Threat score: 7.2
Risk level: High

SHA256: 76821baaefc4f13de853989d71eb4797663195e80f35558a7bfdcf27ac326268

File name: 34424e8d23255122370fbbbe2764378a.exe

Analysis time: 92s
Last analyzed:
File size: 3.0MB

Static detection   Dynamic detection   Tags: BSCOPE FISI MALICIOUS MULDROP UPATRE
鹰眼引擎 (Eagle Eye engine)
Not scanned: no Eagle Eye engine result is available for this sample

Static verdict

Antivirus engines
Engine        Result   Scan date    Engine version
Alibaba       (none)   2019-05-27   0.3.0.5
Baidu         (none)   2019-03-18   1.0.0.2
Avast         (none)   2020-07-07   18.4.3895.0
Kingsoft      (none)   2020-07-07   2013.8.14.323
McAfee        (none)   2020-07-07   6.0.6.653
Tencent       (none)   2020-07-07   1.0.0.1
CrowdStrike   (none)   2019-07-02   1.0

Static indicators
Queries for the computer name (3 events)
Time & API Arguments Status Return Repeated
1620735290.136625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620735324.136625
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620735324.136625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (3 events)
Time & API Arguments Status Return Repeated
1620726218.760662
IsDebuggerPresent
failed 0 0
1620726218.760662
IsDebuggerPresent
failed 0 0
1620735287.949625
IsDebuggerPresent
failed 0 0
Uses Windows APIs to generate a cryptographic key (12 events)
Time & API Arguments Status Return Repeated
1620726220.401662
CryptExportKey
crypto_handle: 0x0068f9f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726220.432662
CryptExportKey
crypto_handle: 0x0068f9f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726220.760662
CryptExportKey
crypto_handle: 0x0067c348
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726220.760662
CryptExportKey
crypto_handle: 0x0067c348
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726220.776662
CryptExportKey
crypto_handle: 0x0067c288
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726220.807662
CryptExportKey
crypto_handle: 0x0067c288
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726220.807662
CryptExportKey
crypto_handle: 0x0067c288
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726220.807662
CryptExportKey
crypto_handle: 0x0067c208
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726221.213662
CryptExportKey
crypto_handle: 0x0067c208
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726221.245662
CryptExportKey
crypto_handle: 0x0067c308
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726221.245662
CryptExportKey
crypto_handle: 0x0067c308
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620726221.245662
CryptExportKey
crypto_handle: 0x0067c088
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
This executable is signed
This executable has a PDB path (1 event)
pdb_path C:\Users\jmorgan\Source\ScreenConnectWork\Custom\DotNetRunner\Release\DotNetRunner.pdb
Checks the amount of memory in the system, which can be used to detect virtual machines with a small amount of memory (1 event)
Time & API Arguments Status Return Repeated
1620726218.791662
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name, possibly indicative of a packer (1 event)
resource name FILES
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1620735324.105625
__exception__
stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c9374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7682f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75ca414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x7682c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x767298ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x7672b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x7672b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x7672b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x7672a66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x76705d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x76705ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x76705d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x76738f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x76738ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x7672bac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x767388e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x752f5180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x73d91bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 72283108
registers.edi: 1987312144
registers.eax: 72283108
registers.ebp: 72283188
registers.edx: 1
registers.ebx: 4445452
registers.esi: 2147944117
registers.ecx: 351698545
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706b5
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
Behavioral verdict
Dynamic indicators
Resolves a suspicious Top Level Domain (TLD) (1 event)
domain remote.joki-joya.ru description Russian Federation domain TLD
Allocates read-write-execute memory (usually to unpack itself) (showing 50 of 94 events)
Time & API Arguments Status Return Repeated
1620726217.823662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00370000
success 0 0
1620726217.823662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003a0000
success 0 0
1620726218.182662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02550000
success 0 0
1620726218.182662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02720000
success 0 0
1620726218.416662
NtProtectVirtualMemory
process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1620726218.760662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02550000
success 0 0
1620726218.760662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026a0000
success 0 0
1620726218.760662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ea000
success 0 0
1620726218.760662
NtProtectVirtualMemory
process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1620726218.760662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e2000
success 0 0
1620726219.166662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f2000
success 0 0
1620726219.291662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00415000
success 0 0
1620726219.291662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041b000
success 0 0
1620726219.291662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00417000
success 0 0
1620726219.588662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02721000
success 0 0
1620726219.651662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02722000
success 0 0
1620726219.948662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ec000
success 0 0
1620726220.010662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f3000
success 0 0
1620726220.057662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02723000
success 0 0
1620726220.260662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fc000
success 0 0
1620726220.260662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02724000
success 0 0
1620726220.260662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02725000
success 0 0
1620726220.260662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02726000
success 0 0
1620726220.370662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00780000
success 0 0
1620726220.620662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f4000
success 0 0
1620726220.745662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f5000
success 0 0
1620726220.760662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f6000
success 0 0
1620726220.760662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f7000
success 0 0
1620726220.807662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f8000
success 0 0
1620726220.823662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e3000
success 0 0
1620726220.854662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f9000
success 0 0
1620726220.854662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00960000
success 0 0
1620726220.870662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00406000
success 0 0
1620726221.073662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040a000
success 0 0
1620726221.073662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00407000
success 0 0
1620726221.104662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00961000
success 0 0
1620726221.104662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00781000
success 0 0
1620726221.120662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00962000
success 0 0
1620726221.120662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fd000
success 0 0
1620726221.120662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00963000
success 0 0
1620726221.166662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00782000
success 0 0
1620726221.182662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00964000
success 0 0
1620726221.182662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00965000
success 0 0
1620726221.198662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00966000
success 0 0
1620726221.198662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00783000
success 0 0
1620726221.213662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00967000
success 0 0
1620726221.245662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00968000
success 0 0
1620726221.260662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fa000
success 0 0
1620726221.276662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00969000
success 0 0
1620726221.370662
NtAllocateVirtualMemory
process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fe000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size, which can be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (4 events)
Time & API Arguments Status Return Repeated
1620735288.855625
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19578109952
total_number_of_free_bytes: 19578109952
total_number_of_bytes: 34252779520
success 1 0
1620735288.855625
GetDiskFreeSpaceW
root_path: C:\
sectors_per_cluster: 8
number_of_free_clusters: 4779796
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620735292.574625
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19418853376
total_number_of_free_bytes: 19418853376
total_number_of_bytes: 34252779520
success 1 0
1620735292.574625
GetDiskFreeSpaceW
root_path: C:\
sectors_per_cluster: 8
number_of_free_clusters: 4740931
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\setup.msi
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\MSI7440.tmp
File has been identified by 3 antivirus engines on VirusTotal as malicious (3 events)
APEX Malicious
Jiangmin Trojan.MSIL.fisi
VBA32 BScope.Trojan.Muldrop
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.2404764698641975   section .rsrc (virtual_address 0x00012000, virtual_size 0x002e0e7c, size_of_data 0x002e1000)   description: A section with a high entropy has been found
entropy 0.9777777777777777   description: Overall entropy of this PE file is high
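The two entropy lines above come from the sandbox's packer heuristic, and they measure different things. The first is the Shannon entropy of the .rsrc section in bits per byte (8.0 is the maximum); at 0x2e1000 bytes that section is essentially the whole 3.0MB file. The second value, 0.9777, matches 0x2e1000 bytes divided by the file size, i.e. the fraction of section bytes that live in high-entropy sections, not an entropy. The script below is an added example, not the sandbox's code: it walks the PE section table with struct, computes both figures, and flags sections above an assumed 6.8 bits/byte threshold. Without an argument it analyses a constructed two-section PE built inline (a repetitive .text and a random .rsrc); pass a file path to run it on a real binary.

```python
"""Per-section entropy check for a PE file (added example, not the sandbox's code)."""
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY = 6.8  # assumed threshold, bits/byte; packed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Walk the PE section table and yield (name, raw_bytes, virtual_address, virtual_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                 # first IMAGE_SECTION_HEADER, 40 bytes each
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, pe[raw_ptr:raw_ptr + raw_size], vaddr, vsize


def packer_indicators(pe: bytes):
    """Return ([{name, entropy, size, virtual_address, high}], share of bytes in high-entropy sections)."""
    findings, total, high_bytes = [], 0, 0
    for name, raw, vaddr, vsize in pe_sections(pe):
        ent = shannon_entropy(raw)
        total += len(raw)
        if ent > HIGH_ENTROPY:
            high_bytes += len(raw)
        findings.append({"name": name, "entropy": ent, "size": len(raw),
                         "virtual_address": vaddr, "high": ent > HIGH_ENTROPY})
    return findings, (high_bytes / total if total else 0.0)


def build_test_pe(sections):
    """Constructed minimal PE32 image for offline testing (NOT the analysed sample)."""
    n, opt_size, align = len(sections), 0xE0, 0x200
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * n) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")         # PE32 magic, rest zero
    table, body, raw_ptr, vaddr = b"", b"", hdr_len, 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-len(data) // 0x1000) * 0x1000
    return (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body


def sample_pe() -> bytes:
    """Constructed input: a low-entropy .text and a random (high-entropy) .rsrc."""
    rng = random.Random(1)
    text = b"\x55\x8b\xec\x90" * 1024                              # 4 symbols -> 2.0 bits/byte
    rsrc = bytes(rng.getrandbits(8) for _ in range(65536))
    return build_test_pe([(".text", text), (".rsrc", rsrc)])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pe()
    findings, ratio = packer_indicators(data)
    for f in findings:
        flag = "HIGH" if f["high"] else "ok"
        print(f"{f['name']:<8} va=0x{f['virtual_address']:08x} size=0x{f['size']:08x} "
              f"entropy={f['entropy']:.3f} {flag}")
    print(f"share of bytes in high-entropy sections: {ratio:.4f}")
```

On this sample the reading has to be weighed against the rest of the static report: the binary is signed, carries a DotNetRunner.pdb path, imports only CorBindToRuntimeEx from mscoree.dll plus the resource-loading APIs (FindResourceW, LoadResource, LockResource, SizeofResource), and has a resource named FILES. A .NET host stub that unpacks an embedded compressed payload from a resource produces exactly this high-entropy .rsrc, so the entropy alone does not separate a commercial installer from a packer; what matters is what gets written out, which the dynamic section shows (setup.msi and ScreenConnect.WindowsInstaller.exe).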
Checks for the Locally Unique Identifier of a suspicious privilege on the system (17 events)
Time & API Arguments Status Return Repeated
1620726220.979662
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620735288.480625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620735289.292625
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1620735289.292625
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1620735289.292625
LookupPrivilegeValueW
system_name:
privilege_name: SeMachineAccountPrivilege
success 1 0
1620735289.292625
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1620735289.292625
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620735289.292625
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
1620735289.292625
LookupPrivilegeValueW
system_name:
privilege_name: SeLoadDriverPrivilege
success 1 0
1620735289.308625
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1620735289.308625
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620735289.308625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620735289.308625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620735289.308625
LookupPrivilegeValueW
system_name:
privilege_name: SeRemoteShutdownPrivilege
success 1 0
1620735289.324625
LookupPrivilegeValueW
system_name:
privilege_name: SeEnableDelegationPrivilege
success 1 0
1620735289.324625
LookupPrivilegeValueW
system_name:
privilege_name: SeManageVolumePrivilege
success 1 0
1620735289.324625
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateGlobalPrivilege
success 1 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates known Upatre files, registry keys and/or mutexes (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ScreenConnect.WindowsInstaller\ScreenConnect.WindowsInstaller.exe
Generates some ICMP traffic
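Three of the dynamic signatures above (RWX memory, privilege LUID lookups, and the host contacted without a DNS query) are simple rules over the call log, and replaying them shows what the raw rows actually support. In the RWX rows, PAGE_EXECUTE_READWRITE reservations of 458752 bytes at 0x00370000 and 2162688 bytes at 0x02550000 are followed by 4096-byte commits inside those ranges (0x003a0000, 0x02720000 through 0x02726000), while the two NtProtectVirtualMemory calls change the protection of existing pages at 0x73e71000 and 0x73e72000; those are different behaviours and a detector should keep them apart. The privilege rows hold one isolated SeDebugPrivilege lookup at 1620726220.979 and then sixteen lookups of different privileges between 1620735289.292 and 1620735289.324, about 30 ms wide and roughly 2.5 hours later on the log's clock, which reads as one routine enumerating a fixed list rather than a targeted query. The code below is an added example, not the sandbox's signature code: the event records are constructed to match the rows above (the privilege burst is shortened to ten names), the suspicious-privilege list is an assumption, and the DNS answer for remote.joki-joya.ru is inferred from the TCP table because the report prints no DNS table.

```python
"""Replay of three sandbox signatures over API-call and network records (added example)."""
import ipaddress
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
# Assumed list: privileges a normal user-mode program rarely needs to look up.
SUSPICIOUS_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
                         "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege",
                         "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}


def rwx_regions(events):
    """RWX memory in two shapes: MEM_COMMITs landing inside an earlier RWX MEM_RESERVE of the
    same process (reserve-then-commit, the unpacker pattern) and protection flips on existing pages."""
    reserved = []                    # (pid, lo, hi)
    commits = defaultdict(list)      # (pid, reserve_base) -> [commit bases]
    protects = []                    # (pid, base, length)
    for ev in events:
        a = ev["args"]
        if a.get("protection") != PAGE_EXECUTE_READWRITE:
            continue
        if ev["api"] == "NtAllocateVirtualMemory":
            base, size, kind = a["base_address"], a["region_size"], a["allocation_type"]
            if kind & MEM_RESERVE:
                reserved.append((ev["pid"], base, base + size))
            if kind & MEM_COMMIT:
                for pid, lo, hi in reserved:
                    if pid == ev["pid"] and lo <= base < hi:
                        commits[(pid, lo)].append(base)
                        break
        elif ev["api"] == "NtProtectVirtualMemory":
            protects.append((ev["pid"], a["base_address"], a["length"]))
    return dict(commits), protects


def privilege_lookups(events, burst_window=0.5):
    """Group LookupPrivilegeValueW calls into bursts (gap < burst_window seconds); a lone
    SeDebugPrivilege lookup and a burst of many names within milliseconds are different behaviours."""
    calls = sorted((ev["time"], ev["args"]["privilege_name"])
                   for ev in events if ev["api"] == "LookupPrivilegeValueW")
    bursts, current = [], []
    for t, name in calls:
        if current and t - current[-1][0] > burst_window:
            bursts.append(current)
            current = []
        current.append((t, name))
    if current:
        bursts.append(current)
    return [{"start": b[0][0], "names": [n for _, n in b],
             "suspicious": sorted({n for _, n in b} & SUSPICIOUS_PRIVILEGES)} for b in bursts]


def hosts_without_dns(dns_answers, tcp_flows):
    """Globally routable destinations reached although no DNS answer returned their address."""
    resolved = {ip for ans in dns_answers for ip in ans["answers"]}
    flagged = []
    for flow in tcp_flows:
        dst = flow["dst"]
        if ipaddress.ip_address(dst).is_global and dst not in resolved and dst not in flagged:
            flagged.append(dst)
    return flagged


def sample_events():
    """Constructed records shaped like the report rows (pid 2560 and the addresses come from
    the report; the privilege burst is shortened to ten names, timestamps 4 ms apart)."""
    def alloc(t, base, size, kind):
        return {"time": t, "pid": 2560, "api": "NtAllocateVirtualMemory",
                "args": {"base_address": base, "region_size": size,
                         "allocation_type": kind, "protection": PAGE_EXECUTE_READWRITE}}

    def priv(t, name):
        return {"time": t, "pid": 2560, "api": "LookupPrivilegeValueW",
                "args": {"privilege_name": name}}
    burst = ["SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
             "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege"]
    return [
        alloc(1620726217.823662, 0x00370000, 458752, MEM_RESERVE),
        alloc(1620726217.823662, 0x003A0000, 4096, MEM_COMMIT),
        alloc(1620726218.182662, 0x02550000, 2162688, MEM_RESERVE),
        alloc(1620726218.182662, 0x02720000, 4096, MEM_COMMIT),
        {"time": 1620726218.416662, "pid": 2560, "api": "NtProtectVirtualMemory",
         "args": {"base_address": 0x73E71000, "length": 4096, "protection": PAGE_EXECUTE_READWRITE}},
        alloc(1620726219.588662, 0x02721000, 4096, MEM_COMMIT),
        priv(1620726220.979662, "SeDebugPrivilege"),
    ] + [priv(1620735289.292625 + 0.004 * i, n) for i, n in enumerate(burst)]


# Constructed network records: the DNS answer is inferred from the TCP table, which shows
# 82.148.22.130 as remote.joki-joya.ru; the report itself prints no DNS table.
SAMPLE_DNS = [{"query": "remote.joki-joya.ru", "answers": ["82.148.22.130"]}]
SAMPLE_FLOWS = [{"src": "192.168.56.101", "dst": "82.148.22.130"},
                {"src": "192.168.56.101", "dst": "172.217.24.14"},
                {"src": "192.168.56.101", "dst": "192.168.56.255"}]

if __name__ == "__main__":
    commits, protects = rwx_regions(sample_events())
    print("RWX reserve->commit:", {hex(lo): [hex(b) for b in v] for (_, lo), v in commits.items()})
    print("RWX protection flips:", [(pid, hex(b), n) for pid, b, n in protects])
    print("privilege bursts:", [(len(b["names"]), b["suspicious"])
                                for b in privilege_lookups(sample_events())])
    print("contacted without a DNS answer:", hosts_without_dns(SAMPLE_DNS, SAMPLE_FLOWS))
```

hosts_without_dns only considers globally routable destinations, so the NetBIOS broadcasts (137/138), LLMNR (224.0.0.252:5355), SSDP (239.255.255.250:1900) and WS-Discovery (3702) rows in the UDP table drop out as Windows background noise and 172.217.24.14 is left as the one destination worth checking. Signature names are heuristics: the "Creates known Upatre files" entry above fired on a path under ScreenConnect.WindowsInstaller, so read the evidence line of each signature rather than its name.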
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: none were captured while the sample ran

PE Compile Time

2015-03-06 00:36:46

Imports

Library mscoree.dll:
0x409130 CorBindToRuntimeEx
Library KERNEL32.dll:
0x409004 CreateFileW
0x409008 FindResourceW
0x40900c LoadResource
0x409010 LoadLibraryW
0x409014 SizeofResource
0x409018 GetProcAddress
0x40901c LockResource
0x409020 CloseHandle
0x409024 WriteConsoleW
0x409028 SetFilePointerEx
0x40902c SetStdHandle
0x409030 GetConsoleMode
0x409034 GetConsoleCP
0x409038 FlushFileBuffers
0x40903c GetCommandLineA
0x409040 IsDebuggerPresent
0x409048 GetLastError
0x40904c SetLastError
0x409058 GetCurrentThreadId
0x40905c EncodePointer
0x409060 DecodePointer
0x409064 ExitProcess
0x409068 GetModuleHandleExW
0x40906c MultiByteToWideChar
0x409070 GetStdHandle
0x409074 WriteFile
0x409078 GetModuleFileNameW
0x40907c GetProcessHeap
0x409080 GetFileType
0x40908c GetStartupInfoW
0x409090 GetModuleFileNameA
0x409098 GetCurrentProcessId
0x4090a8 WideCharToMultiByte
0x4090ac RaiseException
0x4090b4 GetCurrentProcess
0x4090b8 TerminateProcess
0x4090bc TlsAlloc
0x4090c0 TlsGetValue
0x4090c4 TlsSetValue
0x4090c8 TlsFree
0x4090cc GetModuleHandleW
0x4090d8 HeapFree
0x4090dc Sleep
0x4090e0 IsValidCodePage
0x4090e4 GetACP
0x4090e8 GetOEMCP
0x4090ec GetCPInfo
0x4090f0 LoadLibraryExW
0x4090f4 OutputDebugStringW
0x4090f8 RtlUnwind
0x4090fc HeapAlloc
0x409100 HeapReAlloc
0x409104 GetStringTypeW
0x409108 HeapSize
0x40910c LCMapStringW
Library OLEAUT32.dll:
0x409118 VariantInit
0x40911c SafeArrayDestroy
0x409120 SafeArrayAccessData
0x409128 VariantClear

Hosts

No hosts contacted.

TCP

Source           Source port   Destination                            Destination port
192.168.56.101   49191         82.148.22.130 (remote.joki-joya.ru)    8041

UDP

Source           Source port   Destination        Destination port
192.168.56.101   49713         114.114.114.114    53
192.168.56.101   50002         114.114.114.114    53
192.168.56.101   53657         114.114.114.114    53
192.168.56.101   60384         114.114.114.114    53
192.168.56.101   62318         114.114.114.114    53
192.168.56.101   137           192.168.56.255     137
192.168.56.101   138           192.168.56.255     138
192.168.56.101   49235         224.0.0.252        5355
192.168.56.101   50534         224.0.0.252        5355
192.168.56.101   51808         224.0.0.252        5355
192.168.56.101   51963         224.0.0.252        5355
192.168.56.101   56804         224.0.0.252        5355
192.168.56.101   57756         224.0.0.252        5355
192.168.56.101   57874         224.0.0.252        5355
192.168.56.101   62191         224.0.0.252        5355
192.168.56.101   63429         224.0.0.252        5355
192.168.56.101   1900          239.255.255.250    1900
192.168.56.101   49238         239.255.255.250    1900
192.168.56.101   49714         239.255.255.250    3702
192.168.56.101   53658         239.255.255.250    3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.