SmartHawk

4.0

中危

2 个模型检测该样本为恶意！

重新分析

下载样本

17a2b49ae2537331fe507949c38359f8298d6a2fea54dcc714979f8d1ee53905

4b7f09e745458874b0ebb80f0b5e3a2e.exe

分析耗时

87s

最近分析

文件大小

7.6MB

静态报毒动态报毒 AIDETECTVM MALICIOUS MALWARE2 NAPOLAR

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
Alibaba	20190527	0.3.0.5
Baidu	20190318	1.0.0.2
Avast	20200418	18.4.3895.0
Kingsoft	20200419	2013.8.14.323
McAfee	20200417	6.0.6.653
Tencent	20200419	1.0.0.1
CrowdStrike	20190702	1.0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620975976.653625 GlobalMemoryStatusEx		success	1	0

Creates executable files on the filesystem (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\52441153\setup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\52441153\smooth.dll

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\52441153\setup.exe

Drops an executable to the user AppData folder (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\52441153\smooth.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\52441153\setup.exe

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 个事件)

Bkav	W32.AIDetectVM.malware2
APEX	Malicious

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620975976.716625 LookupPrivilegeValueW	system_name: privilege_name: SeShutdownPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Creates known Napolar files, registry keys and/or mutexes (2 个事件)

mutex	gcc-shmem-tdm2-use_fc_key
mutex	gcc-shmem-tdm2-fc_key

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2760 resumed a thread in remote process 2476
1620975975.559375 NtResumeThread	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2476	success	0	0

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2016-12-04 09:02:44

Imports

Library GDI32.dll:

• 0x416204 CreateFontA

• 0x416208 CreatePen

• 0x41620c CreateSolidBrush

• 0x416210 DeleteObject

• 0x416214 GetDeviceCaps

• 0x416218 GetTextExtentPoint32A

• 0x41621c LineTo

• 0x416220 MoveToEx

• 0x416224 SelectObject

• 0x416228 SetBkMode

• 0x41622c SetTextColor

Library KERNEL32.dll:

• 0x416234 DeleteCriticalSection

• 0x416238 EnterCriticalSection

• 0x41623c ExitProcess

• 0x416240 GetExitCodeProcess

• 0x416244 GetLastError

• 0x416248 GetModuleHandleA

• 0x41624c GetProcAddress

• 0x416250 GetTempPathA

• 0x416254 InitializeCriticalSection

• 0x416258 LeaveCriticalSection

• 0x41625c MulDiv

• 0x416260 SetUnhandledExceptionFilter

• 0x416264 Sleep

• 0x416268 TlsGetValue

• 0x41626c VirtualProtect

• 0x416270 VirtualQuery

• 0x416274 _hread

• 0x416278 _hwrite

• 0x41627c _lclose

• 0x416280 _lcreat

• 0x416284 _llseek

• 0x416288 _lopen

Library msvcrt.dll:

• 0x416290 _fdopen

• 0x416294 _itoa

• 0x416298 _mkdir

• 0x41629c _rmdir

• 0x4162a0 _stat

Library msvcrt.dll:

• 0x4162a8 __getmainargs

• 0x4162ac __p__environ

• 0x4162b0 __p__fmode

• 0x4162b4 __set_app_type

• 0x4162b8 _cexit

• 0x4162bc _errno

• 0x4162c0 _ftime

• 0x4162c4 _getcwd

• 0x4162c8 _iob

• 0x4162cc _onexit

• 0x4162d0 _setmode

• 0x4162d4 _vsnprintf

• 0x4162d8 abort

• 0x4162dc atexit

• 0x4162e0 calloc

• 0x4162e4 clearerr

• 0x4162e8 fclose

• 0x4162ec fflush

• 0x4162f0 fopen

• 0x4162f4 fprintf

• 0x4162f8 fputc

• 0x4162fc fread

• 0x416300 free

• 0x416304 fseek

• 0x416308 ftell

• 0x41630c fwrite

• 0x416310 malloc

• 0x416314 memcpy

• 0x416318 remove

• 0x41631c signal

• 0x416320 sprintf

• 0x416324 strcat

• 0x416328 strcmp

• 0x41632c strcpy

• 0x416330 strerror

• 0x416334 strncpy

• 0x416338 vfprintf

Library SHELL32.DLL:

• 0x416340 ShellExecuteExA

Library USER32.dll:

• 0x416348 CreateWindowExA

• 0x41634c DefWindowProcA

• 0x416350 DestroyWindow

• 0x416354 DrawTextExA

• 0x416358 FillRect

• 0x41635c GetSysColor

• 0x416360 GetSystemMetrics

• 0x416364 GetWindowDC

• 0x416368 RegisterClassExA

• 0x41636c ReleaseDC

• 0x416370 ShowWindow

• 0x416374 UnregisterClassA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.27.142
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.