13.0
0-day
54 个模型检测该样本为恶意!
重新分析
更多

8df1564ebde006b74b51b3f685836ebc5b34626edb0cbe5ec8b825799e1774dd

37d2a702fefe834d556cc6889fb5d84f.exe

分析耗时

90s

最近分析

文件大小

380.5KB
静态报毒 动态报毒 100% AGEN AI SCORE=83 ASHIFY CONFIDENCE CONFUSER ELDORADO FSEO GENERICKD HEAPOVERRIDE HIGH CONFIDENCE KRYPTIK MALICIOUS PE MALWARE@#1CDBS9WFA1OAM NANOCORE PWSX R066C0PIK20 RRAT SCORE STATIC AI TCLZBGCVL9O UNSAFE WANNACRY XM0@AOGYNUG YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Trojan-FSEO!37D2A702FEFE 20201211 6.0.6.653
Alibaba Trojan:MSIL/Kryptik.4ee11a00 20190527 0.3.0.5
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619369580.959125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619369576.053498
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619345036.499212
IsDebuggerPresent
failed 0 0
1619369573.334125
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619369577.350498
WriteConsoleW
buffer: 成功: 成功创建计划任务 "DSL Service"。
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619345036.874212
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain billionaire.ddns.net
Allocates read-write-execute memory (usually to unpack itself) (50 out of 141 个事件)
Time & API Arguments Status Return Repeated
1619345035.640212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00330000
success 0 0
1619345035.640212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00330000
success 0 0
1619345036.374212
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619345036.499212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ea000
success 0 0
1619345036.499212
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619345036.499212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e2000
success 0 0
1619345036.640212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00402000
success 0 0
1619345036.734212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00403000
success 0 0
1619345036.734212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0044b000
success 0 0
1619345036.734212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00447000
success 0 0
1619345036.780212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040c000
success 0 0
1619345036.827212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00730000
success 0 0
1619345036.859212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00731000
success 0 0
1619345036.859212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00732000
success 0 0
1619345036.859212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00733000
success 0 0
1619345036.890212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00734000
success 0 0
1619345037.155212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00404000
success 0 0
1619345037.187212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00405000
success 0 0
1619345037.202212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00406000
success 0 0
1619345037.249212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00407000
success 0 0
1619345037.327212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00432000
success 0 0
1619345037.327212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043c000
success 0 0
1619345037.327212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00408000
success 0 0
1619345037.343212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00735000
success 0 0
1619345037.343212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00738000
success 0 0
1619345037.374212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619345037.374212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00427000
success 0 0
1619345037.374212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043a000
success 0 0
1619345037.405212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003eb000
success 0 0
1619345037.468212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00739000
success 0 0
1619345037.796212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00426000
success 0 0
1619345037.796212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0073b000
success 0 0
1619345037.796212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0073c000
success 0 0
1619345037.796212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040a000
success 0 0
1619345037.827212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b20000
success 0 0
1619345037.937212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0073d000
success 0 0
1619345037.968212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00409000
success 0 0
1619345038.093212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00445000
success 0 0
1619345038.155212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00331000
success 0 0
1619345038.296212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0073e000
success 0 0
1619345038.296212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04910000
success 0 0
1619345038.296212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x05570000
success 0 0
1619345038.296212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x056b0000
success 0 0
1619345038.296212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x056b1000
success 0 0
1619345038.327212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x056b2000
success 0 0
1619345038.343212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x056b3000
success 0 0
1619345038.343212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x056b4000
success 0 0
1619345038.343212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x056b5000
success 0 0
1619345038.343212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x056b6000
success 0 0
1619345038.359212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x056b9000
success 0 0
Creates a suspicious process (1 个事件)
cmdline "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5337.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619369575.490125
CreateProcessInternalW
thread_identifier: 1868
thread_handle: 0x000001f0
process_identifier: 3056
current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727
filepath:
track: 1
command_line: "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5337.tmp"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000001f4
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.786853631286739 section {'size_of_data': '0x0005e800', 'virtual_address': '0x00002000', 'entropy': 7.786853631286739, 'name': '.text', 'virtual_size': '0x0005e614'} description A section with a high entropy has been found
entropy 0.9947368421052631 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619369580.256125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (1 个事件)
cmdline "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5337.tmp"
网络通信
One or more of the buffers contains an embedded PE file (2 个事件)
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619345098.655212
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000021c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619369580.803125
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description MSBuild.exe tried to sleep 5456336 seconds, actually delayed analysis time by 5456336 seconds
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5337.tmp
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èb’ç @ €8çW À_  H.text˜Ç È `.reloc Ê@B.rsrcÀ_ `Ì@@
process_handle: 0x0000021c
base_address: 0x00400000
success 1 0
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer: à ”7
process_handle: 0x0000021c
base_address: 0x00420000
success 1 0
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer: @
process_handle: 0x0000021c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èb’ç @ €8çW À_  H.text˜Ç È `.reloc Ê@B.rsrcÀ_ `Ì@@
process_handle: 0x0000021c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 732 called NtSetContextThread to modify thread in remote process 1124
Time & API Arguments Status Return Repeated
1619345098.671212
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1124
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 732 resumed a thread in remote process 1124
Time & API Arguments Status Return Repeated
1619345098.984212
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 1124
success 0 0
Executed a process and injected code into it, probably while unpacking (19 个事件)
Time & API Arguments Status Return Repeated
1619345036.499212
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 732
success 0 0
1619345036.530212
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 732
success 0 0
1619345098.655212
CreateProcessInternalW
thread_identifier: 3036
thread_handle: 0x00000220
process_identifier: 1124
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000021c
inherit_handles: 0
success 1 0
1619345098.655212
NtGetContextThread
thread_handle: 0x00000220
success 0 0
1619345098.655212
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000021c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èb’ç @ €8çW À_  H.text˜Ç È `.reloc Ê@B.rsrcÀ_ `Ì@@
process_handle: 0x0000021c
base_address: 0x00400000
success 1 0
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x0000021c
base_address: 0x00402000
success 1 0
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer: à ”7
process_handle: 0x0000021c
base_address: 0x00420000
success 1 0
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x0000021c
base_address: 0x00422000
success 1 0
1619345098.655212
WriteProcessMemory
process_identifier: 1124
buffer: @
process_handle: 0x0000021c
base_address: 0x7efde008
success 1 0
1619345098.671212
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1124
success 0 0
1619345098.984212
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 1124
success 0 0
1619369573.334125
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1124
success 0 0
1619369573.397125
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1124
success 0 0
1619369575.490125
CreateProcessInternalW
thread_identifier: 1868
thread_handle: 0x000001f0
process_identifier: 3056
current_directory: C:\Windows\Microsoft.NET\Framework\v2.0.50727
filepath:
track: 1
command_line: "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5337.tmp"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000001f4
inherit_handles: 1
success 1 0
1619369579.897125
NtResumeThread
thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 1124
success 0 0
1619369580.053125
NtResumeThread
thread_handle: 0x000002d8
suspend_count: 1
process_identifier: 1124
success 0 0
1619369580.147125
NtResumeThread
thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 1124
success 0 0
1619369581.272125
NtResumeThread
thread_handle: 0x00000360
suspend_count: 1
process_identifier: 1124
success 0 0
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.33745069
FireEye Generic.mg.37d2a702fefe834d
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Trojan-FSEO!37D2A702FEFE
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2000869
Sangfor Malware
K7AntiVirus Trojan ( 00565b091 )
Alibaba Trojan:MSIL/Kryptik.4ee11a00
K7GW Trojan ( 00565b091 )
Cybereason malicious.4d5961
Arcabit Trojan.Generic.D202E8AD
BitDefenderTheta Gen:NN.ZemsilF.34670.xm0@aOGyNUg
Cyren W32/MSIL_Kryptik.AXD.gen!Eldorado
Symantec Ransom.Wannacry
APEX Malicious
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packed.Nanocore-7758947-0
Kaspersky HEUR:Trojan.MSIL.RRAT.gen
BitDefender Trojan.GenericKD.33745069
Paloalto generic.ml
AegisLab Trojan.MSIL.RRAT.4!c
Ad-Aware Trojan.GenericKD.33745069
Emsisoft Trojan.GenericKD.33745069 (B)
Comodo Malware@#1cdbs9wfa1oam
F-Secure Heuristic.HEUR/AGEN.1133748
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R066C0PIK20
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Avira HEUR/AGEN.1133748
MAX malware (ai score=83)
Antiy-AVL Trojan/MSIL.RRAT
Gridinsoft Trojan.Win32.Downloader.dd!n
Microsoft Trojan:Win32/Ashify.J!ibt
ZoneAlarm HEUR:Trojan.MSIL.RRAT.gen
GData Trojan.GenericKD.33745069
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.C4084876
ALYac Trojan.GenericKD.33745069
VBA32 CIL.HeapOverride.Heur
Malwarebytes Trojan.MalPack.DFD.Generic
ESET-NOD32 a variant of MSIL/Kryptik.VQY
TrendMicro-HouseCall TROJ_GEN.R066C0PIK20
Yandex Trojan.Kryptik!tclZbGCVL9o
Ikarus Trojan.MSIL.Confuser
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/Kryptik.VQY!tr
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-04-29 17:00:15

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 51808 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.