12.8
0-day

e0ff2d17640f73176f1f678d9ab6f453991d8f741a12a98abd0e0665d21cd7be

6ab17e0cbe77fe7fb4525961a977c132.exe

Analysis time

85s

Last analysis

File size

834.5KB
Static and dynamic detection tags: 0U0@AASHNJF AGENSLA AI SCORE=82 ATTRIBUTE BTVJK2 CONFIDENCE ELPQ GDSDA GENERIC PWS GENERICKD GENKRYPTIK HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HLCPQJ IGENT INJECT3 KRYPTIK MALICIOUS PE NEAEM NOON PASSWORDSTEALER PWSX QQPASS QQROB SCORE TROJANPSW UNSAFE WRQN ZEMSILF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results are available for this sample.
Static verdict
Antivirus engines

Engine        Result                                  Scan date   Engine version
McAfee        RDN/Generic PWS.y                       20200618    6.0.6.653
Alibaba       TrojanPSW:MSIL/Agensla.cb761285         20190527    0.3.0.5
Avast         Win32:PWSX-gen [Trj]                    20200618    18.4.3895.0
Tencent       Msil.Trojan-qqpass.Qqrob.Wrqn           20200618    1.0.0.1
Baidu         -                                       20190318    1.0.0.2
Kingsoft      -                                       20200618    2013.8.14.323
CrowdStrike   win/malicious_confidence_90% (W)        20190702    1.0
Static indicators
Queries for the computername (5 events)
Time & API Arguments Status Return Repeated
1619631627.361626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619631650.751124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619631652.829124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619631655.220124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619631655.329124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 events)
Time & API Arguments Status Return Repeated
1619631617.923249
IsDebuggerPresent
failed 0 0
1619631617.923249
IsDebuggerPresent
failed 0 0
1619631633.861124
IsDebuggerPresent
failed 0 0
1619631633.861124
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619631632.798626
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\FXfWbOg"。
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619631617.954249
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section .{ \x1fgr<k
section
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619631655.142124
__exception__
stacktrace:
0xb40245
0xeff188
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4123788
registers.edi: 107499452
registers.eax: 0
registers.ebp: 4123832
registers.edx: 8
registers.ebx: 0
registers.esi: 41215940
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 cb 93 9e 25 e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb439f3
success 0 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 138 events shown)
Time & API Arguments Status Return Repeated
1619631616.861249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00710000
success 0 0
1619631616.861249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00850000
success 0 0
1619631617.611249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00bb0000
success 0 0
1619631617.611249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d60000
success 0 0
1619631617.798249
NtProtectVirtualMemory
process_identifier: 2440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619631617.923249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619631617.923249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c0000
success 0 0
1619631617.939249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0051a000
success 0 0
1619631617.939249
NtProtectVirtualMemory
process_identifier: 2440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619631617.939249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00512000
success 0 0
1619631618.173249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00522000
success 0 0
1619631618.267249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00555000
success 0 0
1619631618.283249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055b000
success 0 0
1619631618.283249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619631618.408249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00523000
success 0 0
1619631618.454249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052c000
success 0 0
1619631618.548249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00780000
success 0 0
1619631618.954249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00524000
success 0 0
1619631619.017249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00781000
success 0 0
1619631619.111249
NtProtectVirtualMemory
process_identifier: 2440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 561152
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00fe2000
success 0 0
1619631623.564249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00782000
success 0 0
1619631623.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00525000
success 0 0
1619631623.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00783000
success 0 0
1619631623.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00784000
success 0 0
1619631623.642249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00785000
success 0 0
1619631623.642249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00786000
success 0 0
1619631623.829249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00787000
success 0 0
1619631624.189249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00526000
success 0 0
1619631624.220249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00528000
success 0 0
1619631624.345249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054a000
success 0 0
1619631624.345249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00547000
success 0 0
1619631624.454249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00788000
success 0 0
1619631624.736249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00546000
success 0 0
1619631624.736249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078d000
success 0 0
1619631624.736249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052a000
success 0 0
1619631624.751249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078e000
success 0 0
1619631624.954249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00529000
success 0 0
1619631624.970249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078f000
success 0 0
1619631625.267249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d61000
success 0 0
1619631625.376249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x045e0000
success 0 0
1619631625.454249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x045f0000
success 0 0
1619631625.564249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x045f1000
success 0 0
1619631625.564249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x045f2000
success 0 0
1619631625.579249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c1000
success 0 0
1619631625.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c2000
success 0 0
1619631625.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c3000
success 0 0
1619631625.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c4000
success 0 0
1619631625.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c5000
success 0 0
1619631625.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c9000
success 0 0
1619631625.595249
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005da000
success 0 0
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FXfWbOg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA2E2.tmp"
cmdline schtasks.exe /Create /TN "Updates\FXfWbOg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA2E2.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619631627.064249
ShellExecuteExW
parameters: /Create /TN "Updates\FXfWbOg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA2E2.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.999669111590749 section {'size_of_data': '0x00088200', 'virtual_address': '0x00002000', 'entropy': 7.999669111590749, 'name': '.{\r\\x1fgr<k', 'virtual_size': '0x000880dc'} description A section with a high entropy has been found
entropy 0.6532693461307738 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619631619.079249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619631635.283124
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 events)
Time & API Arguments Status Return Repeated
1619631650.517124
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2440
process_handle: 0x00000234
failed 0 0
1619631650.517124
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2440
process_handle: 0x00000234
failed 3221225738 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FXfWbOg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA2E2.tmp"
cmdline schtasks.exe /Create /TN "Updates\FXfWbOg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA2E2.tmp"
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 106.7.64.1
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619631633.595249
NtAllocateVirtualMemory
process_identifier: 2952
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000e8c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task (1 event)
description 6ab17e0cbe77fe7fb4525961a977c132.exe tried to sleep 2728184 seconds, actually delayed analysis time by 2728184 seconds
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA2E2.tmp
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619631633.595249
WriteProcessMemory
process_identifier: 2952
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷ûÐ^à  ª¾È à@  @…pÈKà   H.textĨ ª `.rsrc à¬@@.reloc ²@B
process_handle: 0x00000e8c
base_address: 0x00400000
success 1 0
1619631633.611249
WriteProcessMemory
process_identifier: 2952
buffer:  €P€8€€h€ à”4ãê”4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameUBSnoSFgPqRhSRvazcOyuYYZNY.exe(LegalCopyright hOriginalFilenameUBSnoSFgPqRhSRvazcOyuYYZNY.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000e8c
base_address: 0x0044e000
success 1 0
1619631633.611249
WriteProcessMemory
process_identifier: 2952
buffer: À À8
process_handle: 0x00000e8c
base_address: 0x00450000
success 1 0
1619631633.611249
WriteProcessMemory
process_identifier: 2952
buffer: @
process_handle: 0x00000e8c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619631633.595249
WriteProcessMemory
process_identifier: 2952
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷ûÐ^à  ª¾È à@  @…pÈKà   H.textĨ ª `.rsrc à¬@@.reloc ²@B
process_handle: 0x00000e8c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2440 called NtSetContextThread to modify thread in remote process 2952
Time & API Arguments Status Return Repeated
1619631633.611249
NtSetContextThread
thread_handle: 0x00002538
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4507838
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2952
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2440 resumed a thread in remote process 2952
Time & API Arguments Status Return Repeated
1619631633.673249
NtResumeThread
thread_handle: 0x00002538
suspend_count: 1
process_identifier: 2952
success 0 0
Executed a process and injected code into it, probably while unpacking (25 events)
Time & API Arguments Status Return Repeated
1619631617.923249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2440
success 0 0
1619631617.939249
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2440
success 0 0
1619631617.954249
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 2440
success 0 0
1619631627.064249
CreateProcessInternalW
thread_identifier: 1932
thread_handle: 0x0000714c
process_identifier: 1320
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FXfWbOg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpA2E2.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000585c
inherit_handles: 0
success 1 0
1619631633.595249
CreateProcessInternalW
thread_identifier: 364
thread_handle: 0x00002538
process_identifier: 2952
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6ab17e0cbe77fe7fb4525961a977c132.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6ab17e0cbe77fe7fb4525961a977c132.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000e8c
inherit_handles: 0
success 1 0
1619631633.595249
NtGetContextThread
thread_handle: 0x00002538
success 0 0
1619631633.595249
NtAllocateVirtualMemory
process_identifier: 2952
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000e8c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619631633.595249
WriteProcessMemory
process_identifier: 2952
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷ûÐ^à  ª¾È à@  @…pÈKà   H.textĨ ª `.rsrc à¬@@.reloc ²@B
process_handle: 0x00000e8c
base_address: 0x00400000
success 1 0
1619631633.595249
WriteProcessMemory
process_identifier: 2952
buffer:
process_handle: 0x00000e8c
base_address: 0x00402000
success 1 0
1619631633.611249
WriteProcessMemory
process_identifier: 2952
buffer:  €P€8€€h€ à”4ãê”4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameUBSnoSFgPqRhSRvazcOyuYYZNY.exe(LegalCopyright hOriginalFilenameUBSnoSFgPqRhSRvazcOyuYYZNY.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000e8c
base_address: 0x0044e000
success 1 0
1619631633.611249
WriteProcessMemory
process_identifier: 2952
buffer: À À8
process_handle: 0x00000e8c
base_address: 0x00450000
success 1 0
1619631633.611249
WriteProcessMemory
process_identifier: 2952
buffer: @
process_handle: 0x00000e8c
base_address: 0x7efde008
success 1 0
1619631633.611249
NtSetContextThread
thread_handle: 0x00002538
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4507838
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2952
success 0 0
1619631633.673249
NtResumeThread
thread_handle: 0x00002538
suspend_count: 1
process_identifier: 2952
success 0 0
1619631633.673249
NtResumeThread
thread_handle: 0x0000252c
suspend_count: 1
process_identifier: 2440
success 0 0
1619631634.236249
NtGetContextThread
thread_handle: 0x0000252c
success 0 0
1619631634.236249
NtGetContextThread
thread_handle: 0x0000252c
success 0 0
1619631634.236249
NtResumeThread
thread_handle: 0x0000252c
suspend_count: 1
process_identifier: 2440
success 0 0
1619631633.861124
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2952
success 0 0
1619631633.861124
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2952
success 0 0
1619631633.876124
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 2952
success 0 0
1619631652.095124
NtResumeThread
thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 2952
success 0 0
1619631652.329124
NtResumeThread
thread_handle: 0x00000310
suspend_count: 1
process_identifier: 2952
success 0 0
1619631655.220124
NtResumeThread
thread_handle: 0x00000368
suspend_count: 1
process_identifier: 2952
success 0 0
1619631661.329124
NtResumeThread
thread_handle: 0x000003b4
suspend_count: 1
process_identifier: 2952
success 0 0
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 of 51 events shown)
DrWeb Trojan.Inject3.40849
MicroWorld-eScan Trojan.GenericKD.33946885
FireEye Generic.mg.6ab17e0cbe77fe7f
CAT-QuickHeal Trojan.Multi
McAfee RDN/Generic PWS.y
Cylance Unsafe
K7AntiVirus Trojan ( 00567cf61 )
Alibaba TrojanPSW:MSIL/Agensla.cb761285
K7GW Trojan ( 00567cf61 )
Cybereason malicious.077449
Arcabit Trojan.Generic.D205FD05
Invincea heuristic
BitDefenderTheta Gen:NN.ZemsilF.34128.0u0@aaSHnjf
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall TrojanSpy.MSIL.NOON.SMA.hp
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33946885
NANO-Antivirus Trojan.Win32.Inject3.hlcpqj
Paloalto generic.ml
AegisLab Trojan.MSIL.Agensla.i!c
Tencent Msil.Trojan-qqpass.Qqrob.Wrqn
Endgame malicious (high confidence)
Emsisoft Trojan.GenericKD.33946885 (B)
F-Secure Trojan.TR/Kryptik.neaem
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.MSIL.NOON.SMA.hp
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Sophos Troj/MSIL-OUQ
SentinelOne DFI - Malicious PE
Webroot W32.Trojan.Msil.Noon.Sma
Avira TR/Kryptik.neaem
Antiy-AVL Trojan[PSW]/MSIL.Agensla
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33946885
Cynet Malicious (score: 100)
VBA32 CIL.HeapOverride.Heur
ALYac Trojan.GenericKD.33946885
MAX malware (ai score=82)
Ad-Aware Trojan.GenericKD.33946885
Malwarebytes Spyware.PasswordStealer.Generic
APEX Malicious
ESET-NOD32 a variant of MSIL/GenKryptik.ELPQ
Yandex Trojan.Igent.bTVjk2.14
Ikarus Trojan.MSIL.Agent
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/GenKryptik.ELPQ!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_90% (W)
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No screenshots: no screenshots were generated while this sample ran.


PE Compile Time

2020-06-01 17:13:38

Imports

Library mscoree.dll:
0x4d8000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source           Source port   Destination                       Destination port
192.168.56.101   49235         114.114.114.114                   53
192.168.56.101   50568         114.114.114.114                   53
192.168.56.101   55368         114.114.114.114                   53
192.168.56.101   56539         114.114.114.114                   53
192.168.56.101   58367         114.114.114.114                   53
192.168.56.101   63429         114.114.114.114                   53
192.168.56.101   137           192.168.56.255                    137
192.168.56.101   138           192.168.56.255                    138
192.168.56.101   123           20.189.79.72 (time.windows.com)   123
192.168.56.101   50002         224.0.0.252                       5355
192.168.56.101   50534         224.0.0.252                       5355
192.168.56.101   51963         224.0.0.252                       5355
192.168.56.101   53210         224.0.0.252                       5355
192.168.56.101   53657         224.0.0.252                       5355
192.168.56.101   56804         224.0.0.252                       5355
192.168.56.101   57756         224.0.0.252                       5355
192.168.56.101   57874         224.0.0.252                       5355
192.168.56.101   60384         224.0.0.252                       5355
192.168.56.101   62191         224.0.0.252                       5355
192.168.56.101   62912         224.0.0.252                       5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.