SmartHawk

11.6

0-day

53 个模型检测该样本为恶意！

重新分析

下载样本

e86142f3f4772825135e389edefa8b13db71930958ea6611a6287bf644cc5414

3962e9b89b828c1937a0bd69113e671f.exe

分析耗时

109s

最近分析

文件大小

808.0KB

静态报毒动态报毒 AGENTTESLA AGNETTESLA AI SCORE=86 ATTRIBUTE CLOUD CONFIDENCE ELDORADO FAREIT GDSDA GENERICKD GTUPO HIGH CONFIDENCE HIGHCONFIDENCE HQMFQZ KRYPTIK LKNQ MALICIOUS PE PWSX R06BC0DH420 R346819 SCORE SIGGEN2 SUSGEN UNSAFE YM0@AQYM59L ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:MSIL/AgnetTesla.fe83b157	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200826	18.4.3895.0
Tencent	Msil.Trojan.Crypt.Lknq	20200826	1.0.0.1
Kingsoft		20200826	2013.8.14.323
McAfee	Fareit-FXO!3962E9B89B82	20200826	6.0.6.653
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619354385.236001 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619354423.486001 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619354424.439001 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619354426.002001 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619354426.205001 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (13 个事件)

Time & API	Arguments	Status	Return	Repeated
1619354332.861374 IsDebuggerPresent		failed	0	0
1619354332.861374 IsDebuggerPresent		failed	0	0
1619354383.908374 IsDebuggerPresent		failed	0	0
1619354384.408374 IsDebuggerPresent		failed	0	0
1619354384.970374 IsDebuggerPresent		failed	0	0
1619354385.408374 IsDebuggerPresent		failed	0	0
1619354385.970374 IsDebuggerPresent		failed	0	0
1619354386.408374 IsDebuggerPresent		failed	0	0
1619354386.970374 IsDebuggerPresent		failed	0	0
1619354387.408374 IsDebuggerPresent		failed	0	0
1619354387.986374 IsDebuggerPresent		failed	0	0
1619354388.673001 IsDebuggerPresent		failed	0	0
1619354388.673001 IsDebuggerPresent		failed	0	0

Command line console output was observed (3 个事件)

Time & API	Arguments	Status	Return
1619354385.298001 WriteConsoleW	buffer: 错误: console_handle: 0x0000000b	success	1
1619354385.314001 WriteConsoleW	buffer: 任务 XML 格式错误。 console_handle: 0x0000000b	success	1
1619354385.314001 WriteConsoleW	buffer: (44,77):Command: console_handle: 0x0000000b	success	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619354332.892374 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619354425.939001 __exception__	stacktrace: 0x48feb9e 0x48fdb46 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3272836 registers.edi: 38817260 registers.eax: 0 registers.ebp: 3272884 registers.edx: 8 registers.ebx: 0 registers.esi: 1469325590 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 69 c6 d6 63 2b 21 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4f325e5	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619354425.939001
__exception__

stacktrace:

0x48feb9e
0x48fdb46
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3272836
registers.edi: 38817260
registers.eax: 0
registers.ebp: 3272884
registers.edx: 8
registers.ebx: 0
registers.esi: 1469325590
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 69 c6 d6 63 2b 21
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4f325e5

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 169 个事件)

Time & API	Arguments	Status	Return
1619354332.502374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00710000	success	0
1619354332.502374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008d0000	success	0
1619354332.689374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02080000	success	0
1619354332.689374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02160000	success	0
1619354332.752374 NtProtectVirtualMemory	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619354332.861374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x004f0000	success	0
1619354332.861374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00550000	success	0
1619354332.861374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fa000	success	0
1619354332.877374 NtProtectVirtualMemory	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619354332.877374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f2000	success	0
1619354333.064374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00412000	success	0
1619354333.158374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00435000	success	0
1619354333.158374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043b000	success	0
1619354333.158374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00437000	success	0
1619354333.267374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00413000	success	0
1619354333.298374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0041c000	success	0
1619354333.720374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00414000	success	0
1619354333.752374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00416000	success	0
1619354333.861374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e0000	success	0
1619354334.111374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fc000	success	0
1619354334.111374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00417000	success	0
1619354334.111374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f3000	success	0
1619354334.189374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00418000	success	0
1619354334.314374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00419000	success	0
1619354334.361374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00426000	success	0
1619354334.392374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008c0000	success	0
1619354334.408374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042a000	success	0
1619354334.408374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00427000	success	0
1619354334.423374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e1000	success	0
1619354334.455374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008c1000	success	0
1619354334.486374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e2000	success	0
1619354334.517374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e5000	success	0
1619354375.533374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e6000	success	0
1619354375.923374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e7000	success	0
1619354376.048374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008c2000	success	0
1619354376.048374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0041d000	success	0
1619354376.048374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e8000	success	0
1619354376.064374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e9000	success	0
1619354376.252374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008c3000	success	0
1619354376.267374 NtProtectVirtualMemory	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 284160 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05030400	failed	3221225550
1619354383.033374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ea000	success	0
1619354383.080374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005eb000	success	0
1619354383.095374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ec000	success	0
1619354383.236374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ed000	success	0
1619354383.252374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ee000	success	0
1619354383.627374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008c4000	success	0
1619354383.658374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bb0000	success	0
1619354383.658374 NtAllocateVirtualMemory	process_identifier: 2296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04bb1000	success	0
1619354383.658374 NtProtectVirtualMemory	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05030178	failed	3221225550
1619354383.658374 NtProtectVirtualMemory	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x050301a0	failed	3221225550

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2272.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2272.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619354384.877374 ShellExecuteExW	parameters: /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2272.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.491255931951769

section

{'size_of_data': '0x000c9600', 'virtual_address': '0x00002000', 'entropy': 7.491255931951769, 'name': '.text', 'virtual_size': '0x000c946c'}

description

A section with a high entropy has been found

entropy

0.9975232198142415

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619354376.236374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619354401.470001 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (4 个事件)

Time & API	Arguments	Status	Return
1619354387.892374 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2168 process_handle: 0x00003868	failed	0
1619354387.892374 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2168 process_handle: 0x00003868	success	0
1619354422.611001 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2296 process_handle: 0x00000238	failed	0
1619354422.611001 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2296 process_handle: 0x00000238	failed	3221225738

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2272.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2272.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619354387.627374 NtAllocateVirtualMemory	process_identifier: 2168 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000043e4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619354388.002374 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00008594 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Manipulates memory of a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2296 manipulating memory of non-child process 2168
1619354387.627374 NtAllocateVirtualMemory	process_identifier: 2168 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000043e4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619354388.002374 WriteProcessMemory	process_identifier: 3060 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL!Ù'_àPNo @ À@ønSø H.textTO P `.rsrcøR@@.reloc V@B process_handle: 0x00008594 base_address: 0x00400000	success	1
1619354388.017374 WriteProcessMemory	process_identifier: 3060 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d!InternalNamefQIQVHdxbTrHEloBzXDrYkarSMNr.exe(LegalCopyright l!OriginalFilenamefQIQVHdxbTrHEloBzXDrYkarSMNr.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00008594 base_address: 0x00448000	success	1
1619354388.017374 WriteProcessMemory	process_identifier: 3060 buffer: `P? process_handle: 0x00008594 base_address: 0x0044a000	success	1
1619354388.017374 WriteProcessMemory	process_identifier: 3060 buffer: @ process_handle: 0x00008594 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619354388.002374 WriteProcessMemory	process_identifier: 3060 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL!Ù'_àPNo @ À@ønSø H.textTO P `.rsrcøR@@.reloc V@B process_handle: 0x00008594 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2296 called NtSetContextThread to modify thread in remote process 3060
1619354388.017374 NtSetContextThread	thread_handle: 0x00003868 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4484942 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3060	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2296 resumed a thread in remote process 3060
1619354388.330374 NtResumeThread	thread_handle: 0x00003868 suspend_count: 1 process_identifier: 3060	success	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.160.78:443

Executed a process and injected code into it, probably while unpacking (32 个事件)

Time & API	Arguments	Status	Return
1619354332.861374 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2296	success	0
1619354332.877374 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2296	success	0
1619354332.908374 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2296	success	0
1619354383.814374 NtResumeThread	thread_handle: 0x00008e24 suspend_count: 1 process_identifier: 2296	success	0
1619354383.830374 NtResumeThread	thread_handle: 0x0000a7e8 suspend_count: 1 process_identifier: 2296	success	0
1619354383.861374 NtGetContextThread	thread_handle: 0x00008e24	success	0
1619354383.861374 NtGetContextThread	thread_handle: 0x00008e24	success	0
1619354383.861374 NtResumeThread	thread_handle: 0x00008e24 suspend_count: 1 process_identifier: 2296	success	0
1619354384.877374 CreateProcessInternalW	thread_identifier: 2604 thread_handle: 0x00005358 process_identifier: 2960 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2272.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000023d0 inherit_handles: 0	success	1
1619354387.627374 CreateProcessInternalW	thread_identifier: 2764 thread_handle: 0x00008ae4 process_identifier: 2168 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3962e9b89b828c1937a0bd69113e671f.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3962e9b89b828c1937a0bd69113e671f.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000043e4 inherit_handles: 0	success	1
1619354387.627374 NtGetContextThread	thread_handle: 0x00008ae4	success	0
1619354387.627374 NtAllocateVirtualMemory	process_identifier: 2168 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000043e4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619354388.002374 CreateProcessInternalW	thread_identifier: 200 thread_handle: 0x00003868 process_identifier: 3060 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3962e9b89b828c1937a0bd69113e671f.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3962e9b89b828c1937a0bd69113e671f.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00008594 inherit_handles: 0	success	1
1619354388.002374 NtGetContextThread	thread_handle: 0x00003868	success	0
1619354388.002374 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00008594 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619354388.002374 WriteProcessMemory	process_identifier: 3060 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL!Ù'_àPNo @ À@ønSø H.textTO P `.rsrcøR@@.reloc V@B process_handle: 0x00008594 base_address: 0x00400000	success	1
1619354388.017374 WriteProcessMemory	process_identifier: 3060 buffer: process_handle: 0x00008594 base_address: 0x00402000	success	1
1619354388.017374 WriteProcessMemory	process_identifier: 3060 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d!InternalNamefQIQVHdxbTrHEloBzXDrYkarSMNr.exe(LegalCopyright l!OriginalFilenamefQIQVHdxbTrHEloBzXDrYkarSMNr.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00008594 base_address: 0x00448000	success	1
1619354388.017374 WriteProcessMemory	process_identifier: 3060 buffer: `P? process_handle: 0x00008594 base_address: 0x0044a000	success	1
1619354388.017374 WriteProcessMemory	process_identifier: 3060 buffer: @ process_handle: 0x00008594 base_address: 0x7efde008	success	1
1619354388.017374 NtSetContextThread	thread_handle: 0x00003868 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4484942 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3060	success	0
1619354388.330374 NtResumeThread	thread_handle: 0x00003868 suspend_count: 1 process_identifier: 3060	success	0
1619354388.330374 NtResumeThread	thread_handle: 0x0000a784 suspend_count: 1 process_identifier: 2296	success	0
1619354388.377374 NtGetContextThread	thread_handle: 0x0000a784	success	0
1619354388.377374 NtGetContextThread	thread_handle: 0x0000a784	success	0
1619354388.377374 NtResumeThread	thread_handle: 0x0000a784 suspend_count: 1 process_identifier: 2296	success	0
1619354388.673001 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 3060	success	0
1619354388.689001 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 3060	success	0
1619354388.861001 NtResumeThread	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 3060	success	0
1619354424.345001 NtResumeThread	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 3060	success	0
1619354424.377001 NtResumeThread	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 3060	success	0
1619354425.970001 NtResumeThread	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 3060	success	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34285710
CAT-QuickHeal	Trojan.Multi
ALYac	Spyware.AgentTesla
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.Multi.Generic.4!c
Sangfor	Malware
K7AntiVirus	Trojan ( 0056be4e1 )
Alibaba	Trojan:MSIL/AgnetTesla.fe83b157
K7GW	Trojan ( 0056be4e1 )
Cybereason	malicious.8072f1
TrendMicro	TROJ_GEN.R06BC0DH420
Cyren	W32/MSIL_Kryptik.BHF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Trojan.GenericKD.34285710
NANO-Antivirus	Trojan.Win32.Crypt.hqmfqz
Avast	Win32:PWSX-gen [Trj]
Tencent	Msil.Trojan.Crypt.Lknq
Ad-Aware	Trojan.GenericKD.34285710
F-Secure	Trojan.TR/Kryptik.gtupo
DrWeb	Trojan.PWS.Siggen2.53037
Zillya	Trojan.Crypt.Win32.64734
MaxSecure	Trojan.Malware.300983.susgen
FireEye	Trojan.GenericKD.34285710
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
GData	Trojan.GenericKD.34285710
Avira	TR/Kryptik.gtupo
Antiy-AVL	Trojan/MSIL.Kryptik
Arcabit	Trojan.Generic.D20B288E
ViRobot	Trojan.Win32.Z.Highconfidence.827392
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
Microsoft	Trojan:MSIL/AgnetTesla.I!MTB
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win32.Kryptik.R346819
McAfee	Fareit-FXO!3962E9B89B82
MAX	malware (ai score=86)
Malwarebytes	Trojan.MalPack
ESET-NOD32	a variant of MSIL/Kryptik.XEO
TrendMicro-HouseCall	TROJ_GEN.R06BC0DH420
Rising	Trojan.AgnetTesla!8.11EC9 (CLOUD)
SentinelOne	DFI - Malicious PE
eGambit	Unsafe.AI_Score_94%
Fortinet	MSIL/Kryptik.XEO!tr
BitDefenderTheta	Gen:NN.ZemsilF.34196.Ym0@aqYM59l
AVG	Win32:PWSX-gen [Trj]

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-04 05:51:45

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.