SmartHawk

10.8

0-day

48 个模型检测该样本为恶意！

重新分析

下载样本

33e7bd8b10bd937f73029fae45b86815c941099c3c923105d5ba5449f591619f

6e0610dedafd26d4e86e9a24e488c7bc.exe

分析耗时

95s

最近分析

文件大小

444.0KB

静态报毒动态报毒 100% AGENSLA AGENTTESLA AI SCORE=83 ATTRIBUTE CLOUD CONFIDENCE DOWNLOADER34 ELDORADO FAREIT GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HRIWCE IGENERIC KRYPT KRYPTIK MALICIOUS PE MASSLOGGER QVM03 R044C0PH920 R347247 SCORE TESLAAG TROJANX TSCOPE UNCLASSIFIEDMALWARE@0 UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FVT!6E0610DEDAFD	20200821	6.0.6.653
Alibaba	Trojan:MSIL/AgentTesla.dca67fdc	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20200821	18.4.3895.0
Tencent		20200821	1.0.0.1
Kingsoft		20200821	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619602612.691875 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (11 个事件)

Time & API	Arguments	Status	Return	Repeated
1619602557.036125 IsDebuggerPresent		failed	0	0
1619602611.598125 IsDebuggerPresent		failed	0	0
1619602612.083125 IsDebuggerPresent		failed	0	0
1619602612.598125 IsDebuggerPresent		failed	0	0
1619602613.083125 IsDebuggerPresent		failed	0	0
1619602613.598125 IsDebuggerPresent		failed	0	0
1619602614.083125 IsDebuggerPresent		failed	0	0
1619602614.598125 IsDebuggerPresent		failed	0	0
1619602615.098125 IsDebuggerPresent		failed	0	0
1619602615.598125 IsDebuggerPresent		failed	0	0
1619602616.847875 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619602613.300875 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\AKXGoAfdF"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619602602.239125 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 115 个事件)

Time & API	Arguments	Status	Return
1619602556.161125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00650000	success	0
1619602556.161125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007a0000	success	0
1619602556.864125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success	0
1619602557.067125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success	0
1619602557.067125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success	0
1619602557.067125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00582000	success	0
1619602557.708125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00592000	success	0
1619602558.051125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00593000	success	0
1619602558.083125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005cb000	success	0
1619602558.083125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c7000	success	0
1619602558.176125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059c000	success	0
1619602559.473125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00594000	success	0
1619602559.489125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00595000	success	0
1619602559.598125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00596000	success	0
1619602559.614125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00790000	success	0
1619602559.754125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005aa000	success	0
1619602559.754125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a7000	success	0
1619602559.770125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ba000	success	0
1619602559.848125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058b000	success	0
1619602560.333125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a6000	success	0
1619602560.333125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059a000	success	0
1619602560.567125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b2000	success	0
1619602560.723125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c5000	success	0
1619602560.895125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00791000	success	0
1619602560.926125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00597000	success	0
1619602602.067125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00792000	success	0
1619602602.083125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04780000	success	0
1619602602.083125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007a1000	success	0
1619602602.145125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00793000	success	0
1619602602.286125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005bc000	success	0
1619602602.301125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00794000	success	0
1619602602.379125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00598000	success	0
1619602602.395125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00795000	success	0
1619602602.473125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 295424 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04b90400	failed	3221225550
1619602610.801125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00599000	success	0
1619602610.801125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00797000	success	0
1619602610.833125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00798000	success	0
1619602610.848125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00799000	success	0
1619602610.911125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079a000	success	0
1619602611.114125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079b000	success	0
1619602611.379125 NtAllocateVirtualMemory	process_identifier: 1704 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079c000	success	0
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04b90178	failed	3221225550
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04b901a0	failed	3221225550
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04b901c8	failed	3221225550
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04b901f0	failed	3221225550
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04b90218	failed	3221225550
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04bd8f0e	failed	3221225550
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04bd8f02	failed	3221225550
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04bd8600	failed	3221225550
1619602611.395125 NtProtectVirtualMemory	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04bd8f1c	failed	3221225550

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AKXGoAfdF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp333B.tmp"
cmdline	schtasks.exe /Create /TN "Updates\AKXGoAfdF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp333B.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619602612.395125 ShellExecuteExW	parameters: /Create /TN "Updates\AKXGoAfdF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp333B.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.919071487440355

section

{'size_of_data': '0x0006e600', 'virtual_address': '0x00002000', 'entropy': 7.919071487440355, 'name': '.text', 'virtual_size': '0x0006e498'}

description

A section with a high entropy has been found

entropy

0.9954904171364148

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619602602.473125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619602629.035875 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AKXGoAfdF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp333B.tmp"
cmdline	schtasks.exe /Create /TN "Updates\AKXGoAfdF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp333B.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619602615.254125 NtAllocateVirtualMemory	process_identifier: 1664 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002ae8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp333B.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619602615.254125 WriteProcessMemory	process_identifier: 1664 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¢É _àPÞn @ À@nOà H.textäN P `.rsrcàR@@.reloc V@B process_handle: 0x00002ae8 base_address: 0x00400000	success	1
1619602615.286125 WriteProcessMemory	process_identifier: 1664 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNamescrnDnqkgHPIOjtOVylUwO.exe(LegalCopyright `OriginalFilenamescrnDnqkgHPIOjtOVylUwO.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00002ae8 base_address: 0x00448000	success	1
1619602615.286125 WriteProcessMemory	process_identifier: 1664 buffer: `à> process_handle: 0x00002ae8 base_address: 0x0044a000	success	1
1619602615.301125 WriteProcessMemory	process_identifier: 1664 buffer: @ process_handle: 0x00002ae8 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619602615.254125 WriteProcessMemory	process_identifier: 1664 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¢É _àPÞn @ À@nOà H.textäN P `.rsrcàR@@.reloc V@B process_handle: 0x00002ae8 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1704 called NtSetContextThread to modify thread in remote process 1664
1619602615.317125 NtSetContextThread	thread_handle: 0x0000b4ac registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4484830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1664	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1704 resumed a thread in remote process 1664
1619602615.739125 NtResumeThread	thread_handle: 0x0000b4ac suspend_count: 1 process_identifier: 1664	success	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (18 个事件)

Time & API	Arguments	Status	Return
1619602557.036125 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1704	success	0
1619602557.176125 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1704	success	0
1619602611.551125 NtResumeThread	thread_handle: 0x00011484 suspend_count: 1 process_identifier: 1704	success	0
1619602611.567125 NtResumeThread	thread_handle: 0x00008080 suspend_count: 1 process_identifier: 1704	success	0
1619602612.395125 CreateProcessInternalW	thread_identifier: 2948 thread_handle: 0x000059ac process_identifier: 196 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AKXGoAfdF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp333B.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x0000b5f8 inherit_handles: 0	success	1
1619602615.254125 CreateProcessInternalW	thread_identifier: 176 thread_handle: 0x0000b4ac process_identifier: 1664 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6e0610dedafd26d4e86e9a24e488c7bc.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6e0610dedafd26d4e86e9a24e488c7bc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00002ae8 inherit_handles: 0	success	1
1619602615.254125 NtGetContextThread	thread_handle: 0x0000b4ac	success	0
1619602615.254125 NtAllocateVirtualMemory	process_identifier: 1664 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002ae8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619602615.254125 WriteProcessMemory	process_identifier: 1664 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¢É _àPÞn @ À@nOà H.textäN P `.rsrcàR@@.reloc V@B process_handle: 0x00002ae8 base_address: 0x00400000	success	1
1619602615.254125 WriteProcessMemory	process_identifier: 1664 buffer: process_handle: 0x00002ae8 base_address: 0x00402000	success	1
1619602615.286125 WriteProcessMemory	process_identifier: 1664 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNamescrnDnqkgHPIOjtOVylUwO.exe(LegalCopyright `OriginalFilenamescrnDnqkgHPIOjtOVylUwO.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00002ae8 base_address: 0x00448000	success	1
1619602615.286125 WriteProcessMemory	process_identifier: 1664 buffer: `à> process_handle: 0x00002ae8 base_address: 0x0044a000	success	1
1619602615.301125 WriteProcessMemory	process_identifier: 1664 buffer: @ process_handle: 0x00002ae8 base_address: 0x7efde008	success	1
1619602615.317125 NtSetContextThread	thread_handle: 0x0000b4ac registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4484830 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1664	success	0
1619602615.739125 NtResumeThread	thread_handle: 0x0000b4ac suspend_count: 1 process_identifier: 1664	success	0
1619602615.739125 NtResumeThread	thread_handle: 0x000051b8 suspend_count: 1 process_identifier: 1704	success	0
1619602616.847875 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1664	success	0
1619602617.035875 NtResumeThread	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 1664	success	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)

Elastic	malicious (high confidence)
FireEye	Generic.mg.6e0610dedafd26d4
CAT-QuickHeal	Trojan.IGENERIC
McAfee	Fareit-FVT!6E0610DEDAFD
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:MSIL/AgentTesla.dca67fdc
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.1e679e
Arcabit	Trojan.Generic.D20B90B4
TrendMicro	TROJ_GEN.R044C0PH920
Cyren	W32/MSIL_Kryptik.BJF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.34312372
NANO-Antivirus	Trojan.Win32.Kryptik.hriwce
Paloalto	generic.ml
MicroWorld-eScan	Trojan.GenericKD.34312372
Ad-Aware	Trojan.GenericKD.34312372
Comodo	.UnclassifiedMalware@0
DrWeb	Trojan.DownLoader34.18893
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
Sophos	Troj/TeslaAg-XP
SentinelOne	DFI - Malicious PE
Antiy-AVL	Trojan/MSIL.Kryptik
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
ViRobot	Trojan.Win32.Z.Masslogger.454656
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.34312372
AhnLab-V3	Trojan/Win32.MSIL.R347247
ALYac	Trojan.GenericKD.34312372
MAX	malware (ai score=83)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack
ESET-NOD32	a variant of MSIL/Kryptik.XHF
TrendMicro-HouseCall	TROJ_GEN.R044C0PH920
Rising	Trojan.Kryptik!8.8 (CLOUD)
Ikarus	Trojan.MSIL.Krypt
eGambit	Unsafe.AI_Score_91%
Fortinet	MSIL/Kryptik.4462!tr
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Generic/HEUR/QVM03.0.2624.Malware.Gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-07 21:36:38

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	50005	239.255.255.250	3702
192.168.56.101	51966	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.