3.2
Medium risk

0cf36731f5b8651d53fc651607c3fccac24b631c08dca4493d8e07d2fbff1db3

2209710b3ba686e5cbd8716df05c5174.exe

Analysis duration

130s

Last analyzed

File size

167.0KB
Static scan: flagged malicious. Dynamic analysis: flagged malicious. Tags: AI SCORE=81 ANDROM ATRAPS BSCOPE CLOUD CONFIDENCE FILECODER FMQTEA GDSDA GEN2 GEN4 GENERICRXHI HERMES HIGH CONFIDENCE HMRH INJECT3 INVADER KQX@AASNFEB MALICIOUS PE MALWARE@#3KVMGNS0YWTEO MODERATE QVM10 RANSOMWARE RANSOMX RYUK RYUK3 SCORE SPFZ SUSGEN UNSAFE ZEXAF
鹰眼引擎 (Hawkeye engine)
Not detected: no 鹰眼引擎 detection results are available.
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
McAfee GenericRXHI-XN!2209710B3BA6 20200516 6.0.6.653
Alibaba Ransom:Win32/Androm.32000894 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:RansomX-gen [Ransom] 20200516 18.4.3895.0
Kingsoft 20200516 2013.8.14.323
Tencent Win32.Trojan.Atraps.Hmrh 20200516 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (20 events)
Time & API  Arguments  Status  Return  Repeated
1619271507.603251  IsDebuggerPresent  failed  0  0
1619271512.619251  IsDebuggerPresent  failed  0  0
1619271517.681251  IsDebuggerPresent  failed  0  0
1619271522.728251  IsDebuggerPresent  failed  0  0
1619271527.744251  IsDebuggerPresent  failed  0  0
1619271532.760251  IsDebuggerPresent  failed  0  0
1619271537.853251  IsDebuggerPresent  failed  0  0
1619271542.931251  IsDebuggerPresent  failed  0  0
1619271547.994251  IsDebuggerPresent  failed  0  0
1619271553.010251  IsDebuggerPresent  failed  0  0
1619271558.103251  IsDebuggerPresent  failed  0  0
1619271563.197251  IsDebuggerPresent  failed  0  0
1619271568.494251  IsDebuggerPresent  failed  0  0
1619271573.697251  IsDebuggerPresent  failed  0  0
1619271578.900251  IsDebuggerPresent  failed  0  0
1619271584.088251  IsDebuggerPresent  failed  0  0
1619271589.181251  IsDebuggerPresent  failed  0  0
1619271594.306251  IsDebuggerPresent  failed  0  0
1619271599.353251  IsDebuggerPresent  failed  0  0
1619271604.525251  IsDebuggerPresent  failed  0  0
Command line console output was observed (18 events)
Time & API  Arguments  Status  Return  Repeated
1619271504.135001  WriteConsoleW  buffer: Print Spooler 服务正在停止  console_handle: 0x00000007  success  1  0
1619271506.650001  WriteConsoleW  buffer: Print Spooler 服务已成功停止。  console_handle: 0x00000007  success  1  0
1619271505.056001  WriteConsoleW  buffer: 下面的服务依赖于 Windows Audio Endpoint Builder 服务。 停止 Windows Audio Endpoint Builder 服务也会停止这些服务。  console_handle: 0x00000007  success  1  0
1619271505.072001  WriteConsoleW  buffer: Windows Audio  console_handle: 0x00000007  success  1  0
1619271505.103001  WriteConsoleW  buffer: Windows Audio 服务正在停止  console_handle: 0x00000007  success  1  0
1619271507.650001  WriteConsoleW  buffer: Windows Audio 服务已成功停止。  console_handle: 0x00000007  success  1  0
1619271507.713001  WriteConsoleW  buffer: Windows Audio Endpoint Builder 服务正在停止  console_handle: 0x00000007  success  1  0
1619271510.213001  WriteConsoleW  buffer: Windows Audio Endpoint Builder 服务已成功停止。  console_handle: 0x00000007  success  1  0
1619271505.291126  WriteConsoleW  buffer: 这项服务无法接受请求的“暂停”、“继续”或“停止”操作。  console_handle: 0x0000000b  success  1  0
1619271505.306126  WriteConsoleW  buffer: 请键入 NET HELPMSG 2191 以获得更多的帮助。  console_handle: 0x0000000b  success  1  0
1619271516.322001  WriteConsoleW  buffer: 这项服务无法接受请求的“暂停”、“继续”或“停止”操作。  console_handle: 0x0000000b  success  1  0
1619271516.322001  WriteConsoleW  buffer: 请键入 NET HELPMSG 2191 以获得更多的帮助。  console_handle: 0x0000000b  success  1  0
1619271556.071626  WriteConsoleW  buffer: 这项服务无法接受请求的“暂停”、“继续”或“停止”操作。  console_handle: 0x0000000b  success  1  0
1619271556.071626  WriteConsoleW  buffer: 请键入 NET HELPMSG 2191 以获得更多的帮助。  console_handle: 0x0000000b  success  1  0
1619271572.212499  WriteConsoleW  buffer: 这项服务无法接受请求的“暂停”、“继续”或“停止”操作。  console_handle: 0x0000000b  success  1  0
1619271572.212499  WriteConsoleW  buffer: 请键入 NET HELPMSG 2191 以获得更多的帮助。  console_handle: 0x0000000b  success  1  0
1619271607.743626  WriteConsoleW  buffer: 这项服务无法接受请求的“暂停”、“继续”或“停止”操作。  console_handle: 0x0000000b  success  1  0
1619271607.743626  WriteConsoleW  buffer: 请键入 NET HELPMSG 2191 以获得更多的帮助。  console_handle: 0x0000000b  success  1  0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .gfids
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619271508.727499
__exception__
stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdc5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf173c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7feffdc62ba
Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefdfdb949
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feffdc21d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feffc7d8a2
ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7feffc81bb3
ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7feffc81b22
CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7feffc817eb
CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7feffc81417
CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7feffc794fa
CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7feffc79428
CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7feffc79b49
CoRegisterMessageFilter+0x153b CoUninitialize-0x3341 ole32+0x1dfd3 @ 0x7feffc6dfd3
CoRegisterMessageFilter+0x11c0 CoUninitialize-0x36bc ole32+0x1dc58 @ 0x7feffc6dc58
CoRegisterMessageFilter+0xb97 CoUninitialize-0x3ce5 ole32+0x1d62f @ 0x7feffc6d62f
CoRegisterMessageFilter+0x13fe CoUninitialize-0x347e ole32+0x1de96 @ 0x7feffc6de96
ObjectStublessClient32+0x73c2 CoDisconnectContext-0x9cb6 ole32+0x4aec2 @ 0x7feffc9aec2
CoUninitialize+0x1010 CoInitializeEx-0x70c ole32+0x22324 @ 0x7feffc72324
CoRegisterMessageFilter+0x3c30 CoUninitialize-0xc4c ole32+0x206c8 @ 0x7feffc706c8
CoRegisterMessageFilter+0x3c01 CoUninitialize-0xc7b ole32+0x20699 @ 0x7feffc70699
CoDisableCallCancellation+0x3fc ObjectStublessClient24-0xe4 ole32+0xe7ac @ 0x7feffc5e7ac
CoUninitialize+0xa6 CoInitializeEx-0x1676 ole32+0x213ba @ 0x7feffc713ba
New_ole32_CoUninitialize+0x57 New_ole32_OleConvertOLESTREAMToIStorage-0x53 @ 0x7563774b
mobsync+0x6840 @ 0xfff86840
mobsync+0x70ae @ 0xfff870ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80010012
exception.offset: 42141
exception.address: 0x7fefdc5a49d
success 0 0
Behavioral verdict
Dynamic indicators
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to stop active services (3 events)
Time & API  Arguments  Status  Return  Repeated
1619271504.103001  ControlService  service_handle: 0x0054d3b0  service_name: SPOOLER  control_code: 1  success  1  0
1619271505.088001  ControlService  service_handle: 0x0041d6c8  service_name: AudioSrv  control_code: 1  success  1  0
1619271507.681001  ControlService  service_handle: 0x0041d3d0  service_name: AUDIOENDPOINTBUILDER  control_code: 1  success  1  0
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 of 61 events shown)
MicroWorld-eScan Generic.Ransom.Ryuk3.7506A00E
FireEye Generic.mg.2209710b3ba686e5
Qihoo-360 Generic/HEUR/QVM10.2.1379.Malware.Gen
McAfee GenericRXHI-XN!2209710B3BA6
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005437b71 )
Alibaba Ransom:Win32/Androm.32000894
K7GW Trojan ( 005437b71 )
Cybereason malicious.b3ba68
Arcabit Generic.Ransom.Ryuk3.7506A00E
Invincea heuristic
Symantec Ransom.Hermes!gen2
APEX Malicious
Paloalto generic.ml
ClamAV Win.Ransomware.Ryuk-6688842-0
Kaspersky HEUR:Backdoor.Win32.Androm.gen
BitDefender Generic.Ransom.Ryuk3.7506A00E
NANO-Antivirus Trojan.Win32.Invader.fmqtea
AegisLab Trojan.Win32.Generic.4!c
Avast Win32:RansomX-gen [Ransom]
Rising Ransom.Ryuk!8.10431 (CLOUD)
Ad-Aware Generic.Ransom.Ryuk3.7506A00E
Emsisoft Generic.Ransom.Ryuk3.7506A00E (B)
Comodo Malware@#3kvmgns0ywteo
F-Secure Trojan.TR/ATRAPS.Gen4
DrWeb Trojan.Inject3.36531
Zillya Trojan.Invader.Win32.2321
TrendMicro Ransom.Win32.RYUK.SM
McAfee-GW-Edition GenericRXHI-XN!2209710B3BA6
Trapmine malicious.moderate.ml.score
Sophos Troj/Ransom-FAF
SentinelOne DFI - Malicious PE
Cyren W32/Trojan.SPFZ-4620
Jiangmin Trojan.Invader.byz
Webroot W32.Trojan.Gen
Avira TR/ATRAPS.Gen4
Antiy-AVL Trojan/Win32.Invader
Microsoft Ransom:Win32/Ryuk.AA
Endgame malicious (high confidence)
ViRobot Trojan.Win32.Ryuk.171008
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Generic.Ransom.Ryuk3.7506A00E
AhnLab-V3 Trojan/Win32.Frs.C3002021
Acronis suspicious
ALYac Trojan.Ransom.Ryuk
MAX malware (ai score=81)
VBA32 BScope.TrojanRansom.Agent
ESET-NOD32 a variant of Win32/Filecoder.Ryuk.B
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2019-02-28 04:36:51

Imports

Library KERNEL32.dll:
0x3001402c GetModuleHandleA
0x30014030 OpenProcess
0x30014038 Sleep
0x3001403c GetLastError
0x30014040 Process32NextW
0x30014044 GetCurrentThread
0x30014048 LoadLibraryA
0x3001404c GlobalAlloc
0x30014050 DeleteFileW
0x30014054 Process32FirstW
0x30014058 GetVersionExW
0x3001405c CloseHandle
0x30014060 CreateThread
0x30014064 HeapAlloc
0x30014068 GetWindowsDirectoryW
0x3001406c GetProcAddress
0x30014070 VirtualAllocEx
0x30014074 LocalFree
0x30014078 GetProcessHeap
0x3001407c FreeLibrary
0x30014080 CreateRemoteThread
0x30014084 VirtualFreeEx
0x30014088 CreateFileW
0x3001408c GetModuleFileNameW
0x30014090 VirtualAlloc
0x30014094 GetCurrentProcess
0x30014098 GetCommandLineW
0x3001409c VirtualFree
0x300140a0 SetLastError
0x300140a4 HeapFree
0x300140a8 GlobalFree
0x300140ac DecodePointer
0x300140b0 WriteConsoleW
0x300140b8 GetCurrentProcessId
0x300140bc GetCurrentThreadId
0x300140c4 InitializeSListHead
0x300140c8 IsDebuggerPresent
0x300140d4 GetStartupInfoW
0x300140dc GetModuleHandleW
0x300140e0 TerminateProcess
0x300140e4 RaiseException
0x300140ec TlsAlloc
0x300140f0 TlsGetValue
0x300140f4 TlsSetValue
0x300140f8 TlsFree
0x300140fc LoadLibraryExW
0x30014100 RtlUnwind
0x30014104 EnterCriticalSection
0x30014108 LeaveCriticalSection
0x3001410c DeleteCriticalSection
0x30014110 ExitProcess
0x30014114 GetModuleHandleExW
0x30014118 GetStdHandle
0x3001411c WriteFile
0x30014120 MultiByteToWideChar
0x30014124 WideCharToMultiByte
0x30014128 GetACP
0x3001412c LCMapStringW
0x30014130 GetStringTypeW
0x30014134 GetFileType
0x30014138 FindClose
0x3001413c FindFirstFileExW
0x30014140 FindNextFileW
0x30014144 IsValidCodePage
0x30014148 GetOEMCP
0x3001414c GetCPInfo
0x30014150 GetCommandLineA
0x30014154 GetEnvironmentStringsW
0x3001415c SetStdHandle
0x30014160 FlushFileBuffers
0x30014164 GetConsoleCP
0x30014168 GetConsoleMode
0x3001416c HeapSize
0x30014170 HeapReAlloc
0x30014174 SetFilePointerEx
0x30014178 WriteProcessMemory
Library ADVAPI32.dll:
0x30014000 SystemFunction036
0x30014004 LookupPrivilegeValueW
0x30014008 AdjustTokenPrivileges
0x3001400c OpenSCManagerW
0x30014010 ImpersonateSelf
0x30014014 OpenProcessToken
0x30014018 EnumServicesStatusW
0x3001401c OpenThreadToken
0x30014020 LookupAccountSidW
0x30014024 GetTokenInformation
Library SHELL32.dll:
0x30014180 ShellExecuteW
0x30014184 CommandLineToArgvW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.