15.2
0-day
58 个模型检测该样本为恶意!
重新分析
更多

9c76803cb5acd81ad611eed2bc4daa50f1a4e27cd2cea75e40f0d5011047e2a9

6c7b002d23f38600926eba53eb0126cf.exe

分析耗时

92s

最近分析

文件大小

629.0KB
静态报毒 动态报毒 AGEN AI SCORE=88 AIDETECTVM ALI2000015 BTONON CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS ELXR EMHC FAREIT GENERICKDZ GENETIC HIGH CONFIDENCE HKSAEC IGENT KRYPTIK MALWARE1 MARIA NGW@AC2ZHPLI R + MAL R06EC0DIA20 SCH@8T5MJ8 SCORE STATIC AI SUSPICIOUS PE TSCOPE UNSAFE WACATAC WQXF X2066 XUHF ZELPHIF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Tencent Win32.Trojan.Kryptik.Wqxf 20201228 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20201228 2017.9.26.565
McAfee Fareit-FTB!6C7B002D23F3 20201228 6.0.6.653
Avast Win32:Trojan-gen 20201228 21.1.5827.0
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Command line console output was observed (4 个事件)
Time & API Arguments Status Return Repeated
1619608677.257626
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619608675.444001
WriteConsoleW
buffer: 操作成功完成。
console_handle: 0x00000007
success 1 0
1619608689.365751
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619608687.194374
WriteConsoleW
buffer: 操作成功完成。
console_handle: 0x00000007
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (10 个事件)
Time & API Arguments Status Return Repeated
1619608690.304626
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1571056
registers.edi: 0
registers.eax: 1571256
registers.ebp: 1571196
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608695.304626
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1833972
registers.edi: 0
registers.eax: 1834172
registers.ebp: 1834112
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608701.038374
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1441384
registers.edi: 0
registers.eax: 1441584
registers.ebp: 1441524
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608705.116626
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2816560
registers.edi: 0
registers.eax: 2816760
registers.ebp: 2816700
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608710.991124
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 850220
registers.edi: 0
registers.eax: 850420
registers.ebp: 850360
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608717.240751
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1899896
registers.edi: 0
registers.eax: 1900096
registers.ebp: 1900036
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608721.913374
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1702832
registers.edi: 0
registers.eax: 1703032
registers.ebp: 1702972
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608727.303876
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1310112
registers.edi: 0
registers.eax: 1310312
registers.ebp: 1310252
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608735.710124
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2816912
registers.edi: 0
registers.eax: 2817112
registers.ebp: 2817052
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
1619608741.554001
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2620100
registers.edi: 0
registers.eax: 2620300
registers.ebp: 2620240
registers.edx: 4274820
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: add byte ptr [eax], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1761a
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (36 个事件)
Time & API Arguments Status Return Repeated
1619608671.865751
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619608672.037751
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608672.037751
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01eb0000
success 0 0
1619608681.288374
NtAllocateVirtualMemory
process_identifier: 3296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619608681.710374
NtProtectVirtualMemory
process_identifier: 3296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608681.726374
NtAllocateVirtualMemory
process_identifier: 3296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00670000
success 0 0
1619608687.757249
NtAllocateVirtualMemory
process_identifier: 3516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a0000
success 0 0
1619608687.788249
NtProtectVirtualMemory
process_identifier: 3516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608687.819249
NtAllocateVirtualMemory
process_identifier: 3516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00980000
success 0 0
1619608694.069374
NtAllocateVirtualMemory
process_identifier: 3832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b0000
success 0 0
1619608694.085374
NtProtectVirtualMemory
process_identifier: 3832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608694.101374
NtAllocateVirtualMemory
process_identifier: 3832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00340000
success 0 0
1619608699.757626
NtAllocateVirtualMemory
process_identifier: 4032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b0000
success 0 0
1619608699.804626
NtProtectVirtualMemory
process_identifier: 4032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608699.819626
NtAllocateVirtualMemory
process_identifier: 4032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00550000
success 0 0
1619608704.132249
NtAllocateVirtualMemory
process_identifier: 1464
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c0000
success 0 0
1619608704.148249
NtProtectVirtualMemory
process_identifier: 1464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608704.148249
NtAllocateVirtualMemory
process_identifier: 1464
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619608708.835626
NtAllocateVirtualMemory
process_identifier: 3672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c0000
success 0 0
1619608708.835626
NtProtectVirtualMemory
process_identifier: 3672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608708.835626
NtAllocateVirtualMemory
process_identifier: 3672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00340000
success 0 0
1619608714.773124
NtAllocateVirtualMemory
process_identifier: 3684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00330000
success 0 0
1619608714.804124
NtProtectVirtualMemory
process_identifier: 3684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608714.819124
NtAllocateVirtualMemory
process_identifier: 3684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003b0000
success 0 0
1619608720.757249
NtAllocateVirtualMemory
process_identifier: 4048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a0000
success 0 0
1619608720.773249
NtProtectVirtualMemory
process_identifier: 4048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608720.773249
NtAllocateVirtualMemory
process_identifier: 4048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003e0000
success 0 0
1619608726.194001
NtAllocateVirtualMemory
process_identifier: 3464
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00660000
success 0 0
1619608726.194001
NtProtectVirtualMemory
process_identifier: 3464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608726.194001
NtAllocateVirtualMemory
process_identifier: 3464
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008c0000
success 0 0
1619608733.084751
NtAllocateVirtualMemory
process_identifier: 3124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00340000
success 0 0
1619608733.100751
NtProtectVirtualMemory
process_identifier: 3124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608733.115751
NtAllocateVirtualMemory
process_identifier: 3124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005b0000
success 0 0
1619608739.366374
NtAllocateVirtualMemory
process_identifier: 4088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00260000
success 0 0
1619608739.382374
NtProtectVirtualMemory
process_identifier: 4088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619608739.413374
NtAllocateVirtualMemory
process_identifier: 4088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004d0000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description xls.exe tried to sleep 135 seconds, actually delayed analysis time by 135 seconds
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
cmdline C:\Windows\SysWOW64\svchost.exe
Drops a binary and executes it (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
A process created a hidden window (4 个事件)
Time & API Arguments Status Return Repeated
1619608674.318876
CreateProcessInternalW
thread_identifier: 472
thread_handle: 0x000000bc
process_identifier: 1108
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000b8
inherit_handles: 0
success 1 0
1619608675.584876
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
show_type: 0
success 1 0
1619608680.069001
ShellExecuteExW
parameters: /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
filepath: cmd
filepath_r: cmd
show_type: 0
success 1 0
1619608685.601124
CreateProcessInternalW
thread_identifier: 3456
thread_handle: 0x000000bc
process_identifier: 3452
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000b8
inherit_handles: 0
success 1 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (22 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.2271522532080406 section {'size_of_data': '0x0002da00', 'virtual_address': '0x00075000', 'entropy': 7.2271522532080406, 'name': '.rsrc', 'virtual_size': '0x0002d85c'} description A section with a high entropy has been found
entropy 0.2906050955414013 description Overall entropy of this PE file is high
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (10 个事件)
Time & API Arguments Status Return Repeated
1619608672.053751
Process32NextW
process_name: 6c7b002d23f38600926eba53eb0126cf.exe
snapshot_handle: 0x000000f8
process_identifier: 580
failed 0 0
1619608694.116374
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 3832
failed 0 0
1619608699.819626
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 4032
failed 0 0
1619608704.163249
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 1464
failed 0 0
1619608708.851626
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 3672
failed 0 0
1619608714.835124
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 3684
failed 0 0
1619608720.773249
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 4048
failed 0 0
1619608726.210001
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 3464
failed 0 0
1619608733.147751
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 3124
failed 0 0
1619608739.444374
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000000d0
process_identifier: 4088
failed 0 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmdline /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 188.72.124.143
host 208.109.25.159
Allocates execute permission to another process indicative of possible code injection (10 个事件)
Time & API Arguments Status Return Repeated
1619608686.319124
NtAllocateVirtualMemory
process_identifier: 3516
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608692.929124
NtAllocateVirtualMemory
process_identifier: 3832
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608698.648124
NtAllocateVirtualMemory
process_identifier: 4032
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001d8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608703.132124
NtAllocateVirtualMemory
process_identifier: 1464
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001dc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608707.819124
NtAllocateVirtualMemory
process_identifier: 3672
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608713.663124
NtAllocateVirtualMemory
process_identifier: 3684
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001ec
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608719.991124
NtAllocateVirtualMemory
process_identifier: 4048
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608725.023124
NtAllocateVirtualMemory
process_identifier: 3464
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000208
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608732.257124
NtAllocateVirtualMemory
process_identifier: 3124
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000020c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608738.663124
NtAllocateVirtualMemory
process_identifier: 4088
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000214
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Installs itself for autorun at Windows startup (21 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xls reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
Potential code injection by writing to the memory of another process (30 个事件)
Time & API Arguments Status Return Repeated
1619608686.319124
WriteProcessMemory
process_identifier: 3516
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001a8
base_address: 0x00400000
success 1 0
1619608686.366124
WriteProcessMemory
process_identifier: 3516
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001a8
base_address: 0x0046d000
success 1 0
1619608686.413124
WriteProcessMemory
process_identifier: 3516
buffer: @
process_handle: 0x000001a8
base_address: 0x7efde008
success 1 0
1619608692.929124
WriteProcessMemory
process_identifier: 3832
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001b8
base_address: 0x00400000
success 1 0
1619608692.944124
WriteProcessMemory
process_identifier: 3832
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001b8
base_address: 0x0046d000
success 1 0
1619608693.007124
WriteProcessMemory
process_identifier: 3832
buffer: @
process_handle: 0x000001b8
base_address: 0x7efde008
success 1 0
1619608698.648124
WriteProcessMemory
process_identifier: 4032
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001d8
base_address: 0x00400000
success 1 0
1619608698.679124
WriteProcessMemory
process_identifier: 4032
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001d8
base_address: 0x0046d000
success 1 0
1619608698.710124
WriteProcessMemory
process_identifier: 4032
buffer: @
process_handle: 0x000001d8
base_address: 0x7efde008
success 1 0
1619608703.132124
WriteProcessMemory
process_identifier: 1464
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001dc
base_address: 0x00400000
success 1 0
1619608703.163124
WriteProcessMemory
process_identifier: 1464
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001dc
base_address: 0x0046d000
success 1 0
1619608703.194124
WriteProcessMemory
process_identifier: 1464
buffer: @
process_handle: 0x000001dc
base_address: 0x7efde008
success 1 0
1619608707.819124
WriteProcessMemory
process_identifier: 3672
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001e4
base_address: 0x00400000
success 1 0
1619608707.913124
WriteProcessMemory
process_identifier: 3672
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001e4
base_address: 0x0046d000
success 1 0
1619608707.913124
WriteProcessMemory
process_identifier: 3672
buffer: @
process_handle: 0x000001e4
base_address: 0x7efde008
success 1 0
1619608713.663124
WriteProcessMemory
process_identifier: 3684
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001ec
base_address: 0x00400000
success 1 0
1619608713.710124
WriteProcessMemory
process_identifier: 3684
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001ec
base_address: 0x0046d000
success 1 0
1619608713.726124
WriteProcessMemory
process_identifier: 3684
buffer: @
process_handle: 0x000001ec
base_address: 0x7efde008
success 1 0
1619608719.991124
WriteProcessMemory
process_identifier: 4048
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001fc
base_address: 0x00400000
success 1 0
1619608720.038124
WriteProcessMemory
process_identifier: 4048
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001fc
base_address: 0x0046d000
success 1 0
1619608720.054124
WriteProcessMemory
process_identifier: 4048
buffer: @
process_handle: 0x000001fc
base_address: 0x7efde008
success 1 0
1619608725.023124
WriteProcessMemory
process_identifier: 3464
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x00000208
base_address: 0x00400000
success 1 0
1619608725.054124
WriteProcessMemory
process_identifier: 3464
buffer: ÀFÀFœ`FÐF
process_handle: 0x00000208
base_address: 0x0046d000
success 1 0
1619608725.069124
WriteProcessMemory
process_identifier: 3464
buffer: @
process_handle: 0x00000208
base_address: 0x7efde008
success 1 0
1619608732.257124
WriteProcessMemory
process_identifier: 3124
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x0000020c
base_address: 0x00400000
success 1 0
1619608732.319124
WriteProcessMemory
process_identifier: 3124
buffer: ÀFÀFœ`FÐF
process_handle: 0x0000020c
base_address: 0x0046d000
success 1 0
1619608732.335124
WriteProcessMemory
process_identifier: 3124
buffer: @
process_handle: 0x0000020c
base_address: 0x7efde008
success 1 0
1619608738.663124
WriteProcessMemory
process_identifier: 4088
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x00000214
base_address: 0x00400000
success 1 0
1619608738.741124
WriteProcessMemory
process_identifier: 4088
buffer: ÀFÀFœ`FÐF
process_handle: 0x00000214
base_address: 0x0046d000
success 1 0
1619608738.773124
WriteProcessMemory
process_identifier: 4088
buffer: @
process_handle: 0x00000214
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (10 个事件)
Time & API Arguments Status Return Repeated
1619608686.319124
WriteProcessMemory
process_identifier: 3516
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001a8
base_address: 0x00400000
success 1 0
1619608692.929124
WriteProcessMemory
process_identifier: 3832
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001b8
base_address: 0x00400000
success 1 0
1619608698.648124
WriteProcessMemory
process_identifier: 4032
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001d8
base_address: 0x00400000
success 1 0
1619608703.132124
WriteProcessMemory
process_identifier: 1464
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001dc
base_address: 0x00400000
success 1 0
1619608707.819124
WriteProcessMemory
process_identifier: 3672
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001e4
base_address: 0x00400000
success 1 0
1619608713.663124
WriteProcessMemory
process_identifier: 3684
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001ec
base_address: 0x00400000
success 1 0
1619608719.991124
WriteProcessMemory
process_identifier: 4048
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001fc
base_address: 0x00400000
success 1 0
1619608725.023124
WriteProcessMemory
process_identifier: 3464
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x00000208
base_address: 0x00400000
success 1 0
1619608732.257124
WriteProcessMemory
process_identifier: 3124
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x0000020c
base_address: 0x00400000
success 1 0
1619608738.663124
WriteProcessMemory
process_identifier: 4088
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x00000214
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (44 个事件)
Process injection Process 580 called NtSetContextThread to modify thread in remote process 2764
Process injection Process 3296 called NtSetContextThread to modify thread in remote process 3344
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 3516
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 3832
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 4032
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 1464
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 3672
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 3684
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 4048
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 3464
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 3124
Process injection Process 3344 called NtSetContextThread to modify thread in remote process 4088
Process injection Process 3516 called NtSetContextThread to modify thread in remote process 3680
Process injection Process 3832 called NtSetContextThread to modify thread in remote process 3904
Process injection Process 4032 called NtSetContextThread to modify thread in remote process 3092
Process injection Process 1464 called NtSetContextThread to modify thread in remote process 3184
Process injection Process 3672 called NtSetContextThread to modify thread in remote process 3552
Process injection Process 3684 called NtSetContextThread to modify thread in remote process 3940
Process injection Process 4048 called NtSetContextThread to modify thread in remote process 2668
Process injection Process 3464 called NtSetContextThread to modify thread in remote process 3408
Process injection Process 3124 called NtSetContextThread to modify thread in remote process 3768
Process injection Process 4088 called NtSetContextThread to modify thread in remote process 3388
Time & API Arguments Status Return Repeated
1619608672.678751
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2764
success 0 0
1619608683.257374
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3344
success 0 0
1619608686.413124
NtSetContextThread
thread_handle: 0x000001ac
registers.eip: 2010382788
registers.esp: 1768704
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3516
success 0 0
1619608693.007124
NtSetContextThread
thread_handle: 0x000001b0
registers.eip: 2010382788
registers.esp: 1768444
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3832
success 0 0
1619608698.726124
NtSetContextThread
thread_handle: 0x000001bc
registers.eip: 2010382788
registers.esp: 588392
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4032
success 0 0
1619608703.194124
NtSetContextThread
thread_handle: 0x000001e0
registers.eip: 2010382788
registers.esp: 2030360
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1464
success 0 0
1619608707.913124
NtSetContextThread
thread_handle: 0x000001e8
registers.eip: 2010382788
registers.esp: 1964416
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3672
success 0 0
1619608713.741124
NtSetContextThread
thread_handle: 0x000001f0
registers.eip: 2010382788
registers.esp: 784900
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3684
success 0 0
1619608720.054124
NtSetContextThread
thread_handle: 0x00000118
registers.eip: 2010382788
registers.esp: 2031020
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4048
success 0 0
1619608725.069124
NtSetContextThread
thread_handle: 0x00000200
registers.eip: 2010382788
registers.esp: 2751216
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3464
success 0 0
1619608732.335124
NtSetContextThread
thread_handle: 0x00000210
registers.eip: 2010382788
registers.esp: 588488
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3124
success 0 0
1619608738.773124
NtSetContextThread
thread_handle: 0x00000218
registers.eip: 2010382788
registers.esp: 3078588
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4088
success 0 0
1619608688.632249
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3680
success 0 0
1619608694.585374
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3904
success 0 0
1619608700.351626
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3092
success 0 0
1619608704.460249
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3184
success 0 0
1619608709.101626
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3552
success 0 0
1619608715.226124
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3940
success 0 0
1619608720.991249
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2668
success 0 0
1619608726.366001
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3408
success 0 0
1619608733.490751
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3768
success 0 0
1619608740.007374
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3388
success 0 0
One or more non-safelisted processes were created (2 个事件)
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
Resumed a suspended thread in a remote process potentially indicative of process injection (44 个事件)
Process injection Process 580 resumed a thread in remote process 2764
Process injection Process 3296 resumed a thread in remote process 3344
Process injection Process 3344 resumed a thread in remote process 3516
Process injection Process 3344 resumed a thread in remote process 3832
Process injection Process 3344 resumed a thread in remote process 4032
Process injection Process 3344 resumed a thread in remote process 1464
Process injection Process 3344 resumed a thread in remote process 3672
Process injection Process 3344 resumed a thread in remote process 3684
Process injection Process 3344 resumed a thread in remote process 4048
Process injection Process 3344 resumed a thread in remote process 3464
Process injection Process 3344 resumed a thread in remote process 3124
Process injection Process 3344 resumed a thread in remote process 4088
Process injection Process 3516 resumed a thread in remote process 3680
Process injection Process 3832 resumed a thread in remote process 3904
Process injection Process 4032 resumed a thread in remote process 3092
Process injection Process 1464 resumed a thread in remote process 3184
Process injection Process 3672 resumed a thread in remote process 3552
Process injection Process 3684 resumed a thread in remote process 3940
Process injection Process 4048 resumed a thread in remote process 2668
Process injection Process 3464 resumed a thread in remote process 3408
Process injection Process 3124 resumed a thread in remote process 3768
Process injection Process 4088 resumed a thread in remote process 3388
Time & API Arguments Status Return Repeated
1619608673.272751
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2764
success 0 0
1619608684.944374
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3344
success 0 0
1619608687.366124
NtResumeThread
thread_handle: 0x000001ac
suspend_count: 1
process_identifier: 3516
success 0 0
1619608693.663124
NtResumeThread
thread_handle: 0x000001b0
suspend_count: 1
process_identifier: 3832
success 0 0
1619608699.273124
NtResumeThread
thread_handle: 0x000001bc
suspend_count: 1
process_identifier: 4032
success 0 0
1619608703.788124
NtResumeThread
thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 1464
success 0 0
1619608708.554124
NtResumeThread
thread_handle: 0x000001e8
suspend_count: 1
process_identifier: 3672
success 0 0
1619608714.335124
NtResumeThread
thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 3684
success 0 0
1619608720.460124
NtResumeThread
thread_handle: 0x00000118
suspend_count: 1
process_identifier: 4048
success 0 0
1619608725.976124
NtResumeThread
thread_handle: 0x00000200
suspend_count: 1
process_identifier: 3464
success 0 0
1619608732.773124
NtResumeThread
thread_handle: 0x00000210
suspend_count: 1
process_identifier: 3124
success 0 0
1619608739.038124
NtResumeThread
thread_handle: 0x00000218
suspend_count: 1
process_identifier: 4088
success 0 0
1619608690.069249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3680
success 0 0
1619608695.101374
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3904
success 0 0
1619608700.804626
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3092
success 0 0
1619608704.851249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3184
success 0 0
1619608710.804626
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3552
success 0 0
1619608717.069124
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3940
success 0 0
1619608721.726249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2668
success 0 0
1619608727.148001
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3408
success 0 0
1619608735.553751
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3768
success 0 0
1619608741.335374
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3388
success 0 0
Disables Windows Security features (1 个事件)
description attempts to disable user access control registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 188.72.124.143:2858
Executed a process and injected code into it, probably while unpacking (50 out of 230 个事件)
Time & API Arguments Status Return Repeated
1619608672.647751
CreateProcessInternalW
thread_identifier: 2244
thread_handle: 0x000000fc
process_identifier: 2764
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6c7b002d23f38600926eba53eb0126cf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619608672.647751
NtUnmapViewOfSection
process_identifier: 2764
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619608672.647751
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 2764
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619608672.678751
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619608672.678751
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2764
success 0 0
1619608673.272751
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2764
success 0 0
1619608674.318876
CreateProcessInternalW
thread_identifier: 472
thread_handle: 0x000000bc
process_identifier: 1108
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000b8
inherit_handles: 0
success 1 0
1619608674.975876
NtResumeThread
thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 2764
success 0 0
1619608675.568876
CreateProcessInternalW
thread_identifier: 284
thread_handle: 0x00000174
process_identifier: 2456
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000188
inherit_handles: 0
success 1 0
1619608675.148626
CreateProcessInternalW
thread_identifier: 2252
thread_handle: 0x00000080
process_identifier: 2632
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\reg.exe
track: 1
command_line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
filepath_r: C:\Windows\System32\reg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619608680.054001
CreateProcessInternalW
thread_identifier: 3212
thread_handle: 0x000002b4
process_identifier: 3208
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe"
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002f4
inherit_handles: 0
success 1 0
1619608680.662751
CreateProcessInternalW
thread_identifier: 3300
thread_handle: 0x00000080
process_identifier: 3296
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619608683.226374
CreateProcessInternalW
thread_identifier: 3348
thread_handle: 0x000000fc
process_identifier: 3344
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\xls.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619608683.226374
NtUnmapViewOfSection
process_identifier: 3344
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619608683.226374
NtMapViewOfSection
section_handle: 0x00000108
process_identifier: 3344
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619608683.257374
NtGetContextThread
thread_handle: 0x000000fc
success 0 0
1619608683.257374
NtSetContextThread
thread_handle: 0x000000fc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3344
success 0 0
1619608684.944374
NtResumeThread
thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 3344
success 0 0
1619608685.601124
CreateProcessInternalW
thread_identifier: 3456
thread_handle: 0x000000bc
process_identifier: 3452
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000b8
inherit_handles: 0
success 1 0
1619608686.319124
CreateProcessInternalW
thread_identifier: 3520
thread_handle: 0x000001ac
process_identifier: 3516
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001a8
inherit_handles: 0
success 1 0
1619608686.319124
NtGetContextThread
thread_handle: 0x000001ac
success 0 0
1619608686.319124
NtAllocateVirtualMemory
process_identifier: 3516
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608686.319124
WriteProcessMemory
process_identifier: 3516
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001a8
base_address: 0x00400000
success 1 0
1619608686.319124
WriteProcessMemory
process_identifier: 3516
buffer:
process_handle: 0x000001a8
base_address: 0x00401000
success 1 0
1619608686.366124
WriteProcessMemory
process_identifier: 3516
buffer:
process_handle: 0x000001a8
base_address: 0x00466000
success 1 0
1619608686.366124
WriteProcessMemory
process_identifier: 3516
buffer:
process_handle: 0x000001a8
base_address: 0x00468000
failed 0 0
1619608686.366124
WriteProcessMemory
process_identifier: 3516
buffer:
process_handle: 0x000001a8
base_address: 0x00469000
success 1 0
1619608686.366124
WriteProcessMemory
process_identifier: 3516
buffer:
process_handle: 0x000001a8
base_address: 0x0046c000
failed 0 0
1619608686.366124
WriteProcessMemory
process_identifier: 3516
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001a8
base_address: 0x0046d000
success 1 0
1619608686.366124
WriteProcessMemory
process_identifier: 3516
buffer:
process_handle: 0x000001a8
base_address: 0x0046e000
success 1 0
1619608686.366124
WriteProcessMemory
process_identifier: 3516
buffer:
process_handle: 0x000001a8
base_address: 0x00475000
success 1 0
1619608686.413124
WriteProcessMemory
process_identifier: 3516
buffer: @
process_handle: 0x000001a8
base_address: 0x7efde008
success 1 0
1619608686.413124
NtSetContextThread
thread_handle: 0x000001ac
registers.eip: 2010382788
registers.esp: 1768704
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3516
success 0 0
1619608687.366124
NtResumeThread
thread_handle: 0x000001ac
suspend_count: 1
process_identifier: 3516
success 0 0
1619608692.913124
CreateProcessInternalW
thread_identifier: 3836
thread_handle: 0x000001b0
process_identifier: 3832
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001b8
inherit_handles: 0
success 1 0
1619608692.929124
NtGetContextThread
thread_handle: 0x000001b0
success 0 0
1619608692.929124
NtAllocateVirtualMemory
process_identifier: 3832
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619608692.929124
WriteProcessMemory
process_identifier: 3832
buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ N‚À\`@0 @<"P\ØàmÐCODEMN `DATA¨`R@ÀBSSí €fÀ.idata<"$f@À.tlsÀŠÀ.rdataЊ@P.relocmànŒ@P.rsrc\ØPÚú@PÐt@P
process_handle: 0x000001b8
base_address: 0x00400000
success 1 0
1619608692.929124
WriteProcessMemory
process_identifier: 3832
buffer:
process_handle: 0x000001b8
base_address: 0x00401000
success 1 0
1619608692.944124
WriteProcessMemory
process_identifier: 3832
buffer:
process_handle: 0x000001b8
base_address: 0x00466000
success 1 0
1619608692.944124
WriteProcessMemory
process_identifier: 3832
buffer:
process_handle: 0x000001b8
base_address: 0x00468000
failed 0 0
1619608692.944124
WriteProcessMemory
process_identifier: 3832
buffer:
process_handle: 0x000001b8
base_address: 0x00469000
success 1 0
1619608692.944124
WriteProcessMemory
process_identifier: 3832
buffer:
process_handle: 0x000001b8
base_address: 0x0046c000
failed 0 0
1619608692.944124
WriteProcessMemory
process_identifier: 3832
buffer: ÀFÀFœ`FÐF
process_handle: 0x000001b8
base_address: 0x0046d000
success 1 0
1619608692.944124
WriteProcessMemory
process_identifier: 3832
buffer:
process_handle: 0x000001b8
base_address: 0x0046e000
success 1 0
1619608692.944124
WriteProcessMemory
process_identifier: 3832
buffer:
process_handle: 0x000001b8
base_address: 0x00475000
success 1 0
1619608693.007124
WriteProcessMemory
process_identifier: 3832
buffer: @
process_handle: 0x000001b8
base_address: 0x7efde008
success 1 0
1619608693.007124
NtSetContextThread
thread_handle: 0x000001b0
registers.eip: 2010382788
registers.esp: 1768444
registers.edi: 0
registers.eax: 4611264
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3832
success 0 0
1619608693.663124
NtResumeThread
thread_handle: 0x000001b0
suspend_count: 1
process_identifier: 3832
success 0 0
1619608698.648124
CreateProcessInternalW
thread_identifier: 4036
thread_handle: 0x000001bc
process_identifier: 4032
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001d8
inherit_handles: 0
success 1 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Maria.3
MicroWorld-eScan Trojan.GenericKDZ.67460
FireEye Generic.mg.6c7b002d23f38600
CAT-QuickHeal Trojan.Kryptik
ALYac Trojan.GenericKDZ.67460
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 0056739d1 )
BitDefender Trojan.GenericKDZ.67460
K7GW Trojan ( 0056739d1 )
Cybereason malicious.d23f38
BitDefenderTheta Gen:NN.ZelphiF.34700.NGW@aC2zhPli
Cyren W32/Injector.XUHF-9172
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
Alibaba Trojan:Win32/DelfInject.ali2000015
NANO-Antivirus Trojan.Win32.Maria.hksaec
Tencent Win32.Trojan.Kryptik.Wqxf
Ad-Aware Trojan.GenericKDZ.67460
Sophos Mal/Generic-R + Mal/Fareit-AA
Comodo TrojWare.Win32.Injector.SCH@8t5mj8
F-Secure Heuristic.HEUR/AGEN.1137421
TrendMicro TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition BehavesLike.Win32.Fareit.jh
Emsisoft Trojan.GenericKDZ.67460 (B)
Ikarus Trojan.Inject
Jiangmin Trojan.Kryptik.ayh
eGambit Unsafe.AI_Score_88%
Avira HEUR/AGEN.1137421
Antiy-AVL Trojan/Win32.Kryptik
Microsoft Trojan:Win32/DelfInject.B!MTB
Gridinsoft Trojan.Win32.Wacatac.ba!s1
Arcabit Trojan.Generic.D10784
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.GenericKDZ.67460
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious
McAfee Fareit-FTB!6C7B002D23F3
MAX malware (ai score=88)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
Panda Trj/Genetic.gen
Zoner Trojan.Win32.91359
ESET-NOD32 a variant of Win32/Injector.EMHC
TrendMicro-HouseCall TROJ_GEN.R06EC0DIA20
Rising Trojan.Kryptik!1.C71C (CLASSIC)
The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 个事件)
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\cmd.exe
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46913c VirtualFree
0x469140 VirtualAlloc
0x469144 LocalFree
0x469148 LocalAlloc
0x46914c GetVersion
0x469150 GetCurrentThreadId
0x46915c VirtualQuery
0x469160 WideCharToMultiByte
0x469164 MultiByteToWideChar
0x469168 lstrlenA
0x46916c lstrcpynA
0x469170 LoadLibraryExA
0x469174 GetThreadLocale
0x469178 GetStartupInfoA
0x46917c GetProcAddress
0x469180 GetModuleHandleA
0x469184 GetModuleFileNameA
0x469188 GetLocaleInfoA
0x46918c GetCommandLineA
0x469190 FreeLibrary
0x469194 FindFirstFileA
0x469198 FindClose
0x46919c ExitProcess
0x4691a0 WriteFile
0x4691a8 RtlUnwind
0x4691ac RaiseException
0x4691b0 GetStdHandle
Library user32.dll:
0x4691b8 GetKeyboardType
0x4691bc LoadStringA
0x4691c0 MessageBoxA
0x4691c4 CharNextA
Library advapi32.dll:
0x4691cc RegQueryValueExA
0x4691d0 RegOpenKeyExA
0x4691d4 RegCloseKey
Library oleaut32.dll:
0x4691dc SysFreeString
0x4691e0 SysReAllocStringLen
0x4691e4 SysAllocStringLen
Library kernel32.dll:
0x4691ec TlsSetValue
0x4691f0 TlsGetValue
0x4691f4 LocalAlloc
0x4691f8 GetModuleHandleA
Library advapi32.dll:
0x469200 RegQueryValueExA
0x469204 RegOpenKeyExA
0x469208 RegCloseKey
Library kernel32.dll:
0x469210 lstrcpyA
0x469214 WriteFile
0x46921c WaitForSingleObject
0x469220 VirtualQuery
0x469224 VirtualAlloc
0x469228 Sleep
0x46922c SizeofResource
0x469230 SetThreadLocale
0x469234 SetFilePointer
0x469238 SetEvent
0x46923c SetErrorMode
0x469240 SetEndOfFile
0x469244 ResetEvent
0x469248 ReadFile
0x46924c MulDiv
0x469250 LockResource
0x469254 LoadResource
0x469258 LoadLibraryA
0x469264 GlobalUnlock
0x469268 GlobalReAlloc
0x46926c GlobalHandle
0x469270 GlobalLock
0x469274 GlobalFree
0x469278 GlobalFindAtomA
0x46927c GlobalDeleteAtom
0x469280 GlobalAlloc
0x469284 GlobalAddAtomA
0x469288 GetVersionExA
0x46928c GetVersion
0x469290 GetTickCount
0x469294 GetThreadLocale
0x46929c GetSystemTime
0x4692a0 GetSystemInfo
0x4692a4 GetStringTypeExA
0x4692a8 GetStdHandle
0x4692ac GetProcAddress
0x4692b0 GetModuleHandleA
0x4692b4 GetModuleFileNameA
0x4692b8 GetLocaleInfoA
0x4692bc GetLocalTime
0x4692c0 GetLastError
0x4692c4 GetFullPathNameA
0x4692c8 GetFileAttributesA
0x4692cc GetDiskFreeSpaceA
0x4692d0 GetDateFormatA
0x4692d4 GetCurrentThreadId
0x4692d8 GetCurrentProcessId
0x4692dc GetCPInfo
0x4692e0 GetACP
0x4692e4 FreeResource
0x4692e8 InterlockedExchange
0x4692ec FreeLibrary
0x4692f0 FormatMessageA
0x4692f4 FindResourceA
0x4692f8 FindFirstFileA
0x4692fc FindClose
0x469308 ExitThread
0x46930c EnumCalendarInfoA
0x469318 CreateThread
0x46931c CreateFileA
0x469320 CreateEventA
0x469324 CompareStringA
0x469328 CloseHandle
Library version.dll:
0x469330 VerQueryValueA
0x469338 GetFileVersionInfoA
Library gdi32.dll:
0x469340 UnrealizeObject
0x469344 StretchBlt
0x469348 SetWindowOrgEx
0x46934c SetWinMetaFileBits
0x469350 SetViewportOrgEx
0x469354 SetTextColor
0x469358 SetStretchBltMode
0x46935c SetROP2
0x469360 SetPixel
0x469364 SetEnhMetaFileBits
0x469368 SetDIBColorTable
0x46936c SetBrushOrgEx
0x469370 SetBkMode
0x469374 SetBkColor
0x469378 SelectPalette
0x46937c SelectObject
0x469380 SelectClipRgn
0x469384 SelectClipPath
0x469388 SaveDC
0x46938c RestoreDC
0x469390 Rectangle
0x469394 RectVisible
0x469398 RealizePalette
0x46939c Polyline
0x4693a0 PlayEnhMetaFile
0x4693a4 PatBlt
0x4693a8 MoveToEx
0x4693ac MaskBlt
0x4693b0 LineTo
0x4693b4 IntersectClipRect
0x4693b8 GetWindowOrgEx
0x4693bc GetWinMetaFileBits
0x4693c0 GetTextMetricsA
0x4693cc GetStockObject
0x4693d0 GetPixel
0x4693d4 GetPaletteEntries
0x4693d8 GetObjectA
0x4693e4 GetEnhMetaFileBits
0x4693e8 GetDeviceCaps
0x4693ec GetDIBits
0x4693f0 GetDIBColorTable
0x4693f4 GetDCOrgEx
0x4693fc GetClipBox
0x469400 GetBrushOrgEx
0x469404 GetBitmapBits
0x469408 ExtTextOutA
0x46940c ExcludeClipRect
0x469410 DeleteObject
0x469414 DeleteEnhMetaFile
0x469418 DeleteDC
0x46941c CreateSolidBrush
0x469420 CreateRectRgn
0x469424 CreatePenIndirect
0x469428 CreatePalette
0x469430 CreateFontIndirectA
0x469434 CreateDIBitmap
0x469438 CreateDIBSection
0x46943c CreateCompatibleDC
0x469444 CreateBrushIndirect
0x469448 CreateBitmap
0x46944c CopyEnhMetaFileA
0x469450 BitBlt
Library user32.dll:
0x469458 CreateWindowExA
0x46945c WindowFromPoint
0x469460 WinHelpA
0x469464 WaitMessage
0x469468 UpdateWindow
0x46946c UnregisterClassA
0x469470 UnhookWindowsHookEx
0x469474 TranslateMessage
0x46947c TrackPopupMenu
0x469484 ShowWindow
0x469488 ShowScrollBar
0x46948c ShowOwnedPopups
0x469490 ShowCursor
0x469494 SetWindowsHookExA
0x469498 SetWindowTextA
0x46949c SetWindowPos
0x4694a0 SetWindowPlacement
0x4694a4 SetWindowLongA
0x4694a8 SetTimer
0x4694ac SetScrollRange
0x4694b0 SetScrollPos
0x4694b4 SetScrollInfo
0x4694b8 SetRect
0x4694bc SetPropA
0x4694c0 SetParent
0x4694c4 SetMenuItemInfoA
0x4694c8 SetMenu
0x4694cc SetForegroundWindow
0x4694d0 SetFocus
0x4694d4 SetCursor
0x4694d8 SetClassLongA
0x4694dc SetCapture
0x4694e0 SetActiveWindow
0x4694e4 SendMessageA
0x4694e8 ScrollWindow
0x4694ec ScreenToClient
0x4694f0 RemovePropA
0x4694f4 RemoveMenu
0x4694f8 ReleaseDC
0x4694fc ReleaseCapture
0x469508 RegisterClassA
0x46950c RedrawWindow
0x469510 PtInRect
0x469514 PostQuitMessage
0x469518 PostMessageA
0x46951c PeekMessageA
0x469520 OffsetRect
0x469524 OemToCharA
0x469528 MessageBoxA
0x46952c MapWindowPoints
0x469530 MapVirtualKeyA
0x469534 LoadStringA
0x469538 LoadKeyboardLayoutA
0x46953c LoadIconA
0x469540 LoadCursorA
0x469544 LoadBitmapA
0x469548 KillTimer
0x46954c IsZoomed
0x469550 IsWindowVisible
0x469554 IsWindowEnabled
0x469558 IsWindow
0x46955c IsRectEmpty
0x469560 IsIconic
0x469564 IsDialogMessageA
0x469568 IsChild
0x46956c InvalidateRect
0x469570 IntersectRect
0x469574 InsertMenuItemA
0x469578 InsertMenuA
0x46957c InflateRect
0x469584 GetWindowTextA
0x469588 GetWindowRect
0x46958c GetWindowPlacement
0x469590 GetWindowLongA
0x469594 GetWindowDC
0x469598 GetTopWindow
0x46959c GetSystemMetrics
0x4695a0 GetSystemMenu
0x4695a4 GetSysColorBrush
0x4695a8 GetSysColor
0x4695ac GetSubMenu
0x4695b0 GetScrollRange
0x4695b4 GetScrollPos
0x4695b8 GetScrollInfo
0x4695bc GetPropA
0x4695c0 GetParent
0x4695c4 GetWindow
0x4695c8 GetMenuStringA
0x4695cc GetMenuState
0x4695d0 GetMenuItemInfoA
0x4695d4 GetMenuItemID
0x4695d8 GetMenuItemCount
0x4695dc GetMenu
0x4695e0 GetLastActivePopup
0x4695e4 GetKeyboardState
0x4695ec GetKeyboardLayout
0x4695f0 GetKeyState
0x4695f4 GetKeyNameTextA
0x4695f8 GetIconInfo
0x4695fc GetForegroundWindow
0x469600 GetFocus
0x469604 GetDlgItem
0x469608 GetDesktopWindow
0x46960c GetDCEx
0x469610 GetDC
0x469614 GetCursorPos
0x469618 GetCursor
0x46961c GetClipboardData
0x469620 GetClientRect
0x469624 GetClassNameA
0x469628 GetClassInfoA
0x46962c GetCapture
0x469630 GetActiveWindow
0x469634 FrameRect
0x469638 FindWindowA
0x46963c FillRect
0x469640 EqualRect
0x469644 EnumWindows
0x469648 EnumThreadWindows
0x46964c EndPaint
0x469650 EnableWindow
0x469654 EnableScrollBar
0x469658 EnableMenuItem
0x46965c DrawTextA
0x469660 DrawMenuBar
0x469664 DrawIconEx
0x469668 DrawIcon
0x46966c DrawFrameControl
0x469670 DrawFocusRect
0x469674 DrawEdge
0x469678 DispatchMessageA
0x46967c DestroyWindow
0x469680 DestroyMenu
0x469684 DestroyIcon
0x469688 DestroyCursor
0x46968c DeleteMenu
0x469690 DefWindowProcA
0x469694 DefMDIChildProcA
0x469698 DefFrameProcA
0x46969c CreatePopupMenu
0x4696a0 CreateMenu
0x4696a4 CreateIcon
0x4696a8 ClientToScreen
0x4696ac CheckMenuItem
0x4696b0 CallWindowProcA
0x4696b4 CallNextHookEx
0x4696b8 BeginPaint
0x4696bc CharNextA
0x4696c0 CharLowerBuffA
0x4696c4 CharLowerA
0x4696c8 CharToOemA
0x4696cc AdjustWindowRectEx
Library kernel32.dll:
0x4696d8 Sleep
Library oleaut32.dll:
0x4696e0 SafeArrayPtrOfIndex
0x4696e4 SafeArrayGetUBound
0x4696e8 SafeArrayGetLBound
0x4696ec SafeArrayCreate
0x4696f0 VariantChangeType
0x4696f4 VariantCopy
0x4696f8 VariantClear
0x4696fc VariantInit
Library comctl32.dll:
0x46970c ImageList_Write
0x469710 ImageList_Read
0x469720 ImageList_DragMove
0x469724 ImageList_DragLeave
0x469728 ImageList_DragEnter
0x46972c ImageList_EndDrag
0x469730 ImageList_BeginDrag
0x469734 ImageList_Remove
0x469738 ImageList_DrawEx
0x46973c ImageList_Replace
0x469740 ImageList_Draw
0x469750 ImageList_Add
0x469758 ImageList_Destroy
0x46975c ImageList_Create
0x469760 InitCommonControls
Library comdlg32.dll:
0x469768 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
208.109.25.159 80 192.168.56.101 49178

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53238 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.