SmartHawk

9.0

极危

54 个模型检测该样本为恶意！

重新分析

下载样本

28c7f2fc1f4d1aa90c1ef851e95d35afe1ef061d2becf88143bc7f83325ccb04

24f02ce439ca41c864dbc3acb17d9522.exe

分析耗时

40s

最近分析

文件大小

583.5KB

静态报毒动态报毒 100% AGENTTESLA AI SCORE=80 ALI1000139 ASJY ATTRIBUTE BTHE6I CONFIDENCE ELDORADO GENCIRC GENERICKD GENERICRXKD HIGH CONFIDENCE HIGHCONFIDENCE HIJXNB IGENT JEZQ KCLOUD KRYPTIK KTSE NANOCORE NEGASTEAL NOON PWSX R + TROJ R332236 SCORE SE64YE SIGGEN9 STARTER TSCOPE UNSAFE WLCR YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXKD-NL!24F02CE439CA	20201228	6.0.6.653
Alibaba	Trojan:Win32/starter.ali1000139	20190527	0.3.0.5
Avast	Win32:PWSX-gen [Trj]	20201228	21.1.5827.0
Baidu		20190318	1.0.0.2
Kingsoft	Win32.Troj.Undef.(kcloud)	20201228	2017.9.26.565
Tencent	Malware.Win32.Gencirc.1141a638	20201228	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619271159.126875 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (25 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269223.807662 IsDebuggerPresent		failed	0	0
1619269226.369662 IsDebuggerPresent		failed	0	0
1619269226.853662 IsDebuggerPresent		failed	0	0
1619269227.369662 IsDebuggerPresent		failed	0	0
1619269227.853662 IsDebuggerPresent		failed	0	0
1619269228.369662 IsDebuggerPresent		failed	0	0
1619269228.853662 IsDebuggerPresent		failed	0	0
1619269229.369662 IsDebuggerPresent		failed	0	0
1619269229.853662 IsDebuggerPresent		failed	0	0
1619269230.369662 IsDebuggerPresent		failed	0	0
1619269230.853662 IsDebuggerPresent		failed	0	0
1619269231.369662 IsDebuggerPresent		failed	0	0
1619269231.853662 IsDebuggerPresent		failed	0	0
1619269232.369662 IsDebuggerPresent		failed	0	0
1619269232.853662 IsDebuggerPresent		failed	0	0
1619269233.369662 IsDebuggerPresent		failed	0	0
1619269233.853662 IsDebuggerPresent		failed	0	0
1619269234.369662 IsDebuggerPresent		failed	0	0
1619269234.853662 IsDebuggerPresent		failed	0	0
1619269235.369662 IsDebuggerPresent		failed	0	0
1619269235.853662 IsDebuggerPresent		failed	0	0
1619269236.369662 IsDebuggerPresent		failed	0	0
1619269236.853662 IsDebuggerPresent		failed	0	0
1619269237.369662 IsDebuggerPresent		failed	0	0
1619269237.853662 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619271159.689875 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\TodfFgXAgL"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269225.822662 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 75 个事件)

Time & API	Arguments	Status	Return
1619269222.791662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00ad0000	success	0
1619269222.791662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c40000	success	0
1619269223.650662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success	0
1619269223.807662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0045a000	success	0
1619269223.807662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success	0
1619269223.807662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00452000	success	0
1619269224.135662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00462000	success	0
1619269224.213662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00463000	success	0
1619269224.228662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0049b000	success	0
1619269224.228662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00497000	success	0
1619269224.244662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046c000	success	0
1619269224.619662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00464000	success	0
1619269224.619662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00465000	success	0
1619269224.650662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00466000	success	0
1619269224.666662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00580000	success	0
1619269224.760662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00467000	success	0
1619269224.791662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047a000	success	0
1619269224.791662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00477000	success	0
1619269224.791662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048a000	success	0
1619269224.822662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0045b000	success	0
1619269224.853662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00476000	success	0
1619269224.932662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00581000	success	0
1619269225.228662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00468000	success	0
1619269225.275662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00be0000	success	0
1619269225.307662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00482000	success	0
1619269225.307662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048c000	success	0
1619269225.416662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046a000	success	0
1619269225.432662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00584000	success	0
1619269225.494662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00585000	success	0
1619269225.525662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00469000	success	0
1619269225.603662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00495000	success	0
1619269225.682662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c41000	success	0
1619269225.869662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04860000	success	0
1619269225.885662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00586000	success	0
1619269225.885662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04861000	success	0
1619269225.885662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00587000	success	0
1619269225.900662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00588000	success	0
1619269225.900662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00589000	success	0
1619269225.900662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success	0
1619269225.932662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058b000	success	0
1619269225.963662 NtAllocateVirtualMemory	process_identifier: 2636 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058c000	success	0
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04810178	failed	3221225550
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x048101a0	failed	3221225550
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x048101c8	failed	3221225550
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0485a84e	failed	3221225550
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0485a842	failed	3221225550
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04810208	failed	3221225550
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0484b750	failed	3221225550
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0484b770	failed	3221225550
1619269226.088662 NtProtectVirtualMemory	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0484b778	failed	3221225550

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TodfFgXAgL" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7DE5.tmp"
cmdline	schtasks.exe /Create /TN "Updates\TodfFgXAgL" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7DE5.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269234.213662 ShellExecuteExW	parameters: /Create /TN "Updates\TodfFgXAgL" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7DE5.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

6.885754685760726

section

{'size_of_data': '0x00091400', 'virtual_address': '0x00002000', 'entropy': 6.885754685760726, 'name': '.text', 'virtual_size': '0x00091334'}

description

A section with a high entropy has been found

entropy

0.9965694682675815

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269226.150662 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (10 个事件)

Time & API	Arguments	Status
1619269236.807662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1804 process_handle: 0x000003c8	failed
1619269236.807662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1804 process_handle: 0x000003c8	success
1619269237.135662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1712 process_handle: 0x000003d0	failed
1619269237.135662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1712 process_handle: 0x000003d0	success
1619269237.385662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2824 process_handle: 0x000003d8	failed
1619269237.385662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2824 process_handle: 0x000003d8	success
1619269237.603662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2448 process_handle: 0x000003e0	failed
1619269237.603662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2448 process_handle: 0x000003e0	success
1619269237.885662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2032 process_handle: 0x000003e8	failed
1619269237.885662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2032 process_handle: 0x000003e8	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TodfFgXAgL" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7DE5.tmp"
cmdline	schtasks.exe /Create /TN "Updates\TodfFgXAgL" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7DE5.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (5 个事件)

Time & API	Arguments	Status	Return
1619269236.557662 NtAllocateVirtualMemory	process_identifier: 1804 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269236.916662 NtAllocateVirtualMemory	process_identifier: 1712 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269237.213662 NtAllocateVirtualMemory	process_identifier: 2824 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003cc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269237.463662 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269237.713662 NtAllocateVirtualMemory	process_identifier: 2032 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7DE5.tmp

Manipulates memory of a non-child process indicative of process injection (10 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2636 manipulating memory of non-child process 1804
Process injection	Process 2636 manipulating memory of non-child process 1712
Process injection	Process 2636 manipulating memory of non-child process 2824
Process injection	Process 2636 manipulating memory of non-child process 2448
Process injection	Process 2636 manipulating memory of non-child process 2032
1619269236.557662 NtAllocateVirtualMemory	process_identifier: 1804 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269236.916662 NtAllocateVirtualMemory	process_identifier: 1712 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269237.213662 NtAllocateVirtualMemory	process_identifier: 2824 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003cc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269237.463662 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269237.713662 NtAllocateVirtualMemory	process_identifier: 2032 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (20 个事件)

Time & API	Arguments	Status	Return
1619269223.807662 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2636	success	0
1619269223.900662 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2636	success	0
1619269226.275662 NtResumeThread	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2636	success	0
1619269226.291662 NtResumeThread	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2636	success	0
1619269234.213662 CreateProcessInternalW	thread_identifier: 2616 thread_handle: 0x00000378 process_identifier: 2316 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TodfFgXAgL" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7DE5.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000003b0 inherit_handles: 0	success	1
1619269236.557662 CreateProcessInternalW	thread_identifier: 708 thread_handle: 0x0000036c process_identifier: 1804 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000003c0 inherit_handles: 0	success	1
1619269236.557662 NtGetContextThread	thread_handle: 0x0000036c	success	0
1619269236.557662 NtAllocateVirtualMemory	process_identifier: 1804 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269236.916662 CreateProcessInternalW	thread_identifier: 1688 thread_handle: 0x000003c8 process_identifier: 1712 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000003c4 inherit_handles: 0	success	1
1619269236.916662 NtGetContextThread	thread_handle: 0x000003c8	success	0
1619269236.916662 NtAllocateVirtualMemory	process_identifier: 1712 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269237.213662 CreateProcessInternalW	thread_identifier: 1824 thread_handle: 0x000003d0 process_identifier: 2824 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000003cc inherit_handles: 0	success	1
1619269237.213662 NtGetContextThread	thread_handle: 0x000003d0	success	0
1619269237.213662 NtAllocateVirtualMemory	process_identifier: 2824 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003cc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269237.463662 CreateProcessInternalW	thread_identifier: 1816 thread_handle: 0x000003d8 process_identifier: 2448 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000003d4 inherit_handles: 0	success	1
1619269237.463662 NtGetContextThread	thread_handle: 0x000003d8	success	0
1619269237.463662 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269237.713662 CreateProcessInternalW	thread_identifier: 2040 thread_handle: 0x000003e0 process_identifier: 2032 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\24f02ce439ca41c864dbc3acb17d9522.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000003dc inherit_handles: 0	success	1
1619269237.713662 NtGetContextThread	thread_handle: 0x000003e0	success	0
1619269237.713662 NtAllocateVirtualMemory	process_identifier: 2032 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen9.35715
MicroWorld-eScan	Trojan.GenericKD.42962522
FireEye	Generic.mg.24f02ce439ca41c8
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Qihoo-360	Trojan.Generic
McAfee	GenericRXKD-NL!24F02CE439CA
Cylance	Unsafe
K7AntiVirus	Trojan ( 005643c01 )
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Trojan ( 005643c01 )
Arcabit	Trojan.Generic.D28F8E5A
Cyren	W32/MSIL_Agent.BFP.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.42962522
NANO-Antivirus	Trojan.Win32.Kryptik.hijxnb
Paloalto	generic.ml
Rising	Spyware.Noon!8.E7C9 (KTSE)
Ad-Aware	Trojan.GenericKD.42962522
Sophos	Mal/Generic-R + Troj/MSIL-ONO
F-Secure	Trojan.TR/Agent.jezq
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.WLCR
McAfee-GW-Edition	BehavesLike.Win32.Generic.hh
Emsisoft	Trojan.GenericKD.42962522 (B)
Jiangmin	TrojanSpy.MSIL.asjy
Webroot	W32.Trojan.Gen
Avira	TR/Agent.jezq
MAX	malware (ai score=80)
Antiy-AVL	Trojan[Spy]/MSIL.Noon
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:MSIL/NanoCore.VN!MTB
AegisLab	Trojan.MSIL.Noon.l!c
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Win32.Trojan-Stealer.AgentTesla.SE64YE
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Noon.R332236
ALYac	Trojan.GenericKD.42962522
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Crypt.MSIL.Generic
Zoner	Trojan.Win32.90866
ESET-NOD32	MSIL/Autorun.Spy.Agent.DF
TrendMicro-HouseCall	TrojanSpy.MSIL.NEGASTEAL.WLCR
Tencent	Malware.Win32.Gencirc.1141a638
Yandex	Trojan.Igent.bTHE6I.24
Ikarus	Trojan.Inject
eGambit	Unsafe.AI_Score_99%

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-09 16:01:50

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51966	239.255.255.250	1900
192.168.56.101	53238	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	65005	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.