SmartHawk

2.8

中危

1 个模型检测该样本为恶意！

重新分析

下载样本

4cf7ee59d1099c1b8ccb90af5dd812761bba248f9e680311f8683f14056bfa30

3692b90172cbf1ca899f4d1dbc6d8853.exe

分析耗时

38s

最近分析

文件大小

15.4MB

静态报毒动态报毒 AIDETECTVM MALWARE2

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
McAfee	20201026	6.0.6.653
Alibaba	20190527	0.3.0.5
Baidu	20190318	1.0.0.2
Avast	20201027	18.4.3895.0
Tencent	20201027	1.0.0.1
Kingsoft	20201027	2013.8.14.323
CrowdStrike	20190702	1.0

Command line console output was observed (25 个事件)

Time & API	Arguments	Status	Return
1620744146.770876 WriteConsoleW	buffer: 不允许 and 符。& 运算符保留供将来使用；可使用 "&" 将 and 符作为字符串来传递。 console_handle: 0x00000023	success	1
1620744146.802876 WriteConsoleW	buffer: 所在位置 C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3692b90172cbf1ca899 console_handle: 0x0000002f	success	1
1620744146.817876 WriteConsoleW	buffer: f4d1dbc6d8853.exe.ps1:3 字符: 865 console_handle: 0x0000003b	success	1
1620744146.833876 WriteConsoleW	buffer: + $PEL鴖=_?ro???恛@ console_handle: 0x00000047	success	1
1620744146.864876 WriteConsoleW	buffer: 瘌罃? @??€?爈?? console_handle: 0x00000053	success	1
1620744146.895876 WriteConsoleW	buffer: p?碆?P console_handle: 0x0000005f	success	1
1620744146.911876 WriteConsoleW	buffer: .text鑠oro```.dataP恛vo console_handle: 0x0000006b	success	1
1620744146.942876 WriteConsoleW	buffer: @`?rdata酿?皊騻抯@`@.bss?蚌 console_handle: 0x00000077	success	1
1620744146.958876 WriteConsoleW	buffer: €p?idata?@?匂@0?CRT4`?桍 console_handle: 0x00000083	success	1
1620744146.989876 WriteConsoleW	buffer: @0?tls p?橏@0?rsrc爈€?n汌@0 console_handle: 0x0000008f	success	1
1620744147.083876 WriteConsoleW	buffer: 竺嵈& <<<< 嵓'冹1纅?@MZ??8??8??8??8 console_handle: 0x000000cb	success	1
1620744147.099876 WriteConsoleW	buffer: th??88吚tJ?$鑖No?$鐱9o??8ｄ88｀88D8??6o? tm1纼?脥? console_handle: 0x000000d7	success	1
1620744147.130876 WriteConsoleW	buffer: ?$?No氪f悑<@伜@PE崐@u€稱f侜t?f侜卝児?哴嫅?1 console_handle: 0x000000e3	success	1
1620744147.145876 WriteConsoleW	buffer: 绤?暲镵峷?$0I??8o1纼?脙yt?媺?1绤?暲?f悆?88荄$?荄$?荄$ console_handle: 0x000000ef	success	1
1620744147.177876 WriteConsoleW	buffer: ??$????塂$鑖Mo??兡,脥?嵓'U1拦夊WV峌壸冹\|螳?璨Fo)膷D$冟 console_handle: 0x000000fb	success	1
1620744147.208876 WriteConsoleW	buffer: 鹎烫烫茾烫烫茾烫烫茾烫烫茾烫烫茾烫烫茾烫烫茾烫烫冧饗5?8咑厑d?1 console_handle: 0x00000107	success	1
1620744147.239876 WriteConsoleW	buffer: 鰦X?D8?9???$?變?夝???8吚u蕖?81蹆?勷¤88吚凘??¤88凐 console_handle: 0x00000113	success	1
1620744147.255876 WriteConsoleW	buffer: 勫呟??吚t荄$荄$?$袃?枵8o?$ N?鳦8冹，88?$@鐳 console_handle: 0x0000011f	success	1
1620744147.255876 WriteConsoleW	buffer: Lo柽6oD8??8@?吚tN1呻嵍勔t;冡t+?兝?€?~鐗藘?€?D穗鑽v嵓' console_handle: 0x0000012b	success	1
1620744147.302876 WriteConsoleW	buffer: 勔t兝?€?~瘢?8??8呟t稶增E??E拢惎??塃悏茘?塃寜$?Ko咑塃攱=? console_handle: 0x00000137	success	1
1620744147.302876 WriteConsoleW	buffer: 嶥1蹓瀴$钁Jo峹?$柚Jo婱攭檵瀮?墊$?$塋$铓Jo;]恥蓩E寖?媢斍?? console_handle: 0x00000143	success	1
1620744147.349876 WriteConsoleW	buffer: 韬2oD8?????塂$??塂$???$杈?????吷劧??呉u console_handle: 0x0000014f	success	1
1620744147.364876 WriteConsoleW	buffer: + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordEx console_handle: 0x0000015b	success	1
1620744147.395876 WriteConsoleW	buffer: ception console_handle: 0x00000167	success	1
1620744147.411876 WriteConsoleW	buffer: + FullyQualifiedErrorId : AmpersandNotAllowed console_handle: 0x00000173	success	1

Uses Windows APIs to generate a cryptographic key (4 个事件)

Time & API	Arguments	Status	Return
1620744145.849876 CryptExportKey	crypto_handle: 0x055134b8 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620744145.849876 CryptExportKey	crypto_handle: 0x055134b8 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620744146.208876 CryptExportKey	crypto_handle: 0x0551bea8 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620744146.208876 CryptExportKey	crypto_handle: 0x0551bea8 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620744144.614876 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (19 个事件)

Time & API	Arguments	Status
1620744144.427876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x027cb000	success
1620744145.880876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x05b20000	success
1620744145.880876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05be0000	success
1620744145.880876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05be1000	success
1620744145.895876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05be2000	success
1620744145.895876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05be3000	success
1620744145.895876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05be4000	success
1620744145.911876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05be5000	success
1620744145.911876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05be6000	success
1620744145.911876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05be7000	success
1620744145.911876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05beb000	success
1620744145.911876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05bfc000	success
1620744145.911876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05bfd000	success
1620744146.099876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0281f000	success
1620744146.130876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02769000	success
1620744146.145876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05aa0000	success
1620744146.145876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05aa1000	success
1620744146.177876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05aa2000	success
1620744146.192876 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05aa3000	success

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 个事件)

Bkav	W32.AIDetectVM.malware2

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Generates some ICMP traffic

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-20 02:48:24

Imports

Library KERNEL32.dll:

• 0x13842b4 AddVectoredExceptionHandler

• 0x13842b8 AreFileApisANSI

• 0x13842bc CloseHandle

• 0x13842c0 CreateEventA

• 0x13842c4 CreateFileA

• 0x13842c8 CreateFileMappingA

• 0x13842cc CreateFileMappingW

• 0x13842d0 CreateFileW

• 0x13842d4 CreateIoCompletionPort

• 0x13842d8 CreateMutexW

• 0x13842dc CreateThread

• 0x13842e0 CreateWaitableTimerA

• 0x13842e4 DeleteCriticalSection

• 0x13842e8 DeleteFileA

• 0x13842ec DeleteFileW

• 0x13842f0 DuplicateHandle

• 0x13842f4 EnterCriticalSection

• 0x13842f8 ExitProcess

• 0x13842fc FlushFileBuffers

• 0x1384300 FlushViewOfFile

• 0x1384304 FormatMessageA

• 0x1384308 FormatMessageW

• 0x138430c FreeEnvironmentStringsW

• 0x1384310 FreeLibrary

• 0x1384314 GetConsoleMode

• 0x1384318 GetCurrentProcess

• 0x138431c GetCurrentProcessId

• 0x1384320 GetCurrentThreadId

• 0x1384324 GetDiskFreeSpaceA

• 0x1384328 GetDiskFreeSpaceW

• 0x138432c GetEnvironmentStringsW

• 0x1384330 GetFileAttributesA

• 0x1384334 GetFileAttributesExW

• 0x1384338 GetFileAttributesW

• 0x138433c GetFileSize

• 0x1384340 GetFullPathNameA

• 0x1384344 GetFullPathNameW

• 0x1384348 GetLastError

• 0x138434c GetModuleHandleA

• 0x1384350 GetProcAddress

• 0x1384354 GetProcessAffinityMask

• 0x1384358 GetProcessHeap

• 0x138435c GetQueuedCompletionStatus

• 0x1384360 GetStartupInfoA

• 0x1384364 GetStdHandle

• 0x1384368 GetSystemInfo

• 0x138436c GetSystemTime

• 0x1384370 GetSystemTimeAsFileTime

• 0x1384374 GetTempPathA

• 0x1384378 GetTempPathW

• 0x138437c GetTickCount

• 0x1384380 GetVersionExA

• 0x1384384 GetVersionExW

• 0x1384388 HeapAlloc

• 0x138438c HeapCompact

• 0x1384390 HeapCreate

• 0x1384394 HeapDestroy

• 0x1384398 HeapFree

• 0x138439c HeapReAlloc

• 0x13843a0 HeapSize

• 0x13843a4 HeapValidate

• 0x13843a8 InitializeCriticalSection

• 0x13843ac InterlockedCompareExchange

• 0x13843b0 LeaveCriticalSection

• 0x13843b4 LoadLibraryA

• 0x13843b8 LoadLibraryW

• 0x13843bc LocalFree

• 0x13843c0 LockFile

• 0x13843c4 LockFileEx

• 0x13843c8 MapViewOfFile

• 0x13843cc MultiByteToWideChar

• 0x13843d0 OutputDebugStringA

• 0x13843d4 OutputDebugStringW

• 0x13843d8 QueryPerformanceCounter

• 0x13843dc ReadFile

• 0x13843e0 SetConsoleCtrlHandler

• 0x13843e4 SetEndOfFile

• 0x13843e8 SetErrorMode

• 0x13843ec SetEvent

• 0x13843f0 SetFilePointer

• 0x13843f4 SetProcessPriorityBoost

• 0x13843f8 SetUnhandledExceptionFilter

• 0x13843fc SetWaitableTimer

• 0x1384400 Sleep

• 0x1384404 SwitchToThread

• 0x1384408 SystemTimeToFileTime

• 0x138440c TerminateProcess

• 0x1384410 TlsGetValue

• 0x1384414 TryEnterCriticalSection

• 0x1384418 UnhandledExceptionFilter

• 0x138441c UnlockFile

• 0x1384420 UnlockFileEx

• 0x1384424 UnmapViewOfFile

• 0x1384428 VirtualAlloc

• 0x138442c VirtualFree

• 0x1384430 VirtualProtect

• 0x1384434 VirtualQuery

• 0x1384438 WaitForSingleObject

• 0x138443c WaitForSingleObjectEx

• 0x1384440 WideCharToMultiByte

• 0x1384444 WriteConsoleW

• 0x1384448 WriteFile

Library msvcrt.dll:

• 0x1384450 __dllonexit

• 0x1384454 __getmainargs

• 0x1384458 __initenv

• 0x138445c __lconv_init

• 0x1384460 __set_app_type

• 0x1384464 __setusermatherr

• 0x1384468 _acmdln

• 0x138446c _amsg_exit

• 0x1384470 _beginthread

• 0x1384474 _beginthreadex

• 0x1384478 _cexit

• 0x138447c _endthreadex

• 0x1384480 _errno

• 0x1384484 _fmode

• 0x1384488 _initterm

• 0x138448c _iob

• 0x1384490 _lock

• 0x1384494 _onexit

• 0x1384498 _unlock

• 0x138449c abort

• 0x13844a0 calloc

• 0x13844a4 exit

• 0x13844a8 fprintf

• 0x13844ac free

• 0x13844b0 fwrite

• 0x13844b4 localtime

• 0x13844b8 malloc

• 0x13844bc memcmp

• 0x13844c0 memmove

• 0x13844c4 memset

• 0x13844c8 memcpy

• 0x13844cc qsort

• 0x13844d0 realloc

• 0x13844d4 signal

• 0x13844d8 strcmp

• 0x13844dc strcspn

• 0x13844e0 strlen

• 0x13844e4 strncmp

• 0x13844e8 vfprintf

Library WINMM.DLL:

• 0x13844f0 timeBeginPeriod

• 0x13844f4 timeEndPeriod

Library WS2_32.dll:

• 0x13844fc WSAGetOverlappedResult

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	53658	239.255.255.250	3702
192.168.56.101	53660	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62194	239.255.255.250	1900
192.168.56.101	63430	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.