SmartHawk

5.2

中危

60 个模型检测该样本为恶意！

重新分析

下载样本

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461

62ae12ef05bb6ad38cf30d8c35efd416.exe

分析耗时

81s

最近分析

文件大小

994.0KB

静态报毒动态报毒 100% AI SCORE=100 AIDETECTVM AMNESIAE BSCOPE CLASSIC CONFIDENCE DEEPSCAN DELSHAD ELDORADO FILECODER GENCIRC GENETIC HIGH CONFIDENCE HRLNKM MALWARE1 MALWARE@#OAK5LEQA449F OUROBOROS R002C0PHE20 R340210 RANSOMX SCORE SUSGEN UNSAFE UW@AOG8T@KI VOIDCRYPT VTOYI Y0THD ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	RDN/Ransom	20201103	6.0.6.653
Alibaba	Ransom:Win32/Ouroboros.bb5cd198	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:RansomX-gen [Ransom]	20201103	20.10.5736.0
Tencent	Malware.Win32.Gencirc.11af375e	20201103	1.0.0.1
Kingsoft		20201103	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Command line console output was observed (22 个事件)

Time & API	Arguments	Status	Return
1620964069.627375 WriteConsoleW	buffer: 服务名无效。 console_handle: 0x0000000b	success	1
1620964069.674375 WriteConsoleW	buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。 console_handle: 0x0000000b	success	1
1620964074.8925 WriteConsoleW	buffer: 服务名无效。 console_handle: 0x0000000b	success	1
1620964074.8925 WriteConsoleW	buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。 console_handle: 0x0000000b	success	1
1620964079.15875 WriteConsoleW	buffer: 服务名无效。 console_handle: 0x0000000b	success	1
1620964079.15875 WriteConsoleW	buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。 console_handle: 0x0000000b	success	1
1620964083.51725 WriteConsoleW	buffer: 服务名无效。 console_handle: 0x0000000b	success	1
1620964083.51725 WriteConsoleW	buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。 console_handle: 0x0000000b	success	1
1620964088.017875 WriteConsoleW	buffer: 没有启动 Distributed Transaction Coordinator 服务。 console_handle: 0x0000000b	success	1
1620964088.017875 WriteConsoleW	buffer: 请键入 NET HELPMSG 3521 以获得更多的帮助。 console_handle: 0x0000000b	success	1
1620964091.68975 WriteConsoleW	buffer: 'bcdedit' 不是内部或外部命令，也不是可运行的程序或批处理文件。 console_handle: 0x0000000b	success	1
1620964093.330125 WriteConsoleW	buffer: 'bcdedit' 不是内部或外部命令，也不是可运行的程序或批处理文件。 console_handle: 0x0000000b	success	1
1620964095.049875 WriteConsoleW	buffer: 'wbadmin' 不是内部或外部命令，也不是可运行的程序或批处理文件。 console_handle: 0x0000000b	success	1
1620964097.674 WriteConsoleW	buffer: 服务名无效。 console_handle: 0x0000000b	success	1
1620964097.674 WriteConsoleW	buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。 console_handle: 0x0000000b	success	1
1620964103.080125 WriteConsoleW	buffer: 服务名无效。 console_handle: 0x0000000b	success	1
1620964103.095125 WriteConsoleW	buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。 console_handle: 0x0000000b	success	1
1620964109.439125 WriteConsoleW	buffer: 没有启动 Virtual Disk 服务。 console_handle: 0x0000000b	success	1
1620964109.439125 WriteConsoleW	buffer: 请键入 NET HELPMSG 3521 以获得更多的帮助。 console_handle: 0x0000000b	success	1
1620964117.1585 WriteConsoleA	buffer: È·¶¨¡£ console_handle: 0x00000007	success	1
1620964123.40875 WriteConsoleA	buffer: ÖØÒªÐÅÏ¢: ÒÑ³É¹¦Ö´ÐÐÃüÁî¡£ µ«²»ÔÞ³ÉÊ¹ÓÃ "netsh firewall"£» ¶øÓ¦¸ÃÊ¹ÓÃ "netsh advfirewall firewall"¡£ ÓÐ¹ØÊ¹ÓÃ "netsh advfirewall firewall" ÃüÁî ¶ø·Ç "netsh firewall" µÄÏêÏ¸ÐÅÏ¢£¬Çë²ÎÔÄ http://go.microsoft.com/fwlink/?linkid=121488 ÉÏµÄ KB ÎÄÕÂ 947709¡£ console_handle: 0x00000007	success	1
1620964123.40875 WriteConsoleA	buffer: È·¶¨¡£ console_handle: 0x00000007	success	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620964126.439125 GetDiskFreeSpaceExW	root_path: C:\ free_bytes_available: 19596120064 total_number_of_free_bytes: 19596120064 total_number_of_bytes: 34252779520	success	1	0

Creates a suspicious process (12 个事件)

cmdline	C:\Windows\system32\cmd.exe /c net stop MSDTC
cmdline	C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
cmdline	C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
cmdline	C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmdline	C:\Windows\system32\cmd.exe /c net stop vds
cmdline	C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
cmdline	C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
cmdline	C:\Windows\system32\cmd.exe /c net stop SQLWriter
cmdline	C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
cmdline	C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
cmdline	C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
cmdline	C:\Windows\system32\cmd.exe /c net stop SQLBrowser

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620964126.314125 Process32NextW	process_name: conhost.exe snapshot_handle: 0x0000006c process_identifier: 3996	success	1	0
1620964126.314125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000006c process_identifier: 3172	success	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (9 个事件)

Time & API	Arguments	Status
1620964126.314125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000006c process_identifier: 3172	failed
1620964126.345125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000002c process_identifier: 3172	failed
1620964126.377125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000006c process_identifier: 3172	failed
1620964126.392125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000002c process_identifier: 3172	failed
1620964126.392125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000006c process_identifier: 3172	failed
1620964126.408125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000002c process_identifier: 3172	failed
1620964126.424125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000006c process_identifier: 3172	failed
1620964126.424125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000002c process_identifier: 3172	failed
1620964126.439125 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000006c process_identifier: 3172	failed

Uses Windows utilities for basic Windows functionality (18 个事件)

cmdline	C:\Windows\system32\cmd.exe /c net stop MSDTC
cmdline	net stop SQLSERVERAGENT
cmdline	net stop MSSQL$CONTOSO1
cmdline	net stop vds
cmdline	netsh firewall set opmode mode=disable
cmdline	C:\Windows\system32\cmd.exe /c net stop vds
cmdline	C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
cmdline	netsh advfirewall set currentprofile state off
cmdline	net stop MSDTC
cmdline	C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
cmdline	C:\Windows\system32\cmd.exe /c net stop SQLWriter
cmdline	net stop MSSQLSERVER
cmdline	net stop SQLBrowser
cmdline	C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
cmdline	C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
cmdline	C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
cmdline	C:\Windows\system32\cmd.exe /c net stop SQLBrowser
cmdline	net stop SQLWriter

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Operates on local firewall's policies and settings (2 个事件)

cmdline	netsh advfirewall set currentprofile state off
cmdline	C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off

Modifies boot configuration settings (2 个事件)

command	c:\windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
command	c:\windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	DeepScan:Generic.Ransom.AmnesiaE.D96CE88E
FireEye	Generic.mg.62ae12ef05bb6ad3
CAT-QuickHeal	Trojanransom.Generic
McAfee	RDN/Ransom
Cylance	Unsafe
Zillya	Trojan.Filecoder.Win32.15618
Sangfor	Malware
K7AntiVirus	Trojan ( 005640be1 )
Alibaba	Ransom:Win32/Ouroboros.bb5cd198
K7GW	Trojan ( 005640be1 )
Cybereason	malicious.f05bb6
Arcabit	DeepScan:Generic.Ransom.AmnesiaE.D96CE88E
TrendMicro	TROJ_GEN.R002C0PHE20
Cyren	W32/Ransom.MQ.gen!Eldorado
Symantec	Downloader
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Ransom.Win32.Generic
BitDefender	DeepScan:Generic.Ransom.AmnesiaE.D96CE88E
NANO-Antivirus	Trojan.Win32.Encoder.hrlnkm
Avast	Win32:RansomX-gen [Ransom]
Tencent	Malware.Win32.Gencirc.11af375e
Ad-Aware	DeepScan:Generic.Ransom.AmnesiaE.D96CE88E
Sophos	Mal/Generic-S
Comodo	Malware@#oak5leqa449f
F-Secure	Trojan.TR/FileCoder.vtoyi
DrWeb	Trojan.Encoder.32312
VIPRE	Trojan.Win32.Generic!BT
Invincea	Mal/Generic-S
McAfee-GW-Edition	RDN/Ransom
Emsisoft	DeepScan:Generic.Ransom.AmnesiaE.D96CE88E (B)
Ikarus	Trojan-Ransom.Ouroboros
Jiangmin	Trojan.DelShad.fq
eGambit	Unsafe.AI_Score_99%
Avira	TR/FileCoder.vtoyi
Antiy-AVL	Trojan[Ransom]/Win32.Ouroboros
Gridinsoft	Ransom.Win32.Ransom.oa
Microsoft	Ransom:Win32/Ouroboros.SBR!MTB
ZoneAlarm	HEUR:Trojan-Ransom.Win32.Generic
GData	DeepScan:Generic.Ransom.AmnesiaE.D96CE88E
Cynet	Malicious (score: 90)
AhnLab-V3	Trojan/Win32.RL_FileCoder.R340210
BitDefenderTheta	Gen:NN.ZexaF.34590.!uW@aOg8T@ki
ALYac	Trojan.Ransom.VoidCrypt
MAX	malware (ai score=100)
VBA32	BScope.Trojan.DelShad
Malwarebytes	Ransom.Ouroboros
ESET-NOD32	a variant of Win32/Filecoder.Ouroboros.E

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-31 08:50:30

Imports

Library KERNEL32.dll:

• 0x4b8010 TerminateProcess

• 0x4b8014 GetDriveTypeA

• 0x4b8018 FindClose

• 0x4b801c OpenProcess

• 0x4b8020 CreateToolhelp32Snapshot

• 0x4b8024 Process32Next

• 0x4b8028 CloseHandle

• 0x4b802c FreeConsole

• 0x4b8030 lstrcmpW

• 0x4b8034 GetLastError

• 0x4b8038 SetLastError

• 0x4b803c QueryPerformanceCounter

• 0x4b8040 QueryPerformanceFrequency

• 0x4b8044 GetCurrentThread

• 0x4b8048 GetThreadTimes

• 0x4b804c SetEndOfFile

• 0x4b8050 WriteConsoleW

• 0x4b8054 FindNextFileW

• 0x4b8058 SetEnvironmentVariableA

• 0x4b805c FreeEnvironmentStringsW

• 0x4b8060 GetEnvironmentStringsW

• 0x4b8064 GetOEMCP

• 0x4b8068 IsValidCodePage

• 0x4b806c FindNextFileA

• 0x4b8070 FindFirstFileExA

• 0x4b8074 HeapSize

• 0x4b8078 HeapReAlloc

• 0x4b807c SetFilePointerEx

• 0x4b8080 ReadConsoleW

• 0x4b8084 ReadFile

• 0x4b8088 SetStdHandle

• 0x4b808c CreateProcessA

• 0x4b8090 GetExitCodeProcess

• 0x4b8094 Process32First

• 0x4b8098 FindFirstFileW

• 0x4b809c GetProcessHeap

• 0x4b80a0 GetLogicalDrives

• 0x4b80a4 MultiByteToWideChar

• 0x4b80a8 CreateDirectoryW

• 0x4b80ac CreateFileW

• 0x4b80b0 DeleteFileW

• 0x4b80b4 FindFirstFileExW

• 0x4b80b8 GetDiskFreeSpaceExW

• 0x4b80bc GetFileAttributesExW

• 0x4b80c0 GetFileInformationByHandle

• 0x4b80c4 AreFileApisANSI

• 0x4b80c8 GetModuleHandleW

• 0x4b80cc GetProcAddress

• 0x4b80d0 MoveFileExW

• 0x4b80d4 WideCharToMultiByte

• 0x4b80d8 FormatMessageW

• 0x4b80dc GetStringTypeW

• 0x4b80e0 EnterCriticalSection

• 0x4b80e4 LeaveCriticalSection

• 0x4b80e8 TryEnterCriticalSection

• 0x4b80ec DeleteCriticalSection

• 0x4b80f0 GetCurrentThreadId

• 0x4b80f4 DuplicateHandle

• 0x4b80f8 WaitForSingleObjectEx

• 0x4b80fc Sleep

• 0x4b8100 GetCurrentProcess

• 0x4b8104 SwitchToThread

• 0x4b8108 GetExitCodeThread

• 0x4b810c InitializeCriticalSectionAndSpinCount

• 0x4b8110 CreateEventW

• 0x4b8114 TlsAlloc

• 0x4b8118 TlsGetValue

• 0x4b811c TlsSetValue

• 0x4b8120 TlsFree

• 0x4b8124 GetSystemTimeAsFileTime

• 0x4b8128 GetTickCount

• 0x4b812c EncodePointer

• 0x4b8130 DecodePointer

• 0x4b8134 CompareStringW

• 0x4b8138 LCMapStringW

• 0x4b813c GetLocaleInfoW

• 0x4b8140 GetCPInfo

• 0x4b8144 SetEvent

• 0x4b8148 ResetEvent

• 0x4b814c InitializeSListHead

• 0x4b8150 IsProcessorFeaturePresent

• 0x4b8154 UnhandledExceptionFilter

• 0x4b8158 SetUnhandledExceptionFilter

• 0x4b815c IsDebuggerPresent

• 0x4b8160 GetStartupInfoW

• 0x4b8164 GetCurrentProcessId

• 0x4b8168 CreateTimerQueue

• 0x4b816c SignalObjectAndWait

• 0x4b8170 CreateThread

• 0x4b8174 SetThreadPriority

• 0x4b8178 GetThreadPriority

• 0x4b817c GetLogicalProcessorInformation

• 0x4b8180 CreateTimerQueueTimer

• 0x4b8184 ChangeTimerQueueTimer

• 0x4b8188 DeleteTimerQueueTimer

• 0x4b818c GetNumaHighestNodeNumber

• 0x4b8190 GetProcessAffinityMask

• 0x4b8194 SetThreadAffinityMask

• 0x4b8198 RegisterWaitForSingleObject

• 0x4b819c UnregisterWait

• 0x4b81a0 FreeLibrary

• 0x4b81a4 FreeLibraryAndExitThread

• 0x4b81a8 GetModuleFileNameW

• 0x4b81ac GetModuleHandleA

• 0x4b81b0 LoadLibraryExW

• 0x4b81b4 GetVersionExW

• 0x4b81b8 VirtualAlloc

• 0x4b81bc VirtualProtect

• 0x4b81c0 VirtualFree

• 0x4b81c4 ReleaseSemaphore

• 0x4b81c8 InterlockedPopEntrySList

• 0x4b81cc InterlockedPushEntrySList

• 0x4b81d0 InterlockedFlushSList

• 0x4b81d4 QueryDepthSList

• 0x4b81d8 UnregisterWaitEx

• 0x4b81dc LoadLibraryW

• 0x4b81e0 WaitForSingleObject

• 0x4b81e4 RtlUnwind

• 0x4b81e8 RaiseException

• 0x4b81ec ExitProcess

• 0x4b81f0 GetModuleHandleExW

• 0x4b81f4 ExitThread

• 0x4b81f8 GetModuleFileNameA

• 0x4b81fc GetStdHandle

• 0x4b8200 WriteFile

• 0x4b8204 GetCommandLineA

• 0x4b8208 GetCommandLineW

• 0x4b820c GetACP

• 0x4b8210 IsValidLocale

• 0x4b8214 GetUserDefaultLCID

• 0x4b8218 EnumSystemLocalesW

• 0x4b821c GetFileType

• 0x4b8220 HeapAlloc

• 0x4b8224 HeapFree

• 0x4b8228 FlushFileBuffers

• 0x4b822c GetConsoleCP

• 0x4b8230 GetConsoleMode

Library WS2_32.dll:

• 0x4b8238 select

• 0x4b823c recv

• 0x4b8240 getpeername

• 0x4b8244 WSAGetLastError

• 0x4b8248 WSACleanup

• 0x4b824c WSAStartup

• 0x4b8250 htons

• 0x4b8254 ioctlsocket

• 0x4b8258 send

• 0x4b825c freeaddrinfo

• 0x4b8260 getaddrinfo

• 0x4b8264 ntohl

• 0x4b8268 inet_ntoa

• 0x4b826c inet_addr

• 0x4b8270 htonl

• 0x4b8274 connect

• 0x4b8278 socket

• 0x4b827c setsockopt

• 0x4b8280 closesocket

Library ADVAPI32.dll:

• 0x4b8000 CryptReleaseContext

• 0x4b8004 CryptAcquireContextA

• 0x4b8008 CryptGenRandom

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
www.sfml-dev.org		78.47.82.133
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	51966	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.