12.2
0-day
56 个模型检测该样本为恶意!
重新分析
更多

9c1ec23b3bd8de007b86280d0ac67786d0c03f84dd596e826a21d29390aa99da

65103c593e0fd6edec11f544039e224d.exe

分析耗时

116s

最近分析

文件大小

624.5KB
静态报毒 动态报毒 AGEN AGENTTESLA AI SCORE=89 ATTRIBUTE CLOUD CONFIDENCE DYSGXX ELDORADO FAREIT GDSDA GENERICKD GRAYWARE HIGH CONFIDENCE HIGHCONFIDENCE HQOWQU IGENERIC KRYPTIK MALICIOUS PE MASSLOGGER NEGASTEAL NM0@AYSVZJM R346969 RANSOMX SCORE SPYBOTNET SUSGEN TSCOPE UNCLASSIFIEDMALWARE@0 UNSAFE VKONTAKTEDJ WLYU ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:MSIL/AgentTesla.b758f957 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:RansomX-gen [Ransom] 20200826 18.4.3895.0
Tencent Msil.Trojan.Crypt.Wlyu 20200826 1.0.0.1
Kingsoft 20200826 2013.8.14.323
McAfee Fareit-FXO!65103C593E0F 20200826 6.0.6.653
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619619745.522375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 57 个事件)
Time & API Arguments Status Return Repeated
1619610599.891
IsDebuggerPresent
failed 0 0
1619610599.891
IsDebuggerPresent
failed 0 0
1619610646.812
IsDebuggerPresent
failed 0 0
1619610647.312
IsDebuggerPresent
failed 0 0
1619610647.828
IsDebuggerPresent
failed 0 0
1619610648.312
IsDebuggerPresent
failed 0 0
1619610648.828
IsDebuggerPresent
failed 0 0
1619610649.312
IsDebuggerPresent
failed 0 0
1619610649.828
IsDebuggerPresent
failed 0 0
1619610650.312
IsDebuggerPresent
failed 0 0
1619610650.828
IsDebuggerPresent
failed 0 0
1619610651.312
IsDebuggerPresent
failed 0 0
1619610651.828
IsDebuggerPresent
failed 0 0
1619610652.312
IsDebuggerPresent
failed 0 0
1619610652.828
IsDebuggerPresent
failed 0 0
1619610653.312
IsDebuggerPresent
failed 0 0
1619610653.828
IsDebuggerPresent
failed 0 0
1619610654.312
IsDebuggerPresent
failed 0 0
1619610654.828
IsDebuggerPresent
failed 0 0
1619610655.312
IsDebuggerPresent
failed 0 0
1619610655.828
IsDebuggerPresent
failed 0 0
1619610656.312
IsDebuggerPresent
failed 0 0
1619610656.828
IsDebuggerPresent
failed 0 0
1619610657.312
IsDebuggerPresent
failed 0 0
1619610657.828
IsDebuggerPresent
failed 0 0
1619610658.312
IsDebuggerPresent
failed 0 0
1619610658.828
IsDebuggerPresent
failed 0 0
1619610659.312
IsDebuggerPresent
failed 0 0
1619610659.828
IsDebuggerPresent
failed 0 0
1619610660.312
IsDebuggerPresent
failed 0 0
1619610660.828
IsDebuggerPresent
failed 0 0
1619610661.312
IsDebuggerPresent
failed 0 0
1619610661.828
IsDebuggerPresent
failed 0 0
1619610662.312
IsDebuggerPresent
failed 0 0
1619610662.828
IsDebuggerPresent
failed 0 0
1619610663.312
IsDebuggerPresent
failed 0 0
1619610663.828
IsDebuggerPresent
failed 0 0
1619610664.312
IsDebuggerPresent
failed 0 0
1619610664.828
IsDebuggerPresent
failed 0 0
1619610665.312
IsDebuggerPresent
failed 0 0
1619610665.828
IsDebuggerPresent
failed 0 0
1619610666.312
IsDebuggerPresent
failed 0 0
1619610666.828
IsDebuggerPresent
failed 0 0
1619610667.312
IsDebuggerPresent
failed 0 0
1619610667.828
IsDebuggerPresent
failed 0 0
1619610668.312
IsDebuggerPresent
failed 0 0
1619610668.828
IsDebuggerPresent
failed 0 0
1619610669.312
IsDebuggerPresent
failed 0 0
1619610669.828
IsDebuggerPresent
failed 0 0
1619610670.312
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619619754.490375
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\QJqicKAYtcmjB"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619610599.906
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:925680580&cup2hreq=55d5d667644dc29422bf0c369e4d44c0d41a579e18bbf57330939e4e59513ad0
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619590816&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=4c12f6edf428216a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619590576&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:925680580&cup2hreq=55d5d667644dc29422bf0c369e4d44c0d41a579e18bbf57330939e4e59513ad0
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:925680580&cup2hreq=55d5d667644dc29422bf0c369e4d44c0d41a579e18bbf57330939e4e59513ad0
Allocates read-write-execute memory (usually to unpack itself) (50 out of 125 个事件)
Time & API Arguments Status Return Repeated
1619610598.984
NtAllocateVirtualMemory
process_identifier: 324
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1619610598.984
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00500000
success 0 0
1619610599.75
NtAllocateVirtualMemory
process_identifier: 324
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00540000
success 0 0
1619610599.75
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b0000
success 0 0
1619610599.797
NtProtectVirtualMemory
process_identifier: 324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619610599.891
NtAllocateVirtualMemory
process_identifier: 324
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00be0000
success 0 0
1619610599.891
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00dc0000
success 0 0
1619610599.891
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ca000
success 0 0
1619610599.891
NtProtectVirtualMemory
process_identifier: 324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619610599.891
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c2000
success 0 0
1619610600.109
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d2000
success 0 0
1619610600.219
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b5000
success 0 0
1619610600.219
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004bb000
success 0 0
1619610600.219
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b7000
success 0 0
1619610600.375
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d3000
success 0 0
1619610600.422
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003dc000
success 0 0
1619610601.109
NtAllocateVirtualMemory
process_identifier: 324
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d4000
success 0 0
1619610601.109
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d6000
success 0 0
1619610601.359
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f0000
success 0 0
1619610601.547
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d7000
success 0 0
1619610601.562
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ea000
success 0 0
1619610601.562
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e7000
success 0 0
1619610601.859
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d8000
success 0 0
1619610601.906
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d9000
success 0 0
1619610601.937
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f1000
success 0 0
1619610602.125
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e6000
success 0 0
1619610602.156
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a0000
success 0 0
1619610602.203
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f2000
success 0 0
1619610602.203
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a1000
success 0 0
1619610602.234
NtAllocateVirtualMemory
process_identifier: 324
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f3000
success 0 0
1619610643.266
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a2000
success 0 0
1619610643.297
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f6000
success 0 0
1619610643.609
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f7000
success 0 0
1619610643.734
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003cc000
success 0 0
1619610643.844
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f8000
success 0 0
1619610643.875
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a3000
success 0 0
1619610643.891
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003dd000
success 0 0
1619610643.891
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f9000
success 0 0
1619610644.078
NtProtectVirtualMemory
process_identifier: 324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 297472
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050d0400
failed 3221225550 0
1619610646.469
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007fa000
success 0 0
1619610646.484
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a4000
success 0 0
1619610646.484
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007fb000
success 0 0
1619610646.484
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007fc000
success 0 0
1619610646.516
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007fd000
success 0 0
1619610646.531
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007fe000
success 0 0
1619610646.656
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007ff000
success 0 0
1619610646.703
NtAllocateVirtualMemory
process_identifier: 324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05180000
success 0 0
1619610646.703
NtAllocateVirtualMemory
process_identifier: 324
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05181000
success 0 0
1619610646.703
NtProtectVirtualMemory
process_identifier: 324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050d0178
failed 3221225550 0
1619610646.703
NtProtectVirtualMemory
process_identifier: 324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050d01a0
failed 3221225550 0
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QJqicKAYtcmjB" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CCC.tmp"
cmdline schtasks.exe /Create /TN "Updates\QJqicKAYtcmjB" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CCC.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619610660.672
ShellExecuteExW
parameters: /Create /TN "Updates\QJqicKAYtcmjB" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CCC.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.961069163792554 section {'size_of_data': '0x00072200', 'virtual_address': '0x00002000', 'entropy': 7.961069163792554, 'name': '.text', 'virtual_size': '0x00072064'} description A section with a high entropy has been found
entropy 0.7315705128205128 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619610644.078
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619619769.63175
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QJqicKAYtcmjB" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CCC.tmp"
cmdline schtasks.exe /Create /TN "Updates\QJqicKAYtcmjB" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CCC.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619610672.734
NtAllocateVirtualMemory
process_identifier: 1872
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00004be0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619610672.734
WriteProcessMemory
process_identifier: 1872
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL½´"_à  Vžt €@ À@…DtW€À   H.text¤T V `.rsrcÀ€X@@.reloc  ^@B
process_handle: 0x00004be0
base_address: 0x00400000
success 1 0
1619610672.75
WriteProcessMemory
process_identifier: 1872
buffer:  €P€8€€h€ €4ԃê44VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°”StringFileInfop000004b0 CommentsHi(CompanyNameHi0FileDescriptionHi,FileVersion1.4.8`InternalNamebZyhSGIBFekodKJBtyKjdSdpIg.exe,LegalCopyrightHi0LegalTrademarksHihOriginalFilenamebZyhSGIBFekodKJBtyKjdSdpIg.exe(ProductNameHi0ProductVersion1.4.88Assembly Version1.4.8.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00004be0
base_address: 0x00448000
success 1 0
1619610672.75
WriteProcessMemory
process_identifier: 1872
buffer: p  4
process_handle: 0x00004be0
base_address: 0x0044a000
success 1 0
1619610672.75
WriteProcessMemory
process_identifier: 1872
buffer: @
process_handle: 0x00004be0
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619610672.734
WriteProcessMemory
process_identifier: 1872
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL½´"_à  Vžt €@ À@…DtW€À   H.text¤T V `.rsrcÀ€X@@.reloc  ^@B
process_handle: 0x00004be0
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 324 called NtSetContextThread to modify thread in remote process 1872
Time & API Arguments Status Return Repeated
1619610672.75
NtSetContextThread
thread_handle: 0x00008e6c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4486302
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1872
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 324 resumed a thread in remote process 1872
Time & API Arguments Status Return Repeated
1619610672.812
NtResumeThread
thread_handle: 0x00008e6c
suspend_count: 1
process_identifier: 1872
success 0 0
Executed a process and injected code into it, probably while unpacking (19 个事件)
Time & API Arguments Status Return Repeated
1619610599.891
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 324
success 0 0
1619610599.891
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 324
success 0 0
1619610599.906
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 324
success 0 0
1619610646.781
NtResumeThread
thread_handle: 0x00000864
suspend_count: 1
process_identifier: 324
success 0 0
1619610646.797
NtResumeThread
thread_handle: 0x0000b5e8
suspend_count: 1
process_identifier: 324
success 0 0
1619610660.672
CreateProcessInternalW
thread_identifier: 2412
thread_handle: 0x0000fb5c
process_identifier: 2824
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QJqicKAYtcmjB" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5CCC.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00010b2c
inherit_handles: 0
success 1 0
1619610672.719
CreateProcessInternalW
thread_identifier: 1876
thread_handle: 0x00008e6c
process_identifier: 1872
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00004be0
inherit_handles: 0
success 1 0
1619610672.734
NtGetContextThread
thread_handle: 0x00008e6c
success 0 0
1619610672.734
NtAllocateVirtualMemory
process_identifier: 1872
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00004be0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619610672.734
WriteProcessMemory
process_identifier: 1872
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL½´"_à  Vžt €@ À@…DtW€À   H.text¤T V `.rsrcÀ€X@@.reloc  ^@B
process_handle: 0x00004be0
base_address: 0x00400000
success 1 0
1619610672.734
WriteProcessMemory
process_identifier: 1872
buffer:
process_handle: 0x00004be0
base_address: 0x00402000
success 1 0
1619610672.75
WriteProcessMemory
process_identifier: 1872
buffer:  €P€8€€h€ €4ԃê44VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°”StringFileInfop000004b0 CommentsHi(CompanyNameHi0FileDescriptionHi,FileVersion1.4.8`InternalNamebZyhSGIBFekodKJBtyKjdSdpIg.exe,LegalCopyrightHi0LegalTrademarksHihOriginalFilenamebZyhSGIBFekodKJBtyKjdSdpIg.exe(ProductNameHi0ProductVersion1.4.88Assembly Version1.4.8.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00004be0
base_address: 0x00448000
success 1 0
1619610672.75
WriteProcessMemory
process_identifier: 1872
buffer: p  4
process_handle: 0x00004be0
base_address: 0x0044a000
success 1 0
1619610672.75
WriteProcessMemory
process_identifier: 1872
buffer: @
process_handle: 0x00004be0
base_address: 0x7efde008
success 1 0
1619610672.75
NtSetContextThread
thread_handle: 0x00008e6c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4486302
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1872
success 0 0
1619610672.812
NtResumeThread
thread_handle: 0x00008e6c
suspend_count: 1
process_identifier: 1872
success 0 0
1619619757.11575
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1872
success 0 0
1619619757.11575
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1872
success 0 0
1619619757.13175
NtResumeThread
thread_handle: 0x00000194
suspend_count: 1
process_identifier: 1872
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34291714
CAT-QuickHeal Trojan.IGENERIC
Qihoo-360 Generic/Trojan.21a
ALYac Trojan.GenericKD.34291714
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056bf4c1 )
Alibaba Trojan:MSIL/AgentTesla.b758f957
K7GW Trojan ( 0056bf4c1 )
Cybereason malicious.5d5034
Arcabit Trojan.Generic.D20B4002
TrendMicro TrojanSpy.MSIL.NEGASTEAL.DYSGXX
Cyren W32/MSIL_Kryptik.BHO.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.XFJ
APEX Malicious
Avast Win32:RansomX-gen [Ransom]
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKD.34291714
NANO-Antivirus Trojan.Win32.Crypt.hqowqu
Paloalto generic.ml
AegisLab Trojan.MSIL.Crypt.4!c
Tencent Msil.Trojan.Crypt.Wlyu
Ad-Aware Trojan.GenericKD.34291714
Sophos Mal/Generic-S
Comodo .UnclassifiedMalware@0
F-Secure Heuristic.HEUR/AGEN.1137288
DrWeb BackDoor.SpyBotNET.25
Zillya Trojan.Kryptik.Win32.2340605
FireEye Generic.mg.65103c593e0fd6ed
Emsisoft Trojan.GenericKD.34291714 (B)
SentinelOne DFI - Malicious PE
Avira HEUR/AGEN.1137288
MAX malware (ai score=89)
Antiy-AVL GrayWare/Win32.VKontakteDJ.a
Microsoft Trojan:MSIL/AgentTesla.G!MTB
ViRobot Trojan.Win32.Z.Agent.639488.OH
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
GData Trojan.GenericKD.34291714
Cynet Malicious (score: 90)
AhnLab-V3 Trojan/Win32.Infostealer.R346969
McAfee Fareit-FXO!65103C593E0F
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
TrendMicro-HouseCall TrojanSpy.MSIL.NEGASTEAL.DYSGXX
Rising Trojan.AgentTesla!8.104D5 (CLOUD)
Ikarus Trojan-Spy.MassLogger
eGambit Unsafe.AI_Score_99%
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.160.110:443
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-05 00:32:20

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49195 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49196 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49194 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49193 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619590816&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619590816&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=4c12f6edf428216a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619590576&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=4c12f6edf428216a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619590576&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.