12.8
0-day

9405885336e177508e9e2790e23bb7e8f11a070e3c7262bf70f4da6beb598c75

40a0ff8405c40399e9fdece7f94725ef.exe

Analysis duration

111s

Latest analysis

File size

727.5KB
Flagged by static scan; flagged by dynamic analysis. Detection tags: AGEN AGENSLA AGENTTESLA AI SCORE=89 ATTRIBUTE AVSARHER BTJEKX CONFIDENCE CRYPTINJECT ESAG FAREIT GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HWFHMN MALICIOUS PE MALWARE@#FL3ZBD0GHSEZ PALLAS PBOY POSSIBLETHREAT PWSX QQPASS QQROB QVM03 R06EC0DIC20 SCORE SIGGEN10 STELEGA TM0@AYM9V9I UNSAFE ZEMSILF
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine        Result                                   Scan date   Version
McAfee        Fareit-FZV!40A0FF8405C4                  20201022    6.0.6.653
Alibaba       TrojanSpy:MSIL/AgentTesla.c6e7d654       20190527    0.3.0.5
Baidu         (no detection)                           20190318    1.0.0.2
Avast         Win32:PWSX-gen [Trj]                     20201022    18.4.3895.0
Tencent       Msil.Trojan-qqpass.Qqrob.Pboy            20201022    1.0.0.1
Kingsoft      (no detection)                           20201022    2013.8.14.323
CrowdStrike   win/malicious_confidence_90% (W)         20190702    1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1620963664.766858
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (34 events)
Time & API Arguments Status Return Repeated
1620963598.717626
IsDebuggerPresent
failed 0 0
1620963598.732626
IsDebuggerPresent
failed 0 0
1620963656.123626
IsDebuggerPresent
failed 0 0
1620963656.623626
IsDebuggerPresent
failed 0 0
1620963657.138626
IsDebuggerPresent
failed 0 0
1620963657.623626
IsDebuggerPresent
failed 0 0
1620963658.138626
IsDebuggerPresent
failed 0 0
1620963658.623626
IsDebuggerPresent
failed 0 0
1620963659.138626
IsDebuggerPresent
failed 0 0
1620963659.623626
IsDebuggerPresent
failed 0 0
1620963660.138626
IsDebuggerPresent
failed 0 0
1620963660.623626
IsDebuggerPresent
failed 0 0
1620963661.138626
IsDebuggerPresent
failed 0 0
1620963661.623626
IsDebuggerPresent
failed 0 0
1620963662.154626
IsDebuggerPresent
failed 0 0
1620963662.623626
IsDebuggerPresent
failed 0 0
1620963663.154626
IsDebuggerPresent
failed 0 0
1620963663.623626
IsDebuggerPresent
failed 0 0
1620963664.170626
IsDebuggerPresent
failed 0 0
1620963664.623626
IsDebuggerPresent
failed 0 0
1620963665.201626
IsDebuggerPresent
failed 0 0
1620963665.623626
IsDebuggerPresent
failed 0 0
1620963666.217626
IsDebuggerPresent
failed 0 0
1620963666.623626
IsDebuggerPresent
failed 0 0
1620963667.217626
IsDebuggerPresent
failed 0 0
1620963667.623626
IsDebuggerPresent
failed 0 0
1620963668.217626
IsDebuggerPresent
failed 0 0
1620963668.623626
IsDebuggerPresent
failed 0 0
1620963669.217626
IsDebuggerPresent
failed 0 0
1620963669.638626
IsDebuggerPresent
failed 0 0
1620963670.217626
IsDebuggerPresent
failed 0 0
1620963670.654626
IsDebuggerPresent
failed 0 0
1620963670.817614
IsDebuggerPresent
failed 0 0
1620963670.817614
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1620963665.735858
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\DAaaHNBs"。
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620963598.826626
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 137 events)
Time & API Arguments Status Return Repeated
1620963597.607626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008a0000
success 0 0
1620963597.607626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a90000
success 0 0
1620963598.217626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008a0000
success 0 0
1620963598.217626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008d0000
success 0 0
1620963598.451626
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1620963598.717626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00ad0000
success 0 0
1620963598.717626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c20000
success 0 0
1620963598.732626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008aa000
success 0 0
1620963598.748626
NtProtectVirtualMemory
process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1620963598.748626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a2000
success 0 0
1620963599.357626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b2000
success 0 0
1620963599.732626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00915000
success 0 0
1620963599.748626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0091b000
success 0 0
1620963599.748626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00917000
success 0 0
1620963600.170626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b3000
success 0 0
1620963600.388626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008bc000
success 0 0
1620963601.904626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b4000
success 0 0
1620963601.967626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b6000
success 0 0
1620963602.529626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f0000
success 0 0
1620963602.920626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b7000
success 0 0
1620963603.357626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008ca000
success 0 0
1620963603.357626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c7000
success 0 0
1620963604.607626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c6000
success 0 0
1620963604.842626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c21000
success 0 0
1620963604.888626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c22000
success 0 0
1620963604.982626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b8000
success 0 0
1620963605.013626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f1000
success 0 0
1620963605.060626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c23000
success 0 0
1620963605.060626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c24000
success 0 0
1620963605.138626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c25000
success 0 0
1620963605.232626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f2000
success 0 0
1620963605.232626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c26000
success 0 0
1620963605.232626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c2a000
success 0 0
1620963605.404626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008ba000
success 0 0
1620963605.451626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008ac000
success 0 0
1620963607.732626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b9000
success 0 0
1620963608.170626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008cb000
success 0 0
1620963608.248626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f3000
success 0 0
1620963609.482626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a70000
success 0 0
1620963610.029626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b70000
success 0 0
1620963610.232626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a71000
success 0 0
1620963643.513626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008d1000
success 0 0
1620963643.717626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a3000
success 0 0
1620963643.795626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a72000
success 0 0
1620963643.857626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a73000
success 0 0
1620963643.920626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a74000
success 0 0
1620963643.951626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f4000
success 0 0
1620963643.967626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a75000
success 0 0
1620963643.967626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008bd000
success 0 0
1620963643.982626
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f5000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\DAaaHNBs.exe
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\DAaaHNBs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6BCF.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DAaaHNBs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6BCF.tmp"
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\DAaaHNBs.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1620963664.092626
ShellExecuteExW
parameters: /Create /TN "Updates\DAaaHNBs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6BCF.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.9633883540237855 section {'size_of_data': '0x00077000', 'virtual_address': '0x00002000', 'entropy': 7.9633883540237855, 'name': '.text', 'virtual_size': '0x00076ed4'} description A section with a high entropy has been found
entropy 7.032169727171687 section {'size_of_data': '0x0003ea00', 'virtual_address': '0x0007c000', 'entropy': 7.032169727171687, 'name': '.rsrc', 'virtual_size': '0x0003e8f0'} description A section with a high entropy has been found
entropy 0.9993122420907841 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1620963644.107626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 events)
Time & API Arguments Status Return Repeated
1620963669.685626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 984
process_handle: 0x0000e48c
failed 0 0
1620963669.685626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 984
process_handle: 0x0000e48c
success 0 0
1620963670.529626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1036
process_handle: 0x00004fc4
failed 0 0
1620963670.529626
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1036
process_handle: 0x00004fc4
success 0 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\DAaaHNBs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6BCF.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DAaaHNBs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6BCF.tmp"
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 203.208.41.65
host 203.208.41.66
Allocates execute permission to another process indicative of possible code injection (3 events)
Time & API Arguments Status Return Repeated
1620963669.217626
NtAllocateVirtualMemory
process_identifier: 984
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010f30
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620963670.060626
NtAllocateVirtualMemory
process_identifier: 1036
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00007aa4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620963670.670626
NtAllocateVirtualMemory
process_identifier: 1832
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000aab0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6BCF.tmp
Manipulates memory of a non-child process indicative of process injection (4 events)
Process injection Process 2852 manipulating memory of non-child process 984
Process injection Process 2852 manipulating memory of non-child process 1036
Time & API Arguments Status Return Repeated
1620963669.217626
NtAllocateVirtualMemory
process_identifier: 984
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010f30
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620963670.060626
NtAllocateVirtualMemory
process_identifier: 1036
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00007aa4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1620963670.670626
WriteProcessMemory
process_identifier: 1832
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-_à 7 @@ €@…¸6S@à`  H.text  `.rsrcà@@@.reloc `@B
process_handle: 0x0000aab0
base_address: 0x00400000
success 1 0
1620963670.701626
WriteProcessMemory
process_identifier: 1832
buffer: €0€HX@„„4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameRAEhvZtYSHntYAvzKtPXlf.exe(LegalCopyright `OriginalFilenameRAEhvZtYSHntYAvzKtPXlf.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x0000aab0
base_address: 0x00454000
success 1 0
1620963670.701626
WriteProcessMemory
process_identifier: 1832
buffer: 0 7
process_handle: 0x0000aab0
base_address: 0x00456000
success 1 0
1620963670.701626
WriteProcessMemory
process_identifier: 1832
buffer: @
process_handle: 0x0000aab0
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1620963670.670626
WriteProcessMemory
process_identifier: 1832
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-_à 7 @@ €@…¸6S@à`  H.text  `.rsrcà@@@.reloc `@B
process_handle: 0x0000aab0
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2852 called NtSetContextThread to modify thread in remote process 1832
Time & API Arguments Status Return Repeated
1620963670.701626
NtSetContextThread
thread_handle: 0x00004fc4
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4536078
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1832
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2852 resumed a thread in remote process 1832
Time & API Arguments Status Return Repeated
1620963671.092626
NtResumeThread
thread_handle: 0x00004fc4
suspend_count: 1
process_identifier: 1832
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 216.58.200.238:443
Executed a process and injected code into it, probably while unpacking (26 events)
Time & API Arguments Status Return Repeated
1620963598.732626
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2852
success 0 0
1620963598.779626
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2852
success 0 0
1620963598.857626
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2852
success 0 0
1620963656.076626
NtResumeThread
thread_handle: 0x00005818
suspend_count: 1
process_identifier: 2852
success 0 0
1620963656.092626
NtResumeThread
thread_handle: 0x0000efd0
suspend_count: 1
process_identifier: 2852
success 0 0
1620963664.092626
CreateProcessInternalW
thread_identifier: 364
thread_handle: 0x0000e3e4
process_identifier: 2236
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DAaaHNBs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6BCF.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000a19c
inherit_handles: 0
success 1 0
1620963669.201626
CreateProcessInternalW
thread_identifier: 1168
thread_handle: 0x000050bc
process_identifier: 984
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00010f30
inherit_handles: 0
success 1 0
1620963669.201626
NtGetContextThread
thread_handle: 0x000050bc
success 0 0
1620963669.217626
NtAllocateVirtualMemory
process_identifier: 984
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010f30
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620963670.060626
CreateProcessInternalW
thread_identifier: 2052
thread_handle: 0x0000e48c
process_identifier: 1036
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00007aa4
inherit_handles: 0
success 1 0
1620963670.060626
NtGetContextThread
thread_handle: 0x0000e48c
success 0 0
1620963670.060626
NtAllocateVirtualMemory
process_identifier: 1036
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00007aa4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620963670.670626
CreateProcessInternalW
thread_identifier: 2224
thread_handle: 0x00004fc4
process_identifier: 1832
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000aab0
inherit_handles: 0
success 1 0
1620963670.670626
NtGetContextThread
thread_handle: 0x00004fc4
success 0 0
1620963670.670626
NtAllocateVirtualMemory
process_identifier: 1832
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000aab0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1620963670.670626
WriteProcessMemory
process_identifier: 1832
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-_à 7 @@ €@…¸6S@à`  H.text  `.rsrcà@@@.reloc `@B
process_handle: 0x0000aab0
base_address: 0x00400000
success 1 0
1620963670.685626
WriteProcessMemory
process_identifier: 1832
buffer:
process_handle: 0x0000aab0
base_address: 0x00402000
success 1 0
1620963670.701626
WriteProcessMemory
process_identifier: 1832
buffer: €0€HX@„„4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameRAEhvZtYSHntYAvzKtPXlf.exe(LegalCopyright `OriginalFilenameRAEhvZtYSHntYAvzKtPXlf.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x0000aab0
base_address: 0x00454000
success 1 0
1620963670.701626
WriteProcessMemory
process_identifier: 1832
buffer: 0 7
process_handle: 0x0000aab0
base_address: 0x00456000
success 1 0
1620963670.701626
WriteProcessMemory
process_identifier: 1832
buffer: @
process_handle: 0x0000aab0
base_address: 0x7efde008
success 1 0
1620963670.701626
NtSetContextThread
thread_handle: 0x00004fc4
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4536078
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1832
success 0 0
1620963671.092626
NtResumeThread
thread_handle: 0x00004fc4
suspend_count: 1
process_identifier: 1832
success 0 0
1620963671.107626
NtResumeThread
thread_handle: 0x00003fe0
suspend_count: 1
process_identifier: 2852
success 0 0
1620963670.817614
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1832
success 0 0
1620963670.833614
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1832
success 0 0
1620963670.895614
NtResumeThread
thread_handle: 0x00000140
suspend_count: 1
process_identifier: 1832
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 of 55 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43807062
FireEye Generic.mg.40a0ff8405c40399
CAT-QuickHeal Trojan.Multi
McAfee Fareit-FZV!40A0FF8405C4
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056e0e81 )
Alibaba TrojanSpy:MSIL/AgentTesla.c6e7d654
K7GW Trojan ( 0056e0e81 )
Cybereason malicious.405c40
Arcabit Trojan.Generic.D29C7156
Invincea Mal/Generic-S
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Stelega.gen
BitDefender Trojan.GenericKD.43807062
NANO-Antivirus Trojan.Win32.Stelega.hwfhmn
Paloalto generic.ml
ViRobot Trojan.Win32.Z.Agent.744960.CD
Tencent Msil.Trojan-qqpass.Qqrob.Pboy
Ad-Aware Trojan.GenericKD.43807062
Emsisoft Trojan.GenericKD.43807062 (B)
Comodo Malware@#fl3zbd0ghsez
F-Secure Heuristic.HEUR/AGEN.1138633
DrWeb Trojan.Siggen10.16193
Zillya Trojan.GenKryptik.Win32.57456
TrendMicro TROJ_GEN.R06EC0DIC20
McAfee-GW-Edition BehavesLike.Win32.Generic.bc
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Webroot W32.Trojan.MSIL.Stelega
Avira HEUR/AGEN.1138633
Antiy-AVL Trojan[PSW]/MSIL.Stelega
Microsoft Trojan:MSIL/CryptInject.PA!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Stelega.gen
GData Trojan.GenericKD.43807062
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Agensla.C4194969
BitDefenderTheta Gen:NN.ZemsilF.34570.Tm0@ayM9v9i
ALYac Spyware.AgentTesla
MAX malware (ai score=89)
Malwarebytes Trojan.Crypt
ESET-NOD32 a variant of MSIL/GenKryptik.ESAG
TrendMicro-HouseCall TROJ_GEN.R06EC0DIC20
Yandex Trojan.AvsArher.bTJEKx
Ikarus Trojan.MSIL.Inject
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran

PE Compile Time

2020-09-09 22:58:03

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.