12.6
0-day

e3e667f5f3f179990bcb4616c8e5d56eeb8399bd867799c4bc68fac82c9b0a0f

4d6faa4b74340610fd2ae29186cb9ed0.exe

Analysis duration

118s

Most recent analysis

File size

556.5KB
Static detection: malicious. Dynamic detection: malicious. Tags: 100% AI SCORE=83 ATTRIBUTE CLOUD CONFIDENCE CRYPTINJECT ELDORADO EQMX FAREIT GDSDA GEN@0 GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HSIRYU IM0@A8FOIYI INJECT3 KRYPTIK MALICIOUS PE MSILKRYPT NVWJK PFAD R002C0WHI20 R348272 SCORE SUSGEN TASKUN TROJANX TSCOPE UNCLASSIFIED UNSAFE ZEMSILF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine Result Detection time Engine version
McAfee Fareit-FYE!4D6FAA4B7434 20200826 6.0.6.653
Alibaba Trojan:MSIL/CryptInject.8251e32e 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20200826 18.4.3895.0
Kingsoft 20200826 2013.8.14.323
Tencent Msil.Trojan.Taskun.Pfad 20200826 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619479761.132063
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (39 events)
Time & API Arguments Status Return Repeated
1619479708.3365
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619479765.148063
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\uQhDADKaPUaZ"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619479708.3525
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2211883993&cup2hreq=0f9d5df1a27451d1d3a810b3290e30aff6c73ff528c70e0b263031adab6e532c
Performs some HTTP requests (5 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=71661967836e2119&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=71661967836e2119&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:2211883993&cup2hreq=0f9d5df1a27451d1d3a810b3290e30aff6c73ff528c70e0b263031adab6e532c
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2211883993&cup2hreq=0f9d5df1a27451d1d3a810b3290e30aff6c73ff528c70e0b263031adab6e532c
Allocates read-write-execute memory (usually to unpack itself) (50 of 128 events shown)
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\uQhDADKaPUaZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6845.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uQhDADKaPUaZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6845.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619479760.7745
ShellExecuteExW
parameters: /Create /TN "Updates\uQhDADKaPUaZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6845.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.871568286132594 section {'size_of_data': '0x0008a800', 'virtual_address': '0x00002000', 'entropy': 7.871568286132594, 'name': '.text', 'virtual_size': '0x0008a7a4'} description A section with a high entropy has been found
entropy 0.9964028776978417 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619479755.4305
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\uQhDADKaPUaZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6845.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uQhDADKaPUaZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6845.tmp"
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619479776.8215
NtAllocateVirtualMemory
process_identifier: 3244
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00004e70
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6845.tmp
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619479776.8215
WriteProcessMemory
process_identifier: 3244
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELžý:_à ì~  @ `@…( S  @  H.text„ë ì `.rsrc  î@@.reloc @ò@B
process_handle: 0x00004e70
base_address: 0x00400000
success 1 0
1619479776.8365
WriteProcessMemory
process_identifier: 3244
buffer: €0€HX ÄÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x+InternalNameJOMCOQKPmCpBSKcbONUhgIBaUPybdQUBlYGNBl.exe(LegalCopyright €+OriginalFilenameJOMCOQKPmCpBSKcbONUhgIBaUPybdQUBlYGNBl.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00004e70
base_address: 0x00462000
success 1 0
1619479776.8365
WriteProcessMemory
process_identifier: 3244
buffer:  €;
process_handle: 0x00004e70
base_address: 0x00464000
success 1 0
1619479776.8365
WriteProcessMemory
process_identifier: 3244
buffer: @
process_handle: 0x00004e70
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619479776.8215
WriteProcessMemory
process_identifier: 3244
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELžý:_à ì~  @ `@…( S  @  H.text„ë ì `.rsrc  î@@.reloc @ò@B
process_handle: 0x00004e70
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 1804 called NtSetContextThread to modify thread in remote process 3244
Time & API Arguments Status Return Repeated
1619479776.8365
NtSetContextThread
thread_handle: 0x0000a26c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4590462
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3244
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1804 resumed a thread in remote process 3244
Time & API Arguments Status Return Repeated
1619479776.8995
NtResumeThread
thread_handle: 0x0000a26c
suspend_count: 1
process_identifier: 3244
success 0 0
Executed a process and injected code into it, probably while unpacking (19 events)
Time & API Arguments Status Return Repeated
1619479708.3365
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1804
success 0 0
1619479708.3365
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1804
success 0 0
1619479708.3525
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 1804
success 0 0
1619479759.9465
NtResumeThread
thread_handle: 0x0000b6e4
suspend_count: 1
process_identifier: 1804
success 0 0
1619479760.0085
NtResumeThread
thread_handle: 0x00005f78
suspend_count: 1
process_identifier: 1804
success 0 0
1619479760.7745
CreateProcessInternalW
thread_identifier: 3092
thread_handle: 0x0000e0a8
process_identifier: 3088
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uQhDADKaPUaZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6845.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000118d8
inherit_handles: 0
success 1 0
1619479776.8215
CreateProcessInternalW
thread_identifier: 3248
thread_handle: 0x0000a26c
process_identifier: 3244
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00004e70
inherit_handles: 0
success 1 0
1619479776.8215
NtGetContextThread
thread_handle: 0x0000a26c
success 0 0
1619479776.8215
NtAllocateVirtualMemory
process_identifier: 3244
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00004e70
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619479776.8215
WriteProcessMemory
process_identifier: 3244
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELžý:_à ì~  @ `@…( S  @  H.text„ë ì `.rsrc  î@@.reloc @ò@B
process_handle: 0x00004e70
base_address: 0x00400000
success 1 0
1619479776.8215
WriteProcessMemory
process_identifier: 3244
buffer:
process_handle: 0x00004e70
base_address: 0x00402000
success 1 0
1619479776.8365
WriteProcessMemory
process_identifier: 3244
buffer: €0€HX ÄÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x+InternalNameJOMCOQKPmCpBSKcbONUhgIBaUPybdQUBlYGNBl.exe(LegalCopyright €+OriginalFilenameJOMCOQKPmCpBSKcbONUhgIBaUPybdQUBlYGNBl.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00004e70
base_address: 0x00462000
success 1 0
1619479776.8365
WriteProcessMemory
process_identifier: 3244
buffer:  €;
process_handle: 0x00004e70
base_address: 0x00464000
success 1 0
1619479776.8365
WriteProcessMemory
process_identifier: 3244
buffer: @
process_handle: 0x00004e70
base_address: 0x7efde008
success 1 0
1619479776.8365
NtSetContextThread
thread_handle: 0x0000a26c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4590462
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3244
success 0 0
1619479776.8995
NtResumeThread
thread_handle: 0x0000a26c
suspend_count: 1
process_identifier: 3244
success 0 0
1619479777.968772
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3244
success 0 0
1619479777.968772
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 3244
success 0 0
1619479777.968772
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 3244
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 of 56 events shown)
Elastic malicious (high confidence)
Cynet Malicious (score: 85)
CAT-QuickHeal Trojan.MSIL
Qihoo-360 Generic/Trojan.477
McAfee Fareit-FYE!4D6FAA4B7434
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056cba21 )
Alibaba Trojan:MSIL/CryptInject.8251e32e
K7GW Trojan ( 0056cba21 )
Cybereason malicious.4988b0
Invincea heuristic
Cyren W32/MSIL_Kryptik.BKV.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.MSIL.Taskun.gen
BitDefender Trojan.GenericKD.34380772
NANO-Antivirus Trojan.Win32.Taskun.hsiryu
ViRobot Trojan.Win32.Z.Kryptik.569856.S
MicroWorld-eScan Trojan.GenericKD.34380772
Avast Win32:TrojanX-gen [Trj]
Rising Trojan.Kryptik!8.8 (CLOUD)
Ad-Aware Trojan.GenericKD.34380772
Comodo TrojWare.Win32.Unclassified.gen@0
F-Secure Trojan.TR/Kryptik.nvwjk
DrWeb Trojan.Inject3.51987
Zillya Trojan.Kryptik.Win32.2369851
TrendMicro TROJ_GEN.R002C0WHI20
FireEye Generic.mg.4d6faa4b74340610
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Crypt
GData Trojan.GenericKD.34380772
Avira TR/Kryptik.nvwjk
Antiy-AVL Trojan/MSIL.Taskun
Arcabit Trojan.Generic.D20C9BE4
AegisLab Trojan.MSIL.Taskun.4!c
ZoneAlarm HEUR:Trojan.MSIL.Taskun.gen
Microsoft Trojan:MSIL/CryptInject.AR!MTB
AhnLab-V3 Trojan/Win32.MSILKrypt.R348272
VBA32 TScope.Trojan.MSIL
ALYac Trojan.GenericKD.34380772
MAX malware (ai score=83)
Malwarebytes Trojan.MalPack
ESET-NOD32 a variant of MSIL/Kryptik.XJJ
TrendMicro-HouseCall TROJ_GEN.R002C0WHI20
Tencent Msil.Trojan.Taskun.Pfad
SentinelOne DFI - Malicious PE
eGambit Unsafe.AI_Score_95%
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2020-08-18 07:25:34

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49194 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49195 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49191 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49190 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 54260 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=71661967836e2119&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=71661967836e2119&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=71661967836e2119&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=71661967836e2119&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619450423&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6901
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.