7.6
High risk

8d3e1524f58f0432d0031b49218350faf5f936e1eb7b0394c58e316337e2c831

5e4f6f9342dd61cb750a2bf2462e82a9.exe

Analysis duration

92s

Latest analysis

File size

2.5MB
Static detections / Dynamic detections: 100% ATTRIBUTE BSCOPE CONFIDENCE DGZLOGVDSWKF4HYRYW ELDORADO FLYSTUDIO GRAYWARE HACKTOOL HIGHCONFIDENCE LNCT MALICIOUS PE MODERATE MODERATE CONFIDENCE SCORE TONMYE UNSAFE
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 engine detection results yet
Static verdict
Antivirus engines
Engine Result Date Version
McAfee 20190626 6.0.6.653
CrowdStrike win/malicious_confidence_100% (D) 20190212 1.0
Baidu 20190318 1.0.0.2
Alibaba 20190527 0.3.0.5
Kingsoft 20190626 2013.8.14.323
Tencent 20190626 1.0.0.1
Avast 20190626 18.4.3895.0
Static indicators
The executable uses a known packer (1 event)
packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name TEXTINCLUDE
resource name WAVE
Behavioral verdict
Dynamic indicators
Performs some HTTP requests (10 events)
request GET http://wpa.qq.com/pa?p=2:3300138363:41
request GET http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
request GET http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEAWVZ9XVvXmt3%2BlanInd0PE%3D
request GET http://pub.idqqimg.com/qconn/wpa/button/button_11.gif
request GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
request GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEA1FKMVdJ6wGke4ziXRF0c4%3D
request GET http://wpa.qq.com/pa?p=2:2104863141:41
request GET https://wpa.qq.com/pa?p=2:3300138363:41
request GET https://pub.idqqimg.com/qconn/wpa/button/button_11.gif
request GET https://wpa.qq.com/pa?p=2:2104863141:41
Allocates read-write-execute memory (usually to unpack itself) (50 out of 65 events)
Foreign language identified in PE resource (50 out of 57 events)
name TEXTINCLUDE language LANG_CHINESE offset 0x005f9e80 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000151
name WAVE language LANG_CHINESE offset 0x005f9fd4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00001448
name RT_CURSOR language LANG_CHINESE offset 0x005fb9a0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000134
name RT_BITMAP language LANG_CHINESE offset 0x005fd294 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000144
name RT_MENU language LANG_CHINESE offset 0x0060826c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000284
name RT_DIALOG language LANG_CHINESE offset 0x006094b4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000018c
name RT_STRING language LANG_CHINESE offset 0x00609efc filetype PGP\011Secret Sub-key - sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000024
name RT_GROUP_CURSOR language LANG_CHINESE offset 0x00609f70 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000022
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620762726.380186
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.911185240941805 section {'size_of_data': '0x0027f400', 'virtual_address': '0x0038f000', 'entropy': 7.911185240941805, 'name': 'UPX1', 'virtual_size': '0x00280000'} description A section with a high entropy has been found
entropy 0.9813855306083286 description Overall entropy of this PE file is high
The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Network communication
Communicates with host for which no DNS query was performed (5 events)
host 104.17.37.25
host 124.225.105.97
host 151.139.128.14
host 172.217.24.14
host 205.185.208.154
Queries information on disks, possibly for anti-virtualization (2 events)
Time & API Arguments Status Return Repeated
1620762725.692186
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000244
filepath: \??\PhysicalDrive0
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 1 (FILE_OPENED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1620762725.708186
DeviceIoControl
input_buffer: SCSIDISK'ì
device_handle: 0x00000244
control_code: 315400 ()
output_buffer: <INVALID POINTER>
failed 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 events)
Time & API Arguments Status Return Repeated
1620762731.911186
RegSetValueExA
key_handle: 0x000003cc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620762731.911186
RegSetValueExA
key_handle: 0x000003cc
value: Pî¡F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620762731.911186
RegSetValueExA
key_handle: 0x000003cc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620762731.911186
RegSetValueExW
key_handle: 0x000003cc
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620762731.911186
RegSetValueExA
key_handle: 0x000003e4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620762731.911186
RegSetValueExA
key_handle: 0x000003e4
value: Pî¡F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620762731.911186
RegSetValueExA
key_handle: 0x000003e4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620762731.942186
RegSetValueExW
key_handle: 0x000003c8
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1620762774.411186
RegSetValueExA
key_handle: 0x00000680
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620762774.411186
RegSetValueExA
key_handle: 0x00000680
value: À=M¢F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620762774.427186
RegSetValueExA
key_handle: 0x00000680
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620762774.427186
RegSetValueExW
key_handle: 0x00000680
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620762774.427186
RegSetValueExA
key_handle: 0x000006a4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620762774.427186
RegSetValueExA
key_handle: 0x000006a4
value: À=M¢F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620762774.427186
RegSetValueExA
key_handle: 0x000006a4
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Network activity contains more than one unique useragent (2 events)
process 5e4f6f9342dd61cb750a2bf2462e82a9.exe useragent cctv.mtv
process 5e4f6f9342dd61cb750a2bf2462e82a9.exe useragent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)
FireEye Generic.mg.5e4f6f9342dd61cb
CAT-QuickHeal Downloader.AdLoad.12395
Cylance Unsafe
AegisLab Trojan.Win32.Patched.lnCt
CrowdStrike win/malicious_confidence_100% (D)
F-Prot W32/Trojan.CLL.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Rising Trojan.Tonmye!8.510 (TFE:dGZlOgVdSWkf4hYryw)
Endgame malicious (moderate confidence)
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Generic.vc
Trapmine malicious.moderate.ml.score
SentinelOne DFI - Malicious PE
Cyren W32/Trojan.CLL.gen!Eldorado
Antiy-AVL GrayWare/Win32.FlyStudio.a
Microsoft Trojan:Win32/Tonmye.gen!A
GData Win32.Application.FlyStudio.F
Acronis suspicious
VBA32 BScope.Trojan.FlyStudio
ESET-NOD32 a variant of Win32/Packed.FlyStudio.AA potentially unwanted
eGambit HackTool.Generic
Fortinet W32/Agent.65CA!tr
Cybereason malicious.851ec4
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)
dead_host 172.217.24.14:443
dead_host 124.225.105.97:80
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

2019-06-25 20:19:52

Imports

Library KERNEL32.DLL:
0xa1aefc LoadLibraryA
0xa1af00 GetProcAddress
0xa1af04 VirtualProtect
0xa1af08 VirtualAlloc
0xa1af0c VirtualFree
0xa1af10 ExitProcess
Library ADVAPI32.dll:
0xa1af18 RegCloseKey
Library AVIFIL32.dll:
0xa1af20 AVIStreamInfoA
Library COMCTL32.dll:
0xa1af28
Library comdlg32.dll:
0xa1af30 ChooseFontA
Library GDI32.dll:
0xa1af38 PatBlt
Library MSVFW32.dll:
0xa1af40 DrawDibDraw
Library ole32.dll:
0xa1af48 OleRun
Library OLEAUT32.dll:
Library oledlg.dll:
0xa1af58
Library RASAPI32.dll:
0xa1af60 RasHangUpA
Library SHELL32.dll:
0xa1af68 ShellExecuteA
Library USER32.dll:
0xa1af70 GetDC
Library WININET.dll:
0xa1af78 InternetOpenA
Library WINMM.dll:
0xa1af80 PlaySoundA
Library WINSPOOL.DRV:
0xa1af88 ClosePrinter
Library WS2_32.dll:
0xa1af90 WSACleanup
Library WSOCK32.dll:
0xa1af98 getservbyname

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
104.17.37.25 80 192.168.56.101 49199
192.168.56.101 49184 110.81.153.149 pub.idqqimg.com 80
192.168.56.101 49185 110.81.153.149 pub.idqqimg.com 443
192.168.56.101 49177 14.215.158.24 wpa.qq.com 80
192.168.56.101 49178 14.215.158.24 wpa.qq.com 443
192.168.56.101 49186 58.216.118.230 ocsp.digicert.cn 80
192.168.56.101 49179 58.216.4.242 ocsp.dcocsp.cn 80
205.185.208.154 443 192.168.56.101 49242
205.185.208.154 443 192.168.56.101 49243

UDP

Source Source Port Destination Destination Port
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57367 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 50849 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53500 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 55169 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.cn

http://pub.idqqimg.com/qconn/wpa/button/button_11.gif
GET /qconn/wpa/button/button_11.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Cache-Control: no-cache
Connection: Keep-Alive
Host: pub.idqqimg.com

http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEA1FKMVdJ6wGke4ziXRF0c4%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEA1FKMVdJ6wGke4ziXRF0c4%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.cn

http://wpa.qq.com/pa?p=2:3300138363:41
GET /pa?p=2:3300138363:41 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: wpa.qq.com
Cache-Control: no-cache

http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEAWVZ9XVvXmt3%2BlanInd0PE%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEAWVZ9XVvXmt3%2BlanInd0PE%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.dcocsp.cn

http://wpa.qq.com/pa?p=2:2104863141:41
GET /pa?p=2:2104863141:41 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: wpa.qq.com
Cache-Control: no-cache

http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.dcocsp.cn

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.