9.8
极危
53 个模型检测该样本为恶意!
重新分析
更多

4fe45a8e07fc28eb30222f08219ca2bb8832220a97ff56333193bd422a876f0c

2ac0a5bf25087878319d1e0847424ce7.exe

分析耗时

105s

最近分析

文件大小

301.0KB
静态报毒 动态报毒 5UCDUROXMWO ADNAPFEK AI SCORE=82 ATTRIBUTE AUTO AVEMARIA CONFIDENCE DETPLOCK ELDORADO GCMUZ GDSDA GENASA HCYM HIGH CONFIDENCE HIGHCONFIDENCE HJLPYA KRYPTIK LOQZLSNU5WW MALWARE@#2UQP5GBJTYEZX MORTYSTEALER QVM11 R066C0DIK20 RAZY SCORE SIGGEN9 STATIC AI SUSGEN SUSPICIOUS PE UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201228 21.1.5827.0
Alibaba TrojanSpy:Win32/AveMaria.7cf100f2 20190527 0.3.0.5
Kingsoft 20201228 2017.9.26.565
McAfee RDN/Generic.grp 20201228 6.0.6.653
Tencent Win32.Trojan.Inject.Auto 20201228 1.0.0.1
CrowdStrike win/malicious_confidence_70% (W) 20190702 1.0
静态指标
Queries for the computername (6 个事件)
Time & API Arguments Status Return Repeated
1619367078.668126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619367078.699126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619367078.699126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619367078.699126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619367086.011126
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619367086.011126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619367079.371126
IsDebuggerPresent
failed 0 0
Command line console output was observed (10 个事件)
Time & API Arguments Status Return Repeated
1619367087.558126
WriteConsoleW
buffer: 无法将“Add-MpPreference”项识别为 cmdlet、函数、脚本文件或可运行程序的名称。请
console_handle: 0x00000023
success 1 0
1619367087.574126
WriteConsoleW
buffer: 检查名称的拼写,如果包括路径,请确保路径正确,然后重试。
console_handle: 0x0000002f
success 1 0
1619367087.589126
WriteConsoleW
buffer: 所在位置 行:1 字符: 17
console_handle: 0x0000003b
success 1 0
1619367087.605126
WriteConsoleW
buffer: + Add-MpPreference <<<< -ExclusionPath C:\
console_handle: 0x00000047
success 1 0
1619367087.605126
WriteConsoleW
buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x00000053
success 1 0
1619367087.621126
WriteConsoleW
buffer: mmandNotFoundException
console_handle: 0x0000005f
success 1 0
1619367087.621126
WriteConsoleW
buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000006b
success 1 0
1619367078.073876
WriteConsoleW
buffer: Microsoft Windows [版本 6.1.7601]
console_handle: 0x00000007
success 1 0
1619367078.073876
WriteConsoleW
buffer: 版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
console_handle: 0x00000007
success 1 0
1619367078.073876
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 64 个事件)
Time & API Arguments Status Return Repeated
1619367080.730126
CryptExportKey
crypto_handle: 0x00614d38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.636126
CryptExportKey
crypto_handle: 0x00614bf8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.636126
CryptExportKey
crypto_handle: 0x00614bf8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.636126
CryptExportKey
crypto_handle: 0x00614bf8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.777126
CryptExportKey
crypto_handle: 0x00614bf8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.777126
CryptExportKey
crypto_handle: 0x00614bf8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.777126
CryptExportKey
crypto_handle: 0x00614bf8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.855126
CryptExportKey
crypto_handle: 0x00614bf8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.902126
CryptExportKey
crypto_handle: 0x00614138
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.902126
CryptExportKey
crypto_handle: 0x00614138
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.964126
CryptExportKey
crypto_handle: 0x00614138
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.964126
CryptExportKey
crypto_handle: 0x00614138
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.964126
CryptExportKey
crypto_handle: 0x00614138
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367081.964126
CryptExportKey
crypto_handle: 0x00614138
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367082.293126
CryptExportKey
crypto_handle: 0x00614678
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367082.293126
CryptExportKey
crypto_handle: 0x00614678
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367082.293126
CryptExportKey
crypto_handle: 0x00614678
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367082.293126
CryptExportKey
crypto_handle: 0x00614678
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367082.293126
CryptExportKey
crypto_handle: 0x00614678
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367082.293126
CryptExportKey
crypto_handle: 0x00614678
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367082.308126
CryptExportKey
crypto_handle: 0x00614678
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.246126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.246126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.246126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.511126
CryptExportKey
crypto_handle: 0x00614578
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.636126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.636126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.636126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.636126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.730126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.761126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.761126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.808126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.808126
CryptExportKey
crypto_handle: 0x00614a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.855126
CryptExportKey
crypto_handle: 0x00614978
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.855126
CryptExportKey
crypto_handle: 0x00614978
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.855126
CryptExportKey
crypto_handle: 0x00614978
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.855126
CryptExportKey
crypto_handle: 0x00614978
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.855126
CryptExportKey
crypto_handle: 0x00614978
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.855126
CryptExportKey
crypto_handle: 0x00614978
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.871126
CryptExportKey
crypto_handle: 0x00614978
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.949126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367085.949126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367086.246126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367086.246126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367086.261126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367086.261126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367086.261126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367086.293126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619367086.293126
CryptExportKey
crypto_handle: 0x00613ff8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619367075.714126
GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 个事件)
packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 143 个事件)
Time & API Arguments Status Return Repeated
1619367048.621126
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00220000
success 0 0
1619367077.621126
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d00000
success 0 0
1619366680.748645
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000041c0000
success 0 0
1619367078.824126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x03180000
success 0 0
1619367078.824126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03310000
success 0 0
1619367079.293126
NtProtectVirtualMemory
process_identifier: 1476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x72431000
success 0 0
1619367079.371126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0275a000
success 0 0
1619367079.371126
NtProtectVirtualMemory
process_identifier: 1476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x72432000
success 0 0
1619367079.371126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02752000
success 0 0
1619367079.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02762000
success 0 0
1619367079.683126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03311000
success 0 0
1619367079.714126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03312000
success 0 0
1619367079.824126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0278a000
success 0 0
1619367080.152126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02763000
success 0 0
1619367080.355126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02764000
success 0 0
1619367080.402126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0279b000
success 0 0
1619367080.402126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02797000
success 0 0
1619367080.511126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0275b000
success 0 0
1619367080.683126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02782000
success 0 0
1619367080.699126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02795000
success 0 0
1619367081.121126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02765000
success 0 0
1619367081.558126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0278c000
success 0 0
1619367081.855126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02783000
success 0 0
1619367081.902126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c00000
success 0 0
1619367082.230126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02766000
success 0 0
1619367082.293126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0279c000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02784000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02785000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02786000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02787000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02788000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02789000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c20000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c21000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c22000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c23000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c24000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c25000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c26000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c27000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c28000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c29000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c2a000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c2b000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c2c000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c2d000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c2e000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c2f000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030a0000
success 0 0
1619367082.621126
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030a1000
success 0 0
Creates a shortcut to an executable file (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (2 个事件)
cmdline powershell Add-MpPreference -ExclusionPath C:\
cmdline C:\Windows\System32\cmd.exe
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619367077.871126
CreateProcessInternalW
thread_identifier: 2516
thread_handle: 0x00000214
process_identifier: 1176
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line:
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000210
inherit_handles: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.932124228730686 section {'size_of_data': '0x00049200', 'virtual_address': '0x000d0000', 'entropy': 7.932124228730686, 'name': 'UPX1', 'virtual_size': '0x0004a000'} description A section with a high entropy has been found
entropy 7.446069637009682 section {'size_of_data': '0x00001e00', 'virtual_address': '0x0011a000', 'entropy': 7.446069637009682, 'name': '.rsrc', 'virtual_size': '0x00002000'} description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619367080.511126
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
The executable is compressed using UPX (2 个事件)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 172.217.24.14
host 45.138.172.56
host 8.8.8.8
Allocates execute permission to another process indicative of possible code injection (2 个事件)
Time & API Arguments Status Return Repeated
1619367078.871126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000230
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00410000
success 0 0
1619367078.871126
NtProtectVirtualMemory
process_identifier: 1176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000230
base_address: 0x00410000
success 0 0
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rundII64 reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2ac0a5bf25087878319d1e0847424ce7.exe
Potential code injection by writing to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619367078.871126
WriteProcessMemory
process_identifier: 1176
buffer: U‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃÔ;Dd$VÄA
process_handle: 0x00000230
base_address: 0x00410000
success 1 0
1619367078.871126
WriteProcessMemory
process_identifier: 1176
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2ac0a5bf25087878319d1e0847424ce7.exe€ ý~èlôëlôëP,w|,wà¦AôôëÐ$€igÿÿÿÿÿôëøôëÐúëà^‘wt*k6þÿÿÿ|,w 5wè
process_handle: 0x00000230
base_address: 0x00420000
success 1 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\2ac0a5bf25087878319d1e0847424ce7.exe:Zone.Identifier
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.626613
ALYac Gen:Variant.Razy.626613
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.Multi.Generic.4!c
Sangfor Malware
K7AntiVirus Trojan ( 005659841 )
BitDefender Gen:Variant.Razy.626613
K7GW Trojan ( 005659841 )
Cybereason malicious.f25087
Cyren W32/Kryptik.BKJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky Trojan-Spy.Win32.AveMaria.dbp
Alibaba TrojanSpy:Win32/AveMaria.7cf100f2
NANO-Antivirus Trojan.Win32.Kryptik.hjlpya
Rising Trojan.Detplock!8.4A0D (TFE:5:5ucdurOXMWO)
Ad-Aware Gen:Variant.Razy.626613
Sophos Mal/Generic-S
Comodo Malware@#2uqp5gbjtyezx
DrWeb Trojan.Siggen9.43433
TrendMicro TROJ_GEN.R066C0DIK20
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
MaxSecure Trojan.Malware.97559332.susgen
Emsisoft Gen:Variant.Razy.626613 (B)
Ikarus Trojan.Inject
GData Gen:Variant.Razy.626613
Jiangmin TrojanSpy.AveMaria.in
Avira TR/AD.MortyStealer.gcmuz
Antiy-AVL Trojan[Spy]/Win32.AveMaria
Arcabit Trojan.Razy.D98FB5
ZoneAlarm Trojan-Spy.Win32.AveMaria.dbp
Microsoft Trojan:MSIL/Adnapfek
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Generic.C4100351
McAfee RDN/Generic.grp
MAX malware (ai score=82)
VBA32 TrojanSpy.AveMaria
Malwarebytes Backdoor.AveMaria
Panda Trj/GdSda.A
ESET-NOD32 Win32/Agent.TJS
TrendMicro-HouseCall TROJ_GEN.R066C0DIK20
Tencent Win32.Trojan.Inject.Auto
Yandex Trojan.GenAsa!lOQzlSNU5Ww
SentinelOne Static AI - Suspicious PE
Fortinet W32/Kryptik.HCYM!tr
BitDefenderTheta AI:Packer.397F05361F
AVG Win32:Trojan-gen
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
dead_host 45.138.172.56:56421
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-04-27 07:40:31

Imports

Library KERNEL32.DLL:
0x51bb80 LoadLibraryA
0x51bb84 ExitProcess
0x51bb88 GetProcAddress
0x51bb8c VirtualProtect
Library WS2_32.dll:
0x51bb94 WSAStartup

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.