15.6
0-day

1fb56d650a87fbd1ed57929b7127488d189804096a033af3dfa22936662d2ea0

66adf8101a8b0c72644680476997e373.exe

Analysis duration

84s

Latest analysis

File size

540.5KB
Static detection Dynamic detection 100% AGENTTESLA AI SCORE=81 CONFIDENCE CRYPTERX ELDORADO FSJJ GDSDA GENERICKD GTHMAUTPYJK HIGH CONFIDENCE HKLCQG KBBXS KCLOUD KRYPT KRYPTIK MALWARE@#CWS17DRSOH30 NANOBOT R06EC0DIA20 R337637 REMCOS S + TROJ SCORE SIGGEN SPYBOTNET STATIC AI STEALE SUSPICIOUS PE TSCOPE UNSAFE WPTT YAKBEEXMSIL
Eagle Eye engine
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine Result Scan time Version
Alibaba TrojanSpy:MSIL/AgentTesla.6a65c4cd 20190527 0.3.0.5
Avast Win32:CrypterX-gen [Trj] 20201210 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft Win32.Hack.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Trojan-FSJJ!66ADF8101A8B 20201211 6.0.6.653
Tencent Msil.Backdoor.Nanobot.Wptt 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (6 events)
Time & API Arguments Status Return Repeated
1619610638.968875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619635361.612625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619635381.9875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619635382.5185
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619635384.4095
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619635384.7065
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 events)
Time & API Arguments Status Return Repeated
1619610635.015875
IsDebuggerPresent
failed 0 0
1619610635.015875
IsDebuggerPresent
failed 0 0
1619635367.7845
IsDebuggerPresent
failed 0 0
1619635367.7845
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619635365.956625
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\PIFBiDZfh"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619610635.015875
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619635384.3785
__exception__
stacktrace:
0xce0415
0x48bf258
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4123992
registers.edi: 590401673
registers.eax: 0
registers.ebp: 4124040
registers.edx: 8
registers.ebx: 0
registers.esi: 42927792
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 b8 8b a9 a7 c7 e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xce3b93
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)
Time & API Arguments Status Return Repeated
1619610633.999875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00570000
success 0 0
1619610633.999875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b0000
success 0 0
1619610634.718875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a40000
success 0 0
1619610634.718875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ad0000
success 0 0
1619610634.749875
NtProtectVirtualMemory
process_identifier: 708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619610635.015875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00b10000
success 0 0
1619610635.015875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c90000
success 0 0
1619610635.015875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052a000
success 0 0
1619610635.015875
NtProtectVirtualMemory
process_identifier: 708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619610635.015875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00522000
success 0 0
1619610635.234875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00572000
success 0 0
1619610635.359875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00595000
success 0 0
1619610635.374875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059b000
success 0 0
1619610635.374875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00597000
success 0 0
1619610635.499875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00573000
success 0 0
1619610635.531875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0057c000
success 0 0
1619610636.312875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00574000
success 0 0
1619610636.327875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00576000
success 0 0
1619610636.452875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a40000
success 0 0
1619610636.624875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058a000
success 0 0
1619610636.624875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00587000
success 0 0
1619610636.749875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00586000
success 0 0
1619610636.796875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a41000
success 0 0
1619610637.109875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00577000
success 0 0
1619610637.109875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00578000
success 0 0
1619610637.781875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a44000
success 0 0
1619610637.781875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00579000
success 0 0
1619610637.781875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f90000
success 0 0
1619610637.812875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c91000
success 0 0
1619610637.827875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c92000
success 0 0
1619610637.843875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c93000
success 0 0
1619610637.843875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c94000
success 0 0
1619610637.843875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c95000
success 0 0
1619610637.843875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c96000
success 0 0
1619610637.843875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c99000
success 0 0
1619610637.843875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c9d000
success 0 0
1619610637.843875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00cae000
success 0 0
1619610637.952875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a45000
success 0 0
1619610637.952875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00cb1000
success 0 0
1619610637.999875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00cb2000
success 0 0
1619610637.999875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f91000
success 0 0
1619610637.999875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a46000
success 0 0
1619610638.062875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a47000
success 0 0
1619610638.281875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f92000
success 0 0
1619610638.281875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f93000
success 0 0
1619610638.281875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f94000
success 0 0
1619610638.281875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0057d000
success 0 0
1619610638.296875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f95000
success 0 0
1619610638.296875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a48000
success 0 0
1619610638.327875
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f96000
success 0 0
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\PIFBiDZfh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA95A.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIFBiDZfh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA95A.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619610646.406875
ShellExecuteExW
parameters: /Create /TN "Updates\PIFBiDZfh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA95A.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.945255706080188 section {'size_of_data': '0x00086600', 'virtual_address': '0x00002000', 'entropy': 7.945255706080188, 'name': '.text', 'virtual_size': '0x00086578'} description A section with a high entropy has been found
entropy 0.9953703703703703 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619635368.4095
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 events)
Time & API Arguments Status Return Repeated
1619635381.6595
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 708
process_handle: 0x00000234
failed 0 0
1619635381.6595
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 708
process_handle: 0x00000234
failed 3221225738 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\PIFBiDZfh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA95A.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIFBiDZfh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA95A.tmp"
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619610652.624875
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000042c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task. (1 event)
description 66adf8101a8b0c72644680476997e373.exe tried to sleep 2728186 seconds, actually delayed analysis time by 2728186 seconds
Checks the version of Bios, possibly for anti-virtualization (2 events)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Detects virtualization software with SCSI Disk Identifier trick(s) (1 event)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA95A.tmp
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELm ¹^à  °îÎ à@  @…”ÎWà  H.textô® ° `.rsrcà²@@.reloc ¸@B
process_handle: 0x0000042c
base_address: 0x00400000
success 1 0
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer:  €P€8€€h€ à|ãê|4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNameHCJIxQlaKFuTCLcSkxeH.exe(LegalCopyright \OriginalFilenameHCJIxQlaKFuTCLcSkxeH.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000042c
base_address: 0x0044e000
success 1 0
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer: À ð>
process_handle: 0x0000042c
base_address: 0x00450000
success 1 0
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer: @
process_handle: 0x0000042c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELm ¹^à  °îÎ à@  @…”ÎWà  H.textô® ° `.rsrcà²@@.reloc ¸@B
process_handle: 0x0000042c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 708 called NtSetContextThread to modify thread in remote process 2636
Time & API Arguments Status Return Repeated
1619610652.624875
NtSetContextThread
thread_handle: 0x00000430
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4509422
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2636
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 708 resumed a thread in remote process 2636
Time & API Arguments Status Return Repeated
1619610652.656875
NtResumeThread
thread_handle: 0x00000430
suspend_count: 1
process_identifier: 2636
success 0 0
Detects VirtualBox through the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
Detects VMWare through the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Detects the presence of Wine emulator (1 event)
Time & API Arguments Status Return Repeated
1619610638.327875
LdrGetProcedureAddress
ordinal: 0
module: KERNEL32
module_address: 0x76340000
function_address: 0x002cd8bc
function_name: wine_get_unix_file_name
failed 3221225785 0
Executed a process and injected code into it, probably while unpacking (27 events)
Time & API Arguments Status Return Repeated
1619610635.015875
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 708
success 0 0
1619610635.015875
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 708
success 0 0
1619610635.031875
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 708
success 0 0
1619610638.343875
NtResumeThread
thread_handle: 0x00000268
suspend_count: 1
process_identifier: 708
success 0 0
1619610638.702875
NtResumeThread
thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 708
success 0 0
1619610646.406875
CreateProcessInternalW
thread_identifier: 2964
thread_handle: 0x0000043c
process_identifier: 2604
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PIFBiDZfh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA95A.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000474
inherit_handles: 0
success 1 0
1619610652.624875
CreateProcessInternalW
thread_identifier: 2536
thread_handle: 0x00000430
process_identifier: 2636
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\66adf8101a8b0c72644680476997e373.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\66adf8101a8b0c72644680476997e373.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000042c
inherit_handles: 0
success 1 0
1619610652.624875
NtGetContextThread
thread_handle: 0x00000430
success 0 0
1619610652.624875
NtAllocateVirtualMemory
process_identifier: 2636
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000042c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELm ¹^à  °îÎ à@  @…”ÎWà  H.textô® ° `.rsrcà²@@.reloc ¸@B
process_handle: 0x0000042c
base_address: 0x00400000
success 1 0
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer:
process_handle: 0x0000042c
base_address: 0x00402000
success 1 0
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer:  €P€8€€h€ à|ãê|4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNameHCJIxQlaKFuTCLcSkxeH.exe(LegalCopyright \OriginalFilenameHCJIxQlaKFuTCLcSkxeH.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000042c
base_address: 0x0044e000
success 1 0
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer: À ð>
process_handle: 0x0000042c
base_address: 0x00450000
success 1 0
1619610652.624875
WriteProcessMemory
process_identifier: 2636
buffer: @
process_handle: 0x0000042c
base_address: 0x7efde008
success 1 0
1619610652.624875
NtSetContextThread
thread_handle: 0x00000430
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4509422
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2636
success 0 0
1619610652.656875
NtResumeThread
thread_handle: 0x00000430
suspend_count: 1
process_identifier: 2636
success 0 0
1619610652.656875
NtResumeThread
thread_handle: 0x00000450
suspend_count: 1
process_identifier: 708
success 0 0
1619610652.968875
NtGetContextThread
thread_handle: 0x00000450
success 0 0
1619610652.968875
NtGetContextThread
thread_handle: 0x00000450
success 0 0
1619610652.968875
NtResumeThread
thread_handle: 0x00000450
suspend_count: 1
process_identifier: 708
success 0 0
1619635367.7845
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2636
success 0 0
1619635367.7845
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2636
success 0 0
1619635367.8005
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 2636
success 0 0
1619635382.4565
NtResumeThread
thread_handle: 0x000002e4
suspend_count: 1
process_identifier: 2636
success 0 0
1619635382.5035
NtResumeThread
thread_handle: 0x00000314
suspend_count: 1
process_identifier: 2636
success 0 0
1619635384.4095
NtResumeThread
thread_handle: 0x00000370
suspend_count: 1
process_identifier: 2636
success 0 0
1619635390.7065
NtResumeThread
thread_handle: 0x000003bc
suspend_count: 1
process_identifier: 2636
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)
Elastic malicious (high confidence)
DrWeb BackDoor.SpyBotNET.17
MicroWorld-eScan Trojan.GenericKD.33879339
FireEye Trojan.GenericKD.33879339
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Trojan.GenericKD.33879339
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2036222
Sangfor Malware
K7AntiVirus Trojan ( 005672541 )
Alibaba TrojanSpy:MSIL/AgentTesla.6a65c4cd
K7GW Trojan ( 005672541 )
Arcabit Trojan.Generic.D204F52B
Cyren W32/MSIL_Kryptik.ASY.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:CrypterX-gen [Trj]
Kaspersky HEUR:Backdoor.MSIL.NanoBot.gen
BitDefender Trojan.GenericKD.33879339
NANO-Antivirus Trojan.Win32.SpyBotNET.hklcqg
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.33879339
Emsisoft Trojan.GenericKD.33879339 (B)
Comodo Malware@#cws17drsoh30
F-Secure Trojan.TR/AD.AgentTesla.kbbxs
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Sophos Mal/Generic-S + Troj/Steale-WO
Ikarus Trojan.MSIL.Krypt
Webroot W32.Trojan.Gen
Avira TR/AD.AgentTesla.kbbxs
MAX malware (ai score=81)
Antiy-AVL Trojan[Backdoor]/MSIL.NanoBot
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft TrojanSpy:MSIL/AgentTesla.SA!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Backdoor.MSIL.NanoBot.gen
GData Trojan.GenericKD.33879339
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R337637
McAfee Trojan-FSJJ!66ADF8101A8B
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.VZW
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Tencent Msil.Backdoor.Nanobot.Wptt
Yandex Trojan.Kryptik!GtHmAutpyjk
SentinelOne Static AI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample.
Runtime screenshots
No screenshots: none were captured while this sample ran.


PE Compile Time

2020-05-21 09:36:27

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.