11.2
0-day

7d01a97eb5e90a8c74c6a16961ab1a1bff4a1408779e46cf769bb5889d2d44bc

35972e5b09c51bd0b8c6c051aa7c2baa.exe

Analysis duration

130s

Latest analysis

File size

1.1MB
Static detections Dynamic detections 100% AEQN AGENSLA AGENTTESLA AI SCORE=88 ALI1000139 BCOFD BTSXG1 CONFIDENCE ELDORADO EN0@AQYFKZK FAREIT GDSDA GENERICKD HIDDENTEAR HIGH CONFIDENCE HLOPSU IGENT KCLOUD KRYPTIK MALICIOUS PE MALWARE@#2GR8079FF7RZ1 PSWTROJ PWSX R339637 SCORE SIGGEN2 STARTER STATIC AI SUSGEN YAKBEEXMSIL ZEMSILF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results available yet
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee Fareit-FUM!35972E5B09C5 20201211 6.0.6.653
Alibaba Trojan:Win32/starter.ali1000139 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Kingsoft Win32.PSWTroj.Undef.(kcloud) 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619369207.1365
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (4 events)
Time & API Arguments Status Return Repeated
1619369170.683875
IsDebuggerPresent
failed 0 0
1619369170.683875
IsDebuggerPresent
failed 0 0
1619369209.590375
IsDebuggerPresent
failed 0 0
1619369209.590375
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619369207.6525
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\tTTRoOpVzCYK"。
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1619369210.746375
CryptExportKey
crypto_handle: 0x0054db50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619369210.746375
CryptExportKey
crypto_handle: 0x0054db50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619369210.761375
CryptExportKey
crypto_handle: 0x0054dc10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619369170.699875
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 359 events)
Time & API Arguments Status Return Repeated
1619369170.027875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619369170.027875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00420000
success 0 0
1619369170.324875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00650000
success 0 0
1619369170.324875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c0000
success 0 0
1619369170.480875
NtProtectVirtualMemory
process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619369170.683875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00930000
success 0 0
1619369170.683875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00970000
success 0 0
1619369170.683875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0046a000
success 0 0
1619369170.683875
NtProtectVirtualMemory
process_identifier: 2364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619369170.683875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00462000
success 0 0
1619369170.902875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00472000
success 0 0
1619369171.011875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a5000
success 0 0
1619369171.027875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ab000
success 0 0
1619369171.027875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a7000
success 0 0
1619369171.136875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00473000
success 0 0
1619369171.168875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0047c000
success 0 0
1619369171.621875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00474000
success 0 0
1619369171.636875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00476000
success 0 0
1619369171.730875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00930000
success 0 0
1619369171.824875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049a000
success 0 0
1619369171.824875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00497000
success 0 0
1619369171.949875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00496000
success 0 0
1619369172.058875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0047a000
success 0 0
1619369172.418875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00931000
success 0 0
1619369172.558875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00477000
success 0 0
1619369172.621875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00478000
success 0 0
1619369205.652875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c1000
success 0 0
1619369205.980875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00479000
success 0 0
1619369206.043875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04990000
success 0 0
1619369206.058875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00932000
success 0 0
1619369206.090875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04991000
success 0 0
1619369206.121875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00933000
success 0 0
1619369206.136875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00936000
success 0 0
1619369206.136875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04992000
success 0 0
1619369206.136875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00971000
success 0 0
1619369206.152875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00972000
success 0 0
1619369206.152875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00973000
success 0 0
1619369206.152875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00974000
success 0 0
1619369206.152875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00975000
success 0 0
1619369206.152875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00976000
success 0 0
1619369206.152875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0097a000
success 0 0
1619369206.152875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0098b000
success 0 0
1619369206.152875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0098c000
success 0 0
1619369206.183875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00937000
success 0 0
1619369206.183875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0098d000
success 0 0
1619369206.183875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0098e000
success 0 0
1619369206.199875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00938000
success 0 0
1619369206.246875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00939000
success 0 0
1619369206.261875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04993000
success 0 0
1619369206.261875
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0047d000
success 0 0
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\tTTRoOpVzCYK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE51B.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tTTRoOpVzCYK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE51B.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619369206.886875
ShellExecuteExW
parameters: /Create /TN "Updates\tTTRoOpVzCYK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE51B.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.970330942955365 section {'size_of_data': '0x000f8800', 'virtual_address': '0x00002000', 'entropy': 7.970330942955365, 'name': '.text', 'virtual_size': '0x000f8648'} description A section with a high entropy has been found
entropy 0.9085923217550275 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619369210.168375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\tTTRoOpVzCYK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE51B.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tTTRoOpVzCYK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE51B.tmp"
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619369209.168875
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 843776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000388
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE51B.tmp
Potential code injection by writing to the memory of another process (3 events)
Time & API Arguments Status Return Repeated
1619369209.168875
WriteProcessMemory
process_identifier: 2468
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL}ë ¦à 0¨ ÈnÆ à @ à @… Æ Kà HÄÀ  H.textt¦ ¨  `.rsrcHÄà Æª @@.reloc À p @B
process_handle: 0x00000388
base_address: 0x00400000
success 1 0
1619369209.183875
WriteProcessMemory
process_identifier: 2468
buffer: À p6
process_handle: 0x00000388
base_address: 0x004cc000
success 1 0
1619369209.183875
WriteProcessMemory
process_identifier: 2468
buffer: @
process_handle: 0x00000388
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619369209.168875
WriteProcessMemory
process_identifier: 2468
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL}ë ¦à 0¨ ÈnÆ à @ à @… Æ Kà HÄÀ  H.textt¦ ¨  `.rsrcHÄà Æª @@.reloc À p @B
process_handle: 0x00000388
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2364 called NtSetContextThread to modify thread in remote process 2468
Time & API Arguments Status Return Repeated
1619369209.199875
NtSetContextThread
thread_handle: 0x00000330
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4900462
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2468
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2364 resumed a thread in remote process 2468
Time & API Arguments Status Return Repeated
1619369209.386875
NtResumeThread
thread_handle: 0x00000330
suspend_count: 1
process_identifier: 2468
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 216.58.200.238:443
Executed a process and injected code into it, probably while unpacking (17 events)
Time & API Arguments Status Return Repeated
1619369170.683875
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2364
success 0 0
1619369170.699875
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2364
success 0 0
1619369170.730875
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2364
success 0 0
1619369206.886875
CreateProcessInternalW
thread_identifier: 2104
thread_handle: 0x0000033c
process_identifier: 2796
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tTTRoOpVzCYK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE51B.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000378
inherit_handles: 0
success 1 0
1619369209.152875
CreateProcessInternalW
thread_identifier: 1380
thread_handle: 0x00000330
process_identifier: 2468
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\35972e5b09c51bd0b8c6c051aa7c2baa.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\35972e5b09c51bd0b8c6c051aa7c2baa.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000388
inherit_handles: 0
success 1 0
1619369209.168875
NtGetContextThread
thread_handle: 0x00000330
success 0 0
1619369209.168875
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 843776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000388
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619369209.168875
WriteProcessMemory
process_identifier: 2468
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL}ë ¦à 0¨ ÈnÆ à @ à @… Æ Kà HÄÀ  H.textt¦ ¨  `.rsrcHÄà Æª @@.reloc À p @B
process_handle: 0x00000388
base_address: 0x00400000
success 1 0
1619369209.168875
WriteProcessMemory
process_identifier: 2468
buffer:
process_handle: 0x00000388
base_address: 0x00402000
success 1 0
1619369209.183875
WriteProcessMemory
process_identifier: 2468
buffer:
process_handle: 0x00000388
base_address: 0x004ae000
success 1 0
1619369209.183875
WriteProcessMemory
process_identifier: 2468
buffer: À p6
process_handle: 0x00000388
base_address: 0x004cc000
success 1 0
1619369209.183875
WriteProcessMemory
process_identifier: 2468
buffer: @
process_handle: 0x00000388
base_address: 0x7efde008
success 1 0
1619369209.199875
NtSetContextThread
thread_handle: 0x00000330
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4900462
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2468
success 0 0
1619369209.386875
NtResumeThread
thread_handle: 0x00000330
suspend_count: 1
process_identifier: 2468
success 0 0
1619369209.590375
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2468
success 0 0
1619369209.605375
NtResumeThread
thread_handle: 0x0000012c
suspend_count: 1
process_identifier: 2468
success 0 0
1619369209.746375
NtResumeThread
thread_handle: 0x000001bc
suspend_count: 1
process_identifier: 2468
success 0 0
File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Ransom.GenericKD.33999150
FireEye Generic.mg.35972e5b09c51bd0
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FUM!35972E5B09C5
Sangfor Malware
K7AntiVirus Trojan ( 005684041 )
Alibaba Trojan:Win32/starter.ali1000139
K7GW Trojan ( 005684041 )
Cybereason malicious.ad8b70
Arcabit Trojan.Ransom.Generic.D206C92E
Cyren W32/MSIL_Kryptik.AVA.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Agent.gen
BitDefender Trojan.Ransom.GenericKD.33999150
NANO-Antivirus Trojan.Win32.Kryptik.hlopsu
Paloalto generic.ml
Ad-Aware Trojan.Ransom.GenericKD.33999150
Sophos Mal/Generic-S
Comodo Malware@#2gr8079ff7rz1
F-Secure Trojan.TR/Kryptik.bcofd
DrWeb Trojan.PWS.Siggen2.50071
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition Fareit-FUM!35972E5B09C5
Emsisoft Trojan.Ransom.GenericKD.33999150 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.PSW.MSIL.aeqn
Avira TR/Kryptik.bcofd
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Gridinsoft Malware.Win32.Gen.vl!i
Microsoft Trojan:MSIL/AgentTesla.AA!MTB
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.Ransom.GenericKD.33999150
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MSIL.R339637
BitDefenderTheta Gen:NN.ZemsilF.34670.en0@aqYfKzk
ALYac Trojan.Ransom.GenericKD.33999150
MAX malware (ai score=88)
Malwarebytes Ransom.HiddenTear
ESET-NOD32 a variant of MSIL/Kryptik.WFS
Yandex Trojan.Igent.bTSxg1.10
Ikarus Trojan.MSIL.Inject
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.WGF!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Generic/Trojan.PSW.374
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample was running

PE Compile Time

2045-03-07 08:57:09

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

No dropped files.
No dropped buffers.