9.2
极危
该样本未表现出任何异常!
重新分析
更多

820e49a2ee586e3c97b85a746b229549bd2f56eefec462fd0e6463b0713d1016

3e586bef51b9bc31a775c16fdd2fd2df.exe

分析耗时

104s

最近分析

文件大小

168.1KB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619411711.208625
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (4 个事件)
Time & API Arguments Status Return Repeated
1619411699.536625
CryptGenKey
crypto_handle: 0x00555ac8
algorithm_identifier: 0x0000660e ()
provider_handle: 0x00554fe8
flags: 1
key: fbåíÃ×èµÌ§Ÿfj%ðã
success 1 0
1619411711.208625
CryptExportKey
crypto_handle: 0x00555ac8
crypto_export_handle: 0x005550b0
buffer: f¤;C&–À­€I¦³TŠâÀ†FD©õ?^_¯cÈ/Äÿ8ò¨N”‡EüV ‚ÝžsûQ ¹Ï\|9†Sɓ?ˆxg¬ÞæA¦ð z Ù9ß žÆAd7é”É0Þ û½
blob_type: 1
flags: 64
success 1 0
1619411740.473625
CryptExportKey
crypto_handle: 0x00555ac8
crypto_export_handle: 0x005550b0
buffer: f¤‘NMý' GÔpEº+'‘zÍÛ: I8Ðå#ÎÁ3«TõUe%[¶ËƒÀ|‡ÏÁD1ºl֝áo¤G‚QhCl9’^§3ßùýÿM²Ìå-v`úvZSMA­1
blob_type: 1
flags: 64
success 1 0
1619411764.958625
CryptExportKey
crypto_handle: 0x00555ac8
crypto_export_handle: 0x005550b0
buffer: f¤‚H{=s·[)”õ©t[™ŽÍ˦Ÿüzh “~ÿšù8eÊçFŠ2ð@BËÿ;¼È]:ŒRRM ™Š³µ…Ô±GLib*nÍ1á$-úÀùî|x0üÏGªâiò3»ž
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:4283709731&cup2hreq=8f893d04b495c829c9f8254720e909a6ebb4fab5cafac48f226f6fb897bb8e7c
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619382681&mv=u&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=24dda8192328b30d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619382496&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:4283709731&cup2hreq=8f893d04b495c829c9f8254720e909a6ebb4fab5cafac48f226f6fb897bb8e7c
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:4283709731&cup2hreq=8f893d04b495c829c9f8254720e909a6ebb4fab5cafac48f226f6fb897bb8e7c
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619411692.2705
NtAllocateVirtualMemory
process_identifier: 2116
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619411753.614375
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004090000
success 0 0
1619411699.161625
NtAllocateVirtualMemory
process_identifier: 2040
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x021c0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619411692.7865
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3e586bef51b9bc31a775c16fdd2fd2df.exe
newfilepath: C:\Windows\SysWOW64\msls31\msorc32r.exe
newfilepath_r: C:\Windows\SysWOW64\msls31\msorc32r.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3e586bef51b9bc31a775c16fdd2fd2df.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619411713.645625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 个事件)
process msorc32r.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619411712.395625
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (5 个事件)
host 107.5.122.110
host 172.217.24.14
host 199.101.86.6
host 45.55.219.163
host 203.208.40.66
Installs itself for autorun at Windows startup (1 个事件)
service_name msorc32r service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\msls31\msorc32r.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619411696.1925
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02cb8490
display_name: msorc32r
error_control: 0
service_name: msorc32r
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\msls31\msorc32r.exe"
filepath_r: "C:\Windows\SysWOW64\msls31\msorc32r.exe"
service_manager_handle: 0x02ca2b58
desired_access: 2
service_type: 16
password:
success 46892176 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619411716.208625
RegSetValueExA
key_handle: 0x0000039c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619411716.208625
RegSetValueExA
key_handle: 0x0000039c
value: ŸâÂR:×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619411716.208625
RegSetValueExA
key_handle: 0x0000039c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619411716.208625
RegSetValueExW
key_handle: 0x0000039c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619411716.208625
RegSetValueExA
key_handle: 0x000003b4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619411716.208625
RegSetValueExA
key_handle: 0x000003b4
value: ŸâÂR:×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619411716.208625
RegSetValueExA
key_handle: 0x000003b4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619411716.239625
RegSetValueExW
key_handle: 0x00000398
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\msls31\msorc32r.exe:Zone.Identifier
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 个事件)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
dead_host 107.5.122.110:80
dead_host 199.101.86.6:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-25 23:30:27

Imports

Library MFC42.DLL:
0x410884
0x410888
0x41088c
0x410890
0x410894
0x410898
0x41089c
0x4108a0
0x4108a4
0x4108a8
0x4108ac
0x4108b0
0x4108b4
0x4108b8
0x4108bc
0x4108c0
0x4108c4
0x4108c8
0x4108cc
0x4108d0
0x4108d4
0x4108d8
0x4108dc
0x4108e0
0x4108e4
0x4108e8
0x4108ec
0x4108f0
0x4108f4
0x4108f8
0x4108fc
0x410900
0x410904
0x410908
0x41090c
0x410910
0x410914
0x410918
0x41091c
0x410920
0x410924
0x410928
0x41092c
0x410930
0x410934
0x410938
0x41093c
0x410940
0x410944
0x410948
0x41094c
0x410950
0x410954
0x410958
0x41095c
0x410960
0x410964
0x410968
0x41096c
0x410970
0x410974
0x410978
0x41097c
0x410980
0x410984
0x410988
0x41098c
0x410990
0x410994
0x410998
0x41099c
0x4109a0
0x4109a4
0x4109a8
0x4109ac
0x4109b0
0x4109b4
0x4109b8
0x4109bc
0x4109c0
0x4109c4
0x4109c8
0x4109cc
0x4109d0
0x4109d4
0x4109d8
0x4109dc
0x4109e0
0x4109e4
0x4109e8
0x4109ec
0x4109f0
0x4109f4
0x4109f8
0x4109fc
0x410a00
0x410a04
0x410a08
0x410a0c
0x410a10
0x410a14
0x410a18
0x410a1c
0x410a20
0x410a24
0x410a28
0x410a2c
0x410a30
0x410a34
0x410a38
0x410a3c
0x410a40
0x410a44
0x410a48
0x410a4c
0x410a50
0x410a54
0x410a58
0x410a5c
0x410a60
0x410a64
0x410a68
0x410a6c
0x410a70
0x410a74
0x410a78
0x410a7c
0x410a80
0x410a84
0x410a88
0x410a8c
0x410a90
0x410a94
0x410a98
0x410a9c
0x410aa0
0x410aa4
0x410aa8
0x410aac
0x410ab0
0x410ab4
0x410ab8
0x410abc
0x410ac0
0x410ac4
0x410ac8
0x410acc
0x410ad0
0x410ad4
0x410ad8
0x410adc
0x410ae0
0x410ae4
0x410ae8
0x410aec
0x410af0
0x410af4
0x410af8
0x410afc
0x410b00
Library MSVCRT.dll:
0x410bec _adjust_fdiv
0x410bf0 __setusermatherr
0x410bf4 _initterm
0x410bf8 __getmainargs
0x410bfc _acmdln
0x410c00 exit
0x410c04 __p__commode
0x410c08 _exit
0x410c0c _onexit
0x410c10 __dllonexit
0x410c14 _ftol
0x410c18 atoi
0x410c1c _setmbcp
0x410c20 __p__fmode
0x410c24 __set_app_type
0x410c28 _except_handler3
0x410c2c _XcptFilter
0x410c30 __CxxFrameHandler
0x410c34 _EH_prolog
0x410c38 _mbsstr
0x410c3c _vsnprintf
0x410c40 sprintf
0x410c44 _mbsnbcpy
0x410c48 _mbscmp
0x410c4c _mbsupr
0x410c50 _mbsnbcat
0x410c54 _wcslwr
0x410c58 malloc
0x410c5c clock
0x410c60 _controlfp
Library KERNEL32.dll:
0x4107c0 GlobalLock
0x4107c4 GlobalUnlock
0x4107c8 FlushViewOfFile
0x4107cc CloseHandle
0x4107d0 UnmapViewOfFile
0x4107d4 GetCurrentThreadId
0x4107d8 SetEvent
0x4107dc IsBadWritePtr
0x4107e0 IsBadReadPtr
0x4107e4 GlobalSize
0x4107e8 ReleaseMutex
0x4107ec CreateEventA
0x4107f0 CreateMutexA
0x4107f4 OpenEventA
0x4107f8 OpenMutexA
0x4107fc GetLastError
0x410800 ExitProcess
0x410804 GetModuleHandleA
0x410808 GetStartupInfoA
0x41080c GlobalAlloc
0x410810 Sleep
0x410814 FreeLibrary
0x410818 LoadLibraryA
0x410820 WinExec
0x410824 DeviceIoControl
0x410828 GetFileSize
0x41082c CreateFileA
0x410830 MapViewOfFile
0x410834 WaitForSingleObject
0x410838 CreateFileMappingA
0x41083c OpenFileMappingA
Library USER32.dll:
0x410cd8 ScreenToClient
0x410cdc SendMessageA
0x410ce0 ReleaseDC
0x410ce4 InvalidateRect
0x410ce8 RedrawWindow
0x410cec SetTimer
0x410cf0 KillTimer
0x410cf4 GetParent
0x410cf8 GetSystemMetrics
0x410cfc DrawFocusRect
0x410d00 GetSubMenu
0x410d04 LoadMenuA
0x410d08 InSendMessage
0x410d0c CreateWindowExA
0x410d10 DrawIcon
0x410d14 GetClientRect
0x410d18 GetSystemMenu
0x410d1c IsIconic
0x410d20 LoadIconA
0x410d24 InflateRect
0x410d28 PtInRect
0x410d2c LoadCursorA
0x410d30 CopyIcon
0x410d34 IsWindow
0x410d38 GetSysColor
0x410d3c SetCursor
0x410d40 GetMessagePos
0x410d44 MessageBeep
0x410d48 SetWindowLongA
0x410d4c DestroyCursor
0x410d54 AppendMenuA
0x410d58 GetWindowRect
0x410d5c EmptyClipboard
0x410d60 SetClipboardData
0x410d64 OpenClipboard
0x410d68 GetClipboardData
0x410d6c CloseClipboard
0x410d70 EnableWindow
0x410d74 GetDC
Library GDI32.dll:
0x410774 GetTextMetricsA
0x41077c GetObjectA
0x410780 CreateFontIndirectA
0x410784 CreateSolidBrush
0x410788 GetStockObject
0x41078c GetCharWidthA
Library ADVAPI32.dll:
0x41073c RegQueryValueA
0x410740 RegCloseKey
0x410744 RegOpenKeyExA
Library SHELL32.dll:
0x410ca8 ShellExecuteA
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49196 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49197 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49195 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49194 203.208.41.98 update.googleapis.com 443
203.208.40.66 443 192.168.56.101 49193

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619382681&mv=u&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619382681&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=24dda8192328b30d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619382496&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=24dda8192328b30d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619382496&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.