SmartHawk

7.6

高危

55 个模型检测该样本为恶意！

重新分析

下载样本

5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1

528803eb79a155fc433c390a194ae344.exe

分析耗时

94s

最近分析

文件大小

430.0KB

静态报毒动态报毒 100% AGENTTESLA AI SCORE=87 AM0@ASJXKWL ATTRIBUTE AVSARHER BUBVT6 CONFIDENCE ELDORADO FAREIT FORMBOOK GDSDA GENERICKDZ HIGH CONFIDENCE HIGHCONFIDENCE HPWNEY KCLOUD KRYPTIK MALICIOUS PE MALWARE@#2NYVQL9HUOERA MALWAREX R002C0DH120 REMCOS SCORE SIGGEN2 STATIC AI SUNW SUSGEN UNSAFE XEIQX YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FXU!528803EB79A1	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Alibaba	Trojan:MSIL/AgentTesla.9c31e84b	20190527	0.3.0.5
Kingsoft	Win32.Troj.Undef.(kcloud)	20201211	2017.9.26.565
Tencent	Msil.Trojan.Crypt.Sunw	20201211	1.0.0.1
Avast	Win32:MalwareX-gen [Trj]	20201210	21.1.5827.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619454844.693 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (12 个事件)

Time & API	Arguments	Status	Return	Repeated
1619426985.393924 IsDebuggerPresent		failed	0	0
1619426985.393924 IsDebuggerPresent		failed	0	0
1619427035.768924 IsDebuggerPresent		failed	0	0
1619427036.268924 IsDebuggerPresent		failed	0	0
1619427036.784924 IsDebuggerPresent		failed	0	0
1619427037.268924 IsDebuggerPresent		failed	0	0
1619427037.784924 IsDebuggerPresent		failed	0	0
1619427038.268924 IsDebuggerPresent		failed	0	0
1619427038.784924 IsDebuggerPresent		failed	0	0
1619427039.268924 IsDebuggerPresent		failed	0	0
1619427039.784924 IsDebuggerPresent		failed	0	0
1619427040.268924 IsDebuggerPresent		failed	0	0

Command line console output was observed (3 个事件)

Time & API	Arguments	Status	Return
1619454844.74 WriteConsoleW	buffer: 错误: console_handle: 0x0000000b	success	1
1619454844.74 WriteConsoleW	buffer: 任务 XML 格式错误。 console_handle: 0x0000000b	success	1
1619454844.755 WriteConsoleW	buffer: (44,80):Command: console_handle: 0x0000000b	success	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619426985.455924 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 99 个事件)

Time & API	Arguments	Status	Return
1619426984.580924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x009b0000	success	0
1619426984.580924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba0000	success	0
1619426985.002924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00a20000	success	0
1619426985.002924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a80000	success	0
1619426985.174924 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619426985.393924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01fe0000	success	0
1619426985.393924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02190000	success	0
1619426985.409924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047a000	success	0
1619426985.409924 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619426985.409924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00472000	success	0
1619426985.846924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00482000	success	0
1619426986.018924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00855000	success	0
1619426986.034924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0085b000	success	0
1619426986.034924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00857000	success	0
1619426986.174924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00483000	success	0
1619426986.190924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048c000	success	0
1619426986.565924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00484000	success	0
1619426986.580924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00486000	success	0
1619426986.674924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe0000	success	0
1619426986.768924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00487000	success	0
1619426986.799924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0049a000	success	0
1619426986.799924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00497000	success	0
1619426987.190924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00488000	success	0
1619426987.190924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00496000	success	0
1619426987.221924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048a000	success	0
1619426987.409924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00489000	success	0
1619426987.580924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x045f0000	success	0
1619426987.596924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe1000	success	0
1619426987.643924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x045f1000	success	0
1619426987.690924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe2000	success	0
1619426987.705924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x045f2000	success	0
1619426987.721924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe3000	success	0
1619426987.737924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe5000	success	0
1619427028.752924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe6000	success	0
1619427028.768924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a81000	success	0
1619427028.830924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe7000	success	0
1619427028.940924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048d000	success	0
1619427028.940924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047c000	success	0
1619427028.971924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe8000	success	0
1619427029.002924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x045f3000	success	0
1619427029.002924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x045f4000	success	0
1619427029.018924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fe9000	success	0
1619427029.127924 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 268288 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x06050400	failed	3221225550
1619427035.315924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fea000	success	0
1619427035.315924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01feb000	success	0
1619427035.330924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x045f5000	success	0
1619427035.362924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fec000	success	0
1619427035.377924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fed000	success	0
1619427035.471924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fee000	success	0
1619427035.549924 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01fef000	success	0

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp18FC.tmp"
cmdline	schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp18FC.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619427036.518924 ShellExecuteExW	parameters: /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp18FC.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.822163793324907

section

{'size_of_data': '0x0006ae00', 'virtual_address': '0x00002000', 'entropy': 7.822163793324907, 'name': '.text', 'virtual_size': '0x0006ac30'}

description

A section with a high entropy has been found

entropy

0.9953434225844005

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619427029.112924 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (10 个事件)

Time & API	Arguments	Status
1619427039.127924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2168 process_handle: 0x00003950	failed
1619427039.127924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2168 process_handle: 0x00003950	success
1619427039.455924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 920 process_handle: 0x0000a52c	failed
1619427039.455924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 920 process_handle: 0x0000a52c	success
1619427039.768924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 360 process_handle: 0x0000b424	failed
1619427039.768924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 360 process_handle: 0x0000b424	success
1619427040.096924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1244 process_handle: 0x00010304	failed
1619427040.096924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1244 process_handle: 0x00010304	success
1619427040.393924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00010628	failed
1619427040.393924 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00010628	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp18FC.tmp"
cmdline	schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp18FC.tmp"

Allocates execute permission to another process indicative of possible code injection (5 个事件)

Time & API	Arguments	Status	Return
1619427038.846924 NtAllocateVirtualMemory	process_identifier: 2168 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00006508 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619427039.237924 NtAllocateVirtualMemory	process_identifier: 920 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00003ad8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619427039.565924 NtAllocateVirtualMemory	process_identifier: 360 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d6d8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619427039.877924 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000b754 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619427040.190924 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000efc8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp18FC.tmp

Manipulates memory of a non-child process indicative of process injection (10 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2128 manipulating memory of non-child process 2168
Process injection	Process 2128 manipulating memory of non-child process 920
Process injection	Process 2128 manipulating memory of non-child process 360
Process injection	Process 2128 manipulating memory of non-child process 1244
Process injection	Process 2128 manipulating memory of non-child process 2760
1619427038.846924 NtAllocateVirtualMemory	process_identifier: 2168 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00006508 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619427039.237924 NtAllocateVirtualMemory	process_identifier: 920 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00003ad8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619427039.565924 NtAllocateVirtualMemory	process_identifier: 360 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d6d8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619427039.877924 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000b754 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619427040.190924 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000efc8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Executed a process and injected code into it, probably while unpacking (21 个事件)

Time & API	Arguments	Status	Return
1619426985.393924 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2128	success	0
1619426985.424924 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2128	success	0
1619426985.502924 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2128	success	0
1619427035.737924 NtResumeThread	thread_handle: 0x00010e80 suspend_count: 1 process_identifier: 2128	success	0
1619427035.752924 NtResumeThread	thread_handle: 0x0000083c suspend_count: 1 process_identifier: 2128	success	0
1619427036.518924 CreateProcessInternalW	thread_identifier: 2944 thread_handle: 0x00005294 process_identifier: 2968 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp18FC.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00002768 inherit_handles: 0	success	1
1619427038.830924 CreateProcessInternalW	thread_identifier: 2516 thread_handle: 0x00000bf8 process_identifier: 2168 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00006508 inherit_handles: 0	success	1
1619427038.846924 NtGetContextThread	thread_handle: 0x00000bf8	success	0
1619427038.846924 NtAllocateVirtualMemory	process_identifier: 2168 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00006508 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619427039.237924 CreateProcessInternalW	thread_identifier: 1824 thread_handle: 0x00003950 process_identifier: 920 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00003ad8 inherit_handles: 0	success	1
1619427039.237924 NtGetContextThread	thread_handle: 0x00003950	success	0
1619427039.237924 NtAllocateVirtualMemory	process_identifier: 920 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00003ad8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619427039.565924 CreateProcessInternalW	thread_identifier: 1760 thread_handle: 0x0000a52c process_identifier: 360 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000d6d8 inherit_handles: 0	success	1
1619427039.565924 NtGetContextThread	thread_handle: 0x0000a52c	success	0
1619427039.565924 NtAllocateVirtualMemory	process_identifier: 360 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d6d8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619427039.877924 CreateProcessInternalW	thread_identifier: 3004 thread_handle: 0x0000b424 process_identifier: 1244 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000b754 inherit_handles: 0	success	1
1619427039.877924 NtGetContextThread	thread_handle: 0x0000b424	success	0
1619427039.877924 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000b754 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619427040.190924 CreateProcessInternalW	thread_identifier: 2216 thread_handle: 0x00010304 process_identifier: 2760 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\528803eb79a155fc433c390a194ae344.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000efc8 inherit_handles: 0	success	1
1619427040.190924 NtGetContextThread	thread_handle: 0x00010304	success	0
1619427040.190924 NtAllocateVirtualMemory	process_identifier: 2760 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000efc8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69154
FireEye	Generic.mg.528803eb79a155fc
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FXU!528803EB79A1
Cylance	Unsafe
Sangfor	Malware
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKDZ.69154
K7GW	Trojan ( 0056ba881 )
K7AntiVirus	Trojan ( 0056ba881 )
Cyren	W32/MSIL_Troj.SX.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Formbook-9215845-0
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
Alibaba	Trojan:MSIL/AgentTesla.9c31e84b
NANO-Antivirus	Trojan.Win32.Crypt.hpwney
Ad-Aware	Trojan.GenericKDZ.69154
Emsisoft	Trojan.GenericKDZ.69154 (B)
Comodo	Malware@#2nyvql9huoera
F-Secure	Trojan.TR/Dropper.MSIL.xeiqx
DrWeb	Trojan.PWS.Siggen2.52918
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DH120
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
GData	Trojan.GenericKDZ.69154
Avira	TR/Dropper.MSIL.xeiqx
MAX	malware (ai score=87)
Antiy-AVL	Trojan/MSIL.Crypt
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.cc
Arcabit	Trojan.Generic.D10E22
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.AgentTesla.C4173453
BitDefenderTheta	Gen:NN.ZemsilF.34670.Am0@aSJxkWl
ALYac	Trojan.GenericKDZ.69154
Malwarebytes	Trojan.MalPack
Panda	Trj/GdSda.A
ESET-NOD32	a variant of MSIL/Kryptik.XDP
TrendMicro-HouseCall	Backdoor.MSIL.REMCOS.SM
Tencent	Msil.Trojan.Crypt.Sunw
Yandex	Trojan.AvsArher.bUbVT6
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.XFP!tr

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-31 10:57:44

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.24.14 CNAME clients.l.google.com	172.217.24.14
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.