12.2
0-day

3da452ae8e1e1feb7546b7ff0dedecab241b19a26ff2fd4f693de266286747cc

64cdb9571a5bcc21cecfae8df3a4312a.exe

Analysis duration

86s

Last analysis

File size

257.5KB
Static detections / dynamic detections: AI SCORE=83 ATTRIBUTE CONFIDENCE GDSDA HIGH CONFIDENCE HIGHCONFIDENCE HLGROL KRYPTIK MALICIOUS PE NANOBOT PACKED2 PARADISE QQW@A8VRKJII RATX RAZY SCORE THFADBO UNSAFE URLBOT WACATAC WPTT YMACCO ZEMSILF
Hawkeye engine
Not detected: no Hawkeye engine results yet
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee RDN/Generic.grp 20200622 6.0.6.653
Alibaba Trojan:MSIL/Kryptik.2f0118f8 20190527 0.3.0.5
Avast Win32:RATX-gen [Trj] 20200622 18.4.3895.0
Tencent Msil.Trojan.Nanobot.Wptt 20200622 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200622 2013.8.14.323
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619634852.035626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (3 events)
Time & API Arguments Status Return Repeated
1619634834.083249
IsDebuggerPresent
failed 0 0
1619634838.239249
IsDebuggerPresent
failed 0 0
1619634841.832626
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619634847.941626
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .kupajis
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 121 events)
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.997033616148144 section {'size_of_data': '0x0002ae00', 'virtual_address': '0x00010000', 'entropy': 7.997033616148144, 'name': '.data', 'virtual_size': '0x00039750'} description A section with a high entropy has been found
entropy 0.6686159844054581 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619634848.269626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
Communicates with a host for which no DNS query was performed (3 events)
host 172.217.24.14
host 203.208.40.66
host 203.208.41.33
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619634838.333249
NtAllocateVirtualMemory
process_identifier: 1704
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001c4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks up the Windows idle time to determine the uptime (1 event)
Time & API Arguments Status Return Repeated
1619634847.551626
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task (1 event)
description 64cdb9571a5bcc21cecfae8df3a4312a.exe tried to sleep 5456490 seconds, actually delayed analysis time by 5456490 seconds
Potential code injection by writing to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619634838.348249
WriteProcessMemory
process_identifier: 1704
buffer: @
process_handle: 0x000001c4
base_address: 0x7efde008
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 884 called NtSetContextThread to modify thread in remote process 1704
Time & API Arguments Status Return Repeated
1619634838.348249
NtSetContextThread
thread_handle: 0x000001c0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1704
success 0 0
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\64cdb9571a5bcc21cecfae8df3a4312a.exe:Zone.Identifier
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 884 resumed a thread in remote process 1704
Time & API Arguments Status Return Repeated
1619634838.427249
NtResumeThread
thread_handle: 0x000001c0
suspend_count: 1
process_identifier: 1704
success 0 0
Executed a process and injected code into it, probably while unpacking (22 events)
Time & API Arguments Status Return Repeated
1619634834.083249
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 884
success 0 0
1619634834.208249
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 884
success 0 0
1619634838.333249
CreateProcessInternalW
thread_identifier: 2632
thread_handle: 0x000001c0
process_identifier: 1704
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\64cdb9571a5bcc21cecfae8df3a4312a.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\64cdb9571a5bcc21cecfae8df3a4312a.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\64cdb9571a5bcc21cecfae8df3a4312a.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000001c4
inherit_handles: 0
success 1 0
1619634838.333249
NtGetContextThread
thread_handle: 0x000001c0
success 0 0
1619634838.333249
NtUnmapViewOfSection
process_identifier: 1704
region_size: 4096
process_handle: 0x000001c4
base_address: 0x00400000
success 0 0
1619634838.333249
NtAllocateVirtualMemory
process_identifier: 1704
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001c4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619634838.348249
WriteProcessMemory
process_identifier: 1704
buffer: @
process_handle: 0x000001c4
base_address: 0x7efde008
success 1 0
1619634838.348249
NtSetContextThread
thread_handle: 0x000001c0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1704
success 0 0
1619634838.427249
NtResumeThread
thread_handle: 0x000001c0
suspend_count: 1
process_identifier: 1704
success 0 0
1619634841.832626
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1704
success 0 0
1619634841.832626
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1704
success 0 0
1619634845.394626
NtResumeThread
thread_handle: 0x00000200
suspend_count: 1
process_identifier: 1704
success 0 0
1619634846.051626
NtResumeThread
thread_handle: 0x0000025c
suspend_count: 1
process_identifier: 1704
success 0 0
1619634847.051626
NtResumeThread
thread_handle: 0x00000268
suspend_count: 1
process_identifier: 1704
success 0 0
1619634847.785626
NtGetContextThread
thread_handle: 0x0000025c
success 0 0
1619634847.785626
NtGetContextThread
thread_handle: 0x0000025c
success 0 0
1619634847.847626
NtResumeThread
thread_handle: 0x0000025c
suspend_count: 1
process_identifier: 1704
success 0 0
1619634848.051626
NtResumeThread
thread_handle: 0x00000290
suspend_count: 1
process_identifier: 1704
success 0 0
1619634852.738626
NtResumeThread
thread_handle: 0x00000358
suspend_count: 1
process_identifier: 1704
success 0 0
1619634857.082626
NtResumeThread
thread_handle: 0x0000036c
suspend_count: 1
process_identifier: 1704
success 0 0
1619634876.129626
NtResumeThread
thread_handle: 0x0000038c
suspend_count: 1
process_identifier: 1704
success 0 0
1619634895.019626
NtResumeThread
thread_handle: 0x000003a8
suspend_count: 1
process_identifier: 1704
success 0 0
File has been identified by 45 antivirus engines on VirusTotal as malicious (45 events)
DrWeb Trojan.Packed2.42485
MicroWorld-eScan Gen:Variant.Razy.674687
CAT-QuickHeal Trojan.Wacatac
McAfee RDN/Generic.grp
Cylance Unsafe
SUPERAntiSpyware Trojan.Agent/Gen-Urlbot
Sangfor Malware
Alibaba Trojan:MSIL/Kryptik.2f0118f8
Cybereason malicious.71a5bc
Arcabit Trojan.Razy.DA4B7F
Invincea heuristic
BitDefenderTheta Gen:NN.ZemsilF.34128.qqW@a8vRKJii
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall Trojan.MSIL.WACATAC.THFADBO
Avast Win32:RATX-gen [Trj]
GData Gen:Variant.Razy.674687
Kaspersky HEUR:Trojan.MSIL.NanoBot.gen
BitDefender Gen:Variant.Razy.674687
NANO-Antivirus Trojan.Win32.Packed2.hlgrol
Paloalto generic.ml
Tencent Msil.Trojan.Nanobot.Wptt
Ad-Aware Gen:Variant.Razy.674687
Sophos Mal/Generic-S
TrendMicro Trojan.MSIL.WACATAC.THFADBO
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
FireEye Generic.mg.64cdb9571a5bcc21
Emsisoft Gen:Variant.Razy.674687 (B)
SentinelOne DFI - Malicious PE
Antiy-AVL Trojan/MSIL.NanoBot
Microsoft Trojan:Win32/Ymacco.AB12
Endgame malicious (high confidence)
ZoneAlarm HEUR:Trojan.MSIL.NanoBot.gen
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.C4125503
Acronis suspicious
ALYac Gen:Variant.Razy.674687
MAX malware (ai score=83)
APEX Malicious
ESET-NOD32 a variant of MSIL/Kryptik.WHU
Ikarus Trojan.Crypt
Fortinet MSIL/Paradise.5!tr
AVG Win32:RATX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Generic/Trojan.BO.573
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (9 events)
Visual analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample was running


PE Compile Time

2019-01-19 14:17:54

Imports

Library MSVCR90.dll:
0x401074 _controlfp_s
0x401078 _invoke_watson
0x401080 _decode_pointer
0x401084 _onexit
0x401088 _lock
0x40108c __dllonexit
0x401090 _unlock
0x401098 ?terminate@@YAXXZ
0x40109c __set_app_type
0x4010a4 _encode_pointer
0x4010a8 __p__fmode
0x4010ac __p__commode
0x4010b0 _adjust_fdiv
0x4010b4 __setusermatherr
0x4010b8 _configthreadlocale
0x4010bc _initterm_e
0x4010c0 _initterm
0x4010c4 _wcmdln
0x4010c8 exit
0x4010cc _XcptFilter
0x4010d0 _exit
0x4010d4 _cexit
0x4010d8 __wgetmainargs
0x4010dc _amsg_exit
0x4010e0 ??3@YAXPAX@Z
0x4010e4 _crt_debugger_hook
0x4010e8 ceil
0x4010f0 ??_V@YAXPAX@Z
0x4010f8 fclose
0x4010fc fwrite
0x401100 fread
0x401104 scanf
0x401108 vsprintf
0x40110c sprintf
0x401110 __FrameUnwindFilter
0x401114 abort
0x401118 ??2@YAPAXI@Z
0x40111c _encoded_null
Library KERNEL32.dll:
0x401000 GetCurrentProcess
0x401004 Sleep
0x40100c GetStartupInfoW
0x401018 GetTickCount
0x40101c GetCurrentThreadId
0x401020 GetFileType
0x401024 GetProcessId
0x401028 VirtualAlloc
0x40102c GetModuleHandleW
0x401030 TerminateThread
0x401034 ExitThread
0x401038 IsDebuggerPresent
0x401040 TerminateProcess
0x401048 GetCurrentProcessId
0x40104c InterlockedExchange
Library mscoree.dll:
0x401124 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 60088 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.