SmartHawk

8.6

极危

53 个模型检测该样本为恶意！

重新分析

下载样本

94a85d18a97677231d7c812144d01d3639db1d924aef4c695af4de5811677eb0

388c8e7ecb2c43262f177f3ccd7e01ac.exe

分析耗时

88s

最近分析

文件大小

453.5KB

静态报毒动态报毒 100% AGEN AGENTTESLA AI SCORE=89 BASIC CLOUD CONFIDENCE CQ0@AEHPJDN ELDORADO FAREIT FORMBOOK G9T1SEFM GDSDA GENKRYPTIK HGIASOSA HIGH CONFIDENCE HSXTOJ KCLOUD KRYPTIK LKXW M7QV MALWARE@#5UDGHHX13R52 MXRESICN PALLAS POSSIBLETHREAT PWSX R350659 SCORE SIGGEN10 TASKUN UNSAFE WOREFLINT YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FVT!388C8E7ECB2C	20210217	6.0.6.653
Alibaba	Trojan:MSIL/Formbook.cff80fad	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20210217	21.1.5827.0
Tencent	Msil.Trojan.Taskun.Lkxw	20210217	1.0.0.1
Kingsoft	Win32.Troj.Undef.(kcloud)	20210217	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345431.910124 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345031.118458 IsDebuggerPresent		failed	0	0
1619345031.118458 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345432.550124 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\qPdGbJ"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345031.149458 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.sdata

Allocates read-write-execute memory (usually to unpack itself) (50 out of 73 个事件)

Time & API	Arguments	Status
1619345030.306458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00430000	success
1619345030.306458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00480000	success
1619345030.649458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01fa0000	success
1619345030.649458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02180000	success
1619345030.821458 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619345031.118458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x021c0000	success
1619345031.118458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02390000	success
1619345031.134458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0039a000	success
1619345031.134458 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619345031.134458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00392000	success
1619345031.306458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a2000	success
1619345031.399458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00445000	success
1619345031.399458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044b000	success
1619345031.399458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00447000	success
1619345031.493458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a3000	success
1619345031.602458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a4000	success
1619345031.602458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a5000	success
1619345031.634458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ac000	success
1619345032.040458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a6000	success
1619345032.056458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a8000	success
1619345032.118458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00630000	success
1619345032.337458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043a000	success
1619345032.337458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00437000	success
1619345032.446458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a9000	success
1619345032.446458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b0000	success
1619345032.540458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00631000	success
1619345032.556458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00436000	success
1619345032.618458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b1000	success
1619345032.696458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b2000	success
1619345032.712458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x7ef40000	success
1619345032.712458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef40000	success
1619345032.712458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef40000	success
1619345032.712458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef48000	success
1619345032.712458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x7ef30000	success
1619345032.712458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef30000	success
1619345032.727458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00632000	success
1619345032.899458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02181000	success
1619345032.993458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b3000	success
1619345033.118458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b4000	success
1619345033.118458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ad000	success
1619345033.134458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00633000	success
1619345033.196458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00634000	success
1619345033.212458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b5000	success
1619345033.212458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0039c000	success
1619345033.212458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00393000	success
1619345033.227458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00635000	success
1619345033.243458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00639000	success
1619345033.259458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b6000	success
1619345033.274458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0063a000	success
1619345033.290458 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0063b000	success

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\qPdGbJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BE6.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qPdGbJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BE6.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345090.196458 ShellExecuteExW	parameters: /Create /TN "Updates\qPdGbJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BE6.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.647321340530546

section

{'size_of_data': '0x0006c400', 'virtual_address': '0x00002000', 'entropy': 7.647321340530546, 'name': '.text', 'virtual_size': '0x0006c314'}

description

A section with a high entropy has been found

entropy

0.9569060773480663

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619345092.962458 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (10 个事件)

Time & API	Arguments	Status
1619345093.243458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2144 process_handle: 0x00000390	failed
1619345093.243458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2144 process_handle: 0x00000390	success
1619345093.649458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1832 process_handle: 0x00000398	failed
1619345093.649458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1832 process_handle: 0x00000398	success
1619345094.352458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1344 process_handle: 0x000003a0	failed
1619345094.352458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1344 process_handle: 0x000003a0	success
1619345094.712458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2604 process_handle: 0x000003a8	failed
1619345094.712458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2604 process_handle: 0x000003a8	success
1619345095.071458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1360 process_handle: 0x000003b0	failed
1619345095.071458 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1360 process_handle: 0x000003b0	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\qPdGbJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BE6.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qPdGbJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BE6.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (5 个事件)

Time & API	Arguments	Status	Return
1619345092.931458 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345093.399458 NtAllocateVirtualMemory	process_identifier: 1832 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345093.759458 NtAllocateVirtualMemory	process_identifier: 1344 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000394 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345094.477458 NtAllocateVirtualMemory	process_identifier: 2604 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000039c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345094.868458 NtAllocateVirtualMemory	process_identifier: 1360 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Manipulates memory of a non-child process indicative of process injection (10 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 manipulating memory of non-child process 2144
Process injection	Process 732 manipulating memory of non-child process 1832
Process injection	Process 732 manipulating memory of non-child process 1344
Process injection	Process 732 manipulating memory of non-child process 2604
Process injection	Process 732 manipulating memory of non-child process 1360
1619345092.931458 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619345093.399458 NtAllocateVirtualMemory	process_identifier: 1832 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619345093.759458 NtAllocateVirtualMemory	process_identifier: 1344 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000394 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619345094.477458 NtAllocateVirtualMemory	process_identifier: 2604 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000039c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619345094.868458 NtAllocateVirtualMemory	process_identifier: 1360 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (19 个事件)

Time & API	Arguments	Status	Return
1619345031.118458 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 732	success	0
1619345031.134458 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 732	success	0
1619345031.149458 NtResumeThread	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 732	success	0
1619345090.196458 CreateProcessInternalW	thread_identifier: 428 thread_handle: 0x00000340 process_identifier: 2244 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qPdGbJ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BE6.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000378 inherit_handles: 0	success	1
1619345092.931458 CreateProcessInternalW	thread_identifier: 200 thread_handle: 0x00000334 process_identifier: 2144 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000388 inherit_handles: 0	success	1
1619345092.931458 NtGetContextThread	thread_handle: 0x00000334	success	0
1619345092.931458 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345093.399458 CreateProcessInternalW	thread_identifier: 2824 thread_handle: 0x00000390 process_identifier: 1832 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000038c inherit_handles: 0	success	1
1619345093.399458 NtGetContextThread	thread_handle: 0x00000390	success	0
1619345093.399458 NtAllocateVirtualMemory	process_identifier: 1832 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345093.759458 CreateProcessInternalW	thread_identifier: 1552 thread_handle: 0x00000398 process_identifier: 1344 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000394 inherit_handles: 0	success	1
1619345093.759458 NtGetContextThread	thread_handle: 0x00000398	success	0
1619345093.759458 NtAllocateVirtualMemory	process_identifier: 1344 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000394 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345094.477458 CreateProcessInternalW	thread_identifier: 2964 thread_handle: 0x000003a0 process_identifier: 2604 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000039c inherit_handles: 0	success	1
1619345094.477458 NtGetContextThread	thread_handle: 0x000003a0	success	0
1619345094.477458 NtAllocateVirtualMemory	process_identifier: 2604 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000039c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619345094.868458 CreateProcessInternalW	thread_identifier: 176 thread_handle: 0x000003a8 process_identifier: 1360 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\388c8e7ecb2c43262f177f3ccd7e01ac.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x000003a4 inherit_handles: 0	success	1
1619345094.868458 NtGetContextThread	thread_handle: 0x000003a8	success	0
1619345094.868458 NtAllocateVirtualMemory	process_identifier: 1360 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.MSIL.Basic.6.Gen
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FVT!388C8E7ECB2C
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.MSIL.Formbook.MK
K7AntiVirus	Trojan ( 0056cbe11 )
Alibaba	Trojan:MSIL/Formbook.cff80fad
K7GW	Trojan ( 0056cbe11 )
Cybereason	malicious.ecb2c4
Cyren	W32/MSIL_Kryptik.BKX.gen!Eldorado
Symantec	Trojan.Gen.2
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.MSIL.Basic.6.Gen
NANO-Antivirus	Trojan.Win32.Taskun.hsxtoj
Avast	Win32:PWSX-gen [Trj]
Tencent	Msil.Trojan.Taskun.Lkxw
Ad-Aware	Trojan.MSIL.Basic.6.Gen
Emsisoft	Trojan.MSIL.Basic.6.Gen (B)
Comodo	Malware@#5udghhx13r52
F-Secure	Heuristic.HEUR/AGEN.1138555
DrWeb	Trojan.Siggen10.5751
Zillya	Trojan.Basic.Win32.671
McAfee-GW-Edition	Fareit-FVT!388C8E7ECB2C
FireEye	Generic.mg.388c8e7ecb2c4326
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
GData	Trojan.MSIL.Basic.6.Gen
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1138555
MAX	malware (ai score=89)
Kingsoft	Win32.Troj.Undef.(kcloud)
Arcabit	Trojan.MSIL.Basic.6.Gen
AegisLab	Trojan.Win32.Generic.m7QV
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
Microsoft	Trojan:MSIL/Formbook.MK!MTB
Cynet	Malicious (score: 90)
AhnLab-V3	Trojan/Win32.AgentTesla.R350659
ALYac	Trojan.MSIL.Basic.6.Gen
Malwarebytes	Trojan.MalPack
ESET-NOD32	a variant of MSIL/Kryptik.XJL
Rising	Trojan.Woreflint!8.F5EA (CLOUD)
Yandex	Trojan.GenKryptik!xc/G9T1sEfM
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	PossibleThreat.PALLAS.H
BitDefenderTheta	Gen:NN.ZemsilF.34574.Cq0@aeHpjdn
AVG	Win32:PWSX-gen [Trj]

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-18 07:40:00

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.