16.6
0-day
53 个模型检测该样本为恶意!
重新分析
更多

55aefb224ad3c9381b95d6c131b58141aeea9e59046eae8b53968a274108cfa8

714a769455675fe6a74c9448caa29c5d.exe

分析耗时

104s

最近分析

文件大小

552.0KB
静态报毒 动态报毒 100% AI SCORE=89 ATTRIBUTE AUTO BANKERX CONFIDENCE DESK DOWNLOADER33 ELDORADO GDSDA GEN2 GENERICRXKL HGIASOKA HIGH CONFIDENCE HIGHCONFIDENCE IM0@A0DCOVEG KCLOUD KRYPTIK MALICIOUS PE MALWARE@#2TT6RI5HIGLG2 NANOBOT NANOCORE SAVE SCORE SMARTASSEMBLY STATIC AI SUSGEN UNSAFE ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXKL-UL!714A76945567 20210226 6.0.6.653
Alibaba Backdoor:MSIL/NanoBot.c5894453 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20210226 21.1.5827.0
Tencent Win32.Trojan.Inject.Auto 20210226 1.0.0.1
Kingsoft Win32.Hack.Undef.(kcloud) 20210226 2017.9.26.565
静态指标
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1619596031.426436
IsDebuggerPresent
failed 0 0
1619596031.426436
IsDebuggerPresent
failed 0 0
1619622516.660499
IsDebuggerPresent
failed 0 0
1619622516.660499
IsDebuggerPresent
failed 0 0
Command line console output was observed (5 个事件)
Time & API Arguments Status Return Repeated
1619622521.738374
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619622521.738374
WriteConsoleW
buffer: timeout
console_handle: 0x00000007
success 1 0
1619622521.738374
WriteConsoleW
buffer: /t 300
console_handle: 0x00000007
success 1 0
1619622522.348249
WriteConsoleW
buffer: 等待 300
console_handle: 0x00000007
success 1 0
1619622522.348249
WriteConsoleW
buffer: 秒,按一个键继续 ...
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (3 个事件)
Time & API Arguments Status Return Repeated
1619596032.739436
CryptExportKey
crypto_handle: 0x00532190
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619596032.739436
CryptExportKey
crypto_handle: 0x00532190
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619596032.770436
CryptExportKey
crypto_handle: 0x005320d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619596031.473436
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619596033.254436
__exception__
stacktrace: 
0x6c0cce
0x6c0239
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4648864
registers.edi: 0
registers.eax: 0
registers.ebp: 4648904
registers.edx: 39308000
registers.ebx: 0
registers.esi: 38910028
registers.ecx: 0
exception.instruction_r: 8b 50 04 83 c2 01 0f 80 d4 00 00 00 b9 5a 43 c1
exception.instruction: mov edx, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6cbc96
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 162 个事件)
Time & API Arguments Status Return Repeated
1619596030.708436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005f0000
success 0 0
1619596030.708436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006e0000
success 0 0
1619596031.020436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008d0000
success 0 0
1619596031.020436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a00000
success 0 0
1619596031.176436
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619596031.426436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00750000
success 0 0
1619596031.426436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00850000
success 0 0
1619596031.426436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ba000
success 0 0
1619596031.442436
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619596031.442436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b2000
success 0 0
1619596031.848436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c2000
success 0 0
1619596032.067436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e5000
success 0 0
1619596032.083436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004eb000
success 0 0
1619596032.083436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e7000
success 0 0
1619596032.239436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c3000
success 0 0
1619596032.286436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c4000
success 0 0
1619596032.301436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004cc000
success 0 0
1619596032.348436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c0000
success 0 0
1619596032.379436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c5000
success 0 0
1619596032.442436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c6000
success 0 0
1619596032.458436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c7000
success 0 0
1619596032.458436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c1000
success 0 0
1619596032.536436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c2000
success 0 0
1619596032.551436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c8000
success 0 0
1619596032.551436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006df000
success 0 0
1619596032.551436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006d0000
success 0 0
1619596032.583436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c9000
success 0 0
1619596032.598436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c3000
success 0 0
1619596032.645436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d6000
success 0 0
1619596032.645436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c6000
success 0 0
1619596032.708436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004da000
success 0 0
1619596032.708436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d7000
success 0 0
1619596032.723436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c7000
success 0 0
1619596032.739436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c8000
success 0 0
1619596032.754436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00840000
success 0 0
1619596032.770436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00851000
success 0 0
1619596032.786436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00852000
success 0 0
1619596032.801436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00853000
success 0 0
1619596032.801436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00856000
success 0 0
1619596032.801436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0085a000
success 0 0
1619596032.911436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00841000
success 0 0
1619596032.942436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00842000
success 0 0
1619596032.989436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c9000
success 0 0
1619596032.989436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00843000
success 0 0
1619596032.989436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004cd000
success 0 0
1619596033.098436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00844000
success 0 0
1619596033.145436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006ca000
success 0 0
1619596038.286436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00845000
success 0 0
1619596038.301436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0085f000
success 0 0
1619596038.301436
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00863000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (3 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe.bat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe.lnk
Creates hidden or system file (1 个事件)
Time & API Arguments Status Return Repeated
1619596039.333436
SetFileAttributesW
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN
success 1 0
Creates a shortcut to an executable file (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe.lnk
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
cmdline cmd.exe /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619596041.942436
ShellExecuteExW
parameters: /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619596038.520436
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\714a769455675fe6a74c9448caa29c5d.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\melt.txt
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\melt.txt
flags: 2
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\714a769455675fe6a74c9448caa29c5d.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.4185440029959375 section {'size_of_data': '0x0005a200', 'virtual_address': '0x00002000', 'entropy': 7.4185440029959375, 'name': '.text', 'virtual_size': '0x0005a0c8'} description A section with a high entropy has been found
entropy 0.6536718041704442 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619596033.208436
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619622518.629499
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Modifies the ZoneTransfer.ZoneID in Zone.Identifier ADS, generally to disable security warnings (2 个事件)
Time & API Arguments Status Return Repeated
1619622519.488501
NtCreateFile
create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000080
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 128 (FILE_ATTRIBUTE_NORMAL)
filepath_r: \??\C:\Users\ADMINI~1.OSK\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
success 0 0
1619622519.488501
NtWriteFile
file_handle: 0x00000080
filepath:
buffer: [zoneTransfer]ZoneID = 2
offset: 0
success 0 0
网络通信
One or more of the buffers contains an embedded PE file (2 个事件)
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619596038.926436
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000214
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619622519.051499
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description svhost.exe tried to sleep 2728428 seconds, actually delayed analysis time by 2728428 seconds
Installs itself for autorun at Windows startup (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1619596038.926436
WriteProcessMemory
process_identifier: 2316
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x00000214
base_address: 0x00400000
success 1 0
1619596038.942436
WriteProcessMemory
process_identifier: 2316
buffer: à ”7
process_handle: 0x00000214
base_address: 0x00420000
success 1 0
1619596038.942436
WriteProcessMemory
process_identifier: 2316
buffer: @
process_handle: 0x00000214
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619596038.926436
WriteProcessMemory
process_identifier: 2316
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x00000214
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2900 called NtSetContextThread to modify thread in remote process 2316
Time & API Arguments Status Return Repeated
1619596038.942436
NtSetContextThread
thread_handle: 0x00000218
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2316
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\svhost.exe:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2900 resumed a thread in remote process 2316
Time & API Arguments Status Return Repeated
1619596039.208436
NtResumeThread
thread_handle: 0x00000218
suspend_count: 1
process_identifier: 2316
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (28 个事件)
Time & API Arguments Status Return Repeated
1619596031.426436
NtResumeThread
thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2900
success 0 0
1619596031.458436
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2900
success 0 0
1619596031.551436
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 2900
success 0 0
1619596038.926436
CreateProcessInternalW
thread_identifier: 3064
thread_handle: 0x00000218
process_identifier: 2316
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\svhost.exe
track: 1
command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\svhost.exe"
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\svhost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000214
inherit_handles: 0
success 1 0
1619596038.926436
NtGetContextThread
thread_handle: 0x00000218
success 0 0
1619596038.926436
NtAllocateVirtualMemory
process_identifier: 2316
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000214
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619596038.926436
WriteProcessMemory
process_identifier: 2316
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x00000214
base_address: 0x00400000
success 1 0
1619596038.942436
WriteProcessMemory
process_identifier: 2316
buffer:
process_handle: 0x00000214
base_address: 0x00402000
success 1 0
1619596038.942436
WriteProcessMemory
process_identifier: 2316
buffer: à ”7
process_handle: 0x00000214
base_address: 0x00420000
success 1 0
1619596038.942436
WriteProcessMemory
process_identifier: 2316
buffer:
process_handle: 0x00000214
base_address: 0x00422000
success 1 0
1619596038.942436
WriteProcessMemory
process_identifier: 2316
buffer: @
process_handle: 0x00000214
base_address: 0x7efde008
success 1 0
1619596038.942436
NtSetContextThread
thread_handle: 0x00000218
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2316
success 0 0
1619596039.208436
NtResumeThread
thread_handle: 0x00000218
suspend_count: 1
process_identifier: 2316
success 0 0
1619596041.942436
CreateProcessInternalW
thread_identifier: 1908
thread_handle: 0x000003ac
process_identifier: 1932
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003e8
inherit_handles: 0
success 1 0
1619596043.973436
CreateProcessInternalW
thread_identifier: 1948
thread_handle: 0x000003a0
process_identifier: 2256
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe.bat
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000039c
inherit_handles: 0
success 1 0
1619622516.660499
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2316
success 0 0
1619622516.676499
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2316
success 0 0
1619622516.722499
NtResumeThread
thread_handle: 0x000001b0
suspend_count: 1
process_identifier: 2316
success 0 0
1619622518.379499
NtResumeThread
thread_handle: 0x00000278
suspend_count: 1
process_identifier: 2316
success 0 0
1619622518.394499
NtResumeThread
thread_handle: 0x0000028c
suspend_count: 1
process_identifier: 2316
success 0 0
1619622518.535499
NtResumeThread
thread_handle: 0x000002b4
suspend_count: 1
process_identifier: 2316
success 0 0
1619622519.066499
NtResumeThread
thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 2316
success 0 0
1619622522.082499
NtResumeThread
thread_handle: 0x0000035c
suspend_count: 1
process_identifier: 2316
success 0 0
1619622524.738499
NtResumeThread
thread_handle: 0x00000374
suspend_count: 1
process_identifier: 2316
success 0 0
1619622526.707499
NtResumeThread
thread_handle: 0x00000398
suspend_count: 1
process_identifier: 2316
success 0 0
1619622528.582499
NtResumeThread
thread_handle: 0x000003b0
suspend_count: 1
process_identifier: 2316
success 0 0
1619622552.816499
NtResumeThread
thread_handle: 0x000003ec
suspend_count: 1
process_identifier: 2316
success 0 0
1619622522.113374
CreateProcessInternalW
thread_identifier: 2868
thread_handle: 0x00000084
process_identifier: 2772
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\timeout.exe
track: 1
command_line: timeout /t 300
filepath_r: C:\Windows\system32\timeout.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000080
inherit_handles: 1
success 1 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-07 18:02:50

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 123 51.105.208.173 time.windows.com 123

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.