6.2
高危
该样本未表现出任何异常!
重新分析
更多

889c0d28e7f3ed6a39871d3121d74f05698570e511dfc9c011c40e3fda020dcc

3df3495c4e5d1e16be4310026b04e8f9.exe

分析耗时

69s

最近分析

文件大小

508.5KB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619420232.418626
IsDebuggerPresent
failed 0 0
1619420271.731626
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619420268.215626
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 77 个事件)
Time & API Arguments Status Return Repeated
1619420231.684626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00710000
success 0 0
1619420231.684626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a0000
success 0 0
1619420232.356626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619420232.434626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005da000
success 0 0
1619420232.434626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c52000
success 0 0
1619420232.434626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d2000
success 0 0
1619420232.778626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e2000
success 0 0
1619420232.840626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e3000
success 0 0
1619420232.856626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061b000
success 0 0
1619420232.856626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00617000
success 0 0
1619420232.887626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ec000
success 0 0
1619420233.418626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e4000
success 0 0
1619420233.418626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e5000
success 0 0
1619420233.449626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e6000
success 0 0
1619420233.481626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00710000
success 0 0
1619420233.621626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f6000
success 0 0
1619420233.668626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0060a000
success 0 0
1619420233.746626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00602000
success 0 0
1619420233.778626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00615000
success 0 0
1619420267.418626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0060c000
success 0 0
1619420267.512626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005fa000
success 0 0
1619420267.512626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f7000
success 0 0
1619420267.528626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e7000
success 0 0
1619420267.731626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00711000
success 0 0
1619420267.824626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00712000
success 0 0
1619420267.934626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ea000
success 0 0
1619420267.981626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005db000
success 0 0
1619420267.981626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 367616
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a50400
failed 3221225550 0
1619420271.340626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e8000
success 0 0
1619420271.340626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00713000
success 0 0
1619420271.340626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00714000
success 0 0
1619420271.340626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00715000
success 0 0
1619420271.371626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00716000
success 0 0
1619420271.543626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00717000
success 0 0
1619420271.590626
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00718000
success 0 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a50178
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a501a0
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a501c8
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a501f0
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a50218
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa90e
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa902
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 72
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa000
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa91c
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa940
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa948
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa94c
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa954
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa958
failed 3221225550 0
1619420271.606626
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04aaa95c
failed 3221225550 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.97036208278292 section {'size_of_data': '0x0007a400', 'virtual_address': '0x00002000', 'entropy': 7.97036208278292, 'name': '.text', 'virtual_size': '0x0007a238'} description A section with a high entropy has been found
entropy 0.9625984251968503 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619420267.981626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (10 个事件)
Time & API Arguments Status Return Repeated
1619420271.824626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2168
process_handle: 0x00007f94
failed 0 0
1619420271.824626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2168
process_handle: 0x00007f94
success 0 0
1619420271.871626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1704
process_handle: 0x000063d8
failed 0 0
1619420271.871626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1704
process_handle: 0x000063d8
success 0 0
1619420271.903626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2968
process_handle: 0x000059fc
failed 0 0
1619420271.903626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2968
process_handle: 0x000059fc
success 0 0
1619420271.934626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1752
process_handle: 0x00004428
failed 0 0
1619420271.934626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1752
process_handle: 0x00004428
success 0 0
1619420271.965626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 472
process_handle: 0x00005848
failed 0 0
1619420271.965626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 472
process_handle: 0x00005848
success 0 0
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 172.217.24.14
host 203.208.41.34
host 203.208.41.65
Allocates execute permission to another process indicative of possible code injection (5 个事件)
Time & API Arguments Status Return Repeated
1619420271.778626
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00004430
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.840626
NtAllocateVirtualMemory
process_identifier: 1704
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0001056c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.871626
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00003a84
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.903626
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000a794
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.949626
NtAllocateVirtualMemory
process_identifier: 472
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000aa60
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Manipulates memory of a non-child process indicative of process injection (10 个事件)
Process injection Process 1128 manipulating memory of non-child process 2168
Process injection Process 1128 manipulating memory of non-child process 1704
Process injection Process 1128 manipulating memory of non-child process 2968
Process injection Process 1128 manipulating memory of non-child process 1752
Process injection Process 1128 manipulating memory of non-child process 472
Time & API Arguments Status Return Repeated
1619420271.778626
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00004430
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.840626
NtAllocateVirtualMemory
process_identifier: 1704
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0001056c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.871626
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00003a84
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.903626
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000a794
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.949626
NtAllocateVirtualMemory
process_identifier: 472
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000aa60
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Executed a process and injected code into it, probably while unpacking (21 个事件)
Time & API Arguments Status Return Repeated
1619420232.418626
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1128
success 0 0
1619420232.481626
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 1128
success 0 0
1619420271.559626
NtGetContextThread
thread_handle: 0x0000015c
success 0 0
1619420271.559626
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 1128
success 0 0
1619420271.699626
NtResumeThread
thread_handle: 0x00008270
suspend_count: 1
process_identifier: 1128
success 0 0
1619420271.715626
NtResumeThread
thread_handle: 0x00001b00
suspend_count: 1
process_identifier: 1128
success 0 0
1619420271.778626
CreateProcessInternalW
thread_identifier: 2528
thread_handle: 0x00000d60
process_identifier: 2168
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00004430
inherit_handles: 0
success 1 0
1619420271.778626
NtGetContextThread
thread_handle: 0x00000d60
success 0 0
1619420271.778626
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00004430
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.840626
CreateProcessInternalW
thread_identifier: 2452
thread_handle: 0x00007f94
process_identifier: 1704
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0001056c
inherit_handles: 0
success 1 0
1619420271.840626
NtGetContextThread
thread_handle: 0x00007f94
success 0 0
1619420271.840626
NtAllocateVirtualMemory
process_identifier: 1704
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0001056c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.871626
CreateProcessInternalW
thread_identifier: 2964
thread_handle: 0x000063d8
process_identifier: 2968
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00003a84
inherit_handles: 0
success 1 0
1619420271.871626
NtGetContextThread
thread_handle: 0x000063d8
success 0 0
1619420271.871626
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00003a84
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.903626
CreateProcessInternalW
thread_identifier: 2940
thread_handle: 0x000059fc
process_identifier: 1752
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000a794
inherit_handles: 0
success 1 0
1619420271.903626
NtGetContextThread
thread_handle: 0x000059fc
success 0 0
1619420271.903626
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000a794
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619420271.949626
CreateProcessInternalW
thread_identifier: 1760
thread_handle: 0x00004428
process_identifier: 472
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df3495c4e5d1e16be4310026b04e8f9.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000aa60
inherit_handles: 0
success 1 0
1619420271.949626
NtGetContextThread
thread_handle: 0x00004428
success 0 0
1619420271.949626
NtAllocateVirtualMemory
process_identifier: 472
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000aa60
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-31 14:02:49

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49236 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.