7.2
高危

414cc0291363b90a4d33ede8eb4b0b5820faa6808e1145993ec71fa0ccfa56f8

4b3f2802d9a4602e4f86a073c9193934.exe

分析耗时

132s

最近分析

文件大小

2.5MB
静态报毒 动态报毒 ARTEMIS FILEREPMALWARE MALWARE@#XAEKZMBRJHLW PRESENOKER
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Alibaba 20190527 0.3.0.5
Avast FileRepMalware 20190711 18.4.3895.0
Kingsoft 20190711 2013.8.14.323
McAfee Artemis!4B3F2802D9A4 20190710 6.0.6.653
Tencent 20190711 1.0.0.1
CrowdStrike 20190212 1.0
静态指标
Queries for the computer name (7 个事件)
Time & API Arguments Status Return Repeated
1620973556.041751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973556.603751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973556.713751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973556.838751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973556.900751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973556.947751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620973557.056751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks whether the process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1620973493.384751
IsDebuggerPresent
failed 0 0
1620973558.644243
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620973555.806751
GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
One or more processes crashed (29 个事件)
Time & API Arguments Status Return Repeated
1620973558.363243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638204
registers.edi: 11927552
registers.eax: 0
registers.ebp: 1638240
registers.edx: 12100672
registers.ebx: 12036112
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 01 56 00 66 6b 14 b4 47 73 f3 eb 02 cd 20 67 64
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7a8ed
success 0 0
1620973558.363243
__exception__
stacktrace:
0xb77788

registers.esp: 1637892
registers.edi: 0
registers.eax: 12101418
registers.ebp: 1638188
registers.edx: 0
registers.ebx: 12036112
registers.esi: 11665408
registers.ecx: 16777216
exception.instruction_r: 89 1f fd 67 64 8f 06 00 00 83 c4 04 03 ff 5f e8
exception.instruction: mov dword ptr [edi], ebx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb79ed6
success 0 0
1620973558.550243
__exception__
stacktrace:
0xb77788

registers.esp: 1637892
registers.edi: 11927552
registers.eax: 0
registers.ebp: 1638188
registers.edx: 0
registers.ebx: 39819024
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 01 56 00 bc ec 6e 58 9d a1 f2 eb 01 e8 67 64 8f
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7a0e7
success 0 0
1620973558.550243
__exception__
stacktrace:
0xb77788

registers.esp: 1637892
registers.edi: 11927552
registers.eax: 12092736
registers.ebp: 1638188
registers.edx: 0
registers.ebx: 710899
registers.esi: 281921161
registers.ecx: 2010527866
exception.instruction_r: 01 72 00 67 64 8f 06 00 00 83 c4 04 81 ea e0 9a
exception.instruction: add dword ptr [edx], esi
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7a225
success 0 0
1620973558.566243
__exception__
stacktrace:
0xb7a251
0xb77788

registers.esp: 1637848
registers.edi: 4294967295
registers.eax: 0
registers.ebp: 1637892
registers.edx: 1
registers.ebx: 328
registers.esi: 710899
registers.ecx: 11
exception.instruction_r: c7 00 cf f5 7f 7d 86 67 64 8f 06 00 00 83 c4 04
exception.instruction: mov dword ptr [eax], 0x7d7ff5cf
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb77d5b
success 0 0
1620973558.566243
__exception__
stacktrace:
0xb7a251
0xb77788

registers.esp: 1637848
registers.edi: 4294967295
registers.eax: 12092740
registers.ebp: 1637892
registers.edx: 1
registers.ebx: 0
registers.esi: 710899
registers.ecx: 11
exception.instruction_r: 89 3b 11 04 d0 7e 67 a9 ce 0c f0 37 04 eb 01 0f
exception.instruction: mov dword ptr [ebx], edi
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb77e76
success 0 0
1620973558.581243
__exception__
stacktrace:
0xb7a251
0xb77788

registers.esp: 1637848
registers.edi: 4294967295
registers.eax: 45744128
registers.ebp: 1637892
registers.edx: 2130566132
registers.ebx: 256
registers.esi: 0
registers.ecx: 584800
exception.instruction_r: 01 56 00 fd 6b 96 5f 29 a5 02 89 84 fc e6 46 46
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb77fcb
success 0 0
1620973558.613243
__exception__
stacktrace:
0xb7a251
0xb77788

registers.esp: 1637848
registers.edi: 45744384
registers.eax: 12092740
registers.ebp: 1637892
registers.edx: 0
registers.ebx: 11975516
registers.esi: 710899
registers.ecx: 0
exception.instruction_r: 01 72 00 7d 98 a5 f7 af d0 01 86 58 8c 8d fb bc
exception.instruction: add dword ptr [edx], esi
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb78145
success 0 0
1620973558.644243
__exception__
stacktrace:
0xb7a251
0xb77788

registers.esp: 1637848
registers.edi: 45744384
registers.eax: 1
registers.ebp: 1637892
registers.edx: 2130566132
registers.ebx: 11975516
registers.esi: 0
registers.ecx: 1092
exception.instruction_r: 01 56 00 84 1d 6a 67 64 8f 06 00 00 83 c4 04 8d
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb78221
success 0 0
1620973558.644243
__exception__
stacktrace:
0xb7a251
0xb77788

registers.esp: 1637848
registers.edi: 0
registers.eax: 1
registers.ebp: 1637892
registers.edx: 2130566132
registers.ebx: 11975516
registers.esi: 710899
registers.ecx: 1092
exception.instruction_r: 89 1f d7 9c de 67 64 8f 06 00 00 83 c4 04 81 c7
exception.instruction: mov dword ptr [edi], ebx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb78392
success 0 0
1620973558.644243
__exception__
stacktrace:
0xb77788

registers.esp: 1637892
registers.edi: 11927552
registers.eax: 281921161
registers.ebp: 1638188
registers.edx: 2130566132
registers.ebx: 710899
registers.esi: 0
registers.ecx: 1092
exception.instruction_r: 01 56 00 56 aa 0d e8 3f 8b d5 cb 62 44 16 60 67
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7a3a9
success 0 0
1620973558.644243
__exception__
stacktrace:
0xb77788

registers.esp: 1637892
registers.edi: 11927552
registers.eax: 0
registers.ebp: 1638188
registers.edx: 0
registers.ebx: 710899
registers.esi: 281921161
registers.ecx: 0
exception.instruction_r: 01 72 00 e5 35 ea 41 da 79 39 5c fc d2 10 33 64
exception.instruction: add dword ptr [edx], esi
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7a490
success 0 0
1620973558.644243
__exception__
stacktrace:
0xb77788

registers.esp: 1637892
registers.edi: 11927552
registers.eax: 2273580479
registers.ebp: 1638188
registers.edx: 12101408
registers.ebx: 1
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 01 56 00 0b 67 64 8f 06 00 00 83 c4 04 33 74 24
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7a5fd
success 0 0
1620973558.644243
__exception__
stacktrace:
0xb77788

registers.esp: 1637868
registers.edi: 11946573
registers.eax: 0
registers.ebp: 1638188
registers.edx: 12101408
registers.ebx: 0
registers.esi: 39798343
registers.ecx: 0
exception.instruction_r: cc 90 eb 01 69 66 81 fe 47 46 74 05 31 c0 40 eb
exception.instruction: int3
exception.exception_code: 0x80000003
exception.symbol:
exception.address: 0xb76afe
success 0 0
1620973558.644243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638164
registers.edi: 11927552
registers.eax: 2281969087
registers.ebp: 1638240
registers.edx: 0
registers.ebx: 12036112
registers.esi: 11665408
registers.ecx: 1638188
exception.instruction_r: 01 72 00 67 64 8f 06 00 00 83 c4 04 81 ea e0 9a
exception.instruction: add dword ptr [edx], esi
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb77884
success 0 0
1620973558.660243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638164
registers.edi: 91271
registers.eax: 0
registers.ebp: 11975620
registers.edx: 0
registers.ebx: 39819520
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 01 56 00 56 aa 0d e8 3f 8b d5 cb 62 44 16 60 67
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb77a7b
success 0 0
1620973558.660243
__exception__
stacktrace:
0xb79634

registers.esp: 1638152
registers.edi: 11927552
registers.eax: 2273580479
registers.ebp: 1638196
registers.edx: 12101408
registers.ebx: 0
registers.esi: 11665408
registers.ecx: 0
exception.instruction_r: 89 3b ef 25 40 f9 2e 31 2e a9 eb 01 9a 67 64 8f
exception.instruction: mov dword ptr [ebx], edi
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7871a
success 0 0
1620973558.706243
__exception__
stacktrace:
0xb79634

registers.esp: 1638152
registers.edi: 0
registers.eax: 0
registers.ebp: 1638196
registers.edx: 1
registers.ebx: 6564054
registers.esi: 39819520
registers.ecx: 0
exception.instruction_r: 89 1f 76 e5 d6 d7 23 3e 82 30 5e ab 5b 67 64 8f
exception.instruction: mov dword ptr [edi], ebx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb78901
success 0 0
1620973558.722243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638156
registers.edi: 11927552
registers.eax: 4194304
registers.ebp: 1638240
registers.edx: 0
registers.ebx: 1822720
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 01 56 00 d9 fa ae 39 d5 67 64 8f 06 00 00 83 c4
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7985e
success 0 0
1620973558.722243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638140
registers.edi: 11927552
registers.eax: 12101408
registers.ebp: 1638240
registers.edx: 0
registers.ebx: 4037138623
registers.esi: 39716032
registers.ecx: 0
exception.instruction_r: 01 72 00 5c 17 1b 8d af 17 67 64 8f 06 00 00 83
exception.instruction: add dword ptr [edx], esi
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb78c31
success 0 0
1620973559.128243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638140
registers.edi: 39716086
registers.eax: 0
registers.ebp: 1638240
registers.edx: 0
registers.ebx: 39830761
registers.esi: 39716032
registers.ecx: 1638144
exception.instruction_r: c7 00 d7 6c 74 da 49 4e 97 35 4c 53 67 64 8f 06
exception.instruction: mov dword ptr [eax], 0xda746cd7
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb78e9a
success 0 0
1620973559.128243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638140
registers.edi: 8879
registers.eax: 1
registers.ebp: 39821886
registers.edx: 0
registers.ebx: 39821474
registers.esi: 0
registers.ecx: 3961177093
exception.instruction_r: 01 56 00 e3 f0 67 64 8f 06 00 00 83 c4 04 be 22
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb79101
success 0 0
1620973559.128243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638140
registers.edi: 0
registers.eax: 4294967295
registers.ebp: 39821886
registers.edx: 0
registers.ebx: 39821474
registers.esi: 39716032
registers.ecx: 3961177093
exception.instruction_r: 89 1f 6b 97 67 64 8f 06 00 00 26 eb 02 cd 20 83
exception.instruction: mov dword ptr [edi], ebx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb792fa
success 0 0
1620973559.128243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638140
registers.edi: 8879
registers.eax: 39842049
registers.ebp: 39821886
registers.edx: 39842049
registers.ebx: 39842125
registers.esi: 0
registers.ecx: 32917593
exception.instruction_r: 01 56 00 8a 99 4a b2 21 39 c7 f1 f1 67 64 8f 06
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb79407
success 0 0
1620973559.160243
__exception__
stacktrace:

                
            
            
            
registers.esp: 1638140
registers.edi: 68467
registers.eax: 46247681
registers.ebp: 39821886
registers.edx: 0
registers.ebx: 39842561
registers.esi: 39716032
registers.ecx: 4165926912
exception.instruction_r: 01 72 00 5c 17 1b 8d af 17 67 64 8f 06 00 00 83
exception.instruction: add dword ptr [edx], esi
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb79554
success 0 0
1620973559.160243
__exception__
stacktrace:
0xb6b98c

registers.esp: 1638116
registers.edi: 12100684
registers.eax: 0
registers.ebp: 1638208
registers.edx: 60
registers.ebx: 12036112
registers.esi: 39716032
registers.ecx: 0
exception.instruction_r: c7 00 77 ac 25 b4 cd c6 05 8b 39 6f f2 67 64 8f
exception.instruction: mov dword ptr [eax], 0xb425ac77
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7b3b0
success 0 0
1620973559.253243
__exception__
stacktrace:
0xb6b98c

registers.esp: 1638116
registers.edi: 12100684
registers.eax: 12101436
registers.ebp: 1638208
registers.edx: 0
registers.ebx: 12036112
registers.esi: 0
registers.ecx: 2
exception.instruction_r: 01 56 00 cf 67 3d d2 0a fd a7 66 67 64 8f 06 00
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7b4ac
success 0 0
1620973559.269243
__exception__
stacktrace:
0xb6b98c

registers.esp: 1638116
registers.edi: 12100684
registers.eax: 1638112
registers.ebp: 1638208
registers.edx: 0
registers.ebx: 39929140
registers.esi: 0
registers.ecx: 1638116
exception.instruction_r: 01 56 00 8a 99 4a b2 21 39 c7 f1 f1 67 64 8f 06
exception.instruction: add dword ptr [esi], edx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7b833
success 0 0
1620973559.269243
__exception__
stacktrace:
0xb6b98c

registers.esp: 1638116
registers.edi: 0
registers.eax: 12101008
registers.ebp: 1638208
registers.edx: 1088791893
registers.ebx: 39928187
registers.esi: 39716032
registers.ecx: 0
exception.instruction_r: 89 1f 56 10 55 40 c5 bf 66 63 92 e3 48 42 15 7b
exception.instruction: mov dword ptr [edi], ebx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb7bab5
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 57 个事件)
Time & API Arguments Status Return Repeated
1620973492.916751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10011000
success 0 0
1620973492.916751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x764c1000
success 0 0
1620973492.916751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x754a1000
success 0 0
1620973494.228751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74691000
success 0 0
1620973555.588751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73d61000
success 0 0
1620973555.759751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74041000
success 0 0
1620973555.759751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76881000
success 0 0
1620973555.947751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74031000
success 0 0
1620973555.978751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73fc1000
success 0 0
1620973555.994751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74511000
success 0 0
1620973556.041751
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73fb1000
success 0 0
1620973132.777891
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004770000
success 0 0
1620973557.941243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b20000
success 0 0
1620973557.941243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b60000
success 0 0
1620973558.003243
NtProtectVirtualMemory
process_identifier: 1664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1620973558.019243
NtProtectVirtualMemory
process_identifier: 1664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1620973558.363243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006f0000
success 0 0
1620973558.363243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b20000
success 0 0
1620973558.363243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b30000
success 0 0
1620973558.363243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b40000
success 0 0
1620973558.488243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b50000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ba0000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00dc0000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ad0000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ae0000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02af0000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b00000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b10000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b20000
success 0 0
1620973558.503243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b30000
success 0 0
1620973558.535243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b40000
success 0 0
1620973558.535243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b50000
success 0 0
1620973558.550243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b60000
success 0 0
1620973559.128243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ba0000
success 0 0
1620973559.128243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bb0000
success 0 0
1620973559.128243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bc0000
success 0 0
1620973559.128243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bd0000
success 0 0
1620973559.128243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02be0000
success 0 0
1620973559.128243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bf0000
success 0 0
1620973559.128243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c00000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c10000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c30000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c40000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c50000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c60000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c70000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c80000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c90000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ca0000
success 0 0
1620973559.144243
NtAllocateVirtualMemory
process_identifier: 1664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cb0000
success 0 0
Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (5 个事件)
Time & API Arguments Status Return Repeated
1620973507.900751
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19605635072
total_number_of_free_bytes: 19605635072
total_number_of_bytes: 34252779520
success 1 0
1620973507.916751
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19605635072
total_number_of_free_bytes: 19605635072
total_number_of_bytes: 34252779520
success 1 0
1620973539.384751
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19605684224
total_number_of_free_bytes: 19605684224
total_number_of_bytes: 34252779520
success 1 0
1620973559.253243
GetDiskFreeSpaceW
root_path: C:\
sectors_per_cluster: 8
number_of_free_clusters: 4734584
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620973559.253243
GetDiskFreeSpaceW
root_path: C:\
sectors_per_cluster: 8
number_of_free_clusters: 4734584
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
Creates executable files on the filesystem (14 个事件)
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Change Folder Icons HomePage.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Change Folder Icons support.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Change Folder Icons Help.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Stp60F7_TMP.EXE
file C:\Program Files\Change Folder Icon\ishell.exe
file C:\Program Files\Change Folder Icon\ushell.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Uninstall.lnk
file C:\Program Files\Change Folder Icon\cfi.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Register Change Folder Icons.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ginstall.dll
file C:\Program Files\Change Folder Icon\cfi8.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\English language file.lnk
file C:\Program Files\Change Folder Icon\uninstall.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Change Folder Icons.lnk
Creates a shortcut to an executable file (7 个事件)
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Change Folder Icons support.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Change Folder Icons Help.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Change Folder Icons HomePage.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Uninstall.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Register Change Folder Icons.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\English language file.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Change Folder Icons\Change Folder Icons.lnk
Drops a binary and executes it (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Stp60F7_TMP.EXE
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Stp60F7_TMP.EXE
File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 个事件)
Avast FileRepMalware
Comodo Malware@#xaekzmbrjhlw
McAfee-GW-Edition Artemis
Microsoft PUA:Win32/Presenoker
McAfee Artemis!4B3F2802D9A4
AVG FileRepMalware
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1620973557.244751
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620973557.244751
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
网络通信
Communicates with a host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Queries information on disks, possibly for anti-virtualization (2 个事件)
Time & API Arguments Status Return Repeated
1620973559.160243
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x0000014c
filepath: \??\Scsi0:
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\Scsi0:
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1620973559.160243
DeviceIoControl
input_buffer: SCSIDISK  ì
device_handle: 0x0000014c
control_code: 315400 ()
output_buffer:
failed 0 0
Writes a potential ransom message to disk (1 个事件) — heuristic match: the buffer written below (order.txt) is a shareware ordering and payment notice for the installed product rather than a ransom demand.
Time & API Arguments Status Return Repeated
1620973542.494751
NtWriteFile
file_handle: 0x00000160
filepath: C:\Program Files\Change Folder Icon\order.txt
buffer: Ordering and Payment Methods We accept five types of payment: Online, Fax, Phone, Wire Transfer and Mail. Once you have purchased the product by filling in the online order form, a license will be sent to you via email to register the software for use. You may download the trial software before or after you complete the purchase process. Your license will be valid for all future versions of purchased products. You will never be charged for upgrades. If you do not receive your product license within a reasonable amount of time (usually two business days for credit card payments or two weeks for other payments), please notify us! We apologize for any inconvenience caused by such delays. Online Order This is the fastest and easiest way to order NeSoft products. Your credit card information is sent directly to the credit card processor in a highly secure manner. We protect you by ensuring that nobody but you and the automated credit card processor will see your credit card information. To purchase our products online you need to go to http://www.nesoft.org/order.shtml Fax or Phone Order European customers: If you do not want to submit your order and credit card information online, you can fax your order to us at +49-221-2407278, or call us at +49-221-2407279. US and Canadian customers: You may place your order by calling our order number 724-850-8186 (available on weekdays from 9am to 5pm). Toll-free orders phone also available: 1-800-903-4152. Orders may also be sent by fax to 724-850-8187. It is recommended that you use our online order form if you wish to make your purchase by fax. Check and Cash Orders Non-U.S. Customers: if you prefer to pay with cash or by check, please send payment to: element 5 AG / ShareIt! Vogelsanger Strasse 78 50823 Koeln Germany Please make checks payable to "element 5 AG." If you are sending a check from outside of the European Union, please make the check payable in either US-Dollars or EURO. 
Inside the European Union, please make the check payable in EURO only. U.S. Customers: you can send your check or money order to our U.S. office: ShareIt! Inc. PO Box 844 Greensburg PA 15601 Please make U.S. checks payable to "ShareIt! Inc." (U.S. customers: Please do not send cash. It is illegal to mail cash in the United States.) We regret that we cannot accept personal checks. Please send only guaranteed bank checks, such as Eurocheques or Cashier's checks. Thank you for your understanding.
offset: 0
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 个事件)
dead_host 216.58.200.238:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图


PE Compile Time

2006-11-02 04:28:01

Imports

Library KERNEL32.dll:
0x406018 ReadFile
0x40601c SetFilePointer
0x406020 CloseHandle
0x406024 WriteFile
0x406028 GetTempPathA
0x40602c GetSystemTime
0x406030 lstrlenA
0x406034 GetTempFileNameA
0x406038 GetModuleFileNameA
0x40603c CreateProcessA
0x406040 GetStartupInfoA
0x406044 GetStringTypeW
0x406048 GetStringTypeA
0x40604c LCMapStringW
0x406050 LCMapStringA
0x406054 MultiByteToWideChar
0x406058 SetStdHandle
0x40605c CreateFileA
0x406060 GetFileSize
0x406064 GetLastError
0x406068 GetModuleHandleA
0x40606c WaitForSingleObject
0x406070 DeleteFileA
0x406074 GetCommandLineA
0x406078 GetVersion
0x40607c ExitProcess
0x406080 TerminateProcess
0x406084 GetCurrentProcess
0x406094 WideCharToMultiByte
0x4060a0 SetHandleCount
0x4060a4 GetStdHandle
0x4060a8 GetFileType
0x4060ac HeapDestroy
0x4060b0 HeapCreate
0x4060b4 VirtualFree
0x4060b8 HeapFree
0x4060bc RtlUnwind
0x4060c0 GetCPInfo
0x4060c4 GetACP
0x4060c8 GetOEMCP
0x4060cc HeapAlloc
0x4060d0 VirtualAlloc
0x4060d4 HeapReAlloc
0x4060d8 GetProcAddress
0x4060dc LoadLibraryA
0x4060e0 FlushFileBuffers
Library USER32.dll:
0x4060e8 CreateDialogParamA
0x4060ec GetDlgItem
0x4060f0 SendMessageA
0x4060f4 UpdateWindow
0x4060f8 DestroyWindow
Library ADVAPI32.dll:
0x406000 RegCreateKeyExA
0x406004 RegSetValueExA
0x406008 RegCloseKey
Library COMCTL32.dll:
0x406010

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.