SmartHawk

6.2

高危

57 个模型检测该样本为恶意！

重新分析

下载样本

02cb34da6e620d9428f9c8f375fe96a397464d272f723abd8296c4b420fb0e77

4e59fba21c5e9ec603f28a92d9efd8d0.exe

分析耗时

32s

最近分析

文件大小

69.0KB

静态报毒动态报毒 100% AGEN AI SCORE=100 AIDETECT BSCOPE CMRTAZQRPSI4CLMBM+VWBUNLDEUG CONFIDENCE DELSHAD ELDORADO FILECODER GENCIRC HIGH CONFIDENCE HJROUC HXQBQV8A MAILTO MALWARE1 MALWARE@#1TKNNOYXJUZ77 MULTIPLUG NETW NETWALKER R + MAL R374144 RANSOMWARE RANSOMX RDMK SCORE SMTH STATIC AI SUSGEN SUSPICIOUS PE TROJANPSW UNSAFE W6C4UTZR3JE WALKER ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Ransom:Win32/NetWalker.65f960c7	20190527	0.3.0.5
Avast	Win32:RansomX-gen [Ransom]	20210404	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10b9c422	20210404	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20210404	2017.9.26.565
McAfee	Ransom-NetW!4E59FBA21C5E	20210404	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619426984.953727 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619449170.607146 WriteConsoleW	buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp. console_handle: 0x0000000000000007	success	1	0

Tries to locate where the browsers are installed (1 个事件)

file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

Creates (office) documents on the filesystem (5 个事件)

file	C:\Users\Administrator.Oskar-PC\Documents\xTCiuhhOKc.docm
file	C:\Users\Administrator.Oskar-PC\Documents\TqxIRhKVrl.doc
file	C:\Users\Administrator.Oskar-PC\Documents\zxragkNxCtGzuiRDc.doc
file	C:\Users\Administrator.Oskar-PC\Documents\bHtEwKHzgMSrOpR.docm
file	C:\Users\Administrator.Oskar-PC\Documents\nBeCaOtdCEEDni.pptx

The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)

entropy

7.907526306723195

section

{'size_of_data': '0x00001600', 'virtual_address': '0x00012000', 'entropy': 7.907526306723195, 'name': '.rsrc', 'virtual_size': '0x00002000'}

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619426984.937727 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619449170.591146 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to detect Cuckoo Sandbox through the presence of a file (2 个事件)

file	C:\Python27\agent.pyw
file	C:\tmpsij43m\analyzer.py

Writes a potential ransom message to disk (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619426987.172727 NtWriteFile	file_handle: 0x000002dc filepath: C:\Python27\07E7DE-Readme.txt buffer: Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .07e7de -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_07e7de: 57BPb63rRi2zEn9rRKPYWQtXdAwcKlbOyjhCGmJBjGPw7VpRDk wymafVamn3JazTgOV73lrkZFQKPbK5s9nVGVlqzZ42fjQ0TAuG pG8Sur4X5e7F8MLkN9fY1xSgGYnbnyxJ4urdacp1+KhPX9oGCO c8OnaptkETPrfP4xn1FDVEVTvr9icUfPtJv/dsp6uPpzaRwaVv Af4cNjlV4mqi0MT3JwB7nD+NNc2Wp7OM72IP0tPEQBDYsaIv76 jl3y0tOnwVIHTrDTFLunLl3BLp/kuKkV6gDq11/Q==} offset: 0	success	0	0
1619426988.203727 NtWriteFile	file_handle: 0x0000107c filepath: C:\tmpsij43m\07E7DE-Readme.txt buffer: Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .07e7de -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_07e7de: 57BPb63rRi2zEn9rRKPYWQtXdAwcKlbOyjhCGmJBjGPw7VpRDk wymafVamn3JazTgOV73lrkZFQKPbK5s9nVGVlqzZ42fjQ0TAuG pG8Sur4X5e7F8MLkN9fY1xSgGYnbnyxJ4urdacp1+KhPX9oGCO c8OnaptkETPrfP4xn1FDVEVTvr9icUfPtJv/dsp6uPpzaRwaVv Af4cNjlV4mqi0MT3JwB7nD+NNc2Wp7OM72IP0tPEQBDYsaIv76 jl3y0tOnwVIHTrDTFLunLl3BLp/kuKkV6gDq11/Q==} offset: 0	success	0	0

Uses suspicious command line tools or Windows utilities (1 个事件)

cmdline

C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

Detects VirtualBox through the presence of a file (3 个事件)

file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Encoder.32281
MicroWorld-eScan	Gen:Variant.Zusy.303374
FireEye	Generic.mg.4e59fba21c5e9ec6
ALYac	Trojan.Ransom.Mailto
Cylance	Unsafe
Zillya	Trojan.DelShad.Win32.468
Sangfor	Ransom.Win32.NetWalker.H!rsm
K7AntiVirus	Trojan ( 0056b6ab1 )
Alibaba	Ransom:Win32/NetWalker.65f960c7
K7GW	Trojan ( 0056b6ab1 )
Cybereason	malicious.21c5e9
Arcabit	Trojan.Zusy.D4A10E
BitDefenderTheta	AI:Packer.277DB83B1E
Cyren	W32/Netwalker.A.gen!Eldorado
Symantec	Downloader
ESET-NOD32	a variant of Win32/Filecoder.NetWalker.D
APEX	Malicious
Avast	Win32:RansomX-gen [Ransom]
ClamAV	Win.Ransomware.Netwalker-7671868-0
Kaspersky	HEUR:Trojan-Ransom.Win32.Mailto.gen
BitDefender	Gen:Variant.Zusy.303374
NANO-Antivirus	Trojan.Win32.Filecoder.hjrouc
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.10b9c422
Ad-Aware	Gen:Variant.Zusy.303374
Emsisoft	Gen:Variant.Zusy.303374 (B)
Comodo	Malware@#1tknnoyxjuz77
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom.Win32.NETWALKER.SMTH
McAfee-GW-Edition	BehavesLike.Win32.MultiPlug.kh
Sophos	Mal/Generic-R + Mal/Ransom-FW
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.DelShad.wh
Avira	HEUR/AGEN.1115135
Gridinsoft	Ransom.Win32.Ransom.vb!s1
Microsoft	Ransom:Win32/NetWalker.H!rsm
AegisLab	Trojan.Win32.DelShad.4!c
GData	Gen:Variant.Zusy.303374
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.RansomCrypt.R374144
McAfee	Ransom-NetW!4E59FBA21C5E
MAX	malware (ai score=100)
VBA32	BScope.TrojanPSW.Spy
Malwarebytes	Ransom.NetWalker
TrendMicro-HouseCall	Ransom.Win32.NETWALKER.SMTH
Rising	Ransom.NetWalker!1.CFC6 (RDMK:cmRtazqrpsI4clMBM+VwBuNldeUg)
Yandex	Trojan.Filecoder!w6c4UtZR3jE
Ikarus	Trojan-Ransom.NetWalker

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-26 23:20:15

Imports

Library KERNEL32.dll:

• 0x410000 Sleep

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	59704	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.