Score: 5.0
Risk level: Medium
Sample hash: 4589a8d0716595f43499858fe3603a4114f6cf34b1cfc50b73ff56d88450c688
Filename: 28d8931a84a232bf921d59c7a93ad6c1.exe
Analysis duration: 95s
Last analyzed:
File size: 116.0KB
鹰眼引擎 (Hawkeye engine)
Not detected: no Hawkeye engine detection results are available.
Static verdict
Antivirus engines ("-" = no result reported)
Engine       Result                              Scan date  Engine version
McAfee       GenericRXJB-QB!28D8931A84A2         20201228   6.0.6.653
Alibaba      Ransom:Win32/Sodinokibi.7b523016    20190527   0.3.0.5
Baidu        -                                   20190318   1.0.0.2
Avast        Win32:RansomX-gen [Ransom]          20201228   21.1.5827.0
Kingsoft     -                                   20201228   2017.9.26.565
Tencent      Malware.Win32.Gencirc.114de75f      20201228   1.0.0.1
CrowdStrike  win/malicious_confidence_100% (W)   20190702   1.0
Static indicators
Queries for the computername (1 event)
Time               API                Arguments                 Status   Return  Repeated
1619340500.515375  GetComputerNameW   computer_name: OSKAR-PC   success  1       0
Checks if process is being debugged by a debugger (1 event)
Time               API                Arguments                 Status   Return  Repeated
1619340490.249375  IsDebuggerPresent                            failed   0       0
Command line console output was observed (10 events)
Time               API            Arguments                                                                                                   Status   Return  Repeated
1619340489.874375  WriteConsoleW  buffer: [DBG]  console_handle: 0x00000007                                                                   success  1       0
1619340489.874375  WriteConsoleW  buffer: core_init() - Program initialization  console_handle: 0x00000007                                    success  1       0
1619340490.202375  WriteConsoleW  buffer: [DBG]  console_handle: 0x00000007                                                                   success  1       0
1619340490.218375  WriteConsoleW  buffer: cfg:{"all":false,"pc_sk":"YM2p5jT+tRtl+n1tNWpuo7x3/vEzk8m5Fp0Coull61w=","ext":["83w9yl"]}  console_handle: 0x00000007  success  1       0
1619340490.218375  WriteConsoleW  buffer: [DBG]  console_handle: 0x00000007                                                                   success  1       0
1619340490.218375  WriteConsoleW  buffer: start GUI  console_handle: 0x00000007                                                               success  1       0
1619340493.999375  WriteConsoleW  buffer: [DBG]  console_handle: 0x00000007                                                                   success  1       0
1619340493.999375  WriteConsoleW  buffer: start decrypt FILE  console_handle: 0x00000007                                                      success  1       0
1619340557.249375  WriteConsoleW  buffer: [DBG]  console_handle: 0x00000007                                                                   success  1       0
1619340557.249375  WriteConsoleW  buffer: start decrypt FILE  console_handle: 0x00000007                                                      success  1       0
This executable has a PDB path (1 event)
pdb_path: *****************\Debug\rwdec_x86_debug.pdb
Checks amount of memory in system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time               API                   Arguments   Status   Return  Repeated
1619340496.609375  GlobalMemoryStatusEx              success  1       0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section: .9wfm2x
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time               API                      Arguments                                  Status   Return  Repeated
1619340496.593375  NtAllocateVirtualMemory  process_identifier: 2316                   success  0       0
                                            region_size: 4096
                                            stack_dep_bypass: 0
                                            stack_pivoted: 0
                                            heap_dep_bypass: 0
                                            protection: 64 (PAGE_EXECUTE_READWRITE)
                                            process_handle: 0xffffffff
                                            allocation_type: 4096 (MEM_COMMIT)
                                            base_address: 0x04590000
Creates a shortcut to an executable file (3 events)
file C:\Users\Administrator.Oskar-PC\Links\Desktop.lnk
file C:\Users\Administrator.Oskar-PC\Links\Downloads.lnk
file C:\Users\Administrator.Oskar-PC\Links\RecentPlaces.lnk
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.204508377055437 section {'size_of_data': '0x00003e00', 'virtual_address': '0x0000c000', 'entropy': 7.204508377055437, 'name': '.rdata', 'virtual_size': '0x00003cac'} description A section with a high entropy has been found
entropy 7.819525427816072 section {'size_of_data': '0x00000e00', 'virtual_address': '0x00010000', 'entropy': 7.819525427816072, 'name': '.data', 'virtual_size': '0x00000ff8'} description A section with a high entropy has been found
Network communication
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 of 54 events shown)
Engine  Result
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Fugrafa.10828
FireEye Generic.mg.28d8931a84a232bf
Qihoo-360 Win32/Trojan.Ransom.f48
McAfee GenericRXJB-QB!28D8931A84A2
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056cd1e1 )
Alibaba Ransom:Win32/Sodinokibi.7b523016
K7GW Trojan ( 0056cd1e1 )
Cybereason malicious.a84a23
Arcabit Trojan.Fugrafa.D2A4C
Cyren W32/Kryptik.BYW.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:RansomX-gen [Ransom]
ClamAV Win.Ransomware.Sodinokibi-7013612-0
BitDefender Gen:Variant.Fugrafa.10828
NANO-Antivirus Trojan.Win32.Kryptik.hweeos
Paloalto generic.ml
AegisLab Trojan.Win32.Zusy.4!c
Rising Trojan.Fuery!8.EAFB (TFE:5:LKgsnobeRzN)
Ad-Aware Gen:Variant.Fugrafa.10828
Emsisoft Gen:Variant.Fugrafa.10828 (B)
Comodo Malware@#1er4rvwk9j9vr
F-Secure Trojan.TR/Crypt.XPACK.Gen
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom_Sodinokibi.R06CC0DHN20
McAfee-GW-Edition BehavesLike.Win32.Generic.ct
Sophos Mal/Generic-S
Ikarus Trojan-Ransom.Sodinokibi
Avira TR/Crypt.XPACK.Gen
Antiy-AVL Trojan/Win32.Fuerboos
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Ransom:Win32/Revil.SI!MTB
GData Win32.Trojan-Ransom.Sodinokibi.F
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RevilRansom.R360961
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34700.hyW@aa4aI3l
ALYac Trojan.Ransom.Sodinokibi
MAX malware (ai score=100)
Malwarebytes Ransom.Sodinokibi
ESET-NOD32 a variant of Win32/Kryptik.HCJV
TrendMicro-HouseCall Ransom_Sodinokibi.R06CC0DHN20
Tencent Malware.Win32.Gencirc.114de75f
Yandex Trojan.Kryptik!UiVADz3t1zY
SentinelOne Static AI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
None: no binary visualization image was generated for this sample.
Runtime screenshots
None: no screenshots were captured while the sample ran.


PE Compile Time

2019-10-17 00:50:47

Imports

Library KERNEL32.dll:
0x40c010 CloseHandle
0x40c014 CreateThread
0x40c018 GetModuleHandleW
0x40c01c CopyFileW
0x40c020 MoveFileW
0x40c024 GetStdHandle
0x40c028 CreateFileW
0x40c02c WriteFile
0x40c030 OutputDebugStringW
0x40c03c HeapAlloc
0x40c040 SetEndOfFile
0x40c044 GetProcessHeap
0x40c050 ExitProcess
0x40c054 GetCurrentThread
0x40c058 GetProcAddress
0x40c060 lstrlenW
0x40c064 LoadLibraryA
0x40c070 WriteConsoleW
0x40c074 DeleteFileW
0x40c07c HeapFree
Library USER32.dll:
0x40c098 CheckDlgButton
0x40c09c IsDlgButtonChecked
0x40c0a0 EnableWindow
0x40c0a4 SetDlgItemTextW
0x40c0a8 DialogBoxParamW
0x40c0ac SendMessageW
0x40c0b0 SetDlgItemInt
0x40c0b4 GetDlgItem
0x40c0b8 SetWindowTextW
0x40c0bc wsprintfW
0x40c0c0 MessageBoxW
0x40c0c4 EndDialog
Library GDI32.dll:
0x40c008 CreateFontW
Library SHELL32.dll:
0x40c08c SHBrowseForFolderW
Library COMDLG32.dll:
0x40c000 GetOpenFileNameW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination                      Destination port
192.168.56.101  49235        114.114.114.114                  53
192.168.56.101  53210        114.114.114.114                  53
192.168.56.101  55368        114.114.114.114                  53
192.168.56.101  56539        114.114.114.114                  53
192.168.56.101  58367        114.114.114.114                  53
192.168.56.101  63429        114.114.114.114                  53
192.168.56.101  137          192.168.56.255                   137
192.168.56.101  138          192.168.56.255                   138
192.168.56.101  123          20.189.79.72 (time.windows.com)  123
192.168.56.101  50002        224.0.0.252                      5355
192.168.56.101  50534        224.0.0.252                      5355
192.168.56.101  51963        224.0.0.252                      5355
192.168.56.101  53380        224.0.0.252                      5355
192.168.56.101  53657        224.0.0.252                      5355
192.168.56.101  56804        224.0.0.252                      5355
192.168.56.101  57756        224.0.0.252                      5355
192.168.56.101  57874        224.0.0.252                      5355
192.168.56.101  60384        224.0.0.252                      5355
192.168.56.101  61680        224.0.0.252                      5355
192.168.56.101  62191        224.0.0.252                      5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.