12.2
0-day

5bc6d14d3ea91f0ab53ff5c98e79db44e431cd2567225e0fbe6cf97b25a5eacf

25e972b46dc6a1356b1fd216a4df0107.exe

Analysis duration

110s

Latest analysis

File size

439.0KB
Static verdict: malicious. Dynamic verdict: malicious (100%). Tags: AGENSLA AI SCORE=82 APDM ARXZI CONFIDENCE CRYPTINJECT EQMX FAREIT GDSDA GFABEP8I3F8 HIGH CONFIDENCE HSIAJW HTCR KRYPTIK LPLM MALICIOUS PE MALREP MALWARE@#1Q98YHZXSQWSO MSILPERSEUS PACKEDNET PWSX QQPASS QQROB R348320 SCORE SUSGEN THIBDBO TROJANPSW TSCOPE UNSAFE YAKBEEXMSIL
Hawkeye engine
Not detected: no Hawkeye engine results are available for this sample.
Static verdict
Antivirus engines
Engine        Result                                      Scan date   Engine version
McAfee        Fareit-FVT!25E972B46DC6                     20201024    6.0.6.653
Alibaba       TrojanPSW:MSIL/CryptInject.5e9e262c         20190527    0.3.0.5
CrowdStrike   win/malicious_confidence_100% (W)           20190702    1.0
Baidu         -                                           20190318    1.0.0.2
Avast         Win32:PWSX-gen [Trj]                        20201024    18.4.3895.0
Tencent       Msil.Trojan-qqpass.Qqrob.Htcr               20201024    1.0.0.1
Kingsoft      -                                           20201024    2013.8.14.323
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619293310.715001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (12 events)
Time & API Arguments Status Return Repeated
1619269228.344567
IsDebuggerPresent
failed 0 0
1619269228.344567
IsDebuggerPresent
failed 0 0
1619269278.751567
IsDebuggerPresent
failed 0 0
1619269279.282567
IsDebuggerPresent
failed 0 0
1619269279.782567
IsDebuggerPresent
failed 0 0
1619269280.282567
IsDebuggerPresent
failed 0 0
1619269280.782567
IsDebuggerPresent
failed 0 0
1619269281.282567
IsDebuggerPresent
failed 0 0
1619269281.798567
IsDebuggerPresent
failed 0 0
1619269282.282567
IsDebuggerPresent
failed 0 0
1619293314.043249
IsDebuggerPresent
failed 0 0
1619293314.043249
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619293311.309001
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\kaEgfozi"。
console_handle: 0x00000007
success 1 0
This executable has a PDB path (1 event)
pdb_path C:\Users\Administrator\Desktop\Client\Temp\kHUHAQduPu\src\obj\Debug\Gjl.pdb
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619269228.391567
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 125 events)
Time & API Arguments Status Return Repeated
1619269227.532567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x002c0000
success 0 0
1619269227.532567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00310000
success 0 0
1619269227.969567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x004f0000
success 0 0
1619269227.969567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f0000
success 0 0
1619269228.126567
NtProtectVirtualMemory
process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619269228.344567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619269228.344567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619269228.344567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0036a000
success 0 0
1619269228.344567
NtProtectVirtualMemory
process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619269228.344567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00362000
success 0 0
1619269228.594567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00532000
success 0 0
1619269228.813567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00555000
success 0 0
1619269228.829567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055b000
success 0 0
1619269228.829567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619269228.985567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00533000
success 0 0
1619269229.048567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053c000
success 0 0
1619269229.423567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00534000
success 0 0
1619269229.423567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00536000
success 0 0
1619269229.516567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab0000
success 0 0
1619269229.594567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054a000
success 0 0
1619269229.594567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00547000
success 0 0
1619269229.751567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab1000
success 0 0
1619269229.907567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00537000
success 0 0
1619269229.938567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00538000
success 0 0
1619269230.063567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab2000
success 0 0
1619269230.063567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00539000
success 0 0
1619269230.126567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00546000
success 0 0
1619269230.157567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02220000
success 0 0
1619269230.188567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab3000
success 0 0
1619269230.204567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02221000
success 0 0
1619269230.219567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab4000
success 0 0
1619269271.751567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab7000
success 0 0
1619269271.923567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0036c000
success 0 0
1619269271.938567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab8000
success 0 0
1619269272.016567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02222000
success 0 0
1619269272.016567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053d000
success 0 0
1619269272.016567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab9000
success 0 0
1619269272.016567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00aba000
success 0 0
1619269272.126567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02223000
success 0 0
1619269272.126567
NtProtectVirtualMemory
process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 271360
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05500400
failed 3221225550 0
1619269278.204567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00abb000
success 0 0
1619269278.219567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00abc000
success 0 0
1619269278.266567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00abd000
success 0 0
1619269278.344567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00abe000
success 0 0
1619269278.360567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00abf000
success 0 0
1619269278.563567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02224000
success 0 0
1619269278.563567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ee0000
success 0 0
1619269278.594567
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ee1000
success 0 0
1619269278.594567
NtProtectVirtualMemory
process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05500178
failed 3221225550 0
1619269278.594567
NtProtectVirtualMemory
process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055001a0
failed 3221225550 0
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\kaEgfozi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1B10.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kaEgfozi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1B10.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619269279.438567
ShellExecuteExW
parameters: /Create /TN "Updates\kaEgfozi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1B10.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.807249883096091 section {'size_of_data': '0x0006d200', 'virtual_address': '0x00002000', 'entropy': 7.807249883096091, 'name': '.text', 'virtual_size': '0x0006d084'} description A section with a high entropy has been found
entropy 0.9954389965792474 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier of a suspicious privilege on the system (2 events)
Time & API Arguments Status Return Repeated
1619269272.110567
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619293326.278249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 events)
Time & API Arguments Status Return Repeated
1619269282.298567
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 648
process_handle: 0x0000ff10
failed 0 0
1619269282.298567
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 648
process_handle: 0x0000ff10
success 0 0
1619293356.106249
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2636
process_handle: 0x00000230
failed 0 0
1619293356.106249
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2636
process_handle: 0x00000230
failed 3221225738 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\kaEgfozi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1B10.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kaEgfozi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1B10.tmp"
Network communication
Communicates with a host for which no DNS query was performed (2 events)
host 121.12.53.35
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1619269282.001567
NtAllocateVirtualMemory
process_identifier: 648
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00002bc8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619269282.376567
NtAllocateVirtualMemory
process_identifier: 340
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000030c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1B10.tmp
Manipulates memory of a non-child process, indicative of process injection (2 events)
Process injection Process 2636 manipulating memory of non-child process 648
Time & API Arguments Status Return Repeated
1619269282.001567
NtAllocateVirtualMemory
process_identifier: 648
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00002bc8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619269282.376567
WriteProcessMemory
process_identifier: 340
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELŒ]_à  Po €@ À@…ÌnO€H   H.text$O P `.rsrcH€R@@.reloc  X@B
process_handle: 0x000030c8
base_address: 0x00400000
success 1 0
1619269282.391567
WriteProcessMemory
process_identifier: 340
buffer:  €P€8€€h€ €¼\ƒê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t*InternalNameHQlzUkapoqCUDFDwRwOPBhsJPtufLkscxXVWz.exe(LegalCopyright |*OriginalFilenameHQlzUkapoqCUDFDwRwOPBhsJPtufLkscxXVWz.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x000030c8
base_address: 0x00448000
success 1 0
1619269282.391567
WriteProcessMemory
process_identifier: 340
buffer: ` ?
process_handle: 0x000030c8
base_address: 0x0044a000
success 1 0
1619269282.391567
WriteProcessMemory
process_identifier: 340
buffer: @
process_handle: 0x000030c8
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619269282.376567
WriteProcessMemory
process_identifier: 340
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELŒ]_à  Po €@ À@…ÌnO€H   H.text$O P `.rsrcH€R@@.reloc  X@B
process_handle: 0x000030c8
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2636 called NtSetContextThread to modify thread in remote process 340
Time & API Arguments Status Return Repeated
1619269282.391567
NtSetContextThread
thread_handle: 0x0000ff10
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4484894
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 340
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2636 resumed a thread in remote process 340
Time & API Arguments Status Return Repeated
1619269282.626567
NtResumeThread
thread_handle: 0x0000ff10
suspend_count: 1
process_identifier: 340
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.160.78:443
Executed a process and injected code into it, probably while unpacking (25 events)
Time & API Arguments Status Return Repeated
1619269228.344567
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2636
success 0 0
1619269228.360567
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2636
success 0 0
1619269228.407567
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2636
success 0 0
1619269278.704567
NtResumeThread
thread_handle: 0x00009c04
suspend_count: 1
process_identifier: 2636
success 0 0
1619269278.735567
NtResumeThread
thread_handle: 0x00005e2c
suspend_count: 1
process_identifier: 2636
success 0 0
1619269278.766567
NtGetContextThread
thread_handle: 0x00005e2c
success 0 0
1619269278.766567
NtGetContextThread
thread_handle: 0x00005e2c
success 0 0
1619269278.766567
NtResumeThread
thread_handle: 0x00005e2c
suspend_count: 1
process_identifier: 2636
success 0 0
1619269279.438567
CreateProcessInternalW
thread_identifier: 428
thread_handle: 0x0000506c
process_identifier: 2448
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kaEgfozi" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1B10.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000e178
inherit_handles: 0
success 1 0
1619269282.001567
CreateProcessInternalW
thread_identifier: 2940
thread_handle: 0x0000e46c
process_identifier: 648
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\25e972b46dc6a1356b1fd216a4df0107.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\25e972b46dc6a1356b1fd216a4df0107.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00002bc8
inherit_handles: 0
success 1 0
1619269282.001567
NtGetContextThread
thread_handle: 0x0000e46c
success 0 0
1619269282.001567
NtAllocateVirtualMemory
process_identifier: 648
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00002bc8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619269282.376567
CreateProcessInternalW
thread_identifier: 2268
thread_handle: 0x0000ff10
process_identifier: 340
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\25e972b46dc6a1356b1fd216a4df0107.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\25e972b46dc6a1356b1fd216a4df0107.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000030c8
inherit_handles: 0
success 1 0
1619269282.376567
NtGetContextThread
thread_handle: 0x0000ff10
success 0 0
1619269282.376567
NtAllocateVirtualMemory
process_identifier: 340
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000030c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619269282.376567
WriteProcessMemory
process_identifier: 340
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELŒ]_à  Po €@ À@…ÌnO€H   H.text$O P `.rsrcH€R@@.reloc  X@B
process_handle: 0x000030c8
base_address: 0x00400000
success 1 0
1619269282.376567
WriteProcessMemory
process_identifier: 340
buffer:
process_handle: 0x000030c8
base_address: 0x00402000
success 1 0
1619269282.391567
WriteProcessMemory
process_identifier: 340
buffer:  €P€8€€h€ €¼\ƒê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t*InternalNameHQlzUkapoqCUDFDwRwOPBhsJPtufLkscxXVWz.exe(LegalCopyright |*OriginalFilenameHQlzUkapoqCUDFDwRwOPBhsJPtufLkscxXVWz.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x000030c8
base_address: 0x00448000
success 1 0
1619269282.391567
WriteProcessMemory
process_identifier: 340
buffer: ` ?
process_handle: 0x000030c8
base_address: 0x0044a000
success 1 0
1619269282.391567
WriteProcessMemory
process_identifier: 340
buffer: @
process_handle: 0x000030c8
base_address: 0x7efde008
success 1 0
1619269282.391567
NtSetContextThread
thread_handle: 0x0000ff10
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4484894
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 340
success 0 0
1619269282.626567
NtResumeThread
thread_handle: 0x0000ff10
suspend_count: 1
process_identifier: 340
success 0 0
1619293314.043249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 340
success 0 0
1619293314.043249
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 340
success 0 0
1619293314.106249
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 340
success 0 0
File has been identified as malicious by 54 antivirus engines on VirusTotal (50 of 54 events)
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
FireEye Generic.mg.25e972b46dc6a135
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Qihoo-360 Generic/Trojan.PSW.374
McAfee Fareit-FVT!25E972B46DC6
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056cba21 )
Alibaba TrojanPSW:MSIL/CryptInject.5e9e262c
K7GW Trojan ( 0056cba21 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.MSILPerseus.D38524
Invincea Mal/Generic-S
Cyren W32/Trojan.LPLM-2196
Symantec Packed.Generic.570
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Gen:Variant.MSILPerseus.230692
NANO-Antivirus Trojan.Win32.Agensla.hsiajw
MicroWorld-eScan Gen:Variant.MSILPerseus.230692
Avast Win32:PWSX-gen [Trj]
Tencent Msil.Trojan-qqpass.Qqrob.Htcr
Ad-Aware Gen:Variant.MSILPerseus.230692
Emsisoft Gen:Variant.MSILPerseus.230692 (B)
Comodo Malware@#1q98yhzxsqwso
F-Secure Trojan.TR/Kryptik.arxzi
DrWeb Trojan.PackedNET.405
Zillya Trojan.Kryptik.Win32.2369762
TrendMicro Trojan.MSIL.MALREP.THIBDBO
McAfee-GW-Edition Fareit-FVT!25E972B46DC6
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Jiangmin Trojan.PSW.MSIL.apdm
Avira TR/Kryptik.arxzi
Microsoft Trojan:MSIL/CryptInject.AR!MTB
AegisLab Trojan.MSIL.Agensla.i!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Gen:Variant.MSILPerseus.230692
AhnLab-V3 Trojan/Win32.Infostealer.R348320
ALYac Gen:Variant.MSILPerseus.230692
MAX malware (ai score=82)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack.ADC
ESET-NOD32 a variant of MSIL/Kryptik.XJJ
TrendMicro-HouseCall Trojan.MSIL.MALREP.THIBDBO
Yandex Trojan.Kryptik!gfAbEp8i3F8
Ikarus Trojan.MSIL.Crypt
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran.


PE Compile Time

2020-08-18 06:00:42

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.