SmartHawk

9.0

极危

57 个模型检测该样本为恶意！

重新分析

下载样本

f2d4d71e0c90480972ec179890819443f837f627fcf45d3ea214e05297842958

32c7f1b3178bd5f92f2bc754876adaff.exe

分析耗时

80s

最近分析

文件大小

831.0KB

静态报毒动态报毒 AGENTTESLA AI SCORE=88 AVSARHER BSK66A CLOUD CONFIDENCE DOWNLOADER34 FAMC FAREIT GDSDA GENERICKDZ GENKRYPTIK HIGH CONFIDENCE HTFSWH HWMA238A JXSS KCLOUD KMOQA KRYPTIK LKDZ MALICIOUS PE MALWARE@#6TTSJKOJCVZW PWSX QKEN R348928 SAVE SCORE STATIC AI SUSGEN TASKUN TSCOPE UNSAFE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FYV!32C7F1B3178B	20210226	6.0.6.653
Alibaba	Trojan:MSIL/AgentTesla.d8e49d37	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_90% (W)	20210203	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20210226	21.1.5827.0
Tencent	Msil.Trojan.Taskun.Lkdz	20210226	1.0.0.1
Kingsoft	Win32.Troj.Undef.(kcloud)	20210226	2017.9.26.565

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619373390.059999 GetComputerNameW	computer_name: OSKAR-PC	success	1	0
1619373391.638999 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (7 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345037.653176 IsDebuggerPresent		failed	0	0
1619345037.653176 IsDebuggerPresent		failed	0	0
1619345086.668176 IsDebuggerPresent		failed	0	0
1619345087.168176 IsDebuggerPresent		failed	0	0
1619345087.684176 IsDebuggerPresent		failed	0	0
1619373377.622999 IsDebuggerPresent		failed	0	0
1619373377.622999 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345037.684176 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 169 个事件)

Time & API	Arguments	Status	Return
1619345036.872176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00a10000	success	0
1619345036.872176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba0000	success	0
1619345037.247176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x008d0000	success	0
1619345037.247176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c0000	success	0
1619345037.356176 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619345037.653176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x004c0000	success	0
1619345037.653176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004f0000	success	0
1619345037.653176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046a000	success	0
1619345037.653176 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619345037.653176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00462000	success	0
1619345037.793176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00472000	success	0
1619345037.918176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00495000	success	0
1619345037.934176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0049b000	success	0
1619345037.934176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00497000	success	0
1619345038.137176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00473000	success	0
1619345038.215176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047c000	success	0
1619345038.684176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00474000	success	0
1619345038.700176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00476000	success	0
1619345038.793176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00690000	success	0
1619345038.903176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048a000	success	0
1619345038.903176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00487000	success	0
1619345039.137176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00477000	success	0
1619345039.137176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00478000	success	0
1619345039.559176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00479000	success	0
1619345039.684176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00740000	success	0
1619345039.684176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047a000	success	0
1619345039.762176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00970000	success	0
1619345039.825176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00691000	success	0
1619345039.856176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00486000	success	0
1619345039.887176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00971000	success	0
1619345039.934176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00692000	success	0
1619345039.950176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00972000	success	0
1619345039.981176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00693000	success	0
1619345039.997176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00695000	success	0
1619345040.012176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00696000	success	0
1619345073.168176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00698000	success	0
1619345073.325176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046c000	success	0
1619345073.418176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00973000	success	0
1619345073.434176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047d000	success	0
1619345073.434176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00699000	success	0
1619345073.528176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00974000	success	0
1619345073.528176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0069a000	success	0
1619345073.528176 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 619008 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x057c0400	failed	3221225550
1619345086.247176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0069b000	success	0
1619345086.293176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0069c000	success	0
1619345086.309176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0069d000	success	0
1619345086.356176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0069e000	success	0
1619345086.356176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0069f000	success	0
1619345086.481176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00975000	success	0
1619345086.512176 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04f20000	success	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.946073393696683

section

{'size_of_data': '0x000cf200', 'virtual_address': '0x00002000', 'entropy': 7.946073393696683, 'name': '.text', 'virtual_size': '0x000cf02c'}

description

A section with a high entropy has been found

entropy

0.9975918121613486

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345073.528176 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619373389.794999 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (4 个事件)

Time & API	Arguments	Status
1619345087.231176 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2288 process_handle: 0x0000dce4	failed
1619345087.231176 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2288 process_handle: 0x0000dce4	success
1619345087.559176 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3036 process_handle: 0x000033e4	failed
1619345087.559176 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3036 process_handle: 0x000033e4	success

Communicates with host for which no DNS query was performed (2 个事件)

host	113.108.239.196
host	172.217.24.14

Allocates execute permission to another process indicative of possible code injection (3 个事件)

Time & API	Arguments	Status	Return
1619345086.934176 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002148 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345087.340176 NtAllocateVirtualMemory	process_identifier: 3036 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00003508 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345087.653176 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000092d0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0

Manipulates memory of a non-child process indicative of process injection (4 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 284 manipulating memory of non-child process 2288
Process injection	Process 284 manipulating memory of non-child process 3036
1619345086.934176 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002148 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619345087.340176 NtAllocateVirtualMemory	process_identifier: 3036 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00003508 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619345087.653176 WriteProcessMemory	process_identifier: 1244 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELeå>_àð @ `@PK @ H.text¤ï ð `.rsrc ò@@.reloc@ö@B process_handle: 0x000092d0 base_address: 0x00400000	success	1
1619345087.668176 WriteProcessMemory	process_identifier: 1244 buffer: 0HX ¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameocekDOzvfzKuQOmfCPJRFmsAQwGFYzrcITdh.exe(LegalCopyright \|)OriginalFilenameocekDOzvfzKuQOmfCPJRFmsAQwGFYzrcITdh.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000092d0 base_address: 0x00462000	success	1
1619345087.668176 WriteProcessMemory	process_identifier: 1244 buffer: ? process_handle: 0x000092d0 base_address: 0x00464000	success	1
1619345087.668176 WriteProcessMemory	process_identifier: 1244 buffer: @ process_handle: 0x000092d0 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345087.653176 WriteProcessMemory	process_identifier: 1244 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELeå>_àð @ `@PK @ H.text¤ï ð `.rsrc ò@@.reloc@ö@B process_handle: 0x000092d0 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 284 called NtSetContextThread to modify thread in remote process 1244
1619345087.668176 NtSetContextThread	thread_handle: 0x000033e4 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4591518 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1244	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 284 resumed a thread in remote process 1244
1619345087.950176 NtResumeThread	thread_handle: 0x000033e4 suspend_count: 1 process_identifier: 1244	success	0	0

Executed a process and injected code into it, probably while unpacking (26 个事件)

Time & API	Arguments	Status	Return
1619345037.653176 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 284	success	0
1619345037.668176 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 284	success	0
1619345037.793176 NtResumeThread	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 284	success	0
1619345086.653176 NtResumeThread	thread_handle: 0x00000bf0 suspend_count: 1 process_identifier: 284	success	0
1619345086.668176 NtResumeThread	thread_handle: 0x00010eac suspend_count: 1 process_identifier: 284	success	0
1619345086.934176 CreateProcessInternalW	thread_identifier: 2636 thread_handle: 0x0000e8e4 process_identifier: 2288 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32c7f1b3178bd5f92f2bc754876adaff.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32c7f1b3178bd5f92f2bc754876adaff.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00002148 inherit_handles: 0	success	1
1619345086.934176 NtGetContextThread	thread_handle: 0x0000e8e4	success	0
1619345086.934176 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002148 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345087.340176 CreateProcessInternalW	thread_identifier: 2496 thread_handle: 0x0000dce4 process_identifier: 3036 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32c7f1b3178bd5f92f2bc754876adaff.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32c7f1b3178bd5f92f2bc754876adaff.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00003508 inherit_handles: 0	success	1
1619345087.340176 NtGetContextThread	thread_handle: 0x0000dce4	success	0
1619345087.340176 NtAllocateVirtualMemory	process_identifier: 3036 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00003508 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345087.653176 CreateProcessInternalW	thread_identifier: 2168 thread_handle: 0x000033e4 process_identifier: 1244 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32c7f1b3178bd5f92f2bc754876adaff.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\32c7f1b3178bd5f92f2bc754876adaff.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000092d0 inherit_handles: 0	success	1
1619345087.653176 NtGetContextThread	thread_handle: 0x000033e4	success	0
1619345087.653176 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000092d0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619345087.653176 WriteProcessMemory	process_identifier: 1244 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELeå>_àð @ `@PK @ H.text¤ï ð `.rsrc ò@@.reloc@ö@B process_handle: 0x000092d0 base_address: 0x00400000	success	1
1619345087.653176 WriteProcessMemory	process_identifier: 1244 buffer: process_handle: 0x000092d0 base_address: 0x00402000	success	1
1619345087.668176 WriteProcessMemory	process_identifier: 1244 buffer: 0HX ¼¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameocekDOzvfzKuQOmfCPJRFmsAQwGFYzrcITdh.exe(LegalCopyright \|)OriginalFilenameocekDOzvfzKuQOmfCPJRFmsAQwGFYzrcITdh.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000092d0 base_address: 0x00462000	success	1
1619345087.668176 WriteProcessMemory	process_identifier: 1244 buffer: ? process_handle: 0x000092d0 base_address: 0x00464000	success	1
1619345087.668176 WriteProcessMemory	process_identifier: 1244 buffer: @ process_handle: 0x000092d0 base_address: 0x7efde008	success	1
1619345087.668176 NtSetContextThread	thread_handle: 0x000033e4 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4591518 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1244	success	0
1619345087.950176 NtResumeThread	thread_handle: 0x000033e4 suspend_count: 1 process_identifier: 1244	success	0
1619373377.622999 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1244	success	0
1619373377.622999 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 1244	success	0
1619373377.669999 NtResumeThread	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 1244	success	0
1619373391.231999 NtResumeThread	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 1244	success	0
1619373391.325999 NtResumeThread	thread_handle: 0x00000310 suspend_count: 1 process_identifier: 1244	success	0

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69680
FireEye	Generic.mg.32c7f1b3178bd5f9
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FYV!32C7F1B3178B
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2400197
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056d2f31 )
Alibaba	Trojan:MSIL/AgentTesla.d8e49d37
K7GW	Trojan ( 0056d2f31 )
CrowdStrike	win/malicious_confidence_90% (W)
Cyren	W32/Trojan.JXSS-5795
Symantec	Trojan Horse
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.GenericKDZ.69680
NANO-Antivirus	Trojan.Win32.Taskun.htfswh
Paloalto	generic.ml
Tencent	Msil.Trojan.Taskun.Lkdz
Ad-Aware	Trojan.GenericKDZ.69680
Emsisoft	Trojan.Crypt (A)
Comodo	Malware@#6ttsjkojcvzw
F-Secure	Trojan.TR/Kryptik.kmoqa
DrWeb	Trojan.DownLoader34.28070
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
Jiangmin	Trojan.MSIL.qken
eGambit	Unsafe.AI_Score_94%
Avira	TR/Kryptik.kmoqa
Antiy-AVL	Trojan/MSIL.Taskun
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:MSIL/AgentTesla.MA!MTB
Gridinsoft	Trojan.Win32.Kryptik.oa
Arcabit	Trojan.Generic.D11030
AegisLab	Trojan.MSIL.Taskun.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
GData	Trojan.GenericKDZ.69680
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.MSIL.R348928
VBA32	TScope.Trojan.MSIL
ALYac	Spyware.AgentTesla
MAX	malware (ai score=88)
Malwarebytes	Trojan.MalPack.PNG.Generic
ESET-NOD32	a variant of MSIL/Kryptik.XKX
Rising	Trojan.Kryptik!8.8 (CLOUD)
Yandex	Trojan.AvsArher.bSK66A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-24 13:56:29

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.