14.8
0-day
该样本未表现出任何异常!
重新分析
更多

87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

32307c24db9052003547acd8c7814a09.exe

分析耗时

85s

最近分析

文件大小

252.0KB
静态报毒 动态报毒 FYNLOSKI
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Command line console output was observed (2 个事件)
Time & API Arguments Status Return Repeated
1620759751.220125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1620759751.220375
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620759747.189125
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1620759747.908125
__exception__
stacktrace: 
32307c24db9052003547acd8c7814a09+0x978a @ 0x40978a
32307c24db9052003547acd8c7814a09+0x8fef1 @ 0x48fef1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637628
registers.edi: 0
registers.eax: 1637628
registers.ebp: 1637708
registers.edx: 0
registers.ebx: 4229144
registers.esi: 1637784
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
Connects to a Dynamic DNS Domain (1 个事件)
domain kualomakalo.ddns.net
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1620759746.986125
NtAllocateVirtualMemory
process_identifier: 2284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x021a0000
success 0 0
1620759752.220625
NtAllocateVirtualMemory
process_identifier: 3208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00510000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
A process attempted to delay the analysis task. (1 个事件)
description msdcsc.exe tried to sleep 175 seconds, actually delayed analysis time by 175 seconds
Creates a suspicious process (4 个事件)
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe" +s +h
cmdline cmd.exe /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline cmd.exe /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe" +s +h
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe
A process created a hidden window (4 个事件)
Time & API Arguments Status Return Repeated
1620759748.799125
ShellExecuteExW
parameters: /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe" +s +h
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1620759748.955125
ShellExecuteExW
parameters: /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1620759749.220125
CreateProcessInternalW
thread_identifier: 2860
thread_handle: 0x00000278
process_identifier: 2636
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000288
inherit_handles: 0
success 1 0
1620759755.783625
CreateProcessInternalW
thread_identifier: 3436
thread_handle: 0x00000260
process_identifier: 3432
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000268
inherit_handles: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.923050646356829 section {'size_of_data': '0x0003dc00', 'virtual_address': '0x00078000', 'entropy': 7.923050646356829, 'name': 'UPX1', 'virtual_size': '0x0003e000'} description A section with a high entropy has been found
entropy 0.9840637450199203 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (20 个事件)
Time & API Arguments Status Return Repeated
1620759747.330125
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620759747.330125
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
1620759747.330125
LookupPrivilegeValueW
system_name:
privilege_name: SeLoadDriverPrivilege
success 1 0
1620759747.361125
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1620759747.361125
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620759747.361125
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620759747.361125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620759747.377125
LookupPrivilegeValueW
system_name:
privilege_name: SeRemoteShutdownPrivilege
success 1 0
1620759747.377125
LookupPrivilegeValueW
system_name:
privilege_name: SeManageVolumePrivilege
success 1 0
1620759747.392125
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateGlobalPrivilege
success 1 0
1620759752.299625
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620759752.299625
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
1620759752.299625
LookupPrivilegeValueW
system_name:
privilege_name: SeLoadDriverPrivilege
success 1 0
1620759752.361625
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1620759752.361625
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620759752.361625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620759752.361625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620759752.408625
LookupPrivilegeValueW
system_name:
privilege_name: SeRemoteShutdownPrivilege
success 1 0
1620759752.424625
LookupPrivilegeValueW
system_name:
privilege_name: SeManageVolumePrivilege
success 1 0
1620759752.470625
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateGlobalPrivilege
success 1 0
Terminates another process (5 个事件)
Time & API Arguments Status Return Repeated
1620759770.642502
NtTerminateProcess
status_code: 0x00000000
process_identifier: 2636
process_handle: 0x0000010c
failed 0 0
1620759753.970625
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3284
process_handle: 0x00000248
failed 0 0
1620759753.970625
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3284
process_handle: 0x00000248
success 0 0
1620759755.549625
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3372
process_handle: 0x0000024c
failed 0 0
1620759755.549625
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3372
process_handle: 0x0000024c
success 0 0
The executable is compressed using UPX (2 个事件)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Uses Windows utilities for basic Windows functionality (9 个事件)
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe" +s +h
cmdline cmd.exe /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline "C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe"
cmdline attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
cmdline C:\Program Files (x86)\Internet Explorer\iexplore.exe
cmdline attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
cmdline cmd.exe /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe" +s +h
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (34 个事件)
Time & API Arguments Status Return Repeated
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00150000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00160000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00170000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00180000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001a0000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001b0000
success 0 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001c0000
success 0 0
1620759753.127625
NtAllocateVirtualMemory
process_identifier: 3284
region_size: 749568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000248
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000d0000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000e0000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00150000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00160000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00170000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00180000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001a0000
success 0 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001b0000
success 0 0
1620759755.799625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001c0000
success 0 0
1620759755.799625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
Installs itself for autorun at Windows startup (9 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit reg_value C:\Windows\system32\userinit.exe,C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe
Disables Windows' Task Manager (1 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Creates known Fynloski/DarkComet files, registry keys and/or mutexes (5 个事件)
mutex DC_MUTEX-3L7FTLT
mutex DCPERSFWBP
regkey HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey HKEY_CURRENT_USER\Software\DC2_USERS
file C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
Manipulates memory of a non-child process indicative of process injection (2 个事件)
Process injection Process 3208 manipulating memory of non-child process 3284
Time & API Arguments Status Return Repeated
1620759753.127625
NtAllocateVirtualMemory
process_identifier: 3284
region_size: 749568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000248
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (33 个事件)
Time & API Arguments Status Return Repeated
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: kernel32.dll
process_handle: 0x00000288
base_address: 0x000b0000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: user32.dll
process_handle: 0x00000288
base_address: 0x00100000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: Sleep
process_handle: 0x00000288
base_address: 0x00110000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: MessageBoxA
process_handle: 0x00000288
base_address: 0x00120000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: ExitThread
process_handle: 0x00000288
base_address: 0x00130000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: DeleteFileA
process_handle: 0x00000288
base_address: 0x00140000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: GetLastError
process_handle: 0x00000288
base_address: 0x00150000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: TerminateProcess
process_handle: 0x00000288
base_address: 0x00160000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: CloseHandle
process_handle: 0x00000288
base_address: 0x00170000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: OpenProcess
process_handle: 0x00000288
base_address: 0x00180000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: GetExitCodeProcess
process_handle: 0x00000288
base_address: 0x00190000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe
process_handle: 0x00000288
base_address: 0x001a0000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: ×I5v"5vF@˜ÕØwDT5vÀ5vØ6v5v†5vM6v L 
process_handle: 0x00000288
base_address: 0x001b0000
success 1 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: U‹ìSVW‹]‹C4P‹C,PÿPÿS‰C ‹C8P‹C0PÿPÿS‰C‹C<P‹C,PÿPÿS‰C‹C@P‹C,PÿPÿS‰C‹CDP‹C,PÿPÿS‰C‹CHP‹C,PÿPÿS‰C‹CTP‹C,PÿPÿS‰C ‹CLP‹C,PÿPÿS‰C$‹CPP‹C,PÿPÿS‰C(ëÿSƒøthôÿS ‹C\PÿS„Àtå‹CXPjjÿS$‹ð…ötWVÿS(WVÿSVÿS jÿS_^[]‹ÀU‹ìÄ@ÿÿÿSV3ɉMô‰Uø‰Eü‹Eüè. ùÿ‹Eøè& ùÿu”3ÀUhFRGdÿ0d‰ …Pÿÿÿ3ɺDè+ëøÿDžPÿÿÿDDž|ÿÿÿfÇE€…@ÿÿÿP…PÿÿÿPjjhjjj‹EüèÔ ùÿPjè)ùÿ‹@ÿÿÿ‹EüèNRùÿ„Àu Eüº\RGè™ùÿ‹Eøè5Rùÿ„Àu Uø3Àèï¡ùÿEô‹UøèxùÿºdRG‹Ãèüüÿÿ‰F,ºtRG‹Ãèíüÿÿ‰F0º€RG‹ÃèÞüÿÿ‰F4ºˆRG‹ÃèÏüÿÿ‰F8º”RG‹ÃèÀüÿÿ‰F<º RG‹Ãè±üÿÿ‰F@º¬RG‹Ãè¢üÿÿ‰FDº¼RG‹Ãè“üÿÿ‰FHºÐRG‹Ãè„üÿÿ‰FTºÜRG‹Ãèuüÿÿ‰FLºèRG‹Ãèfüÿÿ‰FP‹Eôèßùÿ‹Ð‹ÃèRüÿÿ‰F\‹…Hÿÿÿ‰FXhüRGh SGèç)ùÿPèé)ùÿ‰hSGh SGèÐ)ùÿPèÒ)ùÿ‰Fh€RGh SGè¸)ùÿPèº)ùÿ‰F hˆRGh SGè )ùÿPè¢)ùÿ‰F h”RGh SGèˆ)ùÿPèŠ)ùÿ‰Fh RGh SGèp)ùÿPèr)ùÿ‰Fh¬RGh SGèX)ùÿPèZ)ùÿ‰Fh¼RGh SGè@)ùÿPèB)ùÿ‰FhÐRGh SGè()ùÿPè*)ùÿ‰F hÜRGh SGè)ùÿPè)ùÿ‰F$hèRGh SGèø(ùÿPèú(ùÿ‰F(j`j‹Îº”NG‹Ãèõûÿÿ3ÀZYYd‰hMRGEôºèùÿÃ
process_handle: 0x00000288
base_address: 0x001c0000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: kernel32.dll
process_handle: 0x00000268
base_address: 0x000b0000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: user32.dll
process_handle: 0x00000268
base_address: 0x000c0000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: Sleep
process_handle: 0x00000268
base_address: 0x000d0000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: MessageBoxA
process_handle: 0x00000268
base_address: 0x000e0000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: CreateProcessA
process_handle: 0x00000268
base_address: 0x000f0000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: GetLastError
process_handle: 0x00000268
base_address: 0x00100000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: SetLastError
process_handle: 0x00000268
base_address: 0x00110000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: CreateMutexA
process_handle: 0x00000268
base_address: 0x00120000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: CloseHandle
process_handle: 0x00000268
base_address: 0x00130000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: ExitThread
process_handle: 0x00000268
base_address: 0x00140000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: OpenProcess
process_handle: 0x00000268
base_address: 0x00150000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: DCPERSFWBP
process_handle: 0x00000268
base_address: 0x00160000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: TerminateProcess
process_handle: 0x00000268
base_address: 0x00170000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: GetExitCodeProcess
process_handle: 0x00000268
base_address: 0x00180000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: DC_MUTEX-3L7FTLT
process_handle: 0x00000268
base_address: 0x00190000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: WaitForSingleObject
process_handle: 0x00000268
base_address: 0x001a0000
success 1 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
process_handle: 0x00000268
base_address: 0x001b0000
success 1 0
1620759755.799625
WriteProcessMemory
process_identifier: 3432
buffer: ×I5v"5vý_wÿ5vÀ5vr5v65v©5v˜ÕØw†5vØ6v5vM6vkL5v h
process_handle: 0x00000268
base_address: 0x001c0000
success 1 0
1620759755.799625
WriteProcessMemory
process_identifier: 3432
buffer: U‹ìƒÄ¬SVW‹]‹C@P‹C8PÿPÿS‰C ‹CDP‹C<PÿPÿS‰C‹CTP‹C8PÿPÿS‰C‹CXP‹C8PÿPÿS‰C‹CHP‹C8PÿPÿS‰C‹CLP‹C8PÿPÿS‰C‹CPP‹C8PÿPÿS‰C4‹C`P‹C8PÿPÿS‰C,‹ClP‹C8PÿPÿS‰C(‹ChP‹C8PÿPÿS‰C0‹CdP‹C8PÿPÿS‰C ‹CpP‹C8PÿPÿS‰C$jÿS‹CxPjjÿS4ÿS=·u$‹C|PjjÿS$‹ø…ÿtVWÿS0VWÿS(WÿS,jÿS jÿS‹C\PjjÿS4‹øÿS=·tRWÿS,ÇE¼DE¬PE¼Pjjjjjj‹CtPjÿS…Àt3öhȋE¬PÿSƒèsƒÎÿ…ötèë¼hÐÿS ë²WÿS,hôÿS ë„_^[‹å]U‹ìÄ ÿÿÿSVW‰Mô‰Uø‰Eü‹Eüèëùÿ‹Eøèãùÿ‹EôèÛùÿµtÿÿÿ3ÀUh)XGdÿ0d‰ …0ÿÿÿ3ɺDèÝåøÿDž0ÿÿÿDDž\ÿÿÿfDž`ÿÿÿ‹Eüè0Mùÿ„Àu Eüº@XGè{ùÿ‹EøèMùÿ„Àu Uø3Àèќùÿ¿HXG… ÿÿÿP…0ÿÿÿPjjhjjj‹EüèOùÿPjè $ùÿ‹ ÿÿÿºTXG‹Ãè±÷ÿÿ‰F8ºdXG‹Ãè¢÷ÿÿ‰F<ºpXG‹Ãè“÷ÿÿ‰F@ºxXG‹Ãè„÷ÿÿ‰FDº„XG‹Ãèu÷ÿÿ‰FTº”XG‹Ãèf÷ÿÿ‰FHº¤XG‹ÃèW÷ÿÿ‰FLº´XG‹ÃèH÷ÿÿ‰FPºÄXG‹Ãè9÷ÿÿ‰F`ºÐXG‹Ãè*÷ÿÿ‰FdºÜXG‹Ãè÷ÿÿ‰Fp‹×‹Ãè÷ÿÿ‰FxºèXG‹Ãè÷ÿÿ‰FlºüXG‹Ãèñöÿÿ‰Fh‹Eôèjùÿ‹Ð‹ÃèÝöÿÿ‰F\ºYG‹ÃèÎöÿÿ‰FX‹EøèGùÿ‹Ð‹Ãèºöÿÿ‰Ft‹…(ÿÿÿ‰F|h$YGh4YGèO$ùÿPèQ$ùÿ‰h@YGh4YGè8$ùÿPè:$ùÿ‰FhpXGh4YGè $ùÿPè"$ùÿ‰F hxXGhPYGè$ùÿPè $ùÿ‰FhÄXGh4YGèð#ùÿPèò#ùÿ‰F,h„XGh4YGèØ#ùÿPèÚ#ùÿ‰Fh”XGh4YGèÀ#ùÿPèÂ#ùÿ‰Fh¤XGh4YGè¨#ùÿPèª#ùÿ‰Fh´XGh4YGè#ùÿPè’#ùÿ‰F4hüXGh4YGèx#ùÿPèz#ùÿ‰F0hÐXGh4YGè`#ùÿPèb#ùÿ‰F hèXGh4YGèH#ùÿPèJ#ùÿ‰F(hYGh4YGè0#ùÿPè2#ùÿ‰FhÜXGh4YGè#ùÿPè#ùÿ‰F$h€j‹Îº(SG‹Ãèöÿÿ3ÀZYYd‰h0XGEôºè,ýøÿÃ
process_handle: 0x00000268
base_address: 0x001d0000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1620759755.814625
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x004818f8
module_address: 0x00400000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 327791 0
Modifies security center warnings (2 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
Created a process named as a common system process (1 个事件)
Time & API Arguments Status Return Repeated
1620759754.158625
CreateProcessInternalW
thread_identifier: 3376
thread_handle: 0x0000025c
process_identifier: 3372
current_directory:
filepath: C:\Windows\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\explorer.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000024c
inherit_handles: 0
success 1 0
Stops Windows services (1 个事件)
service wscsvc (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start)
Disables Windows Security features (4 个事件)
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
description attempts to disable windows firewall registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
Executed a process and injected code into it, probably while unpacking (50 out of 81 个事件)
Time & API Arguments Status Return Repeated
1620759747.267125
NtResumeThread
thread_handle: 0x00000174
suspend_count: 1
process_identifier: 2284
success 0 0
1620759748.799125
CreateProcessInternalW
thread_identifier: 2260
thread_handle: 0x00000290
process_identifier: 2456
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe" +s +h
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002cc
inherit_handles: 0
success 1 0
1620759748.955125
CreateProcessInternalW
thread_identifier: 2344
thread_handle: 0x00000290
process_identifier: 2452
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002a4
inherit_handles: 0
success 1 0
1620759749.220125
CreateProcessInternalW
thread_identifier: 2860
thread_handle: 0x00000278
process_identifier: 2636
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000288
inherit_handles: 0
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: kernel32.dll
process_handle: 0x00000288
base_address: 0x000b0000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: user32.dll
process_handle: 0x00000288
base_address: 0x00100000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: Sleep
process_handle: 0x00000288
base_address: 0x00110000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: MessageBoxA
process_handle: 0x00000288
base_address: 0x00120000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: ExitThread
process_handle: 0x00000288
base_address: 0x00130000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: DeleteFileA
process_handle: 0x00000288
base_address: 0x00140000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00150000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: GetLastError
process_handle: 0x00000288
base_address: 0x00150000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00160000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: TerminateProcess
process_handle: 0x00000288
base_address: 0x00160000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00170000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: CloseHandle
process_handle: 0x00000288
base_address: 0x00170000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00180000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: OpenProcess
process_handle: 0x00000288
base_address: 0x00180000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: GetExitCodeProcess
process_handle: 0x00000288
base_address: 0x00190000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001a0000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe
process_handle: 0x00000288
base_address: 0x001a0000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001b0000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: ×I5v"5vF@˜ÕØwDT5vÀ5vØ6v5v†5vM6v L 
process_handle: 0x00000288
base_address: 0x001b0000
success 1 0
1620759749.220125
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000288
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001c0000
success 0 0
1620759749.220125
WriteProcessMemory
process_identifier: 2636
buffer: U‹ìSVW‹]‹C4P‹C,PÿPÿS‰C ‹C8P‹C0PÿPÿS‰C‹C<P‹C,PÿPÿS‰C‹C@P‹C,PÿPÿS‰C‹CDP‹C,PÿPÿS‰C‹CHP‹C,PÿPÿS‰C‹CTP‹C,PÿPÿS‰C ‹CLP‹C,PÿPÿS‰C$‹CPP‹C,PÿPÿS‰C(ëÿSƒøthôÿS ‹C\PÿS„Àtå‹CXPjjÿS$‹ð…ötWVÿS(WVÿSVÿS jÿS_^[]‹ÀU‹ìÄ@ÿÿÿSV3ɉMô‰Uø‰Eü‹Eüè. ùÿ‹Eøè& ùÿu”3ÀUhFRGdÿ0d‰ …Pÿÿÿ3ɺDè+ëøÿDžPÿÿÿDDž|ÿÿÿfÇE€…@ÿÿÿP…PÿÿÿPjjhjjj‹EüèÔ ùÿPjè)ùÿ‹@ÿÿÿ‹EüèNRùÿ„Àu Eüº\RGè™ùÿ‹Eøè5Rùÿ„Àu Uø3Àèï¡ùÿEô‹UøèxùÿºdRG‹Ãèüüÿÿ‰F,ºtRG‹Ãèíüÿÿ‰F0º€RG‹ÃèÞüÿÿ‰F4ºˆRG‹ÃèÏüÿÿ‰F8º”RG‹ÃèÀüÿÿ‰F<º RG‹Ãè±üÿÿ‰F@º¬RG‹Ãè¢üÿÿ‰FDº¼RG‹Ãè“üÿÿ‰FHºÐRG‹Ãè„üÿÿ‰FTºÜRG‹Ãèuüÿÿ‰FLºèRG‹Ãèfüÿÿ‰FP‹Eôèßùÿ‹Ð‹ÃèRüÿÿ‰F\‹…Hÿÿÿ‰FXhüRGh SGèç)ùÿPèé)ùÿ‰hSGh SGèÐ)ùÿPèÒ)ùÿ‰Fh€RGh SGè¸)ùÿPèº)ùÿ‰F hˆRGh SGè )ùÿPè¢)ùÿ‰F h”RGh SGèˆ)ùÿPèŠ)ùÿ‰Fh RGh SGèp)ùÿPèr)ùÿ‰Fh¬RGh SGèX)ùÿPèZ)ùÿ‰Fh¼RGh SGè@)ùÿPèB)ùÿ‰FhÐRGh SGè()ùÿPè*)ùÿ‰F hÜRGh SGè)ùÿPè)ùÿ‰F$hèRGh SGèø(ùÿPèú(ùÿ‰F(j`j‹Îº”NG‹Ãèõûÿÿ3ÀZYYd‰hMRGEôºèùÿÃ
process_handle: 0x00000288
base_address: 0x001c0000
success 1 0
1620759751.674125
CreateProcessInternalW
thread_identifier: 3212
thread_handle: 0x00000434
process_identifier: 3208
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\Documents\MSDCSC\msdcsc.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000440
inherit_handles: 0
success 1 0
1620759749.283125
CreateProcessInternalW
thread_identifier: 2740
thread_handle: 0x00000080
process_identifier: 2256
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\attrib.exe
track: 1
command_line: attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32307c24db9052003547acd8c7814a09.exe" +s +h
filepath_r: C:\Windows\system32\attrib.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1620759749.830375
CreateProcessInternalW
thread_identifier: 3092
thread_handle: 0x00000080
process_identifier: 3088
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\attrib.exe
track: 1
command_line: attrib "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp" +s +h
filepath_r: C:\Windows\system32\attrib.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1620759752.283625
NtResumeThread
thread_handle: 0x00000174
suspend_count: 1
process_identifier: 3208
success 0 0
1620759753.127625
CreateProcessInternalW
thread_identifier: 3288
thread_handle: 0x00000244
process_identifier: 3284
current_directory:
filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe
track: 1
command_line:
filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000248
inherit_handles: 0
success 1 0
1620759753.127625
NtGetContextThread
thread_handle: 0x00000244
success 0 0
1620759753.127625
NtAllocateVirtualMemory
process_identifier: 3284
region_size: 749568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000248
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620759754.158625
CreateProcessInternalW
thread_identifier: 3376
thread_handle: 0x0000025c
process_identifier: 3372
current_directory:
filepath: C:\Windows\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\explorer.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000024c
inherit_handles: 0
success 1 0
1620759754.158625
NtGetContextThread
thread_handle: 0x0000025c
failed 3221225485 0
1620759755.783625
CreateProcessInternalW
thread_identifier: 3436
thread_handle: 0x00000260
process_identifier: 3432
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000268
inherit_handles: 0
success 1 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: kernel32.dll
process_handle: 0x00000268
base_address: 0x000b0000
success 1 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: user32.dll
process_handle: 0x00000268
base_address: 0x000c0000
success 1 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000d0000
success 0 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: Sleep
process_handle: 0x00000268
base_address: 0x000d0000
success 1 0
1620759755.783625
NtAllocateVirtualMemory
process_identifier: 3432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000e0000
success 0 0
1620759755.783625
WriteProcessMemory
process_identifier: 3432
buffer: MessageBoxA
process_handle: 0x00000268
base_address: 0x000e0000
success 1 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2012-06-07 23:59:53

Imports

Library KERNEL32.DLL:
0x4b6bd0 LoadLibraryA
0x4b6bd4 GetProcAddress
0x4b6bd8 VirtualProtect
0x4b6bdc VirtualAlloc
0x4b6be0 VirtualFree
0x4b6be4 ExitProcess
Library advapi32.dll:
0x4b6bec IsValidSid
Library AVICAP32.DLL:
Library comctl32.dll:
0x4b6bfc ImageList_Add
Library gdi32.dll:
0x4b6c04 SaveDC
Library gdiplus.dll:
0x4b6c0c GdipFree
Library msacm32.dll:
0x4b6c14 acmStreamSize
Library netapi32.dll:
0x4b6c1c Netbios
Library ntdll:
Library ntdll.dll:
Library ole32.dll:
0x4b6c34 IsEqualGUID
Library oleaut32.dll:
0x4b6c3c VariantCopy
Library shell32.dll:
0x4b6c44 ShellExecuteA
Library SHFolder.dll:
0x4b6c4c SHGetFolderPathA
Library URLMON.DLL:
0x4b6c54 URLDownloadToFileA
Library user32.dll:
0x4b6c5c GetDC
Library version.dll:
0x4b6c64 VerQueryValueA
Library wininet.dll:
0x4b6c6c FtpPutFileA
Library winmm.dll:
0x4b6c74 waveInOpen
Library WS2_32.DLL:
0x4b6c7c WSAIoctl

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.