10.6
0-day

fc2c34e1dd5f692574ac306899b2accbe4af58749d8ba4bb50bff31713bfabcb

6c8668bc33c1b8144f0e1cf88f314966.exe

Analysis duration

92s

Latest analysis

File size

806.0KB
Static detection: malicious. Dynamic detection: malicious. 100% AI SCORE=83 CONFIDENCE ELDORADO EPVU FAREIT FVTN GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HRJBTU KRYPTIK MALICIOUS PE MALWARE@#2ZKDMB5R5E8PI MASSLOGGER PACKEDNET PWSX QLUA R347089 RDRLI SCORE SUSGEN UNSAFE YAKBEEXMSIL Z+EKT8+G
鹰眼 (Hawkeye) engine
Not detected: no 鹰眼 (Hawkeye) engine results are available for this sample.
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Fareit-FXH!6C8668BC33C1 20201025 6.0.6.653
Alibaba TrojanSpy:MSIL/Masslogger.3c95b24b 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201025 18.4.3895.0
Tencent 20201025 1.0.0.1
Kingsoft 20201025 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computer name (2 events)
Time & API Arguments Status Return Repeated
1619617083.056251
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619617092.493126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks whether the process is being debugged (30 events)
Time & API Arguments Status Return Repeated
1619617017.478251
IsDebuggerPresent
failed 0 0
1619617017.478251
IsDebuggerPresent
failed 0 0
1619617076.587251
IsDebuggerPresent
failed 0 0
1619617077.103251
IsDebuggerPresent
failed 0 0
1619617077.618251
IsDebuggerPresent
failed 0 0
1619617078.118251
IsDebuggerPresent
failed 0 0
1619617078.618251
IsDebuggerPresent
failed 0 0
1619617079.118251
IsDebuggerPresent
failed 0 0
1619617079.618251
IsDebuggerPresent
failed 0 0
1619617080.118251
IsDebuggerPresent
failed 0 0
1619617080.618251
IsDebuggerPresent
failed 0 0
1619617081.118251
IsDebuggerPresent
failed 0 0
1619617081.618251
IsDebuggerPresent
failed 0 0
1619617082.118251
IsDebuggerPresent
failed 0 0
1619617082.618251
IsDebuggerPresent
failed 0 0
1619617083.118251
IsDebuggerPresent
failed 0 0
1619617083.618251
IsDebuggerPresent
failed 0 0
1619617084.118251
IsDebuggerPresent
failed 0 0
1619617084.634251
IsDebuggerPresent
failed 0 0
1619617085.118251
IsDebuggerPresent
failed 0 0
1619617085.634251
IsDebuggerPresent
failed 0 0
1619617086.134251
IsDebuggerPresent
failed 0 0
1619617086.634251
IsDebuggerPresent
failed 0 0
1619617087.150251
IsDebuggerPresent
failed 0 0
1619617087.712251
IsDebuggerPresent
failed 0 0
1619617088.243251
IsDebuggerPresent
failed 0 0
1619617088.759251
IsDebuggerPresent
failed 0 0
1619617089.243251
IsDebuggerPresent
failed 0 0
1619617089.822126
IsDebuggerPresent
failed 0 0
1619617089.837126
IsDebuggerPresent
failed 0 0
Command-line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619617083.900251
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\wWWkClg"。
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1619617091.431126
CryptExportKey
crypto_handle: 0x0081f9a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619617091.431126
CryptExportKey
crypto_handle: 0x0081f9a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619617091.447126
CryptExportKey
crypto_handle: 0x0081f320
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have little memory available (1 event)
Time & API Arguments Status Return Repeated
1619617017.540251
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 173 events)
Time & API Arguments Status Return Repeated
1619617016.603251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00650000
success 0 0
1619617016.603251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006a0000
success 0 0
1619617016.978251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02040000
success 0 0
1619617016.978251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x021e0000
success 0 0
1619617017.181251
NtProtectVirtualMemory
process_identifier: 2308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619617017.478251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006e0000
success 0 0
1619617017.478251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00730000
success 0 0
1619617017.478251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ea000
success 0 0
1619617017.493251
NtProtectVirtualMemory
process_identifier: 2308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619617017.493251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e2000
success 0 0
1619617017.884251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f2000
success 0 0
1619617018.103251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00665000
success 0 0
1619617018.103251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0066b000
success 0 0
1619617018.103251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00667000
success 0 0
1619617018.290251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f3000
success 0 0
1619617018.384251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005fc000
success 0 0
1619617019.353251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f4000
success 0 0
1619617019.368251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f6000
success 0 0
1619617019.478251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f7000
success 0 0
1619617019.493251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c0000
success 0 0
1619617019.634251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0065a000
success 0 0
1619617019.634251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00657000
success 0 0
1619617019.884251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c1000
success 0 0
1619617020.243251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00656000
success 0 0
1619617020.587251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005fa000
success 0 0
1619617020.665251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x021e1000
success 0 0
1619617021.087251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f8000
success 0 0
1619617021.228251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f9000
success 0 0
1619617021.353251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c0000
success 0 0
1619617021.353251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c6000
success 0 0
1619617021.447251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c1000
success 0 0
1619617021.493251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c7000
success 0 0
1619617021.525251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007ca000
success 0 0
1619617021.540251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c2000
success 0 0
1619617021.540251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005fd000
success 0 0
1619617062.556251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007cb000
success 0 0
1619617062.572251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007cc000
success 0 0
1619617062.775251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ec000
success 0 0
1619617062.775251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007cd000
success 0 0
1619617062.822251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007ce000
success 0 0
1619617062.837251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c3000
success 0 0
1619617062.853251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007cf000
success 0 0
1619617062.947251
NtProtectVirtualMemory
process_identifier: 2308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 585728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x06360400
failed 3221225550 0
1619617075.368251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ea0000
success 0 0
1619617075.384251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c4000
success 0 0
1619617075.384251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ea1000
success 0 0
1619617075.493251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ea2000
success 0 0
1619617075.665251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ea3000
success 0 0
1619617075.947251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ea4000
success 0 0
1619617075.947251
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ea5000
success 0 0
Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (1 event)
Time & API Arguments Status Return Repeated
1619617092.493126
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19263537152
total_number_of_free_bytes: 19263537152
total_number_of_bytes: 34252779520
success 1 0
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWWkClg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp570F.tmp"
cmdline schtasks.exe /Create /TN "Updates\wWWkClg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp570F.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619617082.743251
ShellExecuteExW
parameters: /Create /TN "Updates\wWWkClg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp570F.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.915557638700786 section {'size_of_data': '0x000c8e00', 'virtual_address': '0x00002000', 'entropy': 7.915557638700786, 'name': '.text', 'virtual_size': '0x000c8c8c'} description A section with a high entropy has been found
entropy 0.9975170701427685 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier of a suspicious privilege on the system (2 events)
Time & API Arguments Status Return Repeated
1619617062.931251
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619617091.759126
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWWkClg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp570F.tmp"
cmdline schtasks.exe /Create /TN "Updates\wWWkClg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp570F.tmp"
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619617088.415251
NtAllocateVirtualMemory
process_identifier: 1816
region_size: 753664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010f2c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp570F.tmp
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619617088.415251
WriteProcessMemory
process_identifier: 1816
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL4Ûáÿà 0 N6 @ @ € @…6 K@ 8`  H.textT   `.rsrc8@  @@.reloc `  @B
process_handle: 0x00010f2c
base_address: 0x00400000
success 1 0
1619617088.478251
WriteProcessMemory
process_identifier: 1816
buffer:  €8€P€h€€ @ ¬äLC êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00010f2c
base_address: 0x004b4000
success 1 0
1619617088.478251
WriteProcessMemory
process_identifier: 1816
buffer: 0 P6
process_handle: 0x00010f2c
base_address: 0x004b6000
success 1 0
1619617088.478251
WriteProcessMemory
process_identifier: 1816
buffer: @
process_handle: 0x00010f2c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619617088.415251
WriteProcessMemory
process_identifier: 1816
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL4Ûáÿà 0 N6 @ @ € @…6 K@ 8`  H.textT   `.rsrc8@  @@.reloc `  @B
process_handle: 0x00010f2c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2308 called NtSetContextThread to modify thread in remote process 1816
Time & API Arguments Status Return Repeated
1619617088.493251
NtSetContextThread
thread_handle: 0x00010f00
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4929102
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1816
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2308 resumed a thread in remote process 1816
Time & API Arguments Status Return Repeated
1619617089.181251
NtResumeThread
thread_handle: 0x00010f00
suspend_count: 1
process_identifier: 1816
success 0 0
Executed a process and injected code into it, probably while unpacking (20 events)
Time & API Arguments Status Return Repeated
1619617017.478251
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2308
success 0 0
1619617017.509251
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2308
success 0 0
1619617017.618251
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2308
success 0 0
1619617076.556251
NtResumeThread
thread_handle: 0x00005ebc
suspend_count: 1
process_identifier: 2308
success 0 0
1619617076.572251
NtResumeThread
thread_handle: 0x0000c5f4
suspend_count: 1
process_identifier: 2308
success 0 0
1619617082.743251
CreateProcessInternalW
thread_identifier: 952
thread_handle: 0x00010f24
process_identifier: 2576
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWWkClg" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp570F.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000100c8
inherit_handles: 0
success 1 0
1619617088.400251
CreateProcessInternalW
thread_identifier: 520
thread_handle: 0x00010f00
process_identifier: 1816
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00010f2c
inherit_handles: 0
success 1 0
1619617088.415251
NtGetContextThread
thread_handle: 0x00010f00
success 0 0
1619617088.415251
NtAllocateVirtualMemory
process_identifier: 1816
region_size: 753664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010f2c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619617088.415251
WriteProcessMemory
process_identifier: 1816
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL4Ûáÿà 0 N6 @ @ € @…6 K@ 8`  H.textT   `.rsrc8@  @@.reloc `  @B
process_handle: 0x00010f2c
base_address: 0x00400000
success 1 0
1619617088.431251
WriteProcessMemory
process_identifier: 1816
buffer:
process_handle: 0x00010f2c
base_address: 0x00402000
success 1 0
1619617088.478251
WriteProcessMemory
process_identifier: 1816
buffer:  €8€P€h€€ @ ¬äLC êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00010f2c
base_address: 0x004b4000
success 1 0
1619617088.478251
WriteProcessMemory
process_identifier: 1816
buffer: 0 P6
process_handle: 0x00010f2c
base_address: 0x004b6000
success 1 0
1619617088.478251
WriteProcessMemory
process_identifier: 1816
buffer: @
process_handle: 0x00010f2c
base_address: 0x7efde008
success 1 0
1619617088.493251
NtSetContextThread
thread_handle: 0x00010f00
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4929102
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1816
success 0 0
1619617089.181251
NtResumeThread
thread_handle: 0x00010f00
suspend_count: 1
process_identifier: 1816
success 0 0
1619617089.181251
NtResumeThread
thread_handle: 0x00001ad8
suspend_count: 1
process_identifier: 2308
success 0 0
1619617089.837126
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1816
success 0 0
1619617089.868126
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1816
success 0 0
1619617090.009126
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 1816
success 0 0
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34303660
FireEye Generic.mg.6c8668bc33c1b814
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Qihoo-360 Win32/Trojan.PWS.d75
McAfee Fareit-FXH!6C8668BC33C1
Cylance Unsafe
Zillya Trojan.Agent.Win32.1369951
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba TrojanSpy:MSIL/Masslogger.3c95b24b
K7GW Riskware ( 0040eff71 )
Cybereason malicious.f5d09c
Arcabit Trojan.Generic.D20B6EAC
Cyren W32/MSIL_Kryptik.BIY.gen!Eldorado
Symantec Trojan Horse
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Agent.gen
BitDefender Trojan.GenericKD.34303660
NANO-Antivirus Trojan.Win32.PackedNET.hrjbtu
Ad-Aware Trojan.GenericKD.34303660
Emsisoft Trojan.GenericKD.34303660 (B)
Comodo Malware@#2zkdmb5r5e8pi
DrWeb Trojan.PackedNET.405
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Jiangmin Trojan.MSIL.qlua
Avira TR/Dropper.MSIL.rdrli
Antiy-AVL Trojan/MSIL.Kryptik
Microsoft TrojanSpy:MSIL/Masslogger.AR!MTB
AegisLab Trojan.Win32.Malicious.4!c
ZoneAlarm HEUR:Trojan.MSIL.Agent.gen
GData Trojan.GenericKD.34303660
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Agent.R347089
ALYac Trojan.GenericKD.34303660
MAX malware (ai score=83)
Malwarebytes Trojan.MalPack.FVTN
ESET-NOD32 a variant of MSIL/Kryptik.XGR
Yandex Trojan.Kryptik!Z+EkT8+g/yg
Ikarus Trojan-Spy.MassLogger
eGambit Unsafe.AI_Score_80%
Fortinet MSIL/GenKryptik.EPVU!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran.

PE Compile Time

2020-08-06 22:44:13

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51966 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.