10.4
0-day

0f6166d9b707f8610c81b7068962611e25cdef8db665b10343179d82131ef0a3

3af1d421410a6e528c93384a25437956.exe

Analysis duration

76s

Latest analysis

File size

110.5KB
Static detections / Dynamic detections (tags): ATTRIBUTE BL821GMM CLOUD CONFIDENCE DELSHAD FSQALE GDSDA GENERIC STARTPAGE GM0@AIJYOGP HGIASOOA HIGHCONFIDENCE JTVZP KCLOUD LOIB MALICIOUS PE MALWARE@#127QE4ZOONPIK MSILPERSEUS OCCAMY ONJH STARTPAGE STARTPAGE1 STATIC AI TSCOPE UNSAFE ZEMSILF
Eagle Eye engine
Not detected: no Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
CrowdStrike win/malicious_confidence_90% (W) 20210203 1.0
Baidu 20190318 1.0.0.2
Alibaba Trojan:MSIL/DelShad.bcfd8a2e 20190527 0.3.0.5
Tencent Msil.Trojan.Delshad.Loib 20210420 1.0.0.1
Kingsoft Win32.Troj.Undef.(kcloud) 20210420 2017.9.26.565
McAfee RDN/Generic StartPage 20210420 6.0.6.653
Avast Win32:Malware-gen 20210420 21.1.5827.0
Static indicators
Queries for the computer name (14 events)
Time & API | Arguments | Status | Return | Repeated
1619353530.4455 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353530.4765 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353530.4925 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353530.5085 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353533.9455 GetComputerNameA | computer_name: OSKAR-PC | success | 1 | 0
1619353533.9455 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353546.71225 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353546.96225 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353546.99325 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353547.04025 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353547.05525 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353549.836625 GetComputerNameA | computer_name: OSKAR-PC | success | 1 | 0
1619353549.836625 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619353557.851625 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
Checks whether the process is being debugged (5 events)
Time & API | Arguments | Status | Return | Repeated
1619345032.374212 IsDebuggerPresent | - | failed | 0 | 0
1619345032.374212 IsDebuggerPresent | - | failed | 0 | 0
1619353530.9615 IsDebuggerPresent | - | failed | 0 | 0
1619353546.93025 IsDebuggerPresent | - | failed | 0 | 0
1619353557.804625 IsDebuggerPresent | - | failed | 0 | 0
Uses Windows APIs to generate a cryptographic key (50 of 64 events)
Time & API Arguments Status Return Repeated
1619353532.0395
CryptExportKey
crypto_handle: 0x004681f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.7895
CryptExportKey
crypto_handle: 0x004680b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.8045
CryptExportKey
crypto_handle: 0x004680b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.8045
CryptExportKey
crypto_handle: 0x004680b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.8515
CryptExportKey
crypto_handle: 0x004680b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.8515
CryptExportKey
crypto_handle: 0x004680b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.8515
CryptExportKey
crypto_handle: 0x004680b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.8835
CryptExportKey
crypto_handle: 0x004680b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.9145
CryptExportKey
crypto_handle: 0x004675f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.9145
CryptExportKey
crypto_handle: 0x004675f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.9455
CryptExportKey
crypto_handle: 0x004675f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.9455
CryptExportKey
crypto_handle: 0x004675f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.9455
CryptExportKey
crypto_handle: 0x004675f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353532.9455
CryptExportKey
crypto_handle: 0x004675f8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.2265
CryptExportKey
crypto_handle: 0x00467b38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.2265
CryptExportKey
crypto_handle: 0x00467b38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.2425
CryptExportKey
crypto_handle: 0x00467b38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.2425
CryptExportKey
crypto_handle: 0x00467b38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.2425
CryptExportKey
crypto_handle: 0x00467b38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.2425
CryptExportKey
crypto_handle: 0x00467b38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.2585
CryptExportKey
crypto_handle: 0x00467b38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467a38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6485
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6645
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.6645
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.7265
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.7265
CryptExportKey
crypto_handle: 0x00467ef8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8205
CryptExportKey
crypto_handle: 0x00467e38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8205
CryptExportKey
crypto_handle: 0x00467e38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8205
CryptExportKey
crypto_handle: 0x00467e38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8205
CryptExportKey
crypto_handle: 0x00467e38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8205
CryptExportKey
crypto_handle: 0x00467e38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8205
CryptExportKey
crypto_handle: 0x00467e38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8365
CryptExportKey
crypto_handle: 0x00467e38
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8835
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353533.8835
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353534.0395
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353534.0395
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353534.0395
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353534.0395
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353534.0395
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353534.0395
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619353534.0395
CryptExportKey
crypto_handle: 0x004674b8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
This executable has a PDB path (1 event)
pdb_path C:\Projects\TestCase_5\TestCase_5\obj\x86\Debug\TestCase_5.pdb
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API | Arguments | Status | Return | Repeated
1619345032.421212 GlobalMemoryStatusEx | - | success | 1 | 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 of 164 events)
Time & API Arguments Status Return Repeated
1619345031.609212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00920000
success 0 0
1619345031.609212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a60000
success 0 0
1619345031.953212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x021c0000
success 0 0
1619345031.953212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02370000
success 0 0
1619345032.109212
NtProtectVirtualMemory
process_identifier: 2984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619345032.374212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x021c0000
success 0 0
1619345032.374212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02330000
success 0 0
1619345032.374212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ea000
success 0 0
1619345032.374212
NtProtectVirtualMemory
process_identifier: 2984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619345032.374212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e2000
success 0 0
1619345032.796212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f2000
success 0 0
1619345032.937212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00415000
success 0 0
1619345032.953212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041b000
success 0 0
1619345032.953212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00417000
success 0 0
1619345033.140212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f3000
success 0 0
1619345033.171212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fc000
success 0 0
1619345033.218212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a0000
success 0 0
1619345033.359212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f4000
success 0 0
1619345058.468212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040a000
success 0 0
1619345058.468212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00407000
success 0 0
1619345061.781212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00406000
success 0 0
1619345064.078212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040b000
success 0 0
1619345064.140212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fa000
success 0 0
1619345064.374212
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ec000
success 0 0
1619353530.5865
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02820000
success 0 0
1619353530.5865
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02830000
success 0 0
1619353530.8985
NtProtectVirtualMemory
process_identifier: 2288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x70dc1000
success 0 0
1619353530.9615
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0231a000
success 0 0
1619353530.9615
NtProtectVirtualMemory
process_identifier: 2288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x70dc2000
success 0 0
1619353530.9615
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02312000
success 0 0
1619353531.1485
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02762000
success 0 0
1619353531.2265
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02831000
success 0 0
1619353531.2585
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02832000
success 0 0
1619353531.3675
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0278a000
success 0 0
1619353531.6015
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02763000
success 0 0
1619353531.8045
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02764000
success 0 0
1619353531.8365
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0279b000
success 0 0
1619353531.8365
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02797000
success 0 0
1619353531.9145
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0231b000
success 0 0
1619353531.9925
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02782000
success 0 0
1619353532.0085
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02795000
success 0 0
1619353532.3205
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02765000
success 0 0
1619353532.7425
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0278c000
success 0 0
1619353532.8835
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02783000
success 0 0
1619353532.9455
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030c0000
success 0 0
1619353533.1335
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02766000
success 0 0
1619353533.2265
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0279c000
success 0 0
1619353533.4145
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02784000
success 0 0
1619353533.4145
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02785000
success 0 0
1619353533.4145
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02786000
success 0 0
Attempts to modify Internet Explorer's start page (1 event)
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (2 events)
cmdline "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
cmdline "wmic" shadowcopy delete
Executes one or more WMI queries (1 event)
wmi SELECT * FROM Win32_ShadowCopy
A process created a hidden window (6 events)
Time & API Arguments Status Return Repeated
1619345033.640212
CreateProcessInternalW
thread_identifier: 472
thread_handle: 0x000001c8
process_identifier: 912
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "net" stop WinDefend
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000001d4
inherit_handles: 1
success 1 0
1619345035.718212
CreateProcessInternalW
thread_identifier: 1544
thread_handle: 0x000001c8
process_identifier: 2288
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000001f0
inherit_handles: 1
success 1 0
1619345051.874212
CreateProcessInternalW
thread_identifier: 1916
thread_handle: 0x000001c8
process_identifier: 1940
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "REG" add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 2 /f
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000001f4
inherit_handles: 1
success 1 0
1619345053.703212
CreateProcessInternalW
thread_identifier: 1208
thread_handle: 0x00000214
process_identifier: 1824
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "wmic" shadowcopy delete
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x0000021c
inherit_handles: 1
success 1 0
1619345056.953212
CreateProcessInternalW
thread_identifier: 1108
thread_handle: 0x00000214
process_identifier: 152
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000220
inherit_handles: 1
success 1 0
1619345064.796212
CreateProcessInternalW
thread_identifier: 2576
thread_handle: 0x00000240
process_identifier: 2840
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "certutil" -addstore ROOT c:\windows\temp\MyEvilCert.cer
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000418
inherit_handles: 1
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API | Arguments | Status | Return | Repeated
1619345058.953212 GetAdaptersAddresses | flags: 15, family: 0 | failed | 111 | 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API | Arguments | Status | Return | Repeated
1619353531.9145 LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | success | 1 | 0
1619353549.804625 LookupPrivilegeValueW | system_name: (empty), privilege_name: SeBackupPrivilege | success | 1 | 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline "wmic" shadowcopy delete
Network communication
Communicates with a host for which no DNS query was performed (2 events)
host 172.217.24.14
host 66.186.100.181
Uses suspicious command-line tools or Windows utilities (1 event)
cmdline "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
Generates some ICMP traffic
Disables Windows Security features (1 event)
description: attempts to disable Windows Defender; registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start
Stops Windows services (1 event)
service WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start)
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 66.186.100.181:9000
File has been identified by 50 antivirus engines on VirusTotal as malicious (50 events)
MicroWorld-eScan Gen:Variant.MSILPerseus.218457
CAT-QuickHeal Trojan.MSIL
ALYac Gen:Variant.MSILPerseus.218457
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.MSIL.DelShad.4!c
Sangfor Trojan.Win32.StartPage.jtvzp
K7AntiVirus Trojan ( 0056d4381 )
BitDefender Gen:Variant.MSILPerseus.218457
K7GW Trojan ( 0056d4381 )
CrowdStrike win/malicious_confidence_90% (W)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.CZB
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.MSIL.DelShad.gen
Alibaba Trojan:MSIL/DelShad.bcfd8a2e
NANO-Antivirus Trojan.Win32.DelShad.fsqale
Tencent Msil.Trojan.Delshad.Loib
Ad-Aware Gen:Variant.MSILPerseus.218457
Sophos Mal/Generic-S
Comodo Malware@#127qe4zoonpik
F-Secure Trojan.TR/StartPage.jtvzp
DrWeb Trojan.StartPage1.57542
Zillya Trojan.DelShad.Win32.111
McAfee-GW-Edition RDN/Generic StartPage
FireEye Generic.mg.3af1d421410a6e52
Emsisoft Gen:Variant.MSILPerseus.218457 (B)
SentinelOne Static AI - Malicious PE
GData Gen:Variant.MSILPerseus.218457
Jiangmin Trojan.MSIL.onjh
Antiy-AVL Trojan/MSIL.DelShad
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Startpage.oa
ViRobot Trojan.Win32.Z.Delshad.113152
ZoneAlarm HEUR:Trojan.MSIL.DelShad.gen
Microsoft Trojan:Win32/Occamy.C0F
McAfee RDN/Generic StartPage
VBA32 TScope.Trojan.MSIL
Malwarebytes Malware.AI.4263920422
Panda Trj/GdSda.A
Rising Trojan.DelShad!8.107D7 (CLOUD)
Yandex Trojan.DelShad!bL821GmM/xs
Ikarus Trojan.StartPage
Fortinet MSIL/DelShad!tr
BitDefenderTheta Gen:NN.ZemsilF.34678.gm0@aiJYogp
AVG Win32:Malware-gen
Cybereason malicious.1410a6
Avast Win32:Malware-gen
Qihoo-360 Win32/Trojan.StartPage.HgIASOoA
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2017-02-07 05:30:31

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49188 103.116.4.197 secdo.box.com 443
192.168.56.101 49189 103.116.4.197 secdo.box.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702
192.168.56.101 50534 8.8.8.8 53
192.168.56.101 53657 8.8.8.8 53
192.168.56.101 65004 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.