SmartHawk

3.6

中危

1 个模型检测该样本为恶意！

重新分析

下载样本

de090632107cd0ab932dd38dd71c628c3eecbdbdad1cd2607b82e24b802c01b3

4de963c5d825a0ff615b058a48139e9c.exe

分析耗时

695s

查杀引擎	查杀时间	查杀版本
McAfee	20200212	6.0.6.653
Alibaba	20190527	0.3.0.5
Baidu	20190318	1.0.0.2
Avast	20200212	18.4.3895.0
Kingsoft	20200212	2013.8.14.323
Tencent	20200212	1.0.0.1
CrowdStrike	20190702	1.0

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2018-04-19 13:48:20

Imports

Library WS2_32.dll:

• 0x14001a438 send

• 0x14001a440 gethostbyname

• 0x14001a448 closesocket

• 0x14001a450 WSASetLastError

• 0x14001a458 socket

• 0x14001a460 bind

• 0x14001a468 listen

• 0x14001a470 accept

• 0x14001a478 ioctlsocket

• 0x14001a480 WSAStartup

• 0x14001a488 inet_addr

• 0x14001a490 WSAGetLastError

• 0x14001a498 htons

• 0x14001a4a0 shutdown

• 0x14001a4a8 recv

Library WTSAPI32.dll:

• 0x14001a4b8 WTSFreeMemory

• 0x14001a4c0 WTSEnumerateSessionsW

• 0x14001a4c8 WTSQueryUserToken

Library KERNEL32.dll:

• 0x14001a0e0 LoadLibraryW

• 0x14001a0e8 FormatMessageW

• 0x14001a0f0 LoadLibraryA

• 0x14001a0f8 GetPrivateProfileStringW

• 0x14001a100 FindClose

• 0x14001a108 PeekNamedPipe

• 0x14001a110 GetCurrentProcess

• 0x14001a118 TerminateProcess

• 0x14001a120 ReadFile

• 0x14001a128 GetModuleFileNameW

• 0x14001a130 CloseHandle

• 0x14001a138 FindFirstFileW

• 0x14001a140 ExpandEnvironmentStringsW

• 0x14001a148 CreateFileA

• 0x14001a150 SetFilePointer

• 0x14001a158 GetModuleHandleW

• 0x14001a160 WriteFile

• 0x14001a168 GetSystemTimeAsFileTime

• 0x14001a170 FileTimeToSystemTime

• 0x14001a178 CreateFileW

• 0x14001a180 MultiByteToWideChar

• 0x14001a188 GetProcAddress

• 0x14001a190 FileTimeToLocalFileTime

• 0x14001a198 GetTimeFormatA

• 0x14001a1a0 GetDateFormatA

• 0x14001a1a8 WideCharToMultiByte

• 0x14001a1b0 WaitNamedPipeW

• 0x14001a1b8 SetNamedPipeHandleState

• 0x14001a1c0 CreateEventW

• 0x14001a1c8 GetModuleHandleA

• 0x14001a1d0 QueryPerformanceCounter

• 0x14001a1d8 GetStartupInfoA

• 0x14001a1e0 GetFileType

• 0x14001a1e8 SetHandleCount

• 0x14001a1f0 GetCommandLineW

• 0x14001a1f8 GetEnvironmentStringsW

• 0x14001a200 FreeEnvironmentStringsW

• 0x14001a208 DecodePointer

• 0x14001a210 GetCurrentThread

• 0x14001a218 WaitForSingleObject

• 0x14001a220 LocalFree

• 0x14001a228 CreateThread

• 0x14001a230 GetExitCodeThread

• 0x14001a238 SetLastError

• 0x14001a240 GetLastError

• 0x14001a248 Sleep

• 0x14001a250 FlsGetValue

• 0x14001a258 FlsSetValue

• 0x14001a260 FlsFree

• 0x14001a268 GetTickCount

• 0x14001a270 GetCurrentProcessId

• 0x14001a278 GetConsoleCP

• 0x14001a280 GetConsoleMode

• 0x14001a288 LCMapStringA

• 0x14001a290 GetStringTypeA

• 0x14001a298 FreeLibrary

• 0x14001a2a0 EnterCriticalSection

• 0x14001a2a8 LeaveCriticalSection

• 0x14001a2b0 InitializeCriticalSection

• 0x14001a2b8 GetStringTypeW

• 0x14001a2c0 GetLocaleInfoA

• 0x14001a2c8 SetStdHandle

• 0x14001a2d0 WriteConsoleA

• 0x14001a2d8 GetConsoleOutputCP

• 0x14001a2e0 WriteConsoleW

• 0x14001a2e8 FlushFileBuffers

• 0x14001a2f0 GetCurrentThreadId

• 0x14001a2f8 FlsAlloc

• 0x14001a300 LCMapStringW

• 0x14001a308 RtlUnwindEx

• 0x14001a310 DeleteCriticalSection

• 0x14001a318 GetFileAttributesW

• 0x14001a320 InitializeCriticalSectionAndSpinCount

• 0x14001a328 EncodePointer

• 0x14001a330 IsValidCodePage

• 0x14001a338 GetOEMCP

• 0x14001a340 HeapDestroy

• 0x14001a348 HeapAlloc

• 0x14001a350 HeapFree

• 0x14001a358 HeapReAlloc

• 0x14001a360 HeapSize

• 0x14001a368 GetProcessHeap

• 0x14001a370 ExitProcess

• 0x14001a378 CreateDirectoryW

• 0x14001a380 UnhandledExceptionFilter

• 0x14001a388 SetUnhandledExceptionFilter

• 0x14001a390 IsDebuggerPresent

• 0x14001a398 RtlVirtualUnwind

• 0x14001a3a0 RtlLookupFunctionEntry

• 0x14001a3a8 RtlCaptureContext

• 0x14001a3b0 GetStartupInfoW

• 0x14001a3b8 HeapSetInformation

• 0x14001a3c0 HeapCreate

• 0x14001a3c8 GetStdHandle

• 0x14001a3d0 GetModuleFileNameA

• 0x14001a3d8 RaiseException

• 0x14001a3e0 RtlPcToFileHeader

• 0x14001a3e8 GetCPInfo

• 0x14001a3f0 GetACP

Library USER32.dll:

• 0x14001a410 TranslateMessage

• 0x14001a418 PeekMessageW

• 0x14001a420 MessageBoxW

• 0x14001a428 DispatchMessageW

Library ADVAPI32.dll:

• 0x14001a000 LookupAccountNameW

• 0x14001a008 SetServiceStatus

• 0x14001a010 RegisterServiceCtrlHandlerExW

• 0x14001a018 StartServiceCtrlDispatcherW

• 0x14001a020 ControlService

• 0x14001a028 QueryServiceStatus

• 0x14001a030 StartServiceW

• 0x14001a038 OpenServiceW

• 0x14001a040 OpenSCManagerW

• 0x14001a048 DeleteService

• 0x14001a050 CloseServiceHandle

• 0x14001a058 CreateServiceW

• 0x14001a060 RegQueryValueExW

• 0x14001a068 RegCreateKeyExW

• 0x14001a070 CheckTokenMembership

• 0x14001a078 FreeSid

• 0x14001a080 AllocateAndInitializeSid

• 0x14001a088 AdjustTokenPrivileges

• 0x14001a090 RevertToSelf

• 0x14001a098 ImpersonateLoggedOnUser

• 0x14001a0a0 DuplicateTokenEx

• 0x14001a0a8 LookupPrivilegeValueW

• 0x14001a0b0 GetUserNameW

• 0x14001a0b8 OpenProcessToken

• 0x14001a0c0 RegSetValueExW

• 0x14001a0c8 RegCloseKey

• 0x14001a0d0 RegOpenKeyExW

Library SHELL32.dll:

• 0x14001a400 SHGetFolderPathW

Exports

Ordinal	Address	Name
1	0x140001490	get_error_message_s

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 142.250.204.142	172.217.160.78
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49236	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.

dead_host	172.217.160.110:443
dead_host	142.250.204.142:443