SmartHawk

8.2

高危

53 个模型检测该样本为恶意！

重新分析

下载样本

29aef790399029029e0443455d72a8b928854a0706f2e211ae7a03bba0e3d4f4

645c720ff0eb7d946ec3b4a6f609b7bc.exe

分析耗时

80s

最近分析

文件大小

69.0KB

静态报毒动态报毒 100% AGEN AI SCORE=100 AIDETECT BSCOPE CLOUD CONFIDENCE CRYPMOD FILECODER GENCIRC HIGH CONFIDENCE HJROUC HXQBQV8A MAILTO MALWARE1 NETW NETWALKER R + MAL R374144 RANSOMWARE RANSOMX SCORE SD@8RQQOE SMTH STATIC AI SUSGEN SUSPICIOUS PE TROJANPSW UNSAFE WBNA ZSBUVNGS950 ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Ransom:Win32/Filecoder.1eef891c	20190527	0.3.0.5
Avast	Win32:RansomX-gen [Ransom]	20210404	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10cdcb86	20210404	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20210404	2017.9.26.565
McAfee	Ransom-NetW!645C720FF0EB	20210404	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610590.609125 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610169.630208 WriteConsoleW	buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp. console_handle: 0x0000000000000007	success	1	0

Tries to locate where the browsers are installed (1 个事件)

file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610628.859125 __exception__	stacktrace: path_get_full_pathW+0x2b path_get_full_path_handle-0x4f1 @ 0x745ed2a2 path_get_full_path_objattr+0x3d reg_get_key-0x3d2 @ 0x745ed8d6 New_ntdll_NtSetInformationFile@20+0x171 New_ntdll_NtSetValueKey@24-0x140 @ 0x74602fba 645c720ff0eb7d946ec3b4a6f609b7bc+0xe167 @ 0x8ee167 registers.esp: 1798109476 registers.edi: 0 registers.eax: 0 registers.ebp: 1798109516 registers.edx: 16 registers.ebx: 1661272080 registers.esi: 106 registers.ecx: 1950559753 exception.instruction_r: 66 c7 00 00 00 8b 45 ec 8d 14 85 00 00 00 00 8b exception.symbol: get_unicode_buffer+0x140 free_unicode_buffer-0x4f exception.address: 0x745ec88f exception.module: monitor-x86.dll exception.exception_code: 0xc0000005 exception.offset: 51343	success	0	0

Steals private information from local Internet browsers (50 out of 53 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LOCK
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\PreferredApps
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13262619407470436
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\QuotaManager
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LOG
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\font_unique_name_table.pb
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Media History-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6072F047-6D8.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Media History
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Top Sites
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6072F217-D54.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Shortcuts
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Favicons
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\History-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6072F20C-274.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_0
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000003.log
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma

Creates (office) documents on the filesystem (8 个事件)

file	C:\Users\Administrator.Oskar-PC\Documents\BVjwOmeUMLxB.ppt
file	C:\Users\Administrator.Oskar-PC\Documents\wnVdBZePGg.docm
file	C:\Users\Administrator.Oskar-PC\Documents\okSXbuBFoaX.ppt
file	C:\Users\Administrator.Oskar-PC\Documents\XkyDQROpFhvQITdkY.pptx
file	C:\Users\Administrator.Oskar-PC\Documents\iyExvoHSaOJDv.doc
file	C:\Users\Administrator.Oskar-PC\Documents\NASdnSvAXvi.docx
file	C:\Users\Administrator.Oskar-PC\Documents\kqVbORQtJtrQy.pptx
file	C:\Users\Administrator.Oskar-PC\Documents\HdtTFEwHtGe.ppt

The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)

entropy

7.93935167688487

section

{'size_of_data': '0x00001600', 'virtual_address': '0x00012000', 'entropy': 7.93935167688487, 'name': '.rsrc', 'virtual_size': '0x00002000'}

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619610590.578125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619610169.302208 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1	0

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.41.98

Attempts to detect Cuckoo Sandbox through the presence of a file (2 个事件)

file	C:\Python27\agent.pyw
file	C:\tmpsij43m\analyzer.py

Appends a known multi-family ransomware file extension to files that have been encrypted (1 个事件)

file	C:\Python27\tcl\tcl8.5\encoding\ascii.enc

Uses suspicious command line tools or Windows utilities (1 个事件)

cmdline

C:\Windows\system32\vssadmin.exe delete shadows /all /quiet

Detects VirtualBox through the presence of a file (3 个事件)

file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Encoder.32281
MicroWorld-eScan	Gen:Variant.Zusy.303374
FireEye	Generic.mg.645c720ff0eb7d94
ALYac	Trojan.Ransom.Mailto
Cylance	Unsafe
Zillya	Trojan.Filecoder.Win32.14605
Sangfor	Ransom.Win32.NetWalker.S!MTB
K7AntiVirus	Trojan ( 0056b6ab1 )
Alibaba	Ransom:Win32/Filecoder.1eef891c
K7GW	Trojan ( 0056b6ab1 )
Cybereason	malicious.ff0eb7
BitDefenderTheta	AI:Packer.6637C92B1E
Symantec	Downloader
ESET-NOD32	a variant of Win32/Filecoder.NetWalker.D
APEX	Malicious
Avast	Win32:RansomX-gen [Ransom]
ClamAV	Win.Ransomware.Netwalker-7671868-0
Kaspersky	HEUR:Trojan-Ransom.Win32.Mailto.gen
BitDefender	Gen:Variant.Zusy.303374
NANO-Antivirus	Trojan.Win32.Filecoder.hjrouc
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.10cdcb86
Ad-Aware	Gen:Variant.Zusy.303374
Sophos	Mal/Generic-R + Mal/Ransom-FW
Comodo	TrojWare.Win32.Ransom.NetWalker.SD@8rqqoe
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom.Win32.NETWALKER.SMTH
Emsisoft	Gen:Variant.Zusy.303374 (B)
Ikarus	Trojan-Ransom.NetWalker
Avira	HEUR/AGEN.1115135
MAX	malware (ai score=100)
Gridinsoft	Ransom.Win32.Ransom.oa!s1
Microsoft	Ransom:Win32/Filecoder.DD!MTB
AegisLab	Trojan.Win32.Crypmod.j!c
GData	Gen:Variant.Zusy.303374
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.RansomCrypt.R374144
McAfee	Ransom-NetW!645C720FF0EB
VBA32	BScope.TrojanPSW.Spy
Malwarebytes	Ransom.NetWalker
TrendMicro-HouseCall	Ransom.Win32.NETWALKER.SMTH
Rising	Worm.WBNA!8.321 (CLOUD)
Yandex	Trojan.Filecoder!ZsbuVNGs950
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.74666482.susgen
Fortinet	W32/NetWalker.B!tr.ransom
Webroot	W32.Ransom.Gen
AVG	Win32:RansomX-gen [Ransom]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	216.58.200.238:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-02 16:50:08

Imports

Library KERNEL32.dll:

• 0x410000 Sleep

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	CNAME clients.l.google.com A 216.58.200.238	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	53658	239.255.255.250	3702
192.168.56.101	55369	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.