12.6
0-day
50 个模型检测该样本为恶意!
重新分析
更多

c190a5ad07413d85b0bd7da6c74b8cff0e46a10bdb15775d4b700b2de957ccd1

2296a77e8200e57b5680f9d422f2dcec.exe

分析耗时

92s

最近分析

文件大小

723.5KB
静态报毒 动态报毒 AGENTTESLA AI SCORE=87 BT5EQ3 CONFIDENCE CRYPTINJECT ELDORADO ENVP FAREIT GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HOMXCR HQBU IGENT KRYPTIK MALICIOUS PE MALWARE@#3SMGI5H9ETNBA MASSLOGGER MORTYSTEALER NOON OLRTR PACKEDNET PASSWORDSTEALER PWSX R + TROJ R06BC0RG920 R343529 SCORE UNSAFE YAKBEEXMSIL 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FWJ!2296A77E8200 20200915 6.0.6.653
Alibaba TrojanSpy:Win32/CryptInject.85d9ee52 20190527 0.3.0.5
Avast Win32:PWSX-gen [Trj] 20200917 18.4.3895.0
Tencent Msil.Trojan-spy.Noon.Hqbu 20200917 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200917 2013.8.14.323
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619285424.28125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619269226.688205
IsDebuggerPresent
failed 0 0
1619269226.688205
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619285424.81225
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\XozvKiJ"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619269226.719205
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619285428.968625
__exception__
stacktrace: 
2296a77e8200e57b5680f9d422f2dcec+0x3556 @ 0x403556
2296a77e8200e57b5680f9d422f2dcec+0x111a0 @ 0x4111a0
2296a77e8200e57b5680f9d422f2dcec+0x13321 @ 0x413321
2296a77e8200e57b5680f9d422f2dcec+0x5abc @ 0x405abc
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2945120
registers.edi: 2945260
registers.eax: 2945144
registers.ebp: 2945160
registers.edx: 43974656
registers.ebx: 2945400
registers.esi: 2945416
registers.ecx: 0
exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x76373118
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (48 个事件)
Time & API Arguments Status Return Repeated
1619269226.141205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x003f0000
success 0 0
1619269226.141205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00430000
success 0 0
1619269226.516205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1619269226.516205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e0000
success 0 0
1619269226.610205
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619269226.688205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a70000
success 0 0
1619269226.688205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a90000
success 0 0
1619269226.703205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049a000
success 0 0
1619269226.703205
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619269226.703205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00492000
success 0 0
1619269226.875205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b2000
success 0 0
1619269226.953205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d5000
success 0 0
1619269226.953205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004db000
success 0 0
1619269226.953205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d7000
success 0 0
1619269227.047205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b3000
success 0 0
1619269227.078205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004bc000
success 0 0
1619269227.125205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba0000
success 0 0
1619269227.438205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b4000
success 0 0
1619269227.453205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b6000
success 0 0
1619269227.625205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ca000
success 0 0
1619269227.625205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c7000
success 0 0
1619269227.766205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c6000
success 0 0
1619269227.797205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba1000
success 0 0
1619269227.985205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b7000
success 0 0
1619269261.297205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049c000
success 0 0
1619269261.297205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba3000
success 0 0
1619269261.375205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b8000
success 0 0
1619269261.407205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b9000
success 0 0
1619269261.422205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a70000
success 0 0
1619269261.438205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a91000
success 0 0
1619269261.453205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a92000
success 0 0
1619269261.453205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a93000
success 0 0
1619269261.453205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a94000
success 0 0
1619269261.453205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a96000
success 0 0
1619269261.500205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba4000
success 0 0
1619269261.500205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a98000
success 0 0
1619269261.500205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a9c000
success 0 0
1619269261.500205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00aad000
success 0 0
1619269261.516205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00aae000
success 0 0
1619269261.516205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba5000
success 0 0
1619269261.516205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a71000
success 0 0
1619269261.578205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba6000
success 0 0
1619269261.625205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a72000
success 0 0
1619269261.625205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba7000
success 0 0
1619269264.516205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba8000
success 0 0
1619269264.625205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004bd000
success 0 0
1619269264.625205
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a73000
success 0 0
1619285460.765375
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004180000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XozvKiJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE039.tmp"
cmdline schtasks.exe /Create /TN "Updates\XozvKiJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE039.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619269262.188205
ShellExecuteExW
parameters: /Create /TN "Updates\XozvKiJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE039.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.287455394187721 section {'size_of_data': '0x000b4200', 'virtual_address': '0x00002000', 'entropy': 7.287455394187721, 'name': '.text', 'virtual_size': '0x000b4034'} description A section with a high entropy has been found
entropy 0.9965421853388658 description Overall entropy of this PE file is high
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XozvKiJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE039.tmp"
cmdline schtasks.exe /Create /TN "Updates\XozvKiJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE039.tmp"
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 104.123.204.161
host 158.69.115.206
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619269264.625205
NtAllocateVirtualMemory
process_identifier: 2648
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000378
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE039.tmp
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $3š $wûcwwûcwwûcw´ô<wvûcw~ƒçwvûcw´ô>wuûcwP=wvûcwP= wtûcwr÷lwvûcw~ƒàwsûcw~ƒðwhûcwwûbwûcwä’jvûcw䒜wvûcwä’avvûcwRichwûcwPELUžï^à ,Ú=Z@@@@…wðp, ˆ u@p.textƒ+, `.rdataÎI@J0@@.dataØPz@À.rsrcp,ð.€@@.relocˆ ®@B.bss0¾@@
process_handle: 0x00000378
base_address: 0x00400000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: Í@ï@þ@ @@+@:@\@k@€@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(P‘AP‘AU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃ,mAd
process_handle: 0x00000378
base_address: 0x00419000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: 2¯=mÎZî@@הΗIûÏ{‹°JO"چº®¿Š=MŒÀÞª¢ÖÌòVˆ¾í` æâõúŠ‘s˜î`Ñ}Ô®ëèQP« äöÊÛn ª%òç%µO(ö>"ÔΨ—µ)Ú_×é®Eí<‰ˆö"…49\ž!ˆ´w•·DÜkìH¦ß'(
process_handle: 0x00000378
base_address: 0x00553000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: @
process_handle: 0x00000378
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $3š $wûcwwûcwwûcw´ô<wvûcw~ƒçwvûcw´ô>wuûcwP=wvûcwP= wtûcwr÷lwvûcw~ƒàwsûcw~ƒðwhûcwwûbwûcwä’jvûcw䒜wvûcwä’avvûcwRichwûcwPELUžï^à ,Ú=Z@@@@…wðp, ˆ u@p.textƒ+, `.rdataÎI@J0@@.dataØPz@À.rsrcp,ð.€@@.relocˆ ®@B.bss0¾@@
process_handle: 0x00000378
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 912 called NtSetContextThread to modify thread in remote process 2648
Time & API Arguments Status Return Repeated
1619269264.625205
NtSetContextThread
thread_handle: 0x00000330
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217405
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2648
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 912 resumed a thread in remote process 2648
Time & API Arguments Status Return Repeated
1619269264.907205
NtResumeThread
thread_handle: 0x00000330
suspend_count: 1
process_identifier: 2648
success 0 0
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 158.69.115.206:5200
Executed a process and injected code into it, probably while unpacking (17 个事件)
Time & API Arguments Status Return Repeated
1619269226.688205
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 912
success 0 0
1619269226.703205
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 912
success 0 0
1619269226.750205
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 912
success 0 0
1619269262.188205
CreateProcessInternalW
thread_identifier: 2128
thread_handle: 0x0000033c
process_identifier: 2656
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XozvKiJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE039.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000374
inherit_handles: 0
success 1 0
1619269264.610205
CreateProcessInternalW
thread_identifier: 2652
thread_handle: 0x00000330
process_identifier: 2648
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2296a77e8200e57b5680f9d422f2dcec.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2296a77e8200e57b5680f9d422f2dcec.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000378
inherit_handles: 0
success 1 0
1619269264.625205
NtGetContextThread
thread_handle: 0x00000330
success 0 0
1619269264.625205
NtAllocateVirtualMemory
process_identifier: 2648
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000378
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $3š $wûcwwûcwwûcw´ô<wvûcw~ƒçwvûcw´ô>wuûcwP=wvûcwP= wtûcwr÷lwvûcw~ƒàwsûcw~ƒðwhûcwwûbwûcwä’jvûcw䒜wvûcwä’avvûcwRichwûcwPELUžï^à ,Ú=Z@@@@…wðp, ˆ u@p.textƒ+, `.rdataÎI@J0@@.dataØPz@À.rsrcp,ð.€@@.relocˆ ®@B.bss0¾@@
process_handle: 0x00000378
base_address: 0x00400000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer:
process_handle: 0x00000378
base_address: 0x00401000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer:
process_handle: 0x00000378
base_address: 0x00414000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: Í@ï@þ@ @@+@:@\@k@€@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(P‘AP‘AU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃ,mAd
process_handle: 0x00000378
base_address: 0x00419000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer:
process_handle: 0x00000378
base_address: 0x0054f000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer:
process_handle: 0x00000378
base_address: 0x00552000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: 2¯=mÎZî@@הΗIûÏ{‹°JO"چº®¿Š=MŒÀÞª¢ÖÌòVˆ¾í` æâõúŠ‘s˜î`Ñ}Ô®ëèQP« äöÊÛn ª%òç%µO(ö>"ÔΨ—µ)Ú_×é®Eí<‰ˆö"…49\ž!ˆ´w•·DÜkìH¦ß'(
process_handle: 0x00000378
base_address: 0x00553000
success 1 0
1619269264.625205
WriteProcessMemory
process_identifier: 2648
buffer: @
process_handle: 0x00000378
base_address: 0x7efde008
success 1 0
1619269264.625205
NtSetContextThread
thread_handle: 0x00000330
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217405
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2648
success 0 0
1619269264.907205
NtResumeThread
thread_handle: 0x00000330
suspend_count: 1
process_identifier: 2648
success 0 0
File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)
Elastic malicious (high confidence)
DrWeb Trojan.PackedNET.372
MicroWorld-eScan Trojan.GenericKD.34137863
FireEye Trojan.GenericKD.34137863
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FWJ!2296A77E8200
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2114379
Sangfor Malware
K7AntiVirus Trojan ( 0056a4281 )
Alibaba TrojanSpy:Win32/CryptInject.85d9ee52
K7GW Trojan ( 0056a4281 )
Arcabit Trojan.Generic.D208E707
TrendMicro TROJ_GEN.R06BC0RG920
Cyren W32/MSIL_Kryptik.BAZ.gen!Eldorado
Symantec Trojan Horse
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Cynet Malicious (score: 85)
Kaspersky HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender Trojan.GenericKD.34137863
NANO-Antivirus Trojan.Win32.Noon.homxcr
Paloalto generic.ml
AegisLab Trojan.MSIL.Noon.l!c
Tencent Msil.Trojan-spy.Noon.Hqbu
Ad-Aware Trojan.GenericKD.34137863
Comodo Malware@#3smgi5h9etnba
F-Secure Trojan.TR/AD.MortyStealer.olrtr
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-R + Troj/MSIL-PHN
Sophos Troj/MSIL-PHN
SentinelOne DFI - Malicious PE
Webroot W32.Trojan.Gen
Avira TR/AD.MortyStealer.olrtr
Antiy-AVL Trojan[Spy]/MSIL.Noon
Microsoft Trojan:MSIL/Masslogger.VN!MTB
ZoneAlarm HEUR:Trojan-Spy.MSIL.Noon.gen
GData Trojan.GenericKD.34137863
AhnLab-V3 Trojan/Win32.AgentTesla.R343529
MAX malware (ai score=87)
Malwarebytes Spyware.PasswordStealer
ESET-NOD32 a variant of MSIL/Kryptik.WTP
TrendMicro-HouseCall TROJ_GEN.R06BC0RG920
Yandex Trojan.Igent.bT5EQ3.33
Ikarus Trojan.MSIL.Inject
Fortinet MSIL/GenKryptik.ENVP!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_60% (W)
Qihoo-360 Generic/Trojan.Spy.beb
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-08 11:58:50

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
104.123.204.161 443 192.168.56.101 49185

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.