9.6
Critical

32927a4fab73ea5801cca6c5f5c34c3d74b7f0a850036e9882112bb2b90d1ee7

47f2fb738959ba95f544d01464d4a32a.exe

Analysis time

89s

Latest analysis

File size

756.0KB
Flagged by static scan; flagged by dynamic scan. Tags: AI SCORE=80 AVSETECER BUBCVG FAREIT GDSDA GENERICKD HIGH CONFIDENCE KCLOUD KRYPTIK MALWARE@#1D0UIW4ZV4YJZ MASSLOGGER PACKEDNET PGDE PWSX QVM03 R346301 SCORE TSCOPE UNSAFE USXZY YAKBEEXMSIL
Eagle Eye engine
Not detected: no Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine / Result / Scan time / Engine version
McAfee 20210127 6.0.6.653
Alibaba Trojan:MSIL/MassLogger.5f555349 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20210127 21.1.5827.0
Kingsoft Win32.Troj.Undef.(kcloud) 20210127 2017.9.26.565
Tencent Msil.Trojan.Crypt.Pgde 20210127 1.0.0.1
Static indicators
Queries for the computer name (2 events)
Time & API Arguments Status Return Repeated
1619521517.698626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619521518.807626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (5 events)
Time & API Arguments Status Return Repeated
1619521459.994499
IsDebuggerPresent
failed 0 0
1619521459.994499
IsDebuggerPresent
failed 0 0
1619521504.026499
IsDebuggerPresent
failed 0 0
1619521504.338626
IsDebuggerPresent
failed 0 0
1619521504.338626
IsDebuggerPresent
failed 0 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619521460.010499
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 168 events)
Time & API Arguments Status Return Repeated
1619521458.916499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00970000
success 0 0
1619521458.916499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00af0000
success 0 0
1619521459.698499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02270000
success 0 0
1619521459.698499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02410000
success 0 0
1619521459.869499
NtProtectVirtualMemory
process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619521459.994499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00970000
success 0 0
1619521459.994499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a30000
success 0 0
1619521459.994499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0029a000
success 0 0
1619521459.994499
NtProtectVirtualMemory
process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619521459.994499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00292000
success 0 0
1619521460.229499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a2000
success 0 0
1619521460.276499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00345000
success 0 0
1619521460.291499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034b000
success 0 0
1619521460.291499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00347000
success 0 0
1619521460.448499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a3000
success 0 0
1619521460.448499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a4000
success 0 0
1619521460.494499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ac000
success 0 0
1619521460.541499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00720000
success 0 0
1619521460.651499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a31000
success 0 0
1619521460.666499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a32000
success 0 0
1619521460.698499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a5000
success 0 0
1619521460.698499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00336000
success 0 0
1619521460.713499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00721000
success 0 0
1619521460.713499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a33000
success 0 0
1619521460.713499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a34000
success 0 0
1619521460.776499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a35000
success 0 0
1619521460.776499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00722000
success 0 0
1619521460.791499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033a000
success 0 0
1619521460.791499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00337000
success 0 0
1619521460.963499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a6000
success 0 0
1619521460.994499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a7000
success 0 0
1619521461.354499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a8000
success 0 0
1619521461.635499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a9000
success 0 0
1619521461.666499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00723000
success 0 0
1619521461.682499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00840000
success 0 0
1619521461.698499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00724000
success 0 0
1619521500.448499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0029c000
success 0 0
1619521500.463499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00727000
success 0 0
1619521500.588499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00841000
success 0 0
1619521500.588499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ad000
success 0 0
1619521500.604499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00842000
success 0 0
1619521500.604499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00728000
success 0 0
1619521500.791499
NtProtectVirtualMemory
process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 317440
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02350400
failed 3221225550 0
1619521503.651499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00729000
success 0 0
1619521503.666499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072a000
success 0 0
1619521503.666499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072b000
success 0 0
1619521503.713499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072c000
success 0 0
1619521503.713499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072d000
success 0 0
1619521503.885499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00843000
success 0 0
1619521503.885499
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072e000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.7099043415794455 section {'size_of_data': '0x00094a00', 'virtual_address': '0x00002000', 'entropy': 7.7099043415794455, 'name': '.text', 'virtual_size': '0x000948d0'} description A section with a high entropy has been found
entropy 0.786896095301125 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619521500.776499
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619521516.213626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with a host for which no DNS query was performed (3 events)
host 172.217.24.14
host 203.208.41.34
host 203.208.41.65
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619521504.073499
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00009f14
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619521504.073499
WriteProcessMemory
process_identifier: 2196
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELSÞ^à \¾z €@ À@…dzW€è   H.textÄZ \ `.rsrcè€^@@.reloc  b@B
process_handle: 0x00009f14
base_address: 0x00400000
success 1 0
1619521504.088499
WriteProcessMemory
process_identifier: 2196
buffer: €0€HX€ŒŒ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamevuTbCLDKveZSJqSbnqvgrsQmO.exe(LegalCopyright dOriginalFilenamevuTbCLDKveZSJqSbnqvgrsQmO.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00009f14
base_address: 0x00448000
success 1 0
1619521504.088499
WriteProcessMemory
process_identifier: 2196
buffer: p À:
process_handle: 0x00009f14
base_address: 0x0044a000
success 1 0
1619521504.088499
WriteProcessMemory
process_identifier: 2196
buffer: @
process_handle: 0x00009f14
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619521504.073499
WriteProcessMemory
process_identifier: 2196
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELSÞ^à \¾z €@ À@…dzW€è   H.textÄZ \ `.rsrcè€^@@.reloc  b@B
process_handle: 0x00009f14
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2520 called NtSetContextThread to modify thread in remote process 2196
Time & API Arguments Status Return Repeated
1619521504.088499
NtSetContextThread
thread_handle: 0x00006998
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4487870
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2196
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2520 resumed a thread in remote process 2196
Time & API Arguments Status Return Repeated
1619521504.151499
NtResumeThread
thread_handle: 0x00006998
suspend_count: 1
process_identifier: 2196
success 0 0
Executed a process and injected code into it, probably while unpacking (20 events)
Time & API Arguments Status Return Repeated
1619521459.994499
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2520
success 0 0
1619521459.994499
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2520
success 0 0
1619521460.010499
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2520
success 0 0
1619521504.026499
NtResumeThread
thread_handle: 0x00009f10
suspend_count: 1
process_identifier: 2520
success 0 0
1619521504.026499
NtResumeThread
thread_handle: 0x0000ae34
suspend_count: 1
process_identifier: 2520
success 0 0
1619521504.073499
CreateProcessInternalW
thread_identifier: 2604
thread_handle: 0x00006998
process_identifier: 2196
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f2fb738959ba95f544d01464d4a32a.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f2fb738959ba95f544d01464d4a32a.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00009f14
inherit_handles: 0
success 1 0
1619521504.073499
NtGetContextThread
thread_handle: 0x00006998
success 0 0
1619521504.073499
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00009f14
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619521504.073499
WriteProcessMemory
process_identifier: 2196
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELSÞ^à \¾z €@ À@…dzW€è   H.textÄZ \ `.rsrcè€^@@.reloc  b@B
process_handle: 0x00009f14
base_address: 0x00400000
success 1 0
1619521504.073499
WriteProcessMemory
process_identifier: 2196
buffer:
process_handle: 0x00009f14
base_address: 0x00402000
success 1 0
1619521504.088499
WriteProcessMemory
process_identifier: 2196
buffer: €0€HX€ŒŒ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamevuTbCLDKveZSJqSbnqvgrsQmO.exe(LegalCopyright dOriginalFilenamevuTbCLDKveZSJqSbnqvgrsQmO.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00009f14
base_address: 0x00448000
success 1 0
1619521504.088499
WriteProcessMemory
process_identifier: 2196
buffer: p À:
process_handle: 0x00009f14
base_address: 0x0044a000
success 1 0
1619521504.088499
WriteProcessMemory
process_identifier: 2196
buffer: @
process_handle: 0x00009f14
base_address: 0x7efde008
success 1 0
1619521504.088499
NtSetContextThread
thread_handle: 0x00006998
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4487870
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2196
success 0 0
1619521504.151499
NtResumeThread
thread_handle: 0x00006998
suspend_count: 1
process_identifier: 2196
success 0 0
1619521504.338626
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2196
success 0 0
1619521504.338626
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2196
success 0 0
1619521504.354626
NtResumeThread
thread_handle: 0x00000198
suspend_count: 1
process_identifier: 2196
success 0 0
1619521518.698626
NtResumeThread
thread_handle: 0x000002e4
suspend_count: 1
process_identifier: 2196
success 0 0
1619521518.729626
NtResumeThread
thread_handle: 0x00000318
suspend_count: 1
process_identifier: 2196
success 0 0
File has been identified by 42 antivirus engines on VirusTotal as malicious (42 events)
Elastic malicious (high confidence)
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056b6591 )
Alibaba Trojan:MSIL/MassLogger.5f555349
K7GW Trojan ( 0056b6591 )
Cybereason malicious.38959b
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKD.34254632
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Emsisoft Trojan.GenericKD.34254632 (B)
Comodo Malware@#1d0uiw4zv4yjz
DrWeb Trojan.PackedNET.373
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition Fareit-FXU!47F2FB738959
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Crypt
Webroot W32.Adware.Gen
Avira TR/Kryptik.usxzy
MAX malware (ai score=80)
Antiy-AVL Trojan/MSIL.Crypt
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:MSIL/MassLogger.GN!MTB
Gridinsoft Trojan.Win32.Kryptik.oa
Arcabit Trojan.Generic.D20AAF28
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
Cynet Malicious (score: 90)
AhnLab-V3 Malware/Win32.Generic.R346301
VBA32 TScope.Trojan.MSIL
ALYac Trojan.GenericKD.34254632
Malwarebytes Spyware.MassLogger
ESET-NOD32 a variant of MSIL/Kryptik.XCS
Tencent Msil.Trojan.Crypt.Pgde
Yandex Trojan.AvsEtecer.bUbcVg
Fortinet MSIL/Agent.BMW!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
Qihoo-360 Generic/HEUR/QVM03.0.E3AC.Malware.Gen
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (3 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2020-07-29 10:51:25

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.