SmartHawk

2.4

中危

该样本未表现出任何异常！

重新分析

下载样本

ceb94b19779d25b8b619b58d4176e44855fd2582c7caba5c2d694ff992f1abc4

408870ccfce7025ec9387df0703d7ce3.exe

分析耗时

36s

最近分析

文件大小

235.5KB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619390857.193375 NtProtectVirtualMemory	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x003dc000	success	0	0
1619390857.208375 NtAllocateVirtualMemory	process_identifier: 2040 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a0000	success	0	0

Foreign language identified in PE resource (30 个事件)

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_ICON

language

LANG_SAAMI

offset

0x0043afd8

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x00000468

name

RT_GROUP_ICON

language

LANG_SAAMI

offset

0x0043b440

filetype

data

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x0000005a

name

RT_GROUP_ICON

language

LANG_SAAMI

offset

0x0043b440

filetype

data

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x0000005a

name

RT_GROUP_ICON

language

LANG_SAAMI

offset

0x0043b440

filetype

data

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x0000005a

name

RT_GROUP_ICON

language

LANG_SAAMI

offset

0x0043b440

filetype

data

sublanguage

SUBLANG_ARABIC_TUNISIA

size

0x0000005a

Communicates with host for which no DNS query was performed (3 个事件)

host	172.217.24.14
host	203.208.40.66
host	203.208.41.65

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-08-12 15:14:23

Imports

Library KERNEL32.dll:

• 0x40013010 FatalAppExitW

• 0x40013014 OpenFileMappingW

• 0x40013018 GetLargestConsoleWindowSize

• 0x4001301c GetConsoleAliasesLengthW

• 0x40013020 FlushViewOfFile

• 0x40013024 GetNumaAvailableMemoryNode

• 0x40013028 SetNamedPipeHandleState

• 0x4001302c CreatePipe

• 0x40013030 OpenProcess

• 0x40013034 SetProcessAffinityMask

• 0x40013038 GetQueuedCompletionStatus

• 0x4001303c CreateIoCompletionPort

• 0x40013040 HeapAlloc

• 0x40013044 SetConsoleTextAttribute

• 0x40013048 LocalAlloc

• 0x4001304c GetSystemPowerStatus

• 0x40013050 GetModuleHandleW

• 0x40013054 SetCalendarInfoW

• 0x40013058 SetThreadExecutionState

• 0x4001305c SetConsoleCursorPosition

• 0x40013060 GetEnvironmentVariableW

• 0x40013064 CommConfigDialogA

• 0x40013068 GetAtomNameW

• 0x4001306c CreateMailslotA

• 0x40013070 GetLastError

• 0x40013074 IsBadReadPtr

• 0x40013078 FindFirstVolumeMountPointW

• 0x4001307c SetFilePointer

• 0x40013080 WriteConsoleW

• 0x40013084 LCMapStringW

• 0x40013088 FindAtomW

• 0x4001308c _lopen

• 0x40013090 GetProcAddress

• 0x40013094 GetConsoleOutputCP

• 0x40013098 InterlockedIncrement

• 0x4001309c InterlockedDecrement

• 0x400130a0 Sleep

• 0x400130a4 InitializeCriticalSection

• 0x400130a8 DeleteCriticalSection

• 0x400130ac EnterCriticalSection

• 0x400130b0 LeaveCriticalSection

• 0x400130b4 EncodePointer

• 0x400130b8 DecodePointer

• 0x400130bc RaiseException

• 0x400130c0 GetCommandLineW

• 0x400130c4 HeapSetInformation

• 0x400130c8 GetStartupInfoW

• 0x400130cc HeapFree

• 0x400130d0 RtlUnwind

• 0x400130d4 IsProcessorFeaturePresent

• 0x400130d8 CloseHandle

• 0x400130dc UnhandledExceptionFilter

• 0x400130e0 SetUnhandledExceptionFilter

• 0x400130e4 IsDebuggerPresent

• 0x400130e8 TerminateProcess

• 0x400130ec GetCurrentProcess

• 0x400130f0 ExitProcess

• 0x400130f4 WriteFile

• 0x400130f8 GetStdHandle

• 0x400130fc GetModuleFileNameW

• 0x40013100 FreeEnvironmentStringsW

• 0x40013104 GetEnvironmentStringsW

• 0x40013108 SetHandleCount

• 0x4001310c InitializeCriticalSectionAndSpinCount

• 0x40013110 GetFileType

• 0x40013114 TlsAlloc

• 0x40013118 TlsGetValue

• 0x4001311c TlsSetValue

• 0x40013120 TlsFree

• 0x40013124 SetLastError

• 0x40013128 GetCurrentThreadId

• 0x4001312c HeapCreate

• 0x40013130 QueryPerformanceCounter

• 0x40013134 GetTickCount

• 0x40013138 GetCurrentProcessId

• 0x4001313c GetSystemTimeAsFileTime

• 0x40013140 HeapSize

• 0x40013144 GetCPInfo

• 0x40013148 GetACP

• 0x4001314c GetOEMCP

• 0x40013150 IsValidCodePage

• 0x40013154 GetStringTypeW

• 0x40013158 MultiByteToWideChar

• 0x4001315c SetStdHandle

• 0x40013160 WideCharToMultiByte

• 0x40013164 GetConsoleCP

• 0x40013168 GetConsoleMode

• 0x4001316c FlushFileBuffers

• 0x40013170 LoadLibraryW

• 0x40013174 HeapReAlloc

• 0x40013178 CreateFileW

Library USER32.dll:

• 0x40013180 GetCursorInfo

• 0x40013184 GetCaretPos

Library ADVAPI32.dll:

• 0x40013000 InitializeAcl

• 0x40013004 GetAclInformation

• 0x40013008 BackupEventLogA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.24.14
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.