13.0
0-day

2430553749649491779b2d34b8dd401087473adcf18c41906933bb1c16ac32a6

3491d0337e7971ddabfc49649beb15f3.exe

Analysis time

79s

Last analyzed

File size

135.0KB
Static detection / Dynamic detection 100% 5GY7+UKN+NW AI SCORE=100 AIDETECTVM ATTRIBUTE BARYS BSCOPE BUNITU CLASSIC CONFIDENCE CQAN CQFY DOWNLOADER19 DS@6B2RA7 DZVMWC GENCIRC GENETIC HIGH CONFIDENCE HIGHCONFIDENCE IQZ@AYA39XRG LHXD MALICIOUS PE MALWARE1 OBSCURE PROXY QVM07 R + MAL R06EC0PIA20 R173114 SCORE STATIC AI SUSGEN SUSN SYMMI TARANIS TORRENTLOCKER TSGENERIC UKED UNSAFE ZBOT ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Packed-GT!3491D0337E79 20201211 6.0.6.653
Alibaba Trojan:Win32/Generic.1c347775 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Avast Win32:Susn-BE [Trj] 20201210 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft 20201211 2017.9.26.565
Tencent Malware.Win32.Gencirc.114c1f16 20201211 1.0.0.1
Static indicators
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619353276.93375
IsDebuggerPresent
failed 0 0
1619353281.011
IsDebuggerPresent
failed 0 0
Command line console output was observed (2 events)
Time & API Arguments Status Return Repeated
1619353284.073625
WriteConsoleA
buffer: 确定。
console_handle: 0x00000007
success 1 0
1619353284.073374
WriteConsoleA
buffer: 确定。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619353279.48075
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section ,rsrc
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (7 events)
Time & API Arguments Status Return Repeated
1619345032.508465
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 1384448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x022b0000
success 0 0
1619345032.508465
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01dd0000
success 0 0
1619345032.524465
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 143360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e20000
success 0 0
1619345032.524465
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e50000
success 0 0
1619353280.995
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1619353281.011
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75010000
success 0 0
1619353281.089
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x750b1000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\rislisy.dll
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\rislisy.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3491d0337e7971ddabfc49649beb15f3.exe
A process created a hidden window (3 events)
Time & API Arguments Status Return Repeated
1619353280.38675
ShellExecuteExW
parameters: advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
filepath: netsh.exe
filepath_r: netsh.exe
show_type: 0
success 1 0
1619353280.62075
ShellExecuteExW
parameters: "C:\Users\Administrator.Oskar-PC\AppData\Local\rislisy.dll",rislisy C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3491d0337e7971ddabfc49649beb15f3.exe
filepath: rundll32.exe
filepath_r: rundll32.exe
show_type: 0
success 1 0
1619353281.51175
ShellExecuteExW
parameters: advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
filepath: netsh.exe
filepath_r: netsh.exe
show_type: 0
success 1 0
Expresses interest in specific running processes (1 event)
process vboxservice.exe
Uses Windows utilities for basic Windows functionality (4 events)
cmdline netsh.exe advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
cmdline "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
cmdline netsh.exe advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
cmdline "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 85.17.117.5
Allocates execute permission to another process indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1619345032.727465
NtAllocateVirtualMemory
process_identifier: 192
region_size: 16793600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619345032.727465
NtAllocateVirtualMemory
process_identifier: 192
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00300000
success 0 0
Attempts to identify installed AV products by registry key (1 event)
registry HKEY_CURRENT_USER\Software\ESET
Installs itself for autorun at Windows startup (7 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rislisy\Impersonate reg_value 1
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rislisy\Asynchronous reg_value 1
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rislisy\MaxWait reg_value 1
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rislisy\gdiweeuw reg_value É%éõ$—¤×I.
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rislisy\DllName reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\rislisy.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rislisy\Startup reg_value rislisy!v
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rislisy reg_value rundll32.exe "C:\Users\Administrator.Oskar-PC\AppData\Local\rislisy.dll",rislisy
Operates on local firewall's policies and settings (4 events)
cmdline netsh.exe advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
cmdline "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
cmdline netsh.exe advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
cmdline "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3491d0337e7971ddabfc49649beb15f3.exe
Potential code injection by writing to the memory of another process (7 events)
Time & API Arguments Status Return Repeated
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELG˜Và  |êg@¡ €¸à.text*z|
process_handle: 0x000000e0
base_address: 0x00300000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELG˜Và  |êg@¡ €¸à.text*z| `.rdataܐ€@@.dataìÆ° œ@À.rsrc¸€¨@@
process_handle: 0x000000e0
base_address: 0x00400000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer: 153.15V3hJxaTXA19EQZP13A6JTRLXCV0IMGIXS0RTA1IGBIASAARMOAIZioBi3kla¶¬çoscwwaTtartup ^GoVoIsXflccetuwriched20m.dll\system32\rundll32.exenetsh.exeSYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\Listadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program=""RPFTWARE\Micrptoft\Xjndows T\CurqentWersion\ogon\Notify\rislisy*:Enabled:rundll32Software\ESETSYSTEM\ControlSet001\Services\MBAMProtector// ::Missing first argument 'word file' Missing second argument 'source file' Missing third argument 'target file' written at bytes WRyEP ARGUyeMENTS 1. File with woreyd pairs 'this yyrythat' or 'this =refty that' 2. Source ryefile to replryuace word in 3. Target file to write results to EXerAMPLE : wrep myequate.equ mysource.asm myretsult.asm Line Number ERROR: MISSING SECOND ARGUMENT ERROR: TOO MANY ARGUMENTS ERROR: SYMBOL REDEFINITION "" riched_ClassUntitled&File&New Ctrl+N&Open Ctrl+O&Save Ctrl+SSave &As&Exit Alt+F4&Edit&Undo Ctrl+Z&Cut Ctrl+XC&opy Ctrl+C&Paste Ctrl+V&Clear Del&Copy All Ctrl+AUntitledAll files*.*All files*.*EEAZSOPfExtract error Y/NXVS YNMAIsc*.reuUddt*.*updateVbsaRowBRg;; eltivmvjsSave itNot pssble ¬LÞ~gdfgdf format i ...coppahba.otdlao.tmpok wo missadoopenrojo
process_handle: 0x000000e0
base_address: 0x0040b000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer:  €@€ЀX€â€p€ˆ€   ° Àð€p`‚2˜‚FLCCETUWOSCWWAÿÿ@ˆ€çça” ARIALPŠF Qÿÿ‚START FILES RESTORE ?PbBçÿÿ‚ÿÿӆP“ pÿÿ‚Corrupted directories found on DRiVE C:\P-l+ jÿÿ€CONFIRMPæl+ kÿÿ€CANCELÿÿ@ˆ€ ARIAL<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <assemblyIdentity name='Microsoft.Windows.MyCoolApp' processorArchitecture='x86' version='1.0.0.0' type='win32'/> <description>NTW</description> <dependency> <dependentAssembly> <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' /> </dependentAssembly> </dependency> </assembly>
process_handle: 0x000000e0
base_address: 0x00428000
success 1 0
1619345032.742465
WriteProcessMemory
process_identifier: 192
buffer: 153.15V3hJxaTXA19EQZP13A6JTRLXCV0IMGIXS0RTA1IGBIASAARMOAIZioBi3kla¶¬çoscwwaTtartup ^GoVoIsXflccetuwriched20m.dll\system32\rundll32.exenetsh.exeSYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\Listadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program=""RPFTWARE\Micrptoft\Xjndows T\CurqentWersion\ogon\Notify\rislisy*:Enabled:rundll32Software\ESETSYSTEM\ControlSet001\Services\MBAMProtector// ::Missing first argument 'word file' Missing second argument 'source file' Missing third argument 'target file' written at bytes WRyEP ARGUyeMENTS 1. File with woreyd pairs 'this yyrythat' or 'this =refty that' 2. Source ryefile to replryuace word in 3. Target file to write results to EXerAMPLE : wrep myequate.equ mysource.asm myretsult.asm Line Number ERROR: MISSING SECOND ARGUMENT ERROR: TOO MANY ARGUMENTS ERROR: SYMBOL REDEFINITION "" riched_ClassUntitled&File&New Ctrl+N&Open Ctrl+O&Save Ctrl+SSave &As&Exit Alt+F4&Edit&Undo Ctrl+Z&Cut Ctrl+XC&opy Ctrl+C&Paste Ctrl+V&Clear Del&Copy All Ctrl+AUntitledAll files*.*All files*.*EEAZSOPfExtract error Y/NXVS YNMAIsc*.reuUddt*.*updateVbsaRowBRg;; eltivmvjsSave itNot pssble ¬LÞ~gdfgdf format i ...coppahba.otdlao.tmpok wo missadoopenrojo
process_handle: 0x000000e0
base_address: 0x00433600
success 1 0
1619345032.742465
WriteProcessMemory
process_identifier: 192
buffer:  €@€ЀX€â€p€ˆ€   ° Àð€p`‚2˜‚FLCCETUWOSCWWAÿÿ@ˆ€çça” ARIALPŠF Qÿÿ‚START FILES RESTORE ?PbBçÿÿ‚ÿÿӆP“ pÿÿ‚Corrupted directories found on DRiVE C:\P-l+ jÿÿ€CONFIRMPæl+ kÿÿ€CANCELÿÿ@ˆ€ ARIAL<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <assemblyIdentity name='Microsoft.Windows.MyCoolApp' processorArchitecture='x86' version='1.0.0.0' type='win32'/> <description>NTW</description> <dependency> <dependentAssembly> <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' /> </dependentAssembly> </dependency> </assembly>
process_handle: 0x000000e0
base_address: 0x00450600
success 1 0
1619345032.742465
WriteProcessMemory
process_identifier: 192
buffer: @
process_handle: 0x000000e0
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELG˜Và  |êg@¡ €¸à.text*z|
process_handle: 0x000000e0
base_address: 0x00300000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELG˜Và  |êg@¡ €¸à.text*z| `.rdataܐ€@@.dataìÆ° œ@À.rsrc¸€¨@@
process_handle: 0x000000e0
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2316 called NtSetContextThread to modify thread in remote process 192
Time & API Arguments Status Return Repeated
1619345032.742465
NtSetContextThread
thread_handle: 0x000000d4
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4201319
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 192
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)
Process injection Process 2316 resumed a thread in remote process 192
Process injection Process 192 resumed a thread in remote process 884
Process injection Process 192 resumed a thread in remote process 2860
Process injection Process 192 resumed a thread in remote process 2764
Time & API Arguments Status Return Repeated
1619345033.461465
NtResumeThread
thread_handle: 0x000000d4
suspend_count: 1
process_identifier: 192
success 0 0
1619353280.37075
NtResumeThread
thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 884
success 0 0
1619353280.62075
NtResumeThread
thread_handle: 0x00000268
suspend_count: 1
process_identifier: 2860
success 0 0
1619353281.49575
NtResumeThread
thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 2764
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 85.17.117.5:53
Executed a process and injected code into it, probably while unpacking (31 events)
Time & API Arguments Status Return Repeated
1619345032.727465
CreateProcessInternalW
thread_identifier: 2340
thread_handle: 0x000000d4
process_identifier: 192
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3491d0337e7971ddabfc49649beb15f3.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000e0
inherit_handles: 0
success 1 0
1619345032.727465
NtGetContextThread
thread_handle: 0x000000d4
success 0 0
1619345032.727465
NtUnmapViewOfSection
process_identifier: 192
region_size: 214466560
process_handle: 0x000000e0
base_address: 0x6aec8b55
failed 3221225497 0
1619345032.727465
NtUnmapViewOfSection
process_identifier: 192
region_size: 214466560
process_handle: 0x000000e0
base_address: 0x6aec8b55
failed 3221225497 0
1619345032.727465
NtUnmapViewOfSection
process_identifier: 192
region_size: 214466560
process_handle: 0x000000e0
base_address: 0x6aec8b55
failed 3221225497 0
1619345032.727465
NtUnmapViewOfSection
process_identifier: 192
region_size: 4096
process_handle: 0x000000e0
base_address: 0x00400000
success 0 0
1619345032.727465
NtUnmapViewOfSection
process_identifier: 192
region_size: 2004156416
process_handle: 0x000000e0
base_address: 0x00400000
failed 3221225497 0
1619345032.727465
NtAllocateVirtualMemory
process_identifier: 192
region_size: 16793600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619345032.727465
NtAllocateVirtualMemory
process_identifier: 192
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00300000
success 0 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELG˜Và  |êg@¡ €¸à.text*z|
process_handle: 0x000000e0
base_address: 0x00300000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELG˜Và  |êg@¡ €¸à.text*z| `.rdataܐ€@@.dataìÆ° œ@À.rsrc¸€¨@@
process_handle: 0x000000e0
base_address: 0x00400000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer:
process_handle: 0x000000e0
base_address: 0x00401000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer:
process_handle: 0x000000e0
base_address: 0x00409000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer: 153.15V3hJxaTXA19EQZP13A6JTRLXCV0IMGIXS0RTA1IGBIASAARMOAIZioBi3kla¶¬çoscwwaTtartup ^GoVoIsXflccetuwriched20m.dll\system32\rundll32.exenetsh.exeSYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\Listadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program=""RPFTWARE\Micrptoft\Xjndows T\CurqentWersion\ogon\Notify\rislisy*:Enabled:rundll32Software\ESETSYSTEM\ControlSet001\Services\MBAMProtector// ::Missing first argument 'word file' Missing second argument 'source file' Missing third argument 'target file' written at bytes WRyEP ARGUyeMENTS 1. File with woreyd pairs 'this yyrythat' or 'this =refty that' 2. Source ryefile to replryuace word in 3. Target file to write results to EXerAMPLE : wrep myequate.equ mysource.asm myretsult.asm Line Number ERROR: MISSING SECOND ARGUMENT ERROR: TOO MANY ARGUMENTS ERROR: SYMBOL REDEFINITION "" riched_ClassUntitled&File&New Ctrl+N&Open Ctrl+O&Save Ctrl+SSave &As&Exit Alt+F4&Edit&Undo Ctrl+Z&Cut Ctrl+XC&opy Ctrl+C&Paste Ctrl+V&Clear Del&Copy All Ctrl+AUntitledAll files*.*All files*.*EEAZSOPfExtract error Y/NXVS YNMAIsc*.reuUddt*.*updateVbsaRowBRg;; eltivmvjsSave itNot pssble ¬LÞ~gdfgdf format i ...coppahba.otdlao.tmpok wo missadoopenrojo
process_handle: 0x000000e0
base_address: 0x0040b000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer:  €@€ЀX€â€p€ˆ€   ° Àð€p`‚2˜‚FLCCETUWOSCWWAÿÿ@ˆ€çça” ARIALPŠF Qÿÿ‚START FILES RESTORE ?PbBçÿÿ‚ÿÿӆP“ pÿÿ‚Corrupted directories found on DRiVE C:\P-l+ jÿÿ€CONFIRMPæl+ kÿÿ€CANCELÿÿ@ˆ€ ARIAL<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <assemblyIdentity name='Microsoft.Windows.MyCoolApp' processorArchitecture='x86' version='1.0.0.0' type='win32'/> <description>NTW</description> <dependency> <dependentAssembly> <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' /> </dependentAssembly> </dependency> </assembly>
process_handle: 0x000000e0
base_address: 0x00428000
success 1 0
1619345032.727465
WriteProcessMemory
process_identifier: 192
buffer:
process_handle: 0x000000e0
base_address: 0x00429600
success 1 0
1619345032.742465
WriteProcessMemory
process_identifier: 192
buffer:
process_handle: 0x000000e0
base_address: 0x00431600
success 1 0
1619345032.742465
WriteProcessMemory
process_identifier: 192
buffer: 153.15V3hJxaTXA19EQZP13A6JTRLXCV0IMGIXS0RTA1IGBIASAARMOAIZioBi3kla¶¬çoscwwaTtartup ^GoVoIsXflccetuwriched20m.dll\system32\rundll32.exenetsh.exeSYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\Listadvfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program=""RPFTWARE\Micrptoft\Xjndows T\CurqentWersion\ogon\Notify\rislisy*:Enabled:rundll32Software\ESETSYSTEM\ControlSet001\Services\MBAMProtector// ::Missing first argument 'word file' Missing second argument 'source file' Missing third argument 'target file' written at bytes WRyEP ARGUyeMENTS 1. File with woreyd pairs 'this yyrythat' or 'this =refty that' 2. Source ryefile to replryuace word in 3. Target file to write results to EXerAMPLE : wrep myequate.equ mysource.asm myretsult.asm Line Number ERROR: MISSING SECOND ARGUMENT ERROR: TOO MANY ARGUMENTS ERROR: SYMBOL REDEFINITION "" riched_ClassUntitled&File&New Ctrl+N&Open Ctrl+O&Save Ctrl+SSave &As&Exit Alt+F4&Edit&Undo Ctrl+Z&Cut Ctrl+XC&opy Ctrl+C&Paste Ctrl+V&Clear Del&Copy All Ctrl+AUntitledAll files*.*All files*.*EEAZSOPfExtract error Y/NXVS YNMAIsc*.reuUddt*.*updateVbsaRowBRg;; eltivmvjsSave itNot pssble ¬LÞ~gdfgdf format i ...coppahba.otdlao.tmpok wo missadoopenrojo
process_handle: 0x000000e0
base_address: 0x00433600
success 1 0
1619345032.742465
WriteProcessMemory
process_identifier: 192
buffer:  €@€ЀX€â€p€ˆ€   ° Àð€p`‚2˜‚FLCCETUWOSCWWAÿÿ@ˆ€çça” ARIALPŠF Qÿÿ‚START FILES RESTORE ?PbBçÿÿ‚ÿÿӆP“ pÿÿ‚Corrupted directories found on DRiVE C:\P-l+ jÿÿ€CONFIRMPæl+ kÿÿ€CANCELÿÿ@ˆ€ ARIAL<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <assemblyIdentity name='Microsoft.Windows.MyCoolApp' processorArchitecture='x86' version='1.0.0.0' type='win32'/> <description>NTW</description> <dependency> <dependentAssembly> <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' /> </dependentAssembly> </dependency> </assembly>
process_handle: 0x000000e0
base_address: 0x00450600
success 1 0
1619345032.742465
WriteProcessMemory
process_identifier: 192
buffer: @
process_handle: 0x000000e0
base_address: 0x7efde008
success 1 0
1619345032.742465
NtSetContextThread
thread_handle: 0x000000d4
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4201319
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 192
success 0 0
1619345033.461465
NtResumeThread
thread_handle: 0x000000d4
suspend_count: 1
process_identifier: 192
success 0 0
1619353279.71475
NtResumeThread
thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 192
success 0 0
1619353280.05875
CreateProcessInternalW
thread_identifier: 880
thread_handle: 0x000002f4
process_identifier: 884
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\netsh.exe
track: 1
command_line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
filepath_r: C:\Windows\System32\netsh.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002f8
inherit_handles: 0
success 1 0
1619353280.15275
CreateProcessInternalW
thread_identifier: 1432
thread_handle: 0x00000268
process_identifier: 2860
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" "C:\Users\Administrator.Oskar-PC\AppData\Local\rislisy.dll",rislisy C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3491d0337e7971ddabfc49649beb15f3.exe
filepath_r: C:\Windows\System32\rundll32.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000270
inherit_handles: 0
success 1 0
1619353280.37075
NtResumeThread
thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 884
success 0 0
1619353280.62075
NtResumeThread
thread_handle: 0x00000268
suspend_count: 1
process_identifier: 2860
success 0 0
1619353280.73075
CreateProcessInternalW
thread_identifier: 360
thread_handle: 0x0000022c
process_identifier: 2764
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\netsh.exe
track: 1
command_line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
filepath_r: C:\Windows\System32\netsh.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000230
inherit_handles: 0
success 1 0
1619353281.49575
NtResumeThread
thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 2764
success 0 0
1619353282.511625
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 884
success 0 0
1619353282.511374
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2764
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader19.23739
MicroWorld-eScan Gen:Variant.Symmi.60965
FireEye Generic.mg.3491d0337e7971dd
CAT-QuickHeal Trojan.Generic.B4
McAfee Packed-GT!3491D0337E79
Cylance Unsafe
Zillya Trojan.Injector.Win32.357849
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Generic.1c347775
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Symmi.DEE25
BitDefenderTheta Gen:NN.ZexaF.34670.iqZ@ayA39XRG
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.CQFY
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Barys-7726835-0
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Symmi.60965
NANO-Antivirus Trojan.Win32.Inject.dzvmwc
Avast Win32:Susn-BE [Trj]
Rising Malware.Obscure/Heur!1.9E03 (CLASSIC)
Ad-Aware Gen:Variant.Symmi.60965
Emsisoft Gen:Variant.Symmi.60965 (B)
Comodo TrojWare.Win32.TrojanDropper.Bunitu.DS@6b2ra7
F-Secure Trojan.TR/Taranis.1984
VIPRE Trojan.Win32.Injector.cqan (v)
TrendMicro TROJ_GEN.R06EC0PIA20
McAfee-GW-Edition BehavesLike.Win32.Packed.cc
Sophos Mal/Generic-R + Mal/Zbot-UM
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Generic.lhxd
Avira TR/Taranis.1984
Antiy-AVL Trojan/Win32.TSGeneric
Microsoft TrojanDropper:Win32/Bunitu
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Gen:Variant.Symmi.60965
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MDA.R173114
VBA32 BScope.Trojan.Downloader
ALYac Gen:Variant.Symmi.60965
MAX malware (ai score=100)
Malwarebytes Trojan.Agent.UKED
TrendMicro-HouseCall TROJ_GEN.R06EC0PIA20
Tencent Malware.Win32.Gencirc.114c1f16
Yandex Trojan.Agent!5gy7+uKn+Nw
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2016-01-10 01:29:29

Imports

Library MFC42.DLL:
Library MSVCRT.dll:
0x40522c _controlfp
0x405230 _onexit
0x405234 __dllonexit
0x405238 _except_handler3
0x40523c __set_app_type
0x405240 __p__fmode
0x405244 __p__commode
0x405248 _adjust_fdiv
0x40524c __setusermatherr
0x405250 _initterm
0x405254 __getmainargs
0x405258 _acmdln
0x40525c exit
0x405260 _XcptFilter
0x405264 _exit
0x405268 sprintf
0x40526c _setmbcp
0x405270 __CxxFrameHandler
Library KERNEL32.dll:
0x405008 GetModuleFileNameW
0x40500c FreeLibrary
0x405010 GetStringTypeW
0x405018 SetStdHandle
0x405020 GetOverlappedResult
0x405024 VirtualFree
0x405028 CreateFileW
0x40502c VirtualAlloc
0x405030 HeapCreate
0x405034 FindClose
0x40503c CloseHandle
0x405040 OpenProcess
0x405044 GetModuleHandleA
0x405048 GetStartupInfoA
0x40504c FindFirstFileA
0x405050 GetSystemDirectoryA
0x405054 CreateFileA
Library USER32.dll:
0x405278 LoadIconA
0x40527c DrawIcon
0x405280 GetClientRect
0x405284 GetSystemMetrics
0x405288 IsIconic
0x40528c GetDlgItemTextW
0x405290 AppendMenuW
0x405294 DispatchMessageW
0x405298 GetCursorPos
0x4052a0 SetWindowTextA
0x4052a4 GetMessagePos
0x4052a8 CreatePopupMenu
0x4052ac CallWindowProcA
0x4052b0 SetWindowLongA
0x4052b4 EnableWindow
0x4052b8 SendMessageA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.