SmartHawk

5.6

高危

4 个模型检测该样本为恶意！

重新分析

下载样本

87e0811035a8a79a2a871a8c6e97e53298ce3f9c83ca9b7a4673d17dbb4b4465

5e92d2a93375184b4e2a890ea1234978.exe

分析耗时

83s

最近分析

文件大小

803.3KB

静态报毒动态报毒 R306257 SCORE SUSGEN UNSAFE

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
CrowdStrike	20210203	1.0
Alibaba	20190527	0.3.0.5
Baidu	20190318	1.0.0.2
Avast	20210427	21.1.5827.0
Tencent	20210427	1.0.0.1
Kingsoft	20210427	2017.9.26.565
McAfee	20210427	6.0.6.653

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1620762797.6095 GetComputerNameA	computer_name: OSKAR-PC	success	1
1620762797.6255 GetComputerNameA	computer_name: OSKAR-PC	success	1
1620762797.6405 GetComputerNameA	computer_name: OSKAR-PC	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable is signed

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

AVI

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 个事件)

Webroot	W32.Trojan.Gen
eGambit	Unsafe.AI_Score_86%
AhnLab-V3	PUP/Win32.RL_Generic.R306257
MaxSecure	Trojan.Malware.74483506.susgen

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762797.5945 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (2 个事件)

host	113.108.239.196
host	172.217.24.14

Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Appends a known multi-family ransomware file extension to files that have been encrypted (1 个事件)

file	C:\ProgramData\1C631DA0.lock

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (4 个事件)

Time & API	Arguments	Status	Return
1620762797.6255 CryptHashData	buffer: OSKAR-PCFEE7D62138C63B41 flags: 0 hash_handle: 0x00561b30	success	1
1620762797.6255 CryptHashData	buffer: OSKAR-PCFEE7D62138C63B41 flags: 0 hash_handle: 0x00561b30	success	1
1620762797.6255 CryptHashData	buffer: OSKAR-PC51718C0738C63B41 flags: 0 hash_handle: 0x005630a0	success	1
1620762797.6255 CryptHashData	buffer: OSKAR-PC51718C0738C63B41 flags: 0 hash_handle: 0x005630a0	success	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-08-01 17:58:12

Imports

Library KERNEL32.dll:

• 0x43c090 CreateMutexA

• 0x43c094 Module32First

• 0x43c098 FindClose

• 0x43c09c FindNextFileW

• 0x43c0a0 DeleteFileW

• 0x43c0a4 MoveFileExW

• 0x43c0a8 FindFirstFileW

• 0x43c0ac MultiByteToWideChar

• 0x43c0b0 GetTickCount

• 0x43c0b4 HeapFree

• 0x43c0b8 HeapAlloc

• 0x43c0bc GetProcessHeap

• 0x43c0c0 LocalFree

• 0x43c0c4 GetVolumeInformationW

• 0x43c0c8 GetSystemDirectoryW

• 0x43c0cc CreateDirectoryA

• 0x43c0d0 CreateFileA

• 0x43c0d4 TerminateProcess

• 0x43c0d8 FormatMessageA

• 0x43c0dc ProcessIdToSessionId

• 0x43c0e0 GetVersion

• 0x43c0e4 OpenMutexA

• 0x43c0e8 GetLocaleInfoW

• 0x43c0ec SetConsoleCtrlHandler

• 0x43c0f0 ReadFile

• 0x43c0f4 SetEndOfFile

• 0x43c0f8 GetOEMCP

• 0x43c0fc GetACP

• 0x43c100 IsBadCodePtr

• 0x43c104 IsBadReadPtr

• 0x43c108 WaitForSingleObject

• 0x43c10c ReadProcessMemory

• 0x43c110 ExitThread

• 0x43c114 VirtualQueryEx

• 0x43c118 GetComputerNameA

• 0x43c11c CreateThread

• 0x43c120 Sleep

• 0x43c124 GetSystemDirectoryA

• 0x43c128 Process32First

• 0x43c12c Process32Next

• 0x43c130 ResumeThread

• 0x43c134 CreateToolhelp32Snapshot

• 0x43c138 Thread32First

• 0x43c13c OpenThread

• 0x43c140 TerminateThread

• 0x43c144 SuspendThread

• 0x43c148 Thread32Next

• 0x43c14c OpenProcess

• 0x43c150 GetProcAddress

• 0x43c154 WinExec

• 0x43c158 MoveFileExA

• 0x43c15c CopyFileA

• 0x43c160 WritePrivateProfileStringA

• 0x43c164 GetPrivateProfileStringA

• 0x43c168 DeleteFileA

• 0x43c16c GetVersionExA

• 0x43c170 GetLastError

• 0x43c174 DuplicateHandle

• 0x43c178 SetLastError

• 0x43c17c CreateProcessA

• 0x43c180 CloseHandle

• 0x43c184 GetLocalTime

• 0x43c188 GetModuleHandleA

• 0x43c18c GetCurrentProcess

• 0x43c190 FlushFileBuffers

• 0x43c194 SetStdHandle

• 0x43c198 SetFilePointer

• 0x43c19c LoadLibraryA

• 0x43c1a0 GetVolumeInformationA

• 0x43c1a4 GetStringTypeW

• 0x43c1a8 GetStringTypeA

• 0x43c1ac GetUserDefaultLCID

• 0x43c1b0 EnumSystemLocalesA

• 0x43c1b4 GetLocaleInfoA

• 0x43c1b8 IsValidCodePage

• 0x43c1bc IsValidLocale

• 0x43c1c0 WriteFile

• 0x43c1c4 GetFileType

• 0x43c1c8 GetStdHandle

• 0x43c1cc SetHandleCount

• 0x43c1d0 GetEnvironmentStringsW

• 0x43c1d4 GetEnvironmentStrings

• 0x43c1d8 FreeEnvironmentStringsW

• 0x43c1dc WideCharToMultiByte

• 0x43c1e0 RtlUnwind

• 0x43c1e4 MoveFileA

• 0x43c1e8 ExitProcess

• 0x43c1ec RaiseException

• 0x43c1f0 GetStartupInfoA

• 0x43c1f4 GetCommandLineA

• 0x43c1f8 HeapReAlloc

• 0x43c1fc LCMapStringA

• 0x43c200 LCMapStringW

• 0x43c204 GetCPInfo

• 0x43c208 CompareStringA

• 0x43c20c CompareStringW

• 0x43c210 GetTimeZoneInformation

• 0x43c214 HeapDestroy

• 0x43c218 HeapCreate

• 0x43c21c VirtualFree

• 0x43c220 VirtualAlloc

• 0x43c224 IsBadWritePtr

• 0x43c228 SetUnhandledExceptionFilter

• 0x43c22c HeapSize

• 0x43c230 UnhandledExceptionFilter

• 0x43c234 GetModuleFileNameA

• 0x43c238 FreeEnvironmentStringsA

• 0x43c23c SetEnvironmentVariableA

Library USER32.dll:

• 0x43c270 SetTimer

• 0x43c274 DialogBoxParamA

• 0x43c278 EndDialog

• 0x43c27c SendMessageA

• 0x43c280 LoadBitmapA

• 0x43c284 GetDlgItem

• 0x43c288 SetWindowTextA

Library GDI32.dll:

• 0x43c07c SetBkColor

• 0x43c080 CreateFontA

• 0x43c084 CreatePen

• 0x43c088 SetTextColor

Library ADVAPI32.dll:

• 0x43c000 CloseServiceHandle

• 0x43c004 RegQueryValueExA

• 0x43c008 RegOpenKeyExA

• 0x43c00c CryptAcquireContextA

• 0x43c010 CryptCreateHash

• 0x43c014 CryptHashData

• 0x43c018 CryptGetHashParam

• 0x43c01c CryptDestroyHash

• 0x43c020 CryptReleaseContext

• 0x43c024 SetNamedSecurityInfoA

• 0x43c028 AllocateAndInitializeSid

• 0x43c02c SetEntriesInAclA

• 0x43c030 FreeSid

• 0x43c034 EnumDependentServicesA

• 0x43c038 OpenSCManagerA

• 0x43c03c OpenServiceA

• 0x43c040 QueryServiceStatusEx

• 0x43c044 ControlService

• 0x43c048 InitializeSecurityDescriptor

• 0x43c04c SetSecurityDescriptorDacl

• 0x43c050 GetTokenInformation

• 0x43c054 LookupAccountSidA

• 0x43c058 GetUserNameA

• 0x43c05c OpenProcessToken

• 0x43c060 LookupPrivilegeValueA

• 0x43c064 AdjustTokenPrivileges

• 0x43c068 RegOpenKeyA

• 0x43c06c RegCloseKey

Library SHELL32.dll:

• 0x43c24c ShellExecuteExA

• 0x43c250 SHGetSpecialFolderPathA

Library COMCTL32.dll:

• 0x43c074

Library SHLWAPI.dll:

• 0x43c258 StrStrIA

• 0x43c25c PathFileExistsA

• 0x43c260 PathFindFileNameA

• 0x43c264 PathRemoveFileSpecA

• 0x43c268 SHGetValueA

Library PSAPI.DLL:

• 0x43c244 GetModuleFileNameExA

Library WTSAPI32.dll:

• 0x43c29c WTSQuerySessionInformationA

• 0x43c2a0 WTSFreeMemory

Library WS2_32.dll:

• 0x43c290 ntohl

• 0x43c294 ntohs

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	216.58.200.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.