12.2
0-day
56 个模型检测该样本为恶意!
重新分析
更多

2919fa110980fedf9851a425d093b7d9657050e2b7d9cf7fff639c9c3e6aad87

5881a975e8b6511fe0ee137bf21e93c9.exe

分析耗时

97s

最近分析

文件大小

367.7KB
静态报毒 动态报毒 6MGKS7BNKGW AGEN AI SCORE=85 ATTRIBUTE AZRE@4XKXXY AZXO BSCOPE BULTA CLOUD CONFIDENCE CQYDJA ENCPK FUGRAFA GENCIRC GENETIC HIGH HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK LUDER MALICIOUS PE QVM20 R64077 SCORE SMODN TEPFER TSPY UNSAFE WC1@AK8H51BS ZBOT ZEUS ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Kryptik-LMN [Trj] 20200719 18.4.3895.0
Tencent Malware.Win32.Gencirc.114c2763 20200719 1.0.0.1
Kingsoft 20200719 2013.8.14.323
McAfee Agent-FCC!5881A975E8B6 20200719 6.0.6.653
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619513309.079879
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (50 out of 61 个事件)
Time & API Arguments Status Return Repeated
1619540144.418125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540144.449125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540144.558125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540144.574125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540144.668125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540144.683125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540144.793125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540144.808125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540144.933125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540144.933125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.027125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.043125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.105125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.121125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.215125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.230125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.293125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.308125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.386125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.386125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.433125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.433125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.511125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.511125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.605125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.621125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.715125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.715125
WriteConsoleW
buffer: 另一个程序正在使用此文件,进程无法访问。
console_handle: 0x0000000b
success 1 0
1619540145.793125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.793125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540145.886125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540145.902125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540146.058125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540146.058125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540146.152125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540146.183125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540146.590125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540146.652125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540146.902125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540146.918125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540147.215125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540147.230125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540147.293125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540147.308125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540147.418125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540147.433125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540147.465125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540147.465125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619540147.777125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
console_handle: 0x00000007
success 1 0
1619540147.777125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619513309.063879
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619540195.35475
__exception__
stacktrace: 
ASN1_CreateModule+0xce ASN1DecSetError-0xe9 msasn1+0x24f0 @ 0x77d024f0
ASN1_CreateModule+0x15 ASN1DecSetError-0x1a2 msasn1+0x2437 @ 0x77d02437
WinVerifyTrust+0xae3 TrustFreeDecode-0x765 wintrust+0x3157 @ 0x75c43157
WinVerifyTrust+0x5e0 TrustFreeDecode-0xc68 wintrust+0x2c54 @ 0x75c42c54
WinVerifyTrust+0x1f8 TrustFreeDecode-0x1050 wintrust+0x286c @ 0x75c4286c
WinVerifyTrust+0x387 TrustFreeDecode-0xec1 wintrust+0x29fb @ 0x75c429fb
RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x77d69930
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7533d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x778f1d7a
SetupDiGetClassImageListExW+0x1070c SetupGetBackupInformationA-0x1318a setupapi+0x44a75 @ 0x75a54a75
SetupDiGetClassDevsW+0x37a UnicodeToMultiByte-0x57 setupapi+0xb60a @ 0x75a1b60a
SetupDiGetClassDevsW+0x3c1 UnicodeToMultiByte-0x10 setupapi+0xb651 @ 0x75a1b651
SetupDiDestroyDeviceInfoList+0xe3 pSetupDiInvalidateHelperModules-0x17e setupapi+0xaf60 @ 0x75a1af60
SetupDiDestroyDeviceInfoList+0x44 pSetupDiInvalidateHelperModules-0x21d setupapi+0xaec1 @ 0x75a1aec1
DllGetClassObject+0xdc34 DllRegisterServer-0x1172c mmdevapi+0x10b01 @ 0x745b0b01
DllGetClassObject+0xdba6 DllRegisterServer-0x117ba mmdevapi+0x10a73 @ 0x745b0a73
DllGetClassObject+0xdb51 DllRegisterServer-0x1180f mmdevapi+0x10a1e @ 0x745b0a1e
DllGetClassObject+0xdb3a DllRegisterServer-0x11826 mmdevapi+0x10a07 @ 0x745b0a07
DllGetClassObject+0xdab4 DllRegisterServer-0x118ac mmdevapi+0x10981 @ 0x745b0981
DllGetClassObject+0xda5f DllRegisterServer-0x11901 mmdevapi+0x1092c @ 0x745b092c
DllGetClassObject+0xda0f DllRegisterServer-0x11951 mmdevapi+0x108dc @ 0x745b08dc
DllGetClassObject+0xd874 DllRegisterServer-0x11aec mmdevapi+0x10741 @ 0x745b0741
RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x77d69930
LdrShutdownProcess+0x141 RtlDetectHeapLeaks-0x111 ntdll+0x58fba @ 0x77d88fba
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77d88e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x76357a25
_threadEntry+0x138 @ 0x218dd2c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38270000
registers.edi: 1975947576
registers.eax: 38270064
registers.ebp: 38270004
registers.edx: 0
registers.ebx: 1975779328
registers.esi: 0
registers.ecx: 1969237513
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xe9a45bc3
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 111 个事件)
Time & API Arguments Status Return Repeated
1619513307.219879
NtAllocateVirtualMemory
process_identifier: 732
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619513307.235879
NtAllocateVirtualMemory
process_identifier: 732
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619513307.251879
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 438272
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619513307.344879
NtAllocateVirtualMemory
process_identifier: 732
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00540000
success 0 0
1619539782.530271
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004840000
success 0 0
1619540143.402125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619540143.402125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 225280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619540143.433125
NtProtectVirtualMemory
process_identifier: 1164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 438272
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619540143.465125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00550000
success 0 0
1619540143.543125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02590000
success 0 0
1619540143.543125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x025a0000
success 0 0
1619540143.543125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b00000
success 0 0
1619540143.543125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02560000
success 0 0
1619540143.543125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02570000
success 0 0
1619540143.558125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02580000
success 0 0
1619540143.558125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02be0000
success 0 0
1619540143.574125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bf0000
success 0 0
1619540143.574125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c00000
success 0 0
1619540143.590125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c10000
success 0 0
1619540143.590125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c20000
success 0 0
1619540143.590125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c30000
success 0 0
1619540143.590125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c40000
success 0 0
1619540143.590125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c50000
success 0 0
1619540143.605125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c60000
success 0 0
1619540143.605125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c70000
success 0 0
1619540143.621125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c80000
success 0 0
1619540143.621125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c90000
success 0 0
1619540143.636125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ca0000
success 0 0
1619540143.636125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cb0000
success 0 0
1619540143.636125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cc0000
success 0 0
1619540143.652125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cd0000
success 0 0
1619540143.652125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bb0000
success 0 0
1619540143.652125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bc0000
success 0 0
1619540143.652125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bd0000
success 0 0
1619540143.668125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ce0000
success 0 0
1619540143.668125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cf0000
success 0 0
1619540143.668125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d00000
success 0 0
1619540143.668125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d10000
success 0 0
1619540143.668125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d20000
success 0 0
1619540143.668125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d30000
success 0 0
1619540143.668125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d40000
success 0 0
1619540143.683125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d50000
success 0 0
1619540143.683125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d60000
success 0 0
1619540143.683125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d70000
success 0 0
1619540143.683125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d80000
success 0 0
1619540143.699125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02d90000
success 0 0
1619540143.699125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02da0000
success 0 0
1619540143.699125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02db0000
success 0 0
1619540143.699125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b10000
success 0 0
1619540143.715125
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b20000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp733c3176.bat
Creates a service (1 个事件)
Time & API Arguments Status Return Repeated
1619513311.219879
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x005b5c78
display_name: Security Center Server - 613128791
error_control: 1
service_name: SecurityCenterServer613128791
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe"
filepath_r: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe"
service_manager_handle: 0x005b5e30
desired_access: 983551
service_type: 16
password:
success 5987448 0
Creates a suspicious process (1 个事件)
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\tmp733c3176.bat"
Drops an executable to the user AppData folder (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5881a975e8b6511fe0ee137bf21e93c9.exe
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619540152.16775
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (4 个事件)
entropy 7.9022603883937945 section {'size_of_data': '0x0002e800', 'virtual_address': '0x00001000', 'entropy': 7.9022603883937945, 'name': '.text', 'virtual_size': '0x0002e702'} description A section with a high entropy has been found
entropy 7.789112719647005 section {'size_of_data': '0x00004a00', 'virtual_address': '0x00035000', 'entropy': 7.789112719647005, 'name': '.data', 'virtual_size': '0x0003d584'} description A section with a high entropy has been found
entropy 7.21475433838157 section {'size_of_data': '0x0000c800', 'virtual_address': '0x0008d000', 'entropy': 7.21475433838157, 'name': '.data', 'virtual_size': '0x0000c7b4'} description A section with a high entropy has been found
entropy 0.6963064295485636 description Overall entropy of this PE file is high
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619540201.933125
InternetOpenA
proxy_bypass:
access_type: 1
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619540176.35475
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3176
process_handle: 0x00000550
failed 0 0
1619540176.35475
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3176
process_handle: 0x00000550
success 0 0
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 203.208.41.98
Installs itself for autorun at Windows startup (50 out of 1092 个事件)
service_name SecurityCenterServer613128791 service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe"
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ipegetsabiutygi reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ufvyimec\ezsipo.exe
Disables proxy possibly for traffic interception (1 个事件)
Time & API Arguments Status Return Repeated
1619540151.79275
RegSetValueExA
key_handle: 0x000003b8
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619540154.72975
RegSetValueExA
key_handle: 0x000004e4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619540154.72975
RegSetValueExA
key_handle: 0x000004e4
value:  Ô²7x;×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619540154.72975
RegSetValueExA
key_handle: 0x000004e4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619540154.72975
RegSetValueExW
key_handle: 0x000004e4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619540154.72975
RegSetValueExA
key_handle: 0x000004d0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619540154.72975
RegSetValueExA
key_handle: 0x000004d0
value:  Ô²7x;×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619540154.72975
RegSetValueExA
key_handle: 0x000004d0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619540154.76075
RegSetValueExW
key_handle: 0x000004cc
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 1164 resumed a thread in remote process 2868
Time & API Arguments Status Return Repeated
1619540144.261125
NtResumeThread
thread_handle: 0x00000240
suspend_count: 1
process_identifier: 2868
success 0 0
Creates and runs a batch file to remove the original binary (1 个事件)
file a464987a567661fd_tmp733c3176.bat
Zeus P2P (Banking Trojan) (18 个事件)
mutex Global\{2BED897B-3CC9-9551-0FD6-63D6397F3F4B}
mutex Global\{2EA1CAD8-7F6A-901D-3DBE-D3560B178FCB}
mutex Global\{DEF83CB6-8904-6044-3DBE-D3560B178FCB}
mutex Local\{94B8EF93-5A21-2A04-3DBE-D3560B178FCB}
mutex Local\{BF1E8AA1-3F13-01A2-3DBE-D3560B178FCB}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 12509, 'time': 6.64684796333313, 'dport': 5355, 'sport': 51808}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 12845, 'time': 4.445310831069946, 'dport': 5355, 'sport': 51963}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 13173, 'time': 22.04513192176819, 'dport': 5355, 'sport': 53237}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 13493, 'time': 88.30807900428772, 'dport': 5355, 'sport': 53380}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 13813, 'time': 2.725461959838867, 'dport': 5355, 'sport': 56804}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 14141, 'time': 2.969959020614624, 'dport': 5355, 'sport': 62191}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 14469, 'time': 4.080525875091553, 'dport': 5355, 'sport': 63429}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 14805, 'time': 6.646248817443848, 'dport': 5355, 'sport': 65004}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 15133, 'time': 4.23306679725647, 'dport': 1900, 'sport': 1900}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 34543, 'time': 9.243335962295532, 'dport': 3702, 'sport': 51379}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 37399, 'time': 5.645334959030151, 'dport': 3702, 'sport': 55369}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 40127, 'time': 4.410655975341797, 'dport': 3702, 'sport': 58707}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 48511, 'time': 6.785645961761475, 'dport': 1900, 'sport': 63432}
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 147.75.95.72:80
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)
MicroWorld-eScan Gen:Variant.Fugrafa.1676
FireEye Generic.mg.5881a975e8b6511f
CAT-QuickHeal Trojan.Bulta.29685
BitDefenderTheta Gen:NN.ZexaF.34136.wC1@aK8h51bS
ALYac Gen:Variant.Fugrafa.1676
Zillya Worm.Luder.Win32.255
SUPERAntiSpyware Trojan.Agent/Gen-Autorun
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
Cybereason malicious.5e8b65
Invincea heuristic
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.AZXO
APEX Malicious
Avast Win32:Kryptik-LMN [Trj]
GData Gen:Variant.Fugrafa.1676
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Fugrafa.1676
NANO-Antivirus Trojan.Win32.Luder.cqydja
Paloalto generic.ml
Tencent Malware.Win32.Gencirc.114c2763
Endgame malicious (high confidence)
Sophos Troj/Zbot-EUA
Comodo TrojWare.Win32.Kryptik.AZRE@4xkxxy
F-Secure Heuristic.HEUR/AGEN.1118839
DrWeb Trojan.Packed.2952
VIPRE Trojan.Win32.Encpk.abf (v)
TrendMicro TSPY_ZBOT.SMODN
Trapmine malicious.high.ml.score
Emsisoft Gen:Variant.Fugrafa.1676 (B)
Ikarus Worm.Win32.Luder
Webroot W32.Infostealer.Zeus
Avira HEUR/AGEN.1118839
MAX malware (ai score=85)
Antiy-AVL Worm/Win32.Luder
Microsoft PWS:Win32/Zbot
Arcabit Trojan.Fugrafa.D68C
ZoneAlarm HEUR:Trojan.Win32.Generic
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Tepfer.R64077
Acronis suspicious
McAfee Agent-FCC!5881A975E8B6
VBA32 BScope.Trojan.Packed
Malwarebytes Backdoor.Agent.RND
TrendMicro-HouseCall TSPY_ZBOT.SMODN
Rising Trojan.Bulta!8.35D (CLOUD)
Yandex Worm.Luder!6Mgks7Bnkgw
SentinelOne DFI - Malicious PE
eGambit Unsafe.AI_Score_79%
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2012-11-30 15:01:12

Imports

Library SETUPAPI.dll:
0x434010 CM_Get_Device_IDW
0x43401c CM_Locate_DevNodeW
0x43402c CM_Get_Parent_Ex
Library KERNEL32.dll:
0x434034 GetProcessHeap
0x434038 GetVersionExA
0x43403c GetThreadLocale
0x434040 FindResourceExW
0x434044 GetCPInfo
0x434048 GetProcAddress
0x43404c OutputDebugStringA
0x434050 GetModuleFileNameW
0x434054 ResetEvent
0x434058 FreeLibrary
0x434060 CreateEventW
0x434068 HeapReAlloc
0x43406c GetSystemInfo
0x434074 SetThreadLocale
0x434078 CreateFileW
0x43407c LoadLibraryA
0x434080 HeapFree
0x434084 GetCurrentProcessId
0x434088 CancelIo
0x43408c DeviceIoControl
0x434098 RaiseException
0x4340b0 GetTickCount
0x4340b4 lstrlenW
0x4340b8 CreateThread
0x4340bc lstrcmpiW
0x4340c0 GetCurrentProcess
0x4340c4 GetLastError
0x4340c8 HeapAlloc
0x4340cc CloseHandle
0x4340d0 GetOverlappedResult
0x4340d4 MultiByteToWideChar
0x4340d8 SizeofResource
0x4340dc LoadResource
0x4340e0 InterlockedExchange
0x4340e8 WaitForSingleObject
0x4340ec LoadLibraryExW
0x4340f0 HeapDestroy
0x4340f4 LockResource
0x4340f8 GlobalAlloc
0x4340fc HeapSize
0x434100 FindResourceW
0x434104 GetDriveTypeW
Library OLE32.dll:
0x43410c CoTaskMemAlloc
0x434114 CoCreateInstance
0x434118 StringFromGUID2
0x43411c CoUninitialize
0x434120 CoGetMalloc
0x434124 CoInitializeEx
0x434128 CoTaskMemRealloc
0x43412c CoTaskMemFree
0x434130 PropVariantClear
Library MSVCRT.dll:
0x434138 __p__commode
0x43413c ??2@YAPAXI@Z
0x434140 __getmainargs
0x434144 _initterm
0x434148 memset
0x43414c ??_V@YAXPAX@Z
0x434154 _onexit
0x434158 _amsg_exit
0x43415c calloc
0x434160 ??_U@YAPAXI@Z
0x434164 _errno
0x434168 realloc
0x43416c ??3@YAXPAX@Z
0x434170 _purecall
0x434174 _unlock
0x434178 _lock
0x43417c _XcptFilter
0x434180 __set_app_type
0x434184 _vsnwprintf
0x434188 malloc
0x43418c _CxxThrowException
0x434190 free
0x434194 __dllonexit
0x434198 exit
Library ADVAPI32.dll:
0x4341a0 RegSetValueExW
0x4341a4 RegOpenKeyExW
0x4341a8 RegDeleteValueW
0x4341ac RegQueryInfoKeyW
0x4341b0 RegisterTraceGuidsW
0x4341b4 RegEnumKeyExW
0x4341b8 RegCloseKey
0x4341c0 TraceMessage
0x4341c4 GetTraceEnableFlags
0x4341cc RegCreateKeyExW
0x4341d0 RegOpenKeyW
0x4341d4 GetTraceEnableLevel
Library SHLWAPI.dll:
0x4341dc SHStrDupW
0x4341e0 PathGetDriveNumberW
Library USER32.dll:
0x4341e8 LoadStringW
0x4341ec UnregisterClassA
0x4341f0 CharNextW
Library SHELL32.dll:
0x4341f8 ShellExecuteExW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.