SmartHawk

4.8

中危

该样本未表现出任何异常！

重新分析

下载样本

074d1917372f288369ac85ab4095483bb7ea05a4e4392e7b0a3fcb3113d45692

3cf2b206f8d7323d74f1f252ad202693.exe

分析耗时

87s

最近分析

文件大小

360.3KB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:2967088837&cup2hreq=be62b74543492c79aee52f3714d7c976d5e8c7e1539fcba51e62f47d0911fd6e

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619379713&mv=u&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5ad27e68626eb039&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619380097&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:2967088837&cup2hreq=be62b74543492c79aee52f3714d7c976d5e8c7e1539fcba51e62f47d0911fd6e

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2967088837&cup2hreq=be62b74543492c79aee52f3714d7c976d5e8c7e1539fcba51e62f47d0911fd6e

Creates executable files on the filesystem (10 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\YRmzEydZngXxaqQ.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T12_55_56.358189200Z\dotNetFx40_Full_x86_x64.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX1\Loader.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Windows_Activator\Windows Activator.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX0\Loader.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T12_48_05.093039900Z\ChromeSetup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T13_03_23.134665700Z\vcredist_x64.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T12_55_50.744383200Z\vcredist_x64.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Wintup.exe
file	C:\Windows\CTS.exe

Drops a binary and executes it (1 个事件)

file	C:\Windows\CTS.exe

Drops an executable to the user AppData folder (9 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Windows_Activator\Windows Activator.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX1\Loader.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T12_55_50.744383200Z\vcredist_x64.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T13_03_23.134665700Z\vcredist_x64.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T12_55_56.358189200Z\dotNetFx40_Full_x86_x64.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\YRmzEydZngXxaqQ.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Wintup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX0\Loader.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T12_48_05.093039900Z\ChromeSetup.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.838283320600078

section

{'size_of_data': '0x00006200', 'virtual_address': '0x0000f000', 'entropy': 7.838283320600078, 'name': 'UPX1', 'virtual_size': '0x00007000'}

description

A section with a high entropy has been found

entropy

0.98

description

Overall entropy of this PE file is high

The executable is compressed using UPX (3 个事件)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Installs itself for autorun at Windows startup (2 个事件)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS				reg_value	C:\Windows\CTS.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS				reg_value	C:\Windows\CTS.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.24.14:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2015-05-05 21:45:31

Imports

Library ADVAPI32.dll:

• 0x416064 RegCloseKey

Library KERNEL32.DLL:

• 0x41606c LoadLibraryA

• 0x416070 ExitProcess

• 0x416074 GetProcAddress

• 0x416078 VirtualProtect

Library ntdll.dll:

• 0x416080 NtClose

Library USER32.dll:

• 0x416088 wsprintfW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.24.14 CNAME clients.l.google.com	172.217.24.14
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
redirector.gvt1.com	A 203.208.41.65	203.208.41.33
update.googleapis.com	A 203.208.41.98	203.208.40.98
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49187	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49188	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49186	203.208.41.65 redirector.gvt1.com	80
192.168.56.101	49185	203.208.41.98 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58970	114.114.114.114	53
192.168.56.101	60088	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5ad27e68626eb039&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619380097&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5ad27e68626eb039&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619380097&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619379713&mv=u&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619379713&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5ad27e68626eb039&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619380097&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5ad27e68626eb039&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619380097&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619379713&mv=u&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619379713&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.