10.0
0-day

91b9e5401ca19ff3f45d8c3acce6a793f7cb713bc6920d9c5371197ad6a3b582

5518020384ceb599dd993c388c21acf3.exe

Analysis duration

78s

Last analyzed

File size

560.0KB
Static detection / dynamic detection tags: 100% A + TROJ AGENERIC AI SCORE=82 ALI1000029 CLASSIC CONFIDENCE DORPAL ELDORADO FPAR GEN7 GENERICRXAA HIGH CONFIDENCE HMQOYU JDE@5S4U9T JMW@AAEXHJC KCLOUD MALICIOUS PE MHUN NANCAT NANCRAT NANOBOT NANOCOR NANOCORE NOANCOOE ORBUS SCORE SMUPS STAM STATIC AI SUSGEN TSCOPE UNSAFE ZEMSILF
Hawkeye engine
Not detected: no Hawkeye engine detection results yet
Static verdict
Antivirus engines
Engine Result Time Version
McAfee GenericRXAA-CZ!5518020384CE 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Malware:Win32/Dorpal.ali1000029 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast MSIL:NanoCore-B [Trj] 20201210 21.1.5827.0
Kingsoft Win32.Troj.Agent.FP.(kcloud) 20201211 2017.9.26.565
Tencent Msil.Trojan.Agent.Stam 20201211 1.0.0.1
Static indicators
Queries for the computername (3 events)
Time & API Arguments Status Return Repeated
1619426989.677279
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619440156.811249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619440159.421124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619426982.474279
IsDebuggerPresent
failed 0 0
Command line console output was observed (50 out of 127 events)
Time & API Arguments Status Return Repeated
1619426984.161279
WriteConsoleA
buffer: 2021年4月26日
console_handle: 0x00000007
success 1 0
1619426984.161279
WriteConsoleA
buffer: Builder settings loaded..
console_handle: 0x00000007
success 1 0
1619426984.161279
WriteConsoleA
buffer: KeyboardLogging = True
console_handle: 0x00000007
success 1 0
1619426984.161279
WriteConsoleA
buffer: BuildTime = 2020/7/13 12:14:14
console_handle: 0x00000007
success 1 0
1619426984.161279
WriteConsoleA
buffer: Version = 1.2.2.0
console_handle: 0x00000007
success 1 0
1619426984.161279
WriteConsoleA
buffer: Mutex = 985f1ad1-4494-4376-be77-8f930cfc9abb
console_handle: 0x00000007
success 1 0
1619426984.177279
WriteConsoleA
buffer: DefaultGroup = Default
console_handle: 0x00000007
success 1 0
1619426984.177279
WriteConsoleA
buffer: PrimaryConnectionHost = harry7potter7.ddns.net
console_handle: 0x00000007
success 1 0
1619426984.193279
WriteConsoleA
buffer: BackupConnectionHost = harrypotter2.ddns.net
console_handle: 0x00000007
success 1 0
1619426984.193279
WriteConsoleA
buffer: ConnectionPort = 1604
console_handle: 0x00000007
success 1 0
1619426984.193279
WriteConsoleA
buffer: RunOnStartup = True
console_handle: 0x00000007
success 1 0
1619426984.193279
WriteConsoleA
buffer: RequestElevation = True
console_handle: 0x00000007
success 1 0
1619426984.193279
WriteConsoleA
buffer: BypassUserAccountControl = True
console_handle: 0x00000007
success 1 0
1619426984.224279
WriteConsoleA
buffer: BypassUserAccountControlData = System.Byte[]
console_handle: 0x00000007
success 1 0
1619426984.224279
WriteConsoleA
buffer: ClearZoneIdentifier = True
console_handle: 0x00000007
success 1 0
1619426984.239279
WriteConsoleA
buffer: ClearAccessControl = True
console_handle: 0x00000007
success 1 0
1619426984.239279
WriteConsoleA
buffer: SetCriticalProcess = True
console_handle: 0x00000007
success 1 0
1619426984.255279
WriteConsoleA
buffer: PreventSystemSleep = True
console_handle: 0x00000007
success 1 0
1619426984.255279
WriteConsoleA
buffer: ActivateAwayMode = True
console_handle: 0x00000007
success 1 0
1619426984.255279
WriteConsoleA
buffer: EnableDebugMode = True
console_handle: 0x00000007
success 1 0
1619426984.255279
WriteConsoleA
buffer: RunDelay = 0
console_handle: 0x00000007
success 1 0
1619426984.255279
WriteConsoleA
buffer: ConnectDelay = 4000
console_handle: 0x00000007
success 1 0
1619426984.255279
WriteConsoleA
buffer: RestartDelay = 5000
console_handle: 0x00000007
success 1 0
1619426984.255279
WriteConsoleA
buffer: TimeoutInterval = 5000
console_handle: 0x00000007
success 1 0
1619426984.271279
WriteConsoleA
buffer: KeepAliveTimeout = 30000
console_handle: 0x00000007
success 1 0
1619426984.271279
WriteConsoleA
buffer: MutexTimeout = 5000
console_handle: 0x00000007
success 1 0
1619426984.271279
WriteConsoleA
buffer: LanTimeout = 2500
console_handle: 0x00000007
success 1 0
1619426984.286279
WriteConsoleA
buffer: WanTimeout = 8000
console_handle: 0x00000007
success 1 0
1619426984.286279
WriteConsoleA
buffer: BufferSize = 65535
console_handle: 0x00000007
success 1 0
1619426984.286279
WriteConsoleA
buffer: MaxPacketSize = 10485760
console_handle: 0x00000007
success 1 0
1619426984.286279
WriteConsoleA
buffer: GCThreshold = 10485760
console_handle: 0x00000007
success 1 0
1619426984.286279
WriteConsoleA
buffer: UseCustomDnsServer = True
console_handle: 0x00000007
success 1 0
1619426984.286279
WriteConsoleA
buffer: PrimaryDnsServer = 8.8.8.8
console_handle: 0x00000007
success 1 0
1619426984.302279
WriteConsoleA
buffer: BackupDnsServer = 8.8.4.4
console_handle: 0x00000007
success 1 0
1619426984.521279
WriteConsoleA
buffer: Client Exception (DeleteUserStartup):
console_handle: 0x00000007
success 1 0
1619426984.661279
WriteConsoleA
buffer: 未能找到路径“C:\Users\Administrator.Oskar-PC\AppData\Roaming\F86F21BC-E5D8-4E58-9FCE-2AE2B7F127EE\DSL Service\dslsvc.exe”的一部分。 在 System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) 在 System.IO.File.Delete(String path) 在 #=qjIje6jGWLd2E
console_handle: 0x00000007
success 1 0
1619426984.661279
WriteConsoleA
buffer: OkfZXKqBbg==.#=qJqkjp9g96yoxpNS2E$BC00FKleto7dZfN9N5mtLDF4g=()
console_handle: 0x00000007
success 1 0
1619426989.052279
WriteConsoleA
buffer: Reading client settings from 'settings.bin'..
console_handle: 0x00000007
success 1 0
1619426989.068279
WriteConsoleA
buffer: Client Exception (LoadSettings):
console_handle: 0x00000007
success 1 0
1619426989.099279
WriteConsoleA
buffer: Settings file 'settings.bin' could not be found. 在 #=qjIje6jGWLd2EOkfZXKqBbg==.#=qRxR4aJg8TX8oM$OpeoviZQ==(String #=q2n0wwv9OpsrMrxVUVHoqGw==)
console_handle: 0x00000007
success 1 0
1619426989.114279
WriteConsoleA
buffer: Reading client settings from 'settings.bak'..
console_handle: 0x00000007
success 1 0
1619426989.130279
WriteConsoleA
buffer: Client Exception (LoadSettings):
console_handle: 0x00000007
success 1 0
1619426989.146279
WriteConsoleA
buffer: Settings file 'settings.bak' could not be found. 在 #=qjIje6jGWLd2EOkfZXKqBbg==.#=qRxR4aJg8TX8oM$OpeoviZQ==(String #=q2n0wwv9OpsrMrxVUVHoqGw==)
console_handle: 0x00000007
success 1 0
1619426989.161279
WriteConsoleA
buffer: Initializing cached plugins..
console_handle: 0x00000007
success 1 0
1619426989.193279
WriteConsoleA
buffer: Plugin: Core Plugin, Cache: True
console_handle: 0x00000007
success 1 0
1619426989.239279
WriteConsoleA
buffer: Plugin: Management Plugin, Cache: True
console_handle: 0x00000007
success 1 0
1619426989.255279
WriteConsoleA
buffer: Plugin: Misc Tools, Cache: True
console_handle: 0x00000007
success 1 0
1619426989.255279
WriteConsoleA
buffer: Plugin: MultiCore, Cache: True
console_handle: 0x00000007
success 1 0
1619426989.271279
WriteConsoleA
buffer: Plugin: NanoBrowser, Cache: True
console_handle: 0x00000007
success 1 0
1619426989.271279
WriteConsoleA
buffer: Plugin: NanoCoreSwiss, Cache: True
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have little memory available (1 event)
Time & API Arguments Status Return Repeated
1619426989.411279
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS domain (2 events)
domain harry7potter7.ddns.net
domain harrypotter2.ddns.net
Allocates read-write-execute memory (usually to unpack itself) (50 out of 118 events)
Time & API Arguments Status Return Repeated
1619426981.661279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008f0000
success 0 0
1619426981.661279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ad0000
success 0 0
1619426982.302279
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619426982.489279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ca000
success 0 0
1619426982.489279
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619426982.489279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c2000
success 0 0
1619426982.677279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d2000
success 0 0
1619426982.771279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d3000
success 0 0
1619426982.771279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0060b000
success 0 0
1619426982.771279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00607000
success 0 0
1619426983.068279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d4000
success 0 0
1619426983.068279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d5000
success 0 0
1619426983.114279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d6000
success 0 0
1619426983.114279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005dc000
success 0 0
1619426983.271279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a0000
success 0 0
1619426983.333279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef50000
success 0 0
1619426983.333279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef50000
success 0 0
1619426983.333279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef50000
success 0 0
1619426983.333279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef40000
success 0 0
1619426983.333279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619426983.364279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005fa000
success 0 0
1619426983.380279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d7000
success 0 0
1619426983.411279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ea000
success 0 0
1619426983.411279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e7000
success 0 0
1619426983.458279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005cb000
success 0 0
1619426983.536279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e6000
success 0 0
1619426983.599279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d8000
success 0 0
1619426983.661279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005da000
success 0 0
1619426983.724279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00830000
success 0 0
1619426983.755279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a1000
success 0 0
1619426983.755279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00605000
success 0 0
1619426983.802279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a2000
success 0 0
1619426983.849279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04c10000
success 0 0
1619426983.849279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dd0000
success 0 0
1619426983.849279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dd1000
success 0 0
1619426983.880279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dd2000
success 0 0
1619426983.896279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dd3000
success 0 0
1619426983.911279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dd4000
success 0 0
1619426983.911279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dd8000
success 0 0
1619426983.911279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04de9000
success 0 0
1619426983.911279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dea000
success 0 0
1619426983.911279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dec000
success 0 0
1619426983.911279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ded000
success 0 0
1619426983.911279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d9000
success 0 0
1619426983.927279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dee000
success 0 0
1619426983.927279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04def000
success 0 0
1619426983.943279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a3000
success 0 0
1619426983.974279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a4000
success 0 0
1619426984.083279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a5000
success 0 0
1619426984.099279
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f2000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a suspicious process (2 events)
cmdline "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CA2.tmp"
cmdline "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp66D4.tmp"
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619426984.880279
CreateProcessInternalW
thread_identifier: 1060
thread_handle: 0x00000224
process_identifier: 2424
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CA2.tmp"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000228
inherit_handles: 1
success 1 0
1619426987.427279
CreateProcessInternalW
thread_identifier: 2260
thread_handle: 0x00000224
process_identifier: 2536
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp66D4.tmp"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000002a4
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.999589898992862 section {'size_of_data': '0x0006f400', 'virtual_address': '0x00022000', 'entropy': 7.999589898992862, 'name': '.rsrc', 'virtual_size': '0x0006f230'} description A section with a high entropy has been found
entropy 0.7953529937444147 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)
Time & API Arguments Status Return Repeated
1619426988.943279
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619426988.943279
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619426988.958279
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CA2.tmp"
cmdline "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp66D4.tmp"
Network communication
One or more of the buffers contains an embedded PE file (15 events)
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Looks for the Windows idle time to determine the uptime (1 event)
Time & API Arguments Status Return Repeated
1619426989.708279
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task (1 event)
description 5518020384ceb599dd993c388c21acf3.exe tried to sleep 5456579 seconds, actually delayed analysis time by 5456579 seconds
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service reg_value C:\Program Files (x86)\DSL Service\dslsvc.exe
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CA2.tmp
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5518020384ceb599dd993c388c21acf3.exe:Zone.Identifier
File has been identified by 63 antivirus engines on VirusTotal as malicious (50 out of 63 events)
Elastic malicious (high confidence)
MicroWorld-eScan Backdoor.MSIL.Agent.GD
FireEye Generic.mg.5518020384ceb599
CAT-QuickHeal Trojan.Orbus.C3
Qihoo-360 Generic/Trojan.f3a
McAfee GenericRXAA-CZ!5518020384CE
Cylance Unsafe
Zillya Trojan.Agent.Win32.1351222
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Malware:Win32/Dorpal.ali1000029
K7GW Trojan ( 700000121 )
K7AntiVirus Trojan ( 700000121 )
Arcabit Backdoor.MSIL.Agent.GD
Cyren W32/NanoCore.C.gen!Eldorado
Symantec Trojan.Nancrat
APEX Malicious
Avast MSIL:NanoCore-B [Trj]
ClamAV Win.Trojan.Nanocore-5
Kaspersky Trojan.MSIL.Agent.fpar
BitDefender Backdoor.MSIL.Agent.GD
NANO-Antivirus Trojan.Win32.NanoBot.hmqoyu
Paloalto generic.ml
ViRobot Backdoor.Win32.NanoCore.Gen.A
Rising Backdoor.NanoCore!1.B6F9 (CLASSIC)
Ad-Aware Backdoor.MSIL.Agent.GD
Emsisoft Trojan.NanoCore (A)
Comodo Backdoor.MSIL.Noancooe.JDE@5s4u9t
F-Secure Trojan.TR/Dropper.MSIL.Gen7
DrWeb Trojan.Nanocore.23
VIPRE Trojan.MSIL.NanoCore.B (fs)
TrendMicro BKDR_NOANCOOE.SMUPS
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Sophos ML/PE-A + Troj/NanoCor-BT
Ikarus Backdoor.Rat.Nanocore
Jiangmin Backdoor.Generic.zwu
Avira TR/Dropper.MSIL.Gen7
Antiy-AVL Trojan[Backdoor]/Win32.AGeneric
Kingsoft Win32.Troj.Agent.FP.(kcloud)
Gridinsoft Backdoor.Win32.Noancooe.cc!ni
Microsoft Backdoor:MSIL/Nanocore.S!MTB
AegisLab Trojan.Win32.Generic.mhUN
ZoneAlarm Trojan.MSIL.Agent.fpar
GData MSIL.Backdoor.Nancat.A
Cynet Malicious (score: 100)
AhnLab-V3 Win-Trojan/Nanocore.Exp
Acronis suspicious
BitDefenderTheta Gen:NN.ZemsilF.34670.JmW@aaexHjc
ALYac Backdoor.MSIL.Agent.GD
MAX malware (ai score=82)
Visual analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran


PE Compile Time

2015-02-22 08:49:37

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.