SmartHawk

12.0

0-day

19 个模型检测该样本为恶意！

重新分析

下载样本

87eadb32086d7f67adfc95e11b09b5a6418bbab5fc5792b16e13dede852b8282

5f091bfaa3a2703fd0b24ae2d24d8d10.exe

分析耗时

120s

最近分析

文件大小

16.4MB

静态报毒动态报毒 AUSLOGICS FUSIONCORE GENERIC@ML HIGH CONFIDENCE ITCUR JHFP MALWARE@#1D74NW06P5HS8 MARDSM3VTNRRCT8K+Q RDML REDCAP SCORE TWEAK BIT FIXMYPC TWEAKBIT UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba		20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20190820	18.4.3895.0
Kingsoft		20190820	2013.8.14.323
McAfee		20190820	6.0.6.653
Tencent		20190820	1.0.0.1
CrowdStrike		20190212	1.0

Queries for the computername (6 个事件)

Time & API	Arguments	Status	Return
1620772917.1045 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620772919.5575 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620772920.2925 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620772920.3545 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620772495.763146 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620772907.135375 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772878.30725 IsDebuggerPresent		failed	0	0
1620772884.3075 IsDebuggerPresent		failed	0	0
1620772906.276375 IsDebuggerPresent		failed	0	0
1620772906.322875 IsDebuggerPresent		failed	0	0

Command line console output was observed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772906.276375 WriteConsoleA	buffer: Cookie: "E24AE960-E6CF-4F69-B37D-A4E5D4D3F7BD" "TweakBit_pc-repair-kit_E24AE960-E6CF-4F69-B37D-A4E5D4D3F7BD" console_handle: 0x00000007	success	1	0
1620772911.213375 WriteConsoleA	buffer: Find browser: "" console_handle: 0x00000007	success	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 个事件)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

This executable is signed

Tries to locate where the browsers are installed (3 个事件)

file	C:\Program Files\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox ESR

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.itext

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772492.701519 __exception__	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdc5a49d DllGetClassObject-0x699aa browsercarehelper+0x9516 @ 0x2259516 DllGetClassObject-0x69974 browsercarehelper+0x954c @ 0x225954c DllGetClassObject-0x690a2 browsercarehelper+0x9e1e @ 0x2259e1e DllGetClassObject-0x68e5f browsercarehelper+0xa061 @ 0x225a061 DllInstall+0x78ed browsercarehelper+0x7a8dd @ 0x22ca8dd TpAllocTimer+0xb08 RtlInitializeCriticalSectionEx-0x318 ntdll+0x3b0d8 @ 0x77b8b0d8 RtlCreateUnicodeStringFromAsciiz+0xea LdrLoadDll-0x246 ntdll+0x2784a @ 0x77b7784a LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x77b77b2e New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x7480f9f8 LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefdc5a05c regsvr32+0x12c1 @ 0xff7012c1 regsvr32+0x1028 @ 0xff701028 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521 registers.r14: 0 registers.r9: 0 registers.rcx: 2347840 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rdi: 0 registers.r11: 2349456 registers.r8: 0 registers.rdx: 328 registers.rbp: 0 registers.r15: 0 registers.r12: 0 registers.rsp: 2357520 registers.rax: 2011778775 registers.r13: 0 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 42141 exception.address: 0x7fefdc5a49d	success	0	0

Time & API

Arguments

Status

Return

Repeated

1620772492.701519
__exception__

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdc5a49d
DllGetClassObject-0x699aa browsercarehelper+0x9516 @ 0x2259516
DllGetClassObject-0x69974 browsercarehelper+0x954c @ 0x225954c
DllGetClassObject-0x690a2 browsercarehelper+0x9e1e @ 0x2259e1e
DllGetClassObject-0x68e5f browsercarehelper+0xa061 @ 0x225a061
DllInstall+0x78ed browsercarehelper+0x7a8dd @ 0x22ca8dd
TpAllocTimer+0xb08 RtlInitializeCriticalSectionEx-0x318 ntdll+0x3b0d8 @ 0x77b8b0d8
RtlCreateUnicodeStringFromAsciiz+0xea LdrLoadDll-0x246 ntdll+0x2784a @ 0x77b7784a
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x77b77b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x7480f9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefdc5a05c
regsvr32+0x12c1 @ 0xff7012c1
regsvr32+0x1028 @ 0xff701028
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521

registers.r14: 0
registers.r9: 0
registers.rcx: 2347840
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rdi: 0
registers.r11: 2349456
registers.r8: 0
registers.rdx: 328
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 2357520
registers.rax: 2011778775
registers.r13: 0
exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 42141
exception.address: 0x7fefdc5a49d

success

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)

suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://www.google-analytics.com/collect
suspicious_features	GET method with no useragent header				suspicious_request	GET https://tweakbit.com/tools/userdata?product=pc-repair-kit

Performs some HTTP requests (4 个事件)

request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAeYNgOt45kIIZygDCe8imw%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0tOcjGcdlkhVARHvHzj6Qwhh26wQUpI3lvnx55HAjbS4pNK0jWNz1MX8CEAjE82vx2OzwyOlqyq%2BHwZE%3D
request	POST http://www.google-analytics.com/collect
request	GET https://tweakbit.com/tools/userdata?product=pc-repair-kit

Sends data using the HTTP POST Method (1 个事件)

request

POST http://www.google-analytics.com/collect

Allocates read-write-execute memory (usually to unpack itself) (8 个事件)

Time & API	Arguments	Status
1620772878.05725 NtProtectVirtualMemory	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1620772878.05725 NtProtectVirtualMemory	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 69632 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1620772878.05725 NtProtectVirtualMemory	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 344064 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0041b000	success
1620772879.1205 NtAllocateVirtualMemory	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f30000	success
1620772884.3235 NtAllocateVirtualMemory	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x07a00000	success
1620772507.748146 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000007690000	success
1620772492.607519 NtProtectVirtualMemory	process_identifier: 3200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x00000000022e3000	success
1620772492.607519 NtProtectVirtualMemory	process_identifier: 3200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007feff53d000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 个事件)

Time & API	Arguments	Status	Return
1620772884.6825 GetDiskFreeSpaceExW	root_path: C:\Users\Administrator.Oskar-PC\AppData\Roaming\ free_bytes_available: 19429912576 total_number_of_free_bytes: 0 total_number_of_bytes: 34252779520	success	1
1620772916.9635 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\TweakBit\PCRepairKit\ free_bytes_available: 8472884136047574816 total_number_of_free_bytes: 0 total_number_of_bytes: 7023010264907828	failed	0
1620772916.9635 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\TweakBit\ free_bytes_available: 8472884136047574816 total_number_of_free_bytes: 0 total_number_of_bytes: 7023010264907828	failed	0
1620772916.9635 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\ free_bytes_available: 19432448000 total_number_of_free_bytes: 0 total_number_of_bytes: 34252779520	success	1
1620772496.045146 GetDiskFreeSpaceExW	root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer free_bytes_available: 19371761664 total_number_of_free_bytes: 0 total_number_of_bytes: 0	success	1

Steals private information from local Internet browsers (14 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Pepper Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\IndexedDB
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\Application\chrome.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Local Storage
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History-journal
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox ESR
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (14 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\sqlite3.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\reader.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweakBit\PCRepairKit\Uninstall PCRepairKit.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweakBit\PCRepairKit\TweakBit PCRepairKit.lnk
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\CommonForms.Site.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\DefaultBrowserFinder.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\downloader.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\Localizer.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\CFAHelper.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\AxBrowsers.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\WizardHelper.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\GoogleAnalyticsHelper.dll
file	C:\Users\Administrator.Oskar-PC\Desktop\TweakBit PCRepairKit.lnk
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\PCRepairKit.exe

Creates a shortcut to an executable file (5 个事件)

file	C:\Users\Administrator.Oskar-PC\Desktop\TweakBit PCRepairKit.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweakBit\PCRepairKit\TweakBit PCRepairKit.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweakBit\PCRepairKit\TweakBit PCRepairKit on the Web.lnk
file	C:\Users\Public\Desktop\Google Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweakBit\PCRepairKit\Uninstall PCRepairKit.lnk

Creates a suspicious process (1 个事件)

cmdline

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TweakBit\PCRepairKit\BrowserCareHelper.Agent.x64.dll"

Drops a binary and executes it (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\DefaultBrowserFinder.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\reader.exe

Drops an executable to the user AppData folder (9 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\CommonForms.Site.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\PCRepairKit.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\AxComponentsVCL.bpl
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\reader.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\DefaultBrowserFinder.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\GoogleAnalyticsHelper.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\Localizer.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\WizardHelper.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\sqlite3.dll

A process created a hidden window (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772906.0735 ShellExecuteExW	parameters: "TweakBit" "PCRepairKit" "pc-repair-kit" "1.x" filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\DefaultBrowserFinder.exe filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\is-5T7IR.tmp\DefaultBrowserFinder.exe show_type: 0	success	1	0
1620772906.1675 ShellExecuteExW	parameters: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5f091bfaa3a2703fd0b24ae2d24d8d10.exe" "(x32)HKEY_LOCAL_MACHINE\Software\\TweakBit\\PCRepairKit\\1.x\\Settings" filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5T7IR.tmp\reader.exe filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\is-5T7IR.tmp\reader.exe show_type: 0	success	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772884.9325 NtProtectVirtualMemory	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 40960 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x09441000	success	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772886.2135 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Queries for potentially installed applications (8 个事件)

Time & API	Arguments	Status	Return
1620772879.7295 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 options: 0	failed	2
1620772879.7295 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 options: 0	failed	2
1620772904.7925 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000670 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ options: 0	success	0
1620772905.5885 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 options: 0	failed	2
1620772905.7295 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1\ regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1\ options: 0	failed	2
1620772915.7455 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 options: 0	failed	2
1620772915.7455 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AEA8CFE-B238-4D0A-9362-D55F38ECB795}_is1 options: 0	failed	2
1620772906.307375 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x000000fc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ options: 0	success	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Checks the version of Bios, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 个事件)

Cylance	Unsafe
K7AntiVirus	Riskware ( dec002921 )
K7GW	Riskware ( dec002921 )
Cyren	W32/Trojan.JHFP-8908
ESET-NOD32	a variant of Win32/Auslogics.T potentially unwanted
GData	Win32.Application.Tweakbit.A
Avast	Win32:Malware-gen
Rising	Trojan.Generic@ML.100 (RDML:1Vd/mARDsm3VtnRRCT8K+Q)
Comodo	Malware@#1d74nw06p5hs8
F-Secure	Trojan.TR/RedCap.itcur
DrWeb	Program.Unwanted.2790
Sophos	Tweak Bit FixMyPC (PUA)
Avira	TR/RedCap.itcur
Microsoft	PUA:Win32/FusionCore
Endgame	malicious (high confidence)
Malwarebytes	PUP.Optional.TweakBit
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Auslogics.T
AVG	Win32:Malware-gen

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620772888.8075 RegSetValueExA	key_handle: 0x0000048c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620772888.8075 RegSetValueExA	key_handle: 0x0000048c value: pWwf®F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620772888.8075 RegSetValueExA	key_handle: 0x0000048c value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620772888.8075 RegSetValueExW	key_handle: 0x0000048c value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620772888.8075 RegSetValueExA	key_handle: 0x000004a4 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620772888.8075 RegSetValueExA	key_handle: 0x000004a4 value: pWwf®F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620772888.8075 RegSetValueExA	key_handle: 0x000004a4 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620772888.8385 RegSetValueExW	key_handle: 0x00000488 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620772904.6825 RegSetValueExA	key_handle: 0x0000044c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620772904.6825 RegSetValueExA	key_handle: 0x0000044c value: ¬ío®F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620772904.6825 RegSetValueExA	key_handle: 0x0000044c value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620772904.6825 RegSetValueExW	key_handle: 0x0000044c value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620772904.6825 RegSetValueExA	key_handle: 0x00000670 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620772904.6825 RegSetValueExA	key_handle: 0x00000670 value: ¬ío®F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620772904.6825 RegSetValueExA	key_handle: 0x00000670 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 个事件)

dead_host	192.168.56.101:49180
dead_host	172.217.24.14:443
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49183

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2016-04-06 22:39:04

Imports

Library oleaut32.dll:

• 0x419304 SysFreeString

• 0x419308 SysReAllocStringLen

• 0x41930c SysAllocStringLen

Library advapi32.dll:

• 0x419314 RegQueryValueExW

• 0x419318 RegOpenKeyExW

• 0x41931c RegCloseKey

Library user32.dll:

• 0x419324 GetKeyboardType

• 0x419328 LoadStringW

• 0x41932c MessageBoxA

• 0x419330 CharNextW

Library kernel32.dll:

• 0x419338 GetACP

• 0x41933c Sleep

• 0x419340 VirtualFree

• 0x419344 VirtualAlloc

• 0x419348 GetSystemInfo

• 0x41934c GetTickCount

• 0x419350 QueryPerformanceCounter

• 0x419354 GetVersion

• 0x419358 GetCurrentThreadId

• 0x41935c VirtualQuery

• 0x419360 WideCharToMultiByte

• 0x419364 MultiByteToWideChar

• 0x419368 lstrlenW

• 0x41936c lstrcpynW

• 0x419370 LoadLibraryExW

• 0x419374 GetThreadLocale

• 0x419378 GetStartupInfoA

• 0x41937c GetProcAddress

• 0x419380 GetModuleHandleW

• 0x419384 GetModuleFileNameW

• 0x419388 GetLocaleInfoW

• 0x41938c GetCommandLineW

• 0x419390 FreeLibrary

• 0x419394 FindFirstFileW

• 0x419398 FindClose

• 0x41939c ExitProcess

• 0x4193a0 WriteFile

• 0x4193a4 UnhandledExceptionFilter

• 0x4193a8 RtlUnwind

• 0x4193ac RaiseException

• 0x4193b0 GetStdHandle

• 0x4193b4 CloseHandle

Library kernel32.dll:

• 0x4193bc TlsSetValue

• 0x4193c0 TlsGetValue

• 0x4193c4 LocalAlloc

• 0x4193c8 GetModuleHandleW

Library user32.dll:

• 0x4193d0 CreateWindowExW

• 0x4193d4 TranslateMessage

• 0x4193d8 SetWindowLongW

• 0x4193dc PeekMessageW

• 0x4193e0 MsgWaitForMultipleObjects

• 0x4193e4 MessageBoxW

• 0x4193e8 LoadStringW

• 0x4193ec GetSystemMetrics

• 0x4193f0 ExitWindowsEx

• 0x4193f4 DispatchMessageW

• 0x4193f8 DestroyWindow

• 0x4193fc CharUpperBuffW

• 0x419400 CallWindowProcW

Library kernel32.dll:

• 0x419408 WriteFile

• 0x41940c WideCharToMultiByte

• 0x419410 WaitForSingleObject

• 0x419414 VirtualQuery

• 0x419418 VirtualProtect

• 0x41941c VirtualFree

• 0x419420 VirtualAlloc

• 0x419424 SizeofResource

• 0x419428 SignalObjectAndWait

• 0x41942c SetLastError

• 0x419430 SetFilePointer

• 0x419434 SetEvent

• 0x419438 SetErrorMode

• 0x41943c SetEndOfFile

• 0x419440 ResetEvent

• 0x419444 RemoveDirectoryW

• 0x419448 ReadFile

• 0x41944c MultiByteToWideChar

• 0x419450 LockResource

• 0x419454 LoadResource

• 0x419458 LoadLibraryW

• 0x41945c GetWindowsDirectoryW

• 0x419460 GetVersionExW

• 0x419464 GetVersion

• 0x419468 GetUserDefaultLangID

• 0x41946c GetThreadLocale

• 0x419470 GetSystemInfo

• 0x419474 GetSystemDirectoryW

• 0x419478 GetStdHandle

• 0x41947c GetProcAddress

• 0x419480 GetModuleHandleW

• 0x419484 GetModuleFileNameW

• 0x419488 GetLocaleInfoW

• 0x41948c GetLastError

• 0x419490 GetFullPathNameW

• 0x419494 GetFileSize

• 0x419498 GetFileAttributesW

• 0x41949c GetExitCodeProcess

• 0x4194a0 GetEnvironmentVariableW

• 0x4194a4 GetDiskFreeSpaceW

• 0x4194a8 GetCurrentProcess

• 0x4194ac GetCommandLineW

• 0x4194b0 GetCPInfo

• 0x4194b4 InterlockedExchange

• 0x4194b8 InterlockedCompareExchange

• 0x4194bc FreeLibrary

• 0x4194c0 FormatMessageW

• 0x4194c4 FindResourceW

• 0x4194c8 EnumCalendarInfoW

• 0x4194cc DeleteFileW

• 0x4194d0 CreateProcessW

• 0x4194d4 CreateFileW

• 0x4194d8 CreateEventW

• 0x4194dc CreateDirectoryW

• 0x4194e0 CloseHandle

Library advapi32.dll:

• 0x4194e8 RegQueryValueExW

• 0x4194ec RegOpenKeyExW

• 0x4194f0 RegCloseKey

• 0x4194f4 OpenProcessToken

• 0x4194f8 LookupPrivilegeValueW

Library comctl32.dll:

• 0x419500 InitCommonControls

Library kernel32.dll:

• 0x419508 Sleep

Library advapi32.dll:

• 0x419510 AdjustTokenPrivileges

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
www.google-analytics.com	CNAME www-google-analytics.l.google.com A 58.63.233.33	58.63.233.33
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 216.58.200.78	216.58.200.78
tweakbit.com	A 104.237.131.139	104.237.131.139
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
ocsp.digicert.com	A 93.184.220.29 CNAME cs9.wac.phicdn.net	93.184.220.29
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49181	104.237.131.139 tweakbit.com	443
192.168.56.101	49180	216.58.200.78 clients2.google.com	443
192.168.56.101	49183	216.58.200.78 clients2.google.com	443
192.168.56.101	49188	216.58.200.78 clients2.google.com	443
192.168.56.101	49201	216.58.200.78 clients2.google.com	443
192.168.56.101	49206	216.58.200.78 clients2.google.com	443
192.168.56.101	49207	216.58.200.78 clients2.google.com	443
192.168.56.101	49210	216.58.200.78 clients2.google.com	443
192.168.56.101	49212	216.58.200.78 clients2.google.com	443
192.168.56.101	49214	216.58.200.78 clients2.google.com	443
192.168.56.101	49191	58.63.233.33 www.google-analytics.com	80
192.168.56.101	49182	93.184.220.29 ocsp.digicert.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	54178	224.0.0.252	5355
192.168.56.101	54260	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57236	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://www.google-analytics.com/collect	POST /collect HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: www.google-analytics.com Content-Length: 133 Cache-Control: no-cache v=1&tid=UA-49608409-13&cid={591317AF-3865-486F-A668-ABC02F5D1EB1}&t=event&ec=1.8.4.6_ui_lite&ea=Installer_Install_1_Init*&el=enu&ev=0
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0tOcjGcdlkhVARHvHzj6Qwhh26wQUpI3lvnx55HAjbS4pNK0jWNz1MX8CEAjE82vx2OzwyOlqyq%2BHwZE%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0tOcjGcdlkhVARHvHzj6Qwhh26wQUpI3lvnx55HAjbS4pNK0jWNz1MX8CEAjE82vx2OzwyOlqyq%2BHwZE%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com
http://www.google-analytics.com/collect	POST /collect HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: www.google-analytics.com Content-Length: 136 Cache-Control: no-cache v=1&tid=UA-49608409-18&cid={591317AF-3865-486F-A668-ABC02F5D1EB1}&t=event&ec=1.8.4.6_ui_lite&ea=installer_launched_lite*&el=ui_lite&ev=0
http://www.google-analytics.com/collect	POST /collect HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: www.google-analytics.com Content-Length: 133 Cache-Control: no-cache v=1&tid=UA-49608409-18&cid={591317AF-3865-486F-A668-ABC02F5D1EB1}&t=event&ec=1.8.4.6_ui_lite&ea=install_started_lite*&el=ui_lite&ev=0
http://www.google-analytics.com/collect	POST /collect HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: www.google-analytics.com Content-Length: 159 Cache-Control: no-cache v=1&tid=UA-49608409-13&cid={591317AF-3865-486F-A668-ABC02F5D1EB1}&t=event&ec=1.8.4.6_ui_lite&ea=Installer_SystemInfo_OS*&el=Windows 7 x64, 800x600, 32, 96&ev=0
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAeYNgOt45kIIZygDCe8imw%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAeYNgOt45kIIZygDCe8imw%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com
http://www.google-analytics.com/collect	POST /collect HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: www.google-analytics.com Content-Length: 147 Cache-Control: no-cache v=1&tid=UA-49608409-13&cid={591317AF-3865-486F-A668-ABC02F5D1EB1}&t=event&ec=1.8.4.6_ui_lite&ea=Installer_SystemInfo_Browser*&el=Google Chrome&ev=0
http://www.google-analytics.com/collect	POST /collect HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: www.google-analytics.com Content-Length: 140 Cache-Control: no-cache v=1&tid=UA-49608409-13&cid={591317AF-3865-486F-A668-ABC02F5D1EB1}&t=event&ec=1.8.4.6_ui_lite&ea=Installer_Install_2_FileCopyInit&el=Yes&ev=0

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.