10
0-day
该样本未表现出任何异常!
重新分析
更多

1d94630382e11c3a21f941a56b843b56a59a3199205c6f877a509e1ae3cf220e

59eb031f2da8ee9d5499c9147c2253fb.exe

分析耗时

89s

最近分析

文件大小

336.0KB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Queries for the computername (3 个事件)
Time & API Arguments Status Return Repeated
1620801151.628249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620801150.909124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620801150.909124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620801150.894124
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)
section CODE
section DATA
section BSS
section .aspack
section .adata
The executable uses a known packer (1 个事件)
packer ASPack v2.12 -> Alexey Solodovnikov
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1620762826.344375
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1620762836.828375
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004d1000
success 0 0
1620762836.859375
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00600000
success 0 0
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\z6NePsMNYPKFwFZAnp3Jk1b1XqKTVW5bWUz.vbs
Drops a binary and executes it (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\z6NePsMNYPKFwFZAnp3Jk1b1XqKTVW5bWUz.vbs
Executes one or more WMI queries (2 个事件)
wmi Select * from Win32_VideoController
wmi Select * from Win32_Processor
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620801151.628124
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (5 个事件)
entropy 7.998449724230893 section {'size_of_data': '0x00024c00', 'virtual_address': '0x00001000', 'entropy': 7.998449724230893, 'name': 'CODE', 'virtual_size': '0x00059000'} description A section with a high entropy has been found
entropy 7.935618705066261 section {'size_of_data': '0x00004600', 'virtual_address': '0x0005a000', 'entropy': 7.935618705066261, 'name': 'DATA', 'virtual_size': '0x0000d000'} description A section with a high entropy has been found
entropy 7.8850047743568945 section {'size_of_data': '0x00000c00', 'virtual_address': '0x00068000', 'entropy': 7.8850047743568945, 'name': '.idata', 'virtual_size': '0x00003000'} description A section with a high entropy has been found
entropy 7.882205762135981 section {'size_of_data': '0x00017a00', 'virtual_address': '0x00074000', 'entropy': 7.882205762135981, 'name': '.rsrc', 'virtual_size': '0x0003a000'} description A section with a high entropy has been found
entropy 0.7820895522388059 description Overall entropy of this PE file is high
Executes one or more WMI queries which can be used to identify virtual machines (1 个事件)
wmi Select * from Win32_Processor
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 185.244.130.194
Wscript.exe initiated network communications indicative of a script based payload download (4 个事件)
Time & API Arguments Status Return Repeated
1620801158.362249
InternetCrackUrlW
url: https://2no.co/1C8u67
flags: 0
success 1 0
1620801159.925249
HttpOpenRequestW
connect_handle: 0x00cc0008
http_version:
flags: 12582912
http_method: GET
referer:
path: /1C8u67
success 13369356 0
1620801159.972249
InternetCrackUrlA
url: https://2no.co
flags: 268435456
success 1 0
1620801160.003249
InternetCrackUrlA
url: https://2no.co
flags: 268435456
success 1 0
Attempts to identify installed AV products by installation directory (6 个事件)
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\McAfee
file C:\ProgramData\Avg
file C:\ProgramData\Doctor Web
file C:\ProgramData\Malwarebytes
wscript.exe-based dropper (JScript, VBS) (1 个事件)
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1620801154.347124
RegSetValueExA
key_handle: 0x0000036c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620801154.347124
RegSetValueExA
key_handle: 0x0000036c
value: °ÄjíF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620801154.347124
RegSetValueExA
key_handle: 0x0000036c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620801154.347124
RegSetValueExW
key_handle: 0x0000036c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620801154.347124
RegSetValueExA
key_handle: 0x00000384
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620801154.347124
RegSetValueExA
key_handle: 0x00000384
value: °ÄjíF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620801154.347124
RegSetValueExA
key_handle: 0x00000384
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620801154.362124
RegSetValueExW
key_handle: 0x00000368
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Network activity contains more than one unique useragent (2 个事件)
process wscript.exe useragent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
process 59eb031f2da8ee9d5499c9147c2253fb.exe useragent Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (6 个事件)
Time & API Arguments Status Return Repeated
1620801158.362249
InternetCrackUrlW
url: https://2no.co/1C8u67
flags: 0
success 1 0
1620801159.925249
HttpOpenRequestW
connect_handle: 0x00cc0008
http_version:
flags: 12582912
http_method: GET
referer:
path: /1C8u67
success 13369356 0
1620801159.972249
InternetCrackUrlA
url: https://2no.co
flags: 268435456
success 1 0
1620801160.003249
InternetCrackUrlA
url: https://2no.co
flags: 268435456
success 1 0
1620801160.269249
send
buffer: !
socket: 896
sent: 1
success 1 0
1620801161.081249
send
buffer:
socket: 1104
sent: 4294967295
failed 4294967295 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2632 called NtSetContextThread to modify thread in remote process 1108
Time & API Arguments Status Return Repeated
1620762839.563375
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4302468
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1108
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2632 resumed a thread in remote process 1108
Time & API Arguments Status Return Repeated
1620762839.594375
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 1108
success 0 0
The process wscript.exe wrote an executable file to disk (1 个事件)
file C:\Windows\SysWOW64\wscript.exe
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (11 个事件)
Time & API Arguments Status Return Repeated
1620762839.172375
NtResumeThread
thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2632
success 0 0
1620762839.531375
CreateProcessInternalW
thread_identifier: 1760
thread_handle: 0x00000198
process_identifier: 2732
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\z6NePsMNYPKFwFZAnp3Jk1b1XqKTVW5bWUz.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000001b0
inherit_handles: 0
success 1 0
1620762839.563375
CreateProcessInternalW
thread_identifier: 420
thread_handle: 0x0000010c
process_identifier: 1108
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\59eb031f2da8ee9d5499c9147c2253fb.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001dc
inherit_handles: 0
success 1 0
1620762839.563375
NtGetContextThread
thread_handle: 0x0000010c
success 0 0
1620762839.563375
NtUnmapViewOfSection
process_identifier: 1108
region_size: 4096
process_handle: 0x000001dc
base_address: 0x00400000
success 0 0
1620762839.563375
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 1108
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000001dc
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1620762839.563375
NtMapViewOfSection
section_handle: 0x000001e0
process_identifier: 1108
commit_size: 4096
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000001dc
allocation_type: 0 ()
section_offset: 0
view_size: 4096
base_address: 0x001e0000
success 0 0
1620762839.563375
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4302468
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1108
success 0 0
1620762839.594375
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 1108
success 0 0
1620801159.972249
NtResumeThread
thread_handle: 0x00000420
suspend_count: 1
process_identifier: 2732
success 0 0
1620801150.909124
NtResumeThread
thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 1108
success 0 0
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-05-30 19:47:55

Imports

Library kernel32.dll:
0x4aefb8 GetProcAddress
0x4aefbc GetModuleHandleA
0x4aefc0 LoadLibraryA
Library user32.dll:
0x4af16f GetKeyboardType
Library advapi32.dll:
0x4af177 RegQueryValueExA
Library oleaut32.dll:
0x4af17f SysFreeString
Library advapi32.dll:
0x4af187 RegQueryValueExA
Library version.dll:
0x4af18f VerQueryValueA
Library gdi32.dll:
0x4af197 UnrealizeObject
Library user32.dll:
0x4af19f WindowFromPoint
Library oleaut32.dll:
0x4af1a7 SafeArrayPtrOfIndex
Library comctl32.dll:
Library winmm.dll:
0x4af1b7 mciSendCommandA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49181 185.244.130.194 80
192.168.56.101 49188 185.244.130.194 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.