10.4
0-day
53 个模型检测该样本为恶意!
重新分析
更多

3e58111450129327ec78aca888dade3083b188f92d21934a2c1104a5b5c0a9f3

4b6dbebda46381a3a9062e690102669f.exe

分析耗时

98s

最近分析

文件大小

406.0KB
静态报毒 动态报毒 AGENTTESLA AI SCORE=89 ATTRIBUTE BT8KEV CONFIDENCE ELDORADO ENCODED FAREIT FORMBOOK GDSDA GENERICKDZ HIGH CONFIDENCE HIGHCONFIDENCE HOTERU IGENT KCLOUD KRYPTIK MALWARE@#P1UF0D7VC6L9 MALWAREX MASSLOGGER R345673 REMCOS SCORE SIGGEN2 SWOTTER TSCOPE UNSAFE XZCHN YAKBEEXMSIL 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FVT!4B6DBEBDA463 20201211 6.0.6.653
Alibaba Trojan:MSIL/AgentTesla.9032fbd8 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20201210 21.1.5827.0
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619486506.497875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619486465.514
IsDebuggerPresent
failed 0 0
1619486465.514
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619486511.435875
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\wbnVxBwJkOpRmW"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619486465.53
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 个事件)
Time & API Arguments Status Return Repeated
1619486464.514
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a90000
success 0 0
1619486464.514
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c40000
success 0 0
1619486465.123
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00330000
success 0 0
1619486465.123
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00390000
success 0 0
1619486465.155
NtProtectVirtualMemory
process_identifier: 1916
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619486465.514
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02200000
success 0 0
1619486465.514
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02370000
success 0 0
1619486465.514
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0036a000
success 0 0
1619486465.514
NtProtectVirtualMemory
process_identifier: 1916
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619486465.514
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00362000
success 0 0
1619486465.717
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00372000
success 0 0
1619486465.764
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d5000
success 0 0
1619486465.764
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003db000
success 0 0
1619486465.764
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d7000
success 0 0
1619486465.92
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00373000
success 0 0
1619486465.936
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00374000
success 0 0
1619486465.952
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0037c000
success 0 0
1619486466.577
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00375000
success 0 0
1619486466.577
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00376000
success 0 0
1619486466.655
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00377000
success 0 0
1619486466.655
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00710000
success 0 0
1619486466.702
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00378000
success 0 0
1619486466.936
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00379000
success 0 0
1619486466.936
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00386000
success 0 0
1619486466.952
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a30000
success 0 0
1619486466.952
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0038a000
success 0 0
1619486466.952
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00387000
success 0 0
1619486466.952
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00711000
success 0 0
1619486466.967
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a31000
success 0 0
1619486466.983
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00712000
success 0 0
1619486505.014
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00715000
success 0 0
1619486505.389
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0036c000
success 0 0
1619486505.452
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a32000
success 0 0
1619486505.452
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00716000
success 0 0
1619486505.467
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02371000
success 0 0
1619486505.483
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02372000
success 0 0
1619486505.498
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02373000
success 0 0
1619486505.498
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02374000
success 0 0
1619486505.498
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02375000
success 0 0
1619486505.498
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02376000
success 0 0
1619486505.498
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0237a000
success 0 0
1619486505.498
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a33000
success 0 0
1619486505.608
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00717000
success 0 0
1619486505.608
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0238b000
success 0 0
1619486505.608
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0238c000
success 0 0
1619486505.623
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0238d000
success 0 0
1619486505.623
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00718000
success 0 0
1619486505.655
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00719000
success 0 0
1619486505.67
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0037d000
success 0 0
1619486512.061
NtAllocateVirtualMemory
process_identifier: 1916
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0071a000
success 0 0
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wbnVxBwJkOpRmW" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
cmdline schtasks.exe /Create /TN "Updates\wbnVxBwJkOpRmW" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619486506.28
ShellExecuteExW
parameters: /Create /TN "Updates\wbnVxBwJkOpRmW" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.663139378193736 section {'size_of_data': '0x00060000', 'virtual_address': '0x00002000', 'entropy': 7.663139378193736, 'name': '.text', 'virtual_size': '0x0005fee4'} description A section with a high entropy has been found
entropy 0.9469790382244143 description Overall entropy of this PE file is high
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wbnVxBwJkOpRmW" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
cmdline schtasks.exe /Create /TN "Updates\wbnVxBwJkOpRmW" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619486512.155
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 184320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000035c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619486512.155
WriteProcessMemory
process_identifier: 2292
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂðW¢ì£W¢ì£W¢ì£8ÔG£¢ì£8Ôr£T¢ì£8Ôq£V¢ì£RichW¢ì£PEL¤Ý¥Uà  ºãÐ@Ð@.text´¸º `
process_handle: 0x0000035c
base_address: 0x00400000
success 1 0
1619486512.155
WriteProcessMemory
process_identifier: 2292
buffer: @
process_handle: 0x0000035c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619486512.155
WriteProcessMemory
process_identifier: 2292
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂðW¢ì£W¢ì£W¢ì£8ÔG£¢ì£8Ôr£T¢ì£8Ôq£V¢ì£RichW¢ì£PEL¤Ý¥Uà  ºãÐ@Ð@.text´¸º `
process_handle: 0x0000035c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 1916 called NtSetContextThread to modify thread in remote process 2292
Time & API Arguments Status Return Repeated
1619486512.155
NtSetContextThread
thread_handle: 0x00000250
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4317968
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2292
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 1916 resumed a thread in remote process 2292
Time & API Arguments Status Return Repeated
1619486512.217
NtResumeThread
thread_handle: 0x00000250
suspend_count: 1
process_identifier: 2292
success 0 0
Executed a process and injected code into it, probably while unpacking (13 个事件)
Time & API Arguments Status Return Repeated
1619486465.514
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1916
success 0 0
1619486465.53
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1916
success 0 0
1619486465.545
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 1916
success 0 0
1619486505.811
NtResumeThread
thread_handle: 0x0000024c
suspend_count: 1
process_identifier: 1916
success 0 0
1619486506.28
CreateProcessInternalW
thread_identifier: 2496
thread_handle: 0x00000344
process_identifier: 1752
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wbnVxBwJkOpRmW" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000388
inherit_handles: 0
success 1 0
1619486512.155
CreateProcessInternalW
thread_identifier: 1160
thread_handle: 0x00000250
process_identifier: 2292
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b6dbebda46381a3a9062e690102669f.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4b6dbebda46381a3a9062e690102669f.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000035c
inherit_handles: 0
success 1 0
1619486512.155
NtGetContextThread
thread_handle: 0x00000250
success 0 0
1619486512.155
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 184320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000035c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619486512.155
WriteProcessMemory
process_identifier: 2292
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂðW¢ì£W¢ì£W¢ì£8ÔG£¢ì£8Ôr£T¢ì£8Ôq£V¢ì£RichW¢ì£PEL¤Ý¥Uà  ºãÐ@Ð@.text´¸º `
process_handle: 0x0000035c
base_address: 0x00400000
success 1 0
1619486512.155
WriteProcessMemory
process_identifier: 2292
buffer:
process_handle: 0x0000035c
base_address: 0x00401000
success 1 0
1619486512.155
WriteProcessMemory
process_identifier: 2292
buffer: @
process_handle: 0x0000035c
base_address: 0x7efde008
success 1 0
1619486512.155
NtSetContextThread
thread_handle: 0x00000250
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4317968
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2292
success 0 0
1619486512.217
NtResumeThread
thread_handle: 0x00000250
suspend_count: 1
process_identifier: 2292
success 0 0
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.68912
FireEye Generic.mg.4b6dbebda46381a3
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FVT!4B6DBEBDA463
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2303691
Sangfor Malware
K7AntiVirus Trojan ( 0056afc41 )
Alibaba Trojan:MSIL/AgentTesla.9032fbd8
K7GW Trojan ( 0056afc41 )
CrowdStrike win/malicious_confidence_60% (W)
Arcabit Trojan.Generic.D10D30
Cyren W32/MSIL_Troj.XS.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKDZ.68912
NANO-Antivirus Trojan.Win32.Crypt.hoteru
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Ad-Aware Trojan.GenericKDZ.68912
Sophos Mal/Generic-S
Comodo Malware@#p1uf0d7vc6l9
F-Secure Trojan.TR/AD.Swotter.xzchn
DrWeb Trojan.PWS.Siggen2.52306
VIPRE Trojan.Win32.Generic!BT
TrendMicro Backdoor.MSIL.REMCOS.SM
McAfee-GW-Edition Fareit-FVT!4B6DBEBDA463
Emsisoft Trojan.Crypt (A)
Ikarus Trojan-Spy.MassLogger
Avira TR/AD.Swotter.xzchn
Antiy-AVL Trojan/MSIL.Crypt
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft SUSP.Encoded_EXE.bot!yf
Microsoft Trojan:MSIL/AgentTesla.AR!MTB
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
GData Trojan.GenericKDZ.68912
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Formbook.R345673
ALYac Trojan.GenericKDZ.68912
MAX malware (ai score=89)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
ESET-NOD32 a variant of MSIL/Kryptik.WZA
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Yandex Trojan.Igent.bT8kEV.3
eGambit Unsafe.AI_Score_80%
Fortinet MSIL/Kryptik.WZA!tr
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-22 08:19:45

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.