SmartHawk

8.8

极危

57 个模型检测该样本为恶意！

重新分析

下载样本

e8b88bcf74c3bdf23e01c6aeedbfdf2937ae689cc65ee036b7cf2a4877611947

6da10aa5a23b2d157c3811d9b9c71976.exe

分析耗时

77s

最近分析

文件大小

583.0KB

静态报毒动态报毒 AGENSLA AI SCORE=85 CLOUD CONFIDENCE ELDORADO FAREIT GENERICKD HEAPOVERRIDE HIGH CONFIDENCE HRLLYI KM0@A83PJYD KRYPTIK MALICIOUS PE MALWAREX MASSLOGGER NANOCORE PACKEDNET R347027 SCORE SKEEYAH SUSGEN UNSAFE USXVPH620 WACATAC WSKF YTSIH ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FXH!6DA10AA5A23B	20200826	6.0.6.653
Alibaba	Trojan:Win32/Kryptik.9c4d85fe	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Tencent	Msil.Trojan.Crypt.Wskf	20200826	1.0.0.1
Kingsoft		20200826	2013.8.14.323
Avast	Win32:MalwareX-gen [Trj]	20200826	18.4.3895.0

Checks if process is being debugged by a debugger (6 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596031.588662 IsDebuggerPresent		failed	0	0
1619596031.588662 IsDebuggerPresent		failed	0	0
1619596081.182662 IsDebuggerPresent		failed	0	0
1619596081.697662 IsDebuggerPresent		failed	0	0
1619623732.095374 IsDebuggerPresent		failed	0	0
1619623732.095374 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596031.635662 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 131 个事件)

Time & API	Arguments	Status	Return
1619596030.744662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00610000	success	0
1619596030.744662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00690000	success	0
1619596031.244662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02080000	success	0
1619596031.244662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02270000	success	0
1619596031.401662 NtProtectVirtualMemory	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619596031.588662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01e90000	success	0
1619596031.588662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01ec0000	success	0
1619596031.588662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004ca000	success	0
1619596031.604662 NtProtectVirtualMemory	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619596031.604662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004c2000	success	0
1619596032.041662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d2000	success	0
1619596032.307662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00505000	success	0
1619596032.307662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0050b000	success	0
1619596032.307662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00507000	success	0
1619596032.479662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d3000	success	0
1619596032.510662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004dc000	success	0
1619596032.557662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e90000	success	0
1619596032.854662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d4000	success	0
1619596032.869662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d6000	success	0
1619596032.947662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d7000	success	0
1619596032.979662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d8000	success	0
1619596032.979662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e91000	success	0
1619596033.026662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004fa000	success	0
1619596033.026662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004f7000	success	0
1619596033.182662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004f6000	success	0
1619596033.182662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e92000	success	0
1619596033.385662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004da000	success	0
1619596033.479662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d9000	success	0
1619596033.526662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02030000	success	0
1619596033.572662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e97000	success	0
1619596033.729662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e9a000	success	0
1619596033.807662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02031000	success	0
1619596033.901662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02032000	success	0
1619596033.901662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e9b000	success	0
1619596033.947662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02033000	success	0
1619596033.963662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e9c000	success	0
1619596033.979662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01e9f000	success	0
1619596033.979662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004dd000	success	0
1619596074.994662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02034000	success	0
1619596074.994662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04730000	success	0
1619596074.994662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02271000	success	0
1619596075.041662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04731000	success	0
1619596075.057662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04732000	success	0
1619596075.166662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004cc000	success	0
1619596075.197662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04733000	success	0
1619596075.229662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02035000	success	0
1619596075.229662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04734000	success	0
1619596075.307662 NtProtectVirtualMemory	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 285696 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05590400	failed	3221225550
1619596080.744662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04735000	success	0
1619596080.744662 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04736000	success	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.640379881331216

section

{'size_of_data': '0x00091000', 'virtual_address': '0x00002000', 'entropy': 7.640379881331216, 'name': '.text', 'virtual_size': '0x00090e04'}

description

A section with a high entropy has been found

entropy

0.9957081545064378

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596075.307662 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596081.697662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 196 process_handle: 0x00010e78	failed	0	0
1619596081.697662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 196 process_handle: 0x00010e78	success	0	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596081.401662 NtAllocateVirtualMemory	process_identifier: 196 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000f548 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619596081.776662 NtAllocateVirtualMemory	process_identifier: 3008 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000dc3c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Manipulates memory of a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2228 manipulating memory of non-child process 196
1619596081.401662 NtAllocateVirtualMemory	process_identifier: 196 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000f548 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619596081.776662 WriteProcessMemory	process_identifier: 3008 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7I*_àPîo @ À@oS H.textôO P `.rsrcR@@.reloc V@B process_handle: 0x0000dc3c base_address: 0x00400000	success	1
1619596081.791662 WriteProcessMemory	process_identifier: 3008 buffer: 0HX´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p(InternalNameXCrGOKnOMKyCLFUpgKIbnYLWHRrbKZoVaYd.exe(LegalCopyright x(OriginalFilenameXCrGOKnOMKyCLFUpgKIbnYLWHRrbKZoVaYd.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000dc3c base_address: 0x00448000	success	1
1619596081.791662 WriteProcessMemory	process_identifier: 3008 buffer: `ð? process_handle: 0x0000dc3c base_address: 0x0044a000	success	1
1619596081.791662 WriteProcessMemory	process_identifier: 3008 buffer: @ process_handle: 0x0000dc3c base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596081.776662 WriteProcessMemory	process_identifier: 3008 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7I*_àPîo @ À@oS H.textôO P `.rsrcR@@.reloc V@B process_handle: 0x0000dc3c base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2228 called NtSetContextThread to modify thread in remote process 3008
1619596081.791662 NtSetContextThread	thread_handle: 0x00010e78 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4485102 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3008	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2228 resumed a thread in remote process 3008
1619596082.057662 NtResumeThread	thread_handle: 0x00010e78 suspend_count: 1 process_identifier: 3008	success	0	0

Executed a process and injected code into it, probably while unpacking (21 个事件)

Time & API	Arguments	Status	Return
1619596031.588662 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2228	success	0
1619596031.619662 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2228	success	0
1619596031.729662 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2228	success	0
1619596081.151662 NtResumeThread	thread_handle: 0x0000f850 suspend_count: 1 process_identifier: 2228	success	0
1619596081.166662 NtResumeThread	thread_handle: 0x000055e8 suspend_count: 1 process_identifier: 2228	success	0
1619596081.401662 CreateProcessInternalW	thread_identifier: 2956 thread_handle: 0x0000cf98 process_identifier: 196 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6da10aa5a23b2d157c3811d9b9c71976.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6da10aa5a23b2d157c3811d9b9c71976.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000f548 inherit_handles: 0	success	1
1619596081.401662 NtGetContextThread	thread_handle: 0x0000cf98	success	0
1619596081.401662 NtAllocateVirtualMemory	process_identifier: 196 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000f548 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619596081.760662 CreateProcessInternalW	thread_identifier: 1124 thread_handle: 0x00010e78 process_identifier: 3008 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6da10aa5a23b2d157c3811d9b9c71976.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6da10aa5a23b2d157c3811d9b9c71976.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000dc3c inherit_handles: 0	success	1
1619596081.776662 NtGetContextThread	thread_handle: 0x00010e78	success	0
1619596081.776662 NtAllocateVirtualMemory	process_identifier: 3008 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000dc3c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619596081.776662 WriteProcessMemory	process_identifier: 3008 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7I*_àPîo @ À@oS H.textôO P `.rsrcR@@.reloc V@B process_handle: 0x0000dc3c base_address: 0x00400000	success	1
1619596081.776662 WriteProcessMemory	process_identifier: 3008 buffer: process_handle: 0x0000dc3c base_address: 0x00402000	success	1
1619596081.791662 WriteProcessMemory	process_identifier: 3008 buffer: 0HX´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p(InternalNameXCrGOKnOMKyCLFUpgKIbnYLWHRrbKZoVaYd.exe(LegalCopyright x(OriginalFilenameXCrGOKnOMKyCLFUpgKIbnYLWHRrbKZoVaYd.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000dc3c base_address: 0x00448000	success	1
1619596081.791662 WriteProcessMemory	process_identifier: 3008 buffer: `ð? process_handle: 0x0000dc3c base_address: 0x0044a000	success	1
1619596081.791662 WriteProcessMemory	process_identifier: 3008 buffer: @ process_handle: 0x0000dc3c base_address: 0x7efde008	success	1
1619596081.791662 NtSetContextThread	thread_handle: 0x00010e78 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4485102 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3008	success	0
1619596082.057662 NtResumeThread	thread_handle: 0x00010e78 suspend_count: 1 process_identifier: 3008	success	0
1619623732.095374 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 3008	success	0
1619623732.142374 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 3008	success	0
1619623732.173374 NtResumeThread	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 3008	success	0

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

MicroWorld-eScan	Trojan.GenericKD.34302931
FireEye	Generic.mg.6da10aa5a23b2d15
CAT-QuickHeal	Trojan.MSIL
McAfee	Fareit-FXH!6DA10AA5A23B
Cylance	Unsafe
Zillya	Trojan.Crypt.Win32.64961
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c20e1 )
Alibaba	Trojan:Win32/Kryptik.9c4d85fe
K7GW	Trojan ( 0056c20e1 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.Generic.D20B6BD3
Invincea	heuristic
BitDefenderTheta	Gen:NN.ZemsilF.34196.Km0@a83Pjyd
Cyren	W32/MSIL_Kryptik.BIL.gen!Eldorado
TrendMicro-HouseCall	PUA.MSIL.Wacatac.USXVPH620
Paloalto	generic.ml
ClamAV	Win.Dropper.Nanocore-9248945-0
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Trojan.GenericKD.34302931
NANO-Antivirus	Trojan.Win32.Crypt.hrllyi
ViRobot	Trojan.Win32.Z.Masslogger.596992.A
Tencent	Msil.Trojan.Crypt.Wskf
Ad-Aware	Trojan.GenericKD.34302931
Emsisoft	Trojan.GenericKD.34302931 (B)
F-Secure	Trojan.TR/Dropper.MSIL.ytsih
DrWeb	Trojan.PackedNET.405
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	PUA.MSIL.Wacatac.USXVPH620
Sophos	Mal/Generic-S
APEX	Malicious
F-Prot	W32/MSIL_Kryptik.BIL.gen!Eldorado
Webroot	W32.Adware.Gen
Avira	TR/Dropper.MSIL.ytsih
MAX	malware (ai score=85)
Antiy-AVL	Trojan/Win32.Generic
Microsoft	Trojan:Win32/Skeeyah.A!rfn
Endgame	malicious (high confidence)
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
GData	Trojan.GenericKD.34302931
SentinelOne	DFI - Malicious PE
AhnLab-V3	Trojan/Win32.Agensla.R347027
VBA32	CIL.HeapOverride.Heur
ALYac	Trojan.GenericKD.34302931
Malwarebytes	Trojan.MalPack
Panda	Trj/CI.A
ESET-NOD32	a variant of MSIL/Kryptik.XGH
Rising	Trojan.Crypt!8.2E3 (CLOUD)
Ikarus	Trojan-Spy.MassLogger

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-06 20:15:15

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.