5.0
中危
该样本未表现出任何异常!
重新分析
更多

c905064bb651ad48f6a67415f4b982254e6f816ff03b1f19d3da32da19a8d788

3d40f79b056c758266a6b19856e1ac28.exe

分析耗时

44s

最近分析

文件大小

467.5KB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1619384542.109375
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34602820
registers.edi: 0
registers.eax: 0
registers.ebp: 34602888
registers.edx: 2130553844
registers.ebx: 0
registers.esi: 0
registers.ecx: 3064
exception.instruction_r: f7 f0 89 c9 89 c9 89 c9 33 c0 5a 59 59 64 89 10
exception.symbol: 3d40f79b056c758266a6b19856e1ac28+0x716f0
exception.instruction: div eax
exception.module: 3d40f79b056c758266a6b19856e1ac28.exe
exception.exception_code: 0xc0000094
exception.offset: 464624
exception.address: 0x4716f0
success 0 0
1619411934.340001
__exception__
stacktrace: 
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x73aae97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x73aaea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x73aab25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x73aab4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x73aaac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x73aaaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x73aa5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x73aa559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74167f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74164de3
3d40f79b056c758266a6b19856e1ac28+0x5aa4d @ 0x45aa4d
3d40f79b056c758266a6b19856e1ac28+0x53254 @ 0x453254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfe7114ad
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (30 个事件)
Time & API Arguments Status Return Repeated
1619384540.922375
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619384542.109375
NtProtectVirtualMemory
process_identifier: 2440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00471000
success 0 0
1619384542.109375
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007d0000
success 0 0
1619411930.949001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619411930.965001
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ff0000
success 0 0
1619411930.965001
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02150000
success 0 0
1619411930.965001
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00640000
success 0 0
1619411930.981001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 307200
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619411931.824001
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ff0000
success 0 0
1619411931.824001
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020a0000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ef2000
success 0 0
1619411934.309001
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.878883315902628 section {'size_of_data': '0x00070c00', 'virtual_address': '0x00062000', 'entropy': 7.878883315902628, 'name': 'UPX1', 'virtual_size': '0x00071000'} description A section with a high entropy has been found
entropy 0.9667738478027867 description Overall entropy of this PE file is high
The executable is compressed using UPX (2 个事件)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
网络通信
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2440 called NtSetContextThread to modify thread in remote process 2852
Time & API Arguments Status Return Repeated
1619384542.515375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4907088
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2852
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2440 resumed a thread in remote process 2852
Time & API Arguments Status Return Repeated
1619384542.609375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2852
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.24.14:443
Executed a process and injected code into it, probably while unpacking (6 个事件)
Time & API Arguments Status Return Repeated
1619384542.500375
CreateProcessInternalW
thread_identifier: 2288
thread_handle: 0x000000fc
process_identifier: 2852
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3d40f79b056c758266a6b19856e1ac28.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619384542.500375
NtUnmapViewOfSection
process_identifier: 2852
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619384542.500375
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2852
commit_size: 720896
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 720896
base_address: 0x00400000
success 0 0
1619384542.515375
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619384542.515375
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4907088
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2852
success 0 0
1619384542.609375
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2852
success 0 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:
0x4d6b68 LoadLibraryA
0x4d6b6c GetProcAddress
0x4d6b70 VirtualProtect
0x4d6b74 VirtualAlloc
0x4d6b78 VirtualFree
0x4d6b7c ExitProcess
Library advapi32.dll:
0x4d6b84 RegCloseKey
Library comctl32.dll:
0x4d6b8c ImageList_Add
Library comdlg32.dll:
0x4d6b94 ChooseColorA
Library gdi32.dll:
0x4d6b9c SaveDC
Library ole32.dll:
0x4d6ba4 OleDraw
Library oleaut32.dll:
0x4d6bac VariantCopy
Library user32.dll:
0x4d6bb4 GetDC
Library version.dll:
0x4d6bbc VerQueryValueA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49236 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.