619278068.936375  GetDiskFreeSpaceExW  free_bytes_available 19593695232; total_number_of_free_bytes 19593695232; total_number_of_bytes 34252779520
1619278068.936375  GetDiskFreeSpaceW    sectors_per_cluster 8; number_of_free_clusters 4783617; total_number_of_clusters 8362495; bytes_per_sector 512
1619278088.483375  GetDiskFreeSpaceExW  free_bytes_available 19459444736; total_number_of_free_bytes 19459444736; total_number_of_bytes 34252779520
1619278088.483375  GetDiskFreeSpaceW    sectors_per_cluster 8; number_of_free_clusters 4750841; total_number_of_clusters 8362495; bytes_per_sector 512
1619278139.92125   GetDiskFreeSpaceExW  free_bytes_available 19387719680; total_number_of_free_bytes 19387719680; total_number_of_bytes 34252779520
1619278139.92125   GetDiskFreeSpaceW    sectors_per_cluster 8; number_of_free_clusters 4733330; total_number_of_clusters 8362495; bytes_per_sector 512
Creates executable files on the filesystem (5 events)
file C:\Bonjour64.msi
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsx628E.tmp\System.dll
file C:\Setup64.msi
file C:\Bonjour.msi
file C:\Setup.msi
Creates a shortcut to an executable file (11 events)
Note: the paths listed are the stock Windows Accessories shortcuts and Google Chrome's own shortcuts, not new .lnk entries pointing at the dropped files.
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file C:\Users\Public\Desktop\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\MSI80DE.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsx628E.tmp\System.dll
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time               API                   Arguments            Status  Return  Repeated
1619278069.749375  GetAdaptersAddresses  flags: 15; family: 0  failed  111     0
Return 111 is ERROR_BUFFER_OVERFLOW, the documented result of the first, buffer-sizing call to GetAdaptersAddresses; no second call with a large enough buffer is recorded, so no adapter data was actually read here.
Checks for the Locally Unique Identifier on the system for a suspicious privilege (40 events)
All 40 calls are LookupPrivilegeValueW with an empty system_name (the local machine) and returned success 1 0. LookupPrivilegeValueW only resolves a privilege name to its LUID; enabling a privilege would need a separate AdjustTokenPrivileges call, which this list does not show. The same burst of 15 distinct names occurs twice (1619278087.592375 to .608375 and 1619278140.32725 to .35825); the remaining events look up SeShutdownPrivilege alone.
Time               privilege_name
1619278068.811375  SeShutdownPrivilege
1619278087.592375  SeCreateTokenPrivilege
1619278087.592375  SeAssignPrimaryTokenPrivilege
1619278087.592375  SeMachineAccountPrivilege
1619278087.592375  SeTcbPrivilege
1619278087.592375  SeSecurityPrivilege
1619278087.592375  SeTakeOwnershipPrivilege
1619278087.592375  SeLoadDriverPrivilege
1619278087.592375  SeBackupPrivilege
1619278087.592375  SeRestorePrivilege
1619278087.592375  SeShutdownPrivilege
1619278087.608375  SeDebugPrivilege
1619278087.608375  SeRemoteShutdownPrivilege
1619278087.608375  SeEnableDelegationPrivilege
1619278087.608375  SeManageVolumePrivilege
1619278087.608375  SeCreateGlobalPrivilege
1619278123.999125  SeShutdownPrivilege
1619278124.030125  SeShutdownPrivilege
1619278124.421125  SeShutdownPrivilege
1619278124.436125  SeShutdownPrivilege
1619278124.624125  SeShutdownPrivilege
1619278125.077125  SeShutdownPrivilege
1619278125.374125  SeShutdownPrivilege
1619278126.092125  SeShutdownPrivilege
1619278139.71725   SeShutdownPrivilege
1619278140.32725   SeCreateTokenPrivilege
1619278140.32725   SeAssignPrimaryTokenPrivilege
1619278140.32725   SeMachineAccountPrivilege
1619278140.32725   SeTcbPrivilege
1619278140.32725   SeSecurityPrivilege
1619278140.32725   SeTakeOwnershipPrivilege
1619278140.32725   SeLoadDriverPrivilege
1619278140.32725   SeBackupPrivilege
1619278140.32725   SeRestorePrivilege
1619278140.34225   SeShutdownPrivilege
1619278140.34225   SeDebugPrivilege
1619278140.34225   SeRemoteShutdownPrivilege
1619278140.34225   SeEnableDelegationPrivilege
1619278140.34225   SeManageVolumePrivilege
1619278140.35825   SeCreateGlobalPrivilege
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: 567785e12758037755debd158770af3f0373a8eb
buffer Buffer with sha1: fa97e3e50f2289b71229458b27cabb9fc71a9b8d
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates a windows hook that monitors keyboard input (keylogger) (1 event)
Time               API                Arguments                                                                                                                     Status   Return   Repeated
1619278151.671125  SetWindowsHookExW  thread_identifier: 0; callback_function: 0x00000000ff35ae10; module_address: 0x00000000ff2b0000; hook_identifier: 13 (WH_KEYBOARD_LL)  success  1442231  0
thread_identifier 0 installs the low-level keyboard hook for all threads on the desktop (WH_KEYBOARD_LL is always global); the return value 1442231 is the HHOOK handle. The 64-bit callback and module addresses place this call in a 64-bit process.
File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)
FireEye Generic.mg.20e08eb4172a51ac
CAT-QuickHeal Trojan.Startun
Sangfor Malware
Alibaba Trojan:Win32/Startun.a696684d
Cybereason malicious.e2b1b1
Cyren W32/Trojan.SDHA-2662
Symantec ML.Attribute.HighConfidence
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Startun.gen
Comodo Malware@#2zb7vvfzenu24
DrWeb Trojan.Siggen9.29955
Invincea Generic ML PUA (PUA)
McAfee-GW-Edition BehavesLike.Win32.ICLoader.wc
Avira TR/Redcap.iguby
AegisLab Trojan.Win32.Startun.4!c
ZoneAlarm HEUR:Trojan.Win32.Startun.gen
VBA32 Trojan.Startun
SentinelOne DFI - Malicious PE
AVG Win32:Malware-gen
CrowdStrike win/malicious_confidence_60% (D)
Qihoo-360 Win32/Trojan.b67
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)
dead_host 172.217.160.110:443
dead_host 8.8.4.4:443
dead_host 172.217.160.77:443
dead_host 117.18.237.29:80
Visual analysis
Binary image: none (no binary visualisation image was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)

PE Compile Time

2019-12-16 08:50:59

Imports

Library KERNEL32.dll:
0x408074 SetFileAttributesW
0x408078 Sleep
0x40807c GetTickCount
0x408080 GetFileSize
0x408084 GetModuleFileNameW
0x408088 GetCurrentProcess
0x40808c CopyFileW
0x408094 GetFileAttributesW
0x40809c GetTempPathW
0x4080a0 GetCommandLineW
0x4080a4 GetVersion
0x4080a8 SetErrorMode
0x4080ac lstrlenW
0x4080b0 lstrcpynW
0x4080b4 GetDiskFreeSpaceW
0x4080b8 ExitProcess
0x4080bc MoveFileW
0x4080c0 CreateThread
0x4080c4 GetLastError
0x4080c8 CreateDirectoryW
0x4080cc CreateProcessW
0x4080d0 RemoveDirectoryW
0x4080d4 lstrcmpiA
0x4080d8 CreateFileW
0x4080dc GetTempFileNameW
0x4080e0 WriteFile
0x4080e4 lstrcpyA
0x4080e8 MoveFileExW
0x4080ec lstrcatW
0x4080f0 GetSystemDirectoryW
0x4080f4 GetProcAddress
0x4080f8 GetModuleHandleA
0x4080fc GetExitCodeProcess
0x408100 WaitForSingleObject
0x408104 lstrcmpiW
0x408108 lstrcmpW
0x40810c GetFullPathNameW
0x408110 GetShortPathNameW
0x408114 SearchPathW
0x408118 CompareFileTime
0x40811c SetFileTime
0x408120 CloseHandle
0x408128 GlobalFree
0x40812c GlobalLock
0x408130 GlobalUnlock
0x408134 GlobalAlloc
0x408138 DeleteFileW
0x40813c FindFirstFileW
0x408140 FindNextFileW
0x408144 FindClose
0x408148 SetFilePointer
0x40814c ReadFile
0x408150 MulDiv
0x408154 lstrlenA
0x408158 WideCharToMultiByte
0x40815c MultiByteToWideChar
0x408164 FreeLibrary
0x40816c GetModuleHandleW
0x408170 LoadLibraryExW
Library USER32.dll:
0x408194 GetWindowRect
0x408198 GetSystemMenu
0x40819c SetClassLongW
0x4081a0 IsWindowEnabled
0x4081a4 SetWindowPos
0x4081a8 GetSysColor
0x4081ac GetWindowLongW
0x4081b0 SetCursor
0x4081b4 LoadCursorW
0x4081b8 CheckDlgButton
0x4081bc GetMessagePos
0x4081c0 CallWindowProcW
0x4081c4 IsWindowVisible
0x4081c8 CloseClipboard
0x4081cc SetClipboardData
0x4081d0 EmptyClipboard
0x4081d4 OpenClipboard
0x4081d8 TrackPopupMenu
0x4081dc ScreenToClient
0x4081e0 EnableMenuItem
0x4081e4 GetDlgItem
0x4081e8 SetDlgItemTextW
0x4081ec GetDlgItemTextW
0x4081f0 MessageBoxIndirectW
0x4081f4 CharPrevW
0x4081f8 CharNextA
0x4081fc wsprintfA
0x408200 DispatchMessageW
0x408204 PeekMessageW
0x408208 GetDC
0x40820c ReleaseDC
0x408210 EnableWindow
0x408214 InvalidateRect
0x408218 SendMessageW
0x40821c DefWindowProcW
0x408220 BeginPaint
0x408224 GetClientRect
0x408228 FillRect
0x408230 EndDialog
0x408234 RegisterClassW
0x408238 DialogBoxParamW
0x40823c CreateWindowExW
0x408240 GetClassInfoW
0x408244 DestroyWindow
0x408248 CharNextW
0x40824c ExitWindowsEx
0x408250 SetWindowTextW
0x408254 LoadImageW
0x408258 SetTimer
0x40825c ShowWindow
0x408260 PostQuitMessage
0x408264 wsprintfW
0x408268 SetWindowLongW
0x40826c FindWindowExW
0x408270 IsWindow
0x408274 CreatePopupMenu
0x408278 AppendMenuW
0x40827c GetSystemMetrics
0x408280 DrawTextW
0x408284 EndPaint
0x408288 CreateDialogParamW
0x40828c SendMessageTimeoutW
0x408290 SetForegroundWindow
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectW
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
Library SHELL32.dll:
0x408178 ShellExecuteExW
0x408184 SHGetFileInfoW
0x408188 SHFileOperationW
0x40818c SHBrowseForFolderW
Library ADVAPI32.dll:
0x408004 RegCreateKeyExW
0x408008 RegOpenKeyExW
0x40800c SetFileSecurityW
0x408010 OpenProcessToken
0x408018 RegEnumValueW
0x40801c RegDeleteKeyW
0x408020 RegDeleteValueW
0x408024 RegCloseKey
0x408028 RegSetValueExW
0x40802c RegQueryValueExW
0x408030 RegEnumKeyW
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040
0x408044 ImageList_Destroy
Library ole32.dll:
0x408298 OleUninitialize
0x40829c OleInitialize
0x4082a0 CoTaskMemFree
0x4082a4 CoCreateInstance

Hosts

No hosts contacted.

TCP

Source          Source port  Destination     Destination host               Destination port
192.168.56.101  49219        184.31.184.149  go.microsoft.com               443
192.168.56.101  49217        203.208.41.34   clientservices.googleapis.com  443
192.168.56.101  49223        218.13.190.4    download.microsoft.com         443
192.168.56.101  49183        23.46.123.27    ocsp.verisign.com              80

UDP

Source          Source port  Destination      Destination host  Destination port
192.168.56.101  50320        114.114.114.114  -                 53
192.168.56.101  50433        114.114.114.114  -                 53
192.168.56.101  50534        114.114.114.114  -                 53
192.168.56.101  51963        114.114.114.114  -                 53
192.168.56.101  53210        114.114.114.114  -                 53
192.168.56.101  53237        114.114.114.114  -                 53
192.168.56.101  54991        114.114.114.114  -                 53
192.168.56.101  56539        114.114.114.114  -                 53
192.168.56.101  57089        114.114.114.114  -                 53
192.168.56.101  58367        114.114.114.114  -                 53
192.168.56.101  59789        114.114.114.114  -                 53
192.168.56.101  61522        114.114.114.114  -                 53
192.168.56.101  61680        114.114.114.114  -                 53
192.168.56.101  62144        114.114.114.114  -                 53
192.168.56.101  64118        114.114.114.114  -                 53
192.168.56.101  64565        114.114.114.114  -                 53
192.168.56.101  65004        114.114.114.114  -                 53
192.168.56.101  137          192.168.56.255   -                 137
192.168.56.101  138          192.168.56.255   -                 138
192.168.56.101  123          20.189.79.72     time.windows.com  123
(Port 53 traffic is DNS to the guest's configured resolver 114.114.114.114; ports 137/138 to the subnet broadcast address are NetBIOS name and datagram service; port 123 is NTP. A destination host is shown only where the sandbox resolved one.)

HTTP & HTTPS Requests

URI Data
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCEB%2B%2B2yqbNshvPMhaJJv70uw%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCEB%2B%2B2yqbNshvPMhaJJv70uw%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.