10.0
0-day

b8789e245fdcc8f15b3e86a516660004980a8febea95077b7606e5bfc4a7bd31

64756c1a7d89b53e2879228f4e3f9c5e.exe

Analysis duration

62s

Last analysis

File size

1.2MB
Static detection / Dynamic detection
Hawkeye engine
Not detected: no Hawkeye engine results available
Static verdict
Antivirus engines
Not detected: no antivirus engine results available
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619648967.938249
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7456d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
app+0xc03f8 @ 0x4c03f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x74104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x74105d3d
app+0x17005c @ 0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 180
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfce6147d
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (31 events)
Time & API Arguments Status Return Repeated
1619648946.578876
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00840000
success 0 0
1619648946.687876
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00475000
success 0 0
1619648946.687876
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00880000
success 0 0
1619648948.376126
NtAllocateVirtualMemory
process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00350000
success 0 0
1619648948.454126
NtProtectVirtualMemory
process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00475000
success 0 0
1619648948.454126
NtAllocateVirtualMemory
process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00970000
success 0 0
1619648960.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619648960.907249
NtAllocateVirtualMemory
process_identifier: 880
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00590000
success 0 0
1619648960.907249
NtAllocateVirtualMemory
process_identifier: 880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00600000
success 0 0
1619648960.907249
NtAllocateVirtualMemory
process_identifier: 880
region_size: 753664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x020a0000
success 0 0
1619648960.907249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 729088
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x020a2000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1619648967.860249
NtProtectVirtualMemory
process_identifier: 880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe.vbs
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.683830892810297 section {'size_of_data': '0x0009f800', 'virtual_address': '0x00097000', 'entropy': 7.683830892810297, 'name': '.rsrc', 'virtual_size': '0x0009f7c0'} description A section with a high entropy has been found
entropy 0.5240246406570842 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe:ZoneIdentifier
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619648947.844876
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2632 created a thread in remote process 1752
Time & API Arguments Status Return Repeated
1619648947.844876
NtQueueApcThread
thread_handle: 0x00000104
process_identifier: 1752
function_address: 0x000b05c0
parameter: 0x000c0000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619648947.844876
WriteProcessMemory
process_identifier: 1752
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000b0000
success 1 0
1619648947.844876
WriteProcessMemory
process_identifier: 1752
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\64756c1a7d89b53e2879228f4e3f9c5e.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\64756c1a7d89b53e2879228f4e3f9c5e.exe" app.exeSeT buNZQvpYMRBqXOt = CreateObJECt("WScripT.SHeLL") bUNzqvpYMRBqXOt.run """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2544 called NtSetContextThread to modify thread in remote process 880
Time & API Arguments Status Return Repeated
1619648953.720126
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 880
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2544 resumed a thread in remote process 880
Time & API Arguments Status Return Repeated
1619648960.688126
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 880
success 0 0
Executed a process and injected code into it, probably while unpacking (12 events)
Time & API Arguments Status Return Repeated
1619648947.844876
CreateProcessInternalW
thread_identifier: 192
thread_handle: 0x00000104
process_identifier: 1752
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619648947.844876
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619648947.844876
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619648947.844876
WriteProcessMemory
process_identifier: 1752
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000b0000
success 1 0
1619648947.844876
WriteProcessMemory
process_identifier: 1752
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\64756c1a7d89b53e2879228f4e3f9c5e.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\64756c1a7d89b53e2879228f4e3f9c5e.exe" app.exeSeT buNZQvpYMRBqXOt = CreateObJECt("WScripT.SHeLL") bUNzqvpYMRBqXOt.run """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
1619648948.234751
CreateProcessInternalW
thread_identifier: 2504
thread_handle: 0x000000d0
process_identifier: 2544
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619648953.673126
CreateProcessInternalW
thread_identifier: 2468
thread_handle: 0x00000104
process_identifier: 880
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\app.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619648953.673126
NtUnmapViewOfSection
process_identifier: 880
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619648953.673126
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 880
commit_size: 1581056
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1581056
base_address: 0x00400000
success 0 0
1619648953.720126
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619648953.720126
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5770576
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 880
success 0 0
1619648960.688126
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 880
success 0 0
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x489164 VirtualFree
0x489168 VirtualAlloc
0x48916c LocalFree
0x489170 LocalAlloc
0x489174 GetVersion
0x489178 GetCurrentThreadId
0x489184 VirtualQuery
0x489188 WideCharToMultiByte
0x489190 MultiByteToWideChar
0x489194 lstrlenA
0x489198 lstrcpynA
0x48919c LoadLibraryExA
0x4891a0 GetThreadLocale
0x4891a4 GetStartupInfoA
0x4891a8 GetProcAddress
0x4891ac GetModuleHandleA
0x4891b0 GetModuleFileNameA
0x4891b4 GetLocaleInfoA
0x4891b8 GetLastError
0x4891c0 GetCommandLineA
0x4891c4 FreeLibrary
0x4891c8 FindFirstFileA
0x4891cc FindClose
0x4891d0 ExitProcess
0x4891d4 WriteFile
0x4891dc RtlUnwind
0x4891e0 RaiseException
0x4891e4 GetStdHandle
Library user32.dll:
0x4891ec GetKeyboardType
0x4891f0 LoadStringA
0x4891f4 MessageBoxA
0x4891f8 CharNextA
Library advapi32.dll:
0x489200 RegQueryValueExA
0x489204 RegOpenKeyExA
0x489208 RegCloseKey
Library oleaut32.dll:
0x489210 SysFreeString
0x489214 SysReAllocStringLen
0x489218 SysAllocStringLen
Library kernel32.dll:
0x489220 TlsSetValue
0x489224 TlsGetValue
0x489228 LocalAlloc
0x48922c GetModuleHandleA
Library advapi32.dll:
0x489234 RegQueryValueExA
0x489238 RegOpenKeyExA
0x48923c RegCloseKey
Library kernel32.dll:
0x489244 lstrcpyA
0x489248 WriteFile
0x48924c WaitForSingleObject
0x489250 VirtualQuery
0x489254 VirtualProtect
0x489258 VirtualAlloc
0x48925c Sleep
0x489260 SizeofResource
0x489264 SetThreadLocale
0x489268 SetFilePointer
0x48926c SetEvent
0x489270 SetErrorMode
0x489274 SetEndOfFile
0x489278 ResetEvent
0x48927c ReadFile
0x489280 MultiByteToWideChar
0x489284 MulDiv
0x489288 LockResource
0x48928c LoadResource
0x489290 LoadLibraryA
0x48929c GlobalUnlock
0x4892a0 GlobalSize
0x4892a4 GlobalReAlloc
0x4892a8 GlobalHandle
0x4892ac GlobalLock
0x4892b0 GlobalFree
0x4892b4 GlobalFindAtomA
0x4892b8 GlobalDeleteAtom
0x4892bc GlobalAlloc
0x4892c0 GlobalAddAtomA
0x4892c8 GetVersionExA
0x4892cc GetVersion
0x4892d0 GetUserDefaultLCID
0x4892d4 GetTickCount
0x4892d8 GetThreadLocale
0x4892e0 GetSystemInfo
0x4892e4 GetStringTypeExA
0x4892e8 GetStdHandle
0x4892ec GetProcAddress
0x4892f0 GetModuleHandleA
0x4892f4 GetModuleFileNameA
0x4892f8 GetLocaleInfoA
0x4892fc GetLocalTime
0x489300 GetLastError
0x489304 GetFullPathNameA
0x489308 GetFileAttributesA
0x48930c GetDiskFreeSpaceA
0x489310 GetDateFormatA
0x489314 GetCurrentThreadId
0x489318 GetCurrentProcessId
0x48931c GetComputerNameA
0x489320 GetCPInfo
0x489324 GetACP
0x489328 FreeResource
0x48932c InterlockedExchange
0x489330 FreeLibrary
0x489334 FormatMessageA
0x489338 FindResourceA
0x48933c FindNextFileA
0x489340 FindFirstFileA
0x489344 FindClose
0x489354 EnumCalendarInfoA
0x489360 CreateThread
0x489364 CreateFileA
0x489368 CreateEventA
0x48936c CompareStringA
0x489370 CloseHandle
Library version.dll:
0x489378 VerQueryValueA
0x489380 GetFileVersionInfoA
Library gdi32.dll:
0x489388 UnrealizeObject
0x48938c StretchBlt
0x489390 SetWindowOrgEx
0x489394 SetWinMetaFileBits
0x489398 SetViewportOrgEx
0x48939c SetTextColor
0x4893a0 SetStretchBltMode
0x4893a4 SetROP2
0x4893a8 SetPixel
0x4893ac SetMapMode
0x4893b0 SetEnhMetaFileBits
0x4893b4 SetDIBColorTable
0x4893b8 SetBrushOrgEx
0x4893bc SetBkMode
0x4893c0 SetBkColor
0x4893c4 SelectPalette
0x4893c8 SelectObject
0x4893cc SelectClipRgn
0x4893d0 SaveDC
0x4893d4 RestoreDC
0x4893d8 Rectangle
0x4893dc RectVisible
0x4893e0 RealizePalette
0x4893e4 Polyline
0x4893e8 PlayEnhMetaFile
0x4893ec PatBlt
0x4893f0 MoveToEx
0x4893f4 MaskBlt
0x4893f8 LineTo
0x4893fc LPtoDP
0x489400 IntersectClipRect
0x489404 GetWindowOrgEx
0x489408 GetWinMetaFileBits
0x48940c GetTextMetricsA
0x489418 GetStockObject
0x48941c GetPixel
0x489420 GetPaletteEntries
0x489424 GetObjectA
0x489434 GetEnhMetaFileBits
0x489438 GetDeviceCaps
0x48943c GetDIBits
0x489440 GetDIBColorTable
0x489444 GetDCOrgEx
0x48944c GetClipBox
0x489450 GetBrushOrgEx
0x489454 GetBitmapBits
0x489458 ExtTextOutA
0x48945c ExcludeClipRect
0x489460 DeleteObject
0x489464 DeleteEnhMetaFile
0x489468 DeleteDC
0x48946c CreateSolidBrush
0x489470 CreatePenIndirect
0x489474 CreatePen
0x489478 CreatePalette
0x489480 CreateFontIndirectA
0x489484 CreateEnhMetaFileA
0x489488 CreateDIBitmap
0x48948c CreateDIBSection
0x489490 CreateCompatibleDC
0x489498 CreateBrushIndirect
0x48949c CreateBitmap
0x4894a0 CopyEnhMetaFileA
0x4894a4 CloseEnhMetaFile
0x4894a8 BitBlt
Library user32.dll:
0x4894b0 CreateWindowExA
0x4894b4 WindowFromPoint
0x4894b8 WinHelpA
0x4894bc WaitMessage
0x4894c0 ValidateRect
0x4894c4 UpdateWindow
0x4894c8 UnregisterClassA
0x4894cc UnhookWindowsHookEx
0x4894d0 TranslateMessage
0x4894d8 TrackPopupMenu
0x4894e0 ShowWindow
0x4894e4 ShowScrollBar
0x4894e8 ShowOwnedPopups
0x4894ec ShowCursor
0x4894f0 SetWindowsHookExA
0x4894f4 SetWindowTextA
0x4894f8 SetWindowPos
0x4894fc SetWindowPlacement
0x489500 SetWindowLongA
0x489504 SetTimer
0x489508 SetScrollRange
0x48950c SetScrollPos
0x489510 SetScrollInfo
0x489514 SetRect
0x489518 SetPropA
0x48951c SetParent
0x489520 SetMenuItemInfoA
0x489524 SetMenu
0x489528 SetForegroundWindow
0x48952c SetFocus
0x489530 SetCursor
0x489534 SetClassLongA
0x489538 SetCapture
0x48953c SetActiveWindow
0x489540 SendMessageA
0x489544 ScrollWindow
0x489548 ScreenToClient
0x48954c RemovePropA
0x489550 RemoveMenu
0x489554 ReleaseDC
0x489558 ReleaseCapture
0x489564 RegisterClassA
0x489568 RedrawWindow
0x48956c PtInRect
0x489570 PostQuitMessage
0x489574 PostMessageA
0x489578 PeekMessageA
0x48957c OffsetRect
0x489580 OemToCharA
0x489584 MessageBoxA
0x489588 MapWindowPoints
0x48958c MapVirtualKeyA
0x489590 LoadStringA
0x489594 LoadKeyboardLayoutA
0x489598 LoadIconA
0x48959c LoadCursorA
0x4895a0 LoadBitmapA
0x4895a4 KillTimer
0x4895a8 IsZoomed
0x4895ac IsWindowVisible
0x4895b0 IsWindowEnabled
0x4895b4 IsWindow
0x4895b8 IsRectEmpty
0x4895bc IsIconic
0x4895c0 IsDialogMessageA
0x4895c4 IsChild
0x4895c8 InvalidateRect
0x4895cc IntersectRect
0x4895d0 InsertMenuItemA
0x4895d4 InsertMenuA
0x4895d8 InflateRect
0x4895e0 GetWindowTextA
0x4895e4 GetWindowRect
0x4895e8 GetWindowPlacement
0x4895ec GetWindowLongA
0x4895f0 GetWindowDC
0x4895f4 GetTopWindow
0x4895f8 GetSystemMetrics
0x4895fc GetSystemMenu
0x489600 GetSysColorBrush
0x489604 GetSysColor
0x489608 GetSubMenu
0x48960c GetScrollRange
0x489610 GetScrollPos
0x489614 GetScrollInfo
0x489618 GetPropA
0x48961c GetParent
0x489620 GetWindow
0x489624 GetMessageTime
0x489628 GetMenuStringA
0x48962c GetMenuState
0x489630 GetMenuItemInfoA
0x489634 GetMenuItemID
0x489638 GetMenuItemCount
0x48963c GetMenuDefaultItem
0x489640 GetMenu
0x489644 GetLastActivePopup
0x489648 GetKeyboardState
0x489650 GetKeyboardLayout
0x489654 GetKeyState
0x489658 GetKeyNameTextA
0x48965c GetIconInfo
0x489660 GetForegroundWindow
0x489664 GetFocus
0x489668 GetDlgItem
0x48966c GetDesktopWindow
0x489670 GetDCEx
0x489674 GetDC
0x489678 GetCursorPos
0x48967c GetCursor
0x489680 GetClipboardData
0x489684 GetClientRect
0x489688 GetClassNameA
0x48968c GetClassInfoA
0x489690 GetCapture
0x489694 GetActiveWindow
0x489698 FrameRect
0x48969c FindWindowA
0x4896a0 FillRect
0x4896a4 EqualRect
0x4896a8 EnumWindows
0x4896ac EnumThreadWindows
0x4896b0 EndPaint
0x4896b4 EnableWindow
0x4896b8 EnableScrollBar
0x4896bc EnableMenuItem
0x4896c0 DrawTextA
0x4896c4 DrawMenuBar
0x4896c8 DrawIconEx
0x4896cc DrawIcon
0x4896d0 DrawFrameControl
0x4896d4 DrawFocusRect
0x4896d8 DrawEdge
0x4896dc DispatchMessageA
0x4896e0 DestroyWindow
0x4896e4 DestroyMenu
0x4896e8 DestroyIcon
0x4896ec DestroyCursor
0x4896f0 DeleteMenu
0x4896f4 DefWindowProcA
0x4896f8 DefMDIChildProcA
0x4896fc DefFrameProcA
0x489700 CreatePopupMenu
0x489704 CreateMenu
0x489708 CreateIcon
0x48970c ClientToScreen
0x489710 CheckMenuItem
0x489714 CallWindowProcA
0x489718 CallNextHookEx
0x48971c BeginPaint
0x489720 CharNextA
0x489724 CharLowerBuffA
0x489728 CharLowerA
0x48972c CharUpperBuffA
0x489730 CharToOemA
0x489734 AdjustWindowRectEx
Library kernel32.dll:
0x489740 Sleep
Library oleaut32.dll:
0x489748 SafeArrayPtrOfIndex
0x48974c SafeArrayPutElement
0x489750 SafeArrayGetElement
0x489758 SafeArrayAccessData
0x48975c SafeArrayGetUBound
0x489760 SafeArrayGetLBound
0x489764 SafeArrayCreate
0x489768 VariantChangeType
0x48976c VariantCopyInd
0x489770 VariantCopy
0x489774 VariantClear
0x489778 VariantInit
Library ole32.dll:
0x489784 IsAccelerator
0x489788 OleDraw
0x489790 CoTaskMemFree
0x489794 ProgIDFromCLSID
0x489798 StringFromCLSID
0x48979c CoCreateInstance
0x4897a0 CoGetClassObject
0x4897a4 CoUninitialize
0x4897a8 CoInitialize
0x4897ac IsEqualGUID
Library oleaut32.dll:
0x4897b4 GetErrorInfo
0x4897b8 GetActiveObject
0x4897bc SysFreeString
Library comctl32.dll:
0x4897cc ImageList_Write
0x4897d0 ImageList_Read
0x4897e0 ImageList_DragMove
0x4897e4 ImageList_DragLeave
0x4897e8 ImageList_DragEnter
0x4897ec ImageList_EndDrag
0x4897f0 ImageList_BeginDrag
0x4897f4 ImageList_Remove
0x4897f8 ImageList_DrawEx
0x4897fc ImageList_Draw
0x48980c ImageList_Add
0x489814 ImageList_Destroy
0x489818 ImageList_Create
0x48981c InitCommonControls
Library comdlg32.dll:
0x489824 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49236 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.