SmartHawk

11.2

0-day

50 个模型检测该样本为恶意！

重新分析

下载样本

c30062f4cde56147d613cd82db50320106572f0247ff964063bc076088d283c9

38234fd676dbe808f27f2c8f87f78da4.exe

分析耗时

90s

最近分析

文件大小

540.5KB

静态报毒动态报毒 100% AGENSLA AI SCORE=87 AUTO CONFIDENCE ELDORADO FAREIT GDSDA GENERICKD HEAPOVERRIDE HIGH CONFIDENCE HLCYBJ HU0@AKU08XN KRYPTIK MALICIOUS PE NANOCORE PWSX R002C0GFA20 SCORE SIGGEN9 SUSGEN TROJANPSW UNSAFE VR@8SRUHN WACATAC ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FUP!38234FD676DB	20200624	6.0.6.653
Alibaba	TrojanPSW:MSIL/NanoCore.c3aeb69f	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Avast	Win32:PWSX-gen [Trj]	20200623	18.4.3895.0
Tencent	Win32.Trojan.Inject.Auto	20200624	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20200624	2013.8.14.323

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345757.148875 GetComputerNameW	computer_name: OSKAR-PC	success	1	0
1619345783.07125 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (50 out of 83 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345030.198343 IsDebuggerPresent		failed	0	0
1619345030.198343 IsDebuggerPresent		failed	0	0
1619345040.557343 IsDebuggerPresent		failed	0	0
1619345041.042343 IsDebuggerPresent		failed	0	0
1619345041.573343 IsDebuggerPresent		failed	0	0
1619345042.042343 IsDebuggerPresent		failed	0	0
1619345042.573343 IsDebuggerPresent		failed	0	0
1619345043.042343 IsDebuggerPresent		failed	0	0
1619345043.573343 IsDebuggerPresent		failed	0	0
1619345044.042343 IsDebuggerPresent		failed	0	0
1619345044.573343 IsDebuggerPresent		failed	0	0
1619345045.042343 IsDebuggerPresent		failed	0	0
1619345045.573343 IsDebuggerPresent		failed	0	0
1619345046.042343 IsDebuggerPresent		failed	0	0
1619345046.573343 IsDebuggerPresent		failed	0	0
1619345047.042343 IsDebuggerPresent		failed	0	0
1619345047.573343 IsDebuggerPresent		failed	0	0
1619345048.042343 IsDebuggerPresent		failed	0	0
1619345048.573343 IsDebuggerPresent		failed	0	0
1619345049.057343 IsDebuggerPresent		failed	0	0
1619345049.573343 IsDebuggerPresent		failed	0	0
1619345050.057343 IsDebuggerPresent		failed	0	0
1619345050.573343 IsDebuggerPresent		failed	0	0
1619345051.057343 IsDebuggerPresent		failed	0	0
1619345051.573343 IsDebuggerPresent		failed	0	0
1619345052.057343 IsDebuggerPresent		failed	0	0
1619345052.573343 IsDebuggerPresent		failed	0	0
1619345053.057343 IsDebuggerPresent		failed	0	0
1619345053.573343 IsDebuggerPresent		failed	0	0
1619345054.057343 IsDebuggerPresent		failed	0	0
1619345054.573343 IsDebuggerPresent		failed	0	0
1619345055.057343 IsDebuggerPresent		failed	0	0
1619345055.573343 IsDebuggerPresent		failed	0	0
1619345056.057343 IsDebuggerPresent		failed	0	0
1619345056.573343 IsDebuggerPresent		failed	0	0
1619345057.057343 IsDebuggerPresent		failed	0	0
1619345057.573343 IsDebuggerPresent		failed	0	0
1619345058.057343 IsDebuggerPresent		failed	0	0
1619345058.573343 IsDebuggerPresent		failed	0	0
1619345059.057343 IsDebuggerPresent		failed	0	0
1619345059.573343 IsDebuggerPresent		failed	0	0
1619345060.057343 IsDebuggerPresent		failed	0	0
1619345060.573343 IsDebuggerPresent		failed	0	0
1619345061.057343 IsDebuggerPresent		failed	0	0
1619345061.573343 IsDebuggerPresent		failed	0	0
1619345062.057343 IsDebuggerPresent		failed	0	0
1619345062.573343 IsDebuggerPresent		failed	0	0
1619345063.057343 IsDebuggerPresent		failed	0	0
1619345063.573343 IsDebuggerPresent		failed	0	0
1619345064.057343 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345757.741875 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\waVVhdtQQWAmI"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345030.213343 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	\x04)>\x00~J\x12\x7f
section

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 154 个事件)

Time & API	Arguments	Status
1619345029.588343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00890000	success
1619345029.588343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009f0000	success
1619345029.979343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00430000	success
1619345029.979343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00470000	success
1619345030.120343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619345030.198343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02150000	success
1619345030.198343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02310000	success
1619345030.198343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046a000	success
1619345030.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619345030.198343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00462000	success
1619345030.448343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b2000	success
1619345030.620343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e5000	success
1619345030.620343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004eb000	success
1619345030.620343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e7000	success
1619345030.807343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b3000	success
1619345030.854343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004bc000	success
1619345030.870343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b4000	success
1619345030.995343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00680000	success
1619345031.245343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00681000	success
1619345031.323343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 483328 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00162000	success
1619345039.698343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00682000	success
1619345039.792343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b5000	success
1619345039.854343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00683000	success
1619345039.870343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00684000	success
1619345040.010343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00685000	success
1619345040.042343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00686000	success
1619345040.135343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b6000	success
1619345040.151343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00687000	success
1619345040.198343 NtAllocateVirtualMemory	process_identifier: 1068 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00688000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00160000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00160000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00160000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00160000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00160000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success
1619345040.198343 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x001d8000	success

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\waVVhdtQQWAmI" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3DE.tmp"
cmdline	schtasks.exe /Create /TN "Updates\waVVhdtQQWAmI" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3DE.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345075.604343 ShellExecuteExW	parameters: /Create /TN "Updates\waVVhdtQQWAmI" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3DE.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.999605784114281

section

{'size_of_data': '0x00075c00', 'virtual_address': '0x00002000', 'entropy': 7.999605784114281, 'name': '\\x04)>\\x00~J\\x12\\x7f', 'virtual_size': '0x00075b90'}

description

A section with a high entropy has been found

entropy

0.8730305838739574

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345031.307343 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619345762.36725 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (10 个事件)

Time & API	Arguments	Status
1619345078.385343 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2840 process_handle: 0x0000f014	failed
1619345078.385343 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2840 process_handle: 0x0000f014	success
1619345078.713343 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1868 process_handle: 0x0000c254	failed
1619345078.713343 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1868 process_handle: 0x0000c254	success
1619345079.010343 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1056 process_handle: 0x00004f54	failed
1619345079.010343 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1056 process_handle: 0x00004f54	success
1619345079.323343 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3036 process_handle: 0x000004fc	failed
1619345079.323343 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3036 process_handle: 0x000004fc	success
1619345782.14925 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1068 process_handle: 0x00000230	failed
1619345782.14925 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1068 process_handle: 0x00000230	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\waVVhdtQQWAmI" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3DE.tmp"
cmdline	schtasks.exe /Create /TN "Updates\waVVhdtQQWAmI" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3DE.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (5 个事件)

Time & API	Arguments	Status	Return
1619345078.135343 NtAllocateVirtualMemory	process_identifier: 2840 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00004700 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345078.495343 NtAllocateVirtualMemory	process_identifier: 1868 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d278 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345078.807343 NtAllocateVirtualMemory	process_identifier: 1056 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000379c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345079.120343 NtAllocateVirtualMemory	process_identifier: 3036 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00005c48 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345079.401343 NtAllocateVirtualMemory	process_identifier: 1912 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000e7dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3DE.tmp

Manipulates memory of a non-child process indicative of process injection (8 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1068 manipulating memory of non-child process 2840
Process injection	Process 1068 manipulating memory of non-child process 1868
Process injection	Process 1068 manipulating memory of non-child process 1056
Process injection	Process 1068 manipulating memory of non-child process 3036
1619345078.135343 NtAllocateVirtualMemory	process_identifier: 2840 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00004700 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619345078.495343 NtAllocateVirtualMemory	process_identifier: 1868 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d278 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619345078.807343 NtAllocateVirtualMemory	process_identifier: 1056 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000379c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619345079.120343 NtAllocateVirtualMemory	process_identifier: 3036 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00005c48 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619345079.401343 WriteProcessMemory	process_identifier: 1912 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\|¾^à¦Ä à@ @<ÄOàà H.text¤ ¦ `.rsrcàà¨@@.reloc¬@B process_handle: 0x0000e7dc base_address: 0x00400000	success	1
1619345079.417343 WriteProcessMemory	process_identifier: 1912 buffer: 0HXà4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameUNOnzDefkvaAlsTwMObIpWv.exe(LegalCopyright `OriginalFilenameUNOnzDefkvaAlsTwMObIpWv.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000e7dc base_address: 0x0044e000	success	1
1619345079.417343 WriteProcessMemory	process_identifier: 1912 buffer: À4 process_handle: 0x0000e7dc base_address: 0x00450000	success	1
1619345079.417343 WriteProcessMemory	process_identifier: 1912 buffer: @ process_handle: 0x0000e7dc base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345079.401343 WriteProcessMemory	process_identifier: 1912 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\|¾^à¦Ä à@ @<ÄOàà H.text¤ ¦ `.rsrcàà¨@@.reloc¬@B process_handle: 0x0000e7dc base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1068 called NtSetContextThread to modify thread in remote process 1912
1619345079.417343 NtSetContextThread	thread_handle: 0x000004fc registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4506766 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1912	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1068 resumed a thread in remote process 1912
1619345079.651343 NtResumeThread	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 1912	success	0	0

Executed a process and injected code into it, probably while unpacking (32 个事件)

Time & API	Arguments	Status	Return
1619345030.198343 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1068	success	0
1619345030.198343 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 1068	success	0
1619345030.229343 NtResumeThread	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 1068	success	0
1619345040.510343 NtResumeThread	thread_handle: 0x000062c4 suspend_count: 1 process_identifier: 1068	success	0
1619345040.542343 NtResumeThread	thread_handle: 0x00007808 suspend_count: 1 process_identifier: 1068	success	0
1619345075.604343 CreateProcessInternalW	thread_identifier: 2952 thread_handle: 0x0000c1a4 process_identifier: 2956 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\waVVhdtQQWAmI" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3DE.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000005a4 inherit_handles: 0	success	1
1619345078.120343 CreateProcessInternalW	thread_identifier: 1344 thread_handle: 0x0000e29c process_identifier: 2840 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00004700 inherit_handles: 0	success	1
1619345078.120343 NtGetContextThread	thread_handle: 0x0000e29c	success	0
1619345078.135343 NtAllocateVirtualMemory	process_identifier: 2840 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00004700 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345078.495343 CreateProcessInternalW	thread_identifier: 2188 thread_handle: 0x0000f014 process_identifier: 1868 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000d278 inherit_handles: 0	success	1
1619345078.495343 NtGetContextThread	thread_handle: 0x0000f014	success	0
1619345078.495343 NtAllocateVirtualMemory	process_identifier: 1868 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d278 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345078.807343 CreateProcessInternalW	thread_identifier: 1752 thread_handle: 0x0000c254 process_identifier: 1056 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000379c inherit_handles: 0	success	1
1619345078.807343 NtGetContextThread	thread_handle: 0x0000c254	success	0
1619345078.807343 NtAllocateVirtualMemory	process_identifier: 1056 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000379c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345079.120343 CreateProcessInternalW	thread_identifier: 1404 thread_handle: 0x00004f54 process_identifier: 3036 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00005c48 inherit_handles: 0	success	1
1619345079.120343 NtGetContextThread	thread_handle: 0x00004f54	success	0
1619345079.120343 NtAllocateVirtualMemory	process_identifier: 3036 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00005c48 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345079.401343 CreateProcessInternalW	thread_identifier: 176 thread_handle: 0x000004fc process_identifier: 1912 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\38234fd676dbe808f27f2c8f87f78da4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000e7dc inherit_handles: 0	success	1
1619345079.401343 NtGetContextThread	thread_handle: 0x000004fc	success	0
1619345079.401343 NtAllocateVirtualMemory	process_identifier: 1912 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000e7dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619345079.401343 WriteProcessMemory	process_identifier: 1912 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\|¾^à¦Ä à@ @<ÄOàà H.text¤ ¦ `.rsrcàà¨@@.reloc¬@B process_handle: 0x0000e7dc base_address: 0x00400000	success	1
1619345079.401343 WriteProcessMemory	process_identifier: 1912 buffer: process_handle: 0x0000e7dc base_address: 0x00402000	success	1
1619345079.417343 WriteProcessMemory	process_identifier: 1912 buffer: 0HXà4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameUNOnzDefkvaAlsTwMObIpWv.exe(LegalCopyright `OriginalFilenameUNOnzDefkvaAlsTwMObIpWv.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000e7dc base_address: 0x0044e000	success	1
1619345079.417343 WriteProcessMemory	process_identifier: 1912 buffer: À4 process_handle: 0x0000e7dc base_address: 0x00450000	success	1
1619345079.417343 WriteProcessMemory	process_identifier: 1912 buffer: @ process_handle: 0x0000e7dc base_address: 0x7efde008	success	1
1619345079.417343 NtSetContextThread	thread_handle: 0x000004fc registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4506766 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1912	success	0
1619345079.651343 NtResumeThread	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 1912	success	0
1619345079.651343 NtResumeThread	thread_handle: 0x00003d24 suspend_count: 1 process_identifier: 1068	success	0
1619345761.18025 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1912	success	0
1619345761.18025 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 1912	success	0
1619345761.32125 NtResumeThread	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 1912	success	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

DrWeb	Trojan.Siggen9.52830
MicroWorld-eScan	Trojan.GenericKD.43310112
FireEye	Generic.mg.38234fd676dbe808
McAfee	Fareit-FUP!38234FD676DB
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 005633e31 )
Alibaba	TrojanPSW:MSIL/NanoCore.c3aeb69f
K7GW	Trojan ( 0056847d1 )
CrowdStrike	win/malicious_confidence_100% (W)
TrendMicro	TROJ_GEN.R002C0GFA20
BitDefenderTheta	Gen:NN.ZemsilF.34128.Hu0@aKu08Xn
F-Prot	W32/MSIL_Kryptik.AVL.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.VEF
TrendMicro-HouseCall	TROJ_GEN.R002C0GFA20
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.43310112
NANO-Antivirus	Trojan.Win32.Kryptik.hlcybj
Paloalto	generic.ml
AegisLab	Trojan.Win32.Malicious.4!c
Tencent	Win32.Trojan.Inject.Auto
Endgame	malicious (high confidence)
Sophos	Mal/Generic-S
Comodo	TrojWare.MSIL.NanoCore.VR@8sruhn
Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Emsisoft	Trojan.GenericKD.43310112 (B)
SentinelOne	DFI - Malicious PE
Cyren	W32/MSIL_Kryptik.AVL.gen!Eldorado
eGambit	Unsafe.AI_Score_79%
Fortinet	MSIL/Kryptik.VEF!tr
Antiy-AVL	Trojan/Win32.Wacatac
Microsoft	Trojan:MSIL/NanoCore.VN!MTB
Arcabit	Trojan.Generic.D294DC20
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.43310112
ALYac	Trojan.GenericKD.43310112
MAX	malware (ai score=87)
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Trojan.MalPack.DFD.Generic
APEX	Malicious
Ikarus	Trojan.MSIL.Inject
MaxSecure	Trojan.Malware.300983.susgen
Ad-Aware	Trojan.GenericKD.43310112
Webroot	Trojan.Dropper.Gen
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
Qihoo-360	Generic/Trojan.PSW.374

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-09 02:17:38

Imports

Library mscoree.dll:

• 0x48e000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.