SmartHawk

4.6

中危

2 个模型检测该样本为恶意！

重新分析

下载样本

cdb1bc822f3c6ba68e38cc65e09fbd51058ee5a5c281e93867692ae09366cad7

71c5d201c67bea1bd05c377b09854eda.exe

分析耗时

91s

最近分析

文件大小

4.9MB

静态报毒动态报毒 AUTORUNER EKCSLY SCORE UNSAFE

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
CrowdStrike	20190702	1.0
Alibaba	20190527	0.3.0.5
Avast	20200721	18.4.3895.0
Baidu	20190318	1.0.0.2
Kingsoft	20200721	2013.8.14.323
McAfee	20200721	6.0.6.653
Tencent	20200721	1.0.0.1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:655558488&cup2hreq=a7c350565e43dec9f55a9ef45e3bebeab4c8bd27f7f8c8372fe65e2e6cb43bdd

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5996c89aad37652&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=3
request	POST https://update.googleapis.com/service/update2?cup2key=10:655558488&cup2hreq=a7c350565e43dec9f55a9ef45e3bebeab4c8bd27f7f8c8372fe65e2e6cb43bdd

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:655558488&cup2hreq=a7c350565e43dec9f55a9ef45e3bebeab4c8bd27f7f8c8372fe65e2e6cb43bdd

Allocates read-write-execute memory (usually to unpack itself) (4 个事件)

Time & API	Arguments	Status
1620762802.34375 NtProtectVirtualMemory	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1620762802.34375 NtProtectVirtualMemory	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1620762802.34375 NtProtectVirtualMemory	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00413000	success
1620790429.379625 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b0000	success

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-04H2G.tmp\is-HVA9U.tmp

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 个事件)

NANO-Antivirus	Trojan.Win32.Autoruner.ekcsly
eGambit	Unsafe.AI_Score_99%

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x4110b4 DeleteCriticalSection

• 0x4110b8 LeaveCriticalSection

• 0x4110bc EnterCriticalSection

• 0x4110c0 InitializeCriticalSection

• 0x4110c4 VirtualFree

• 0x4110c8 VirtualAlloc

• 0x4110cc LocalFree

• 0x4110d0 LocalAlloc

• 0x4110d4 WideCharToMultiByte

• 0x4110d8 TlsSetValue

• 0x4110dc TlsGetValue

• 0x4110e0 MultiByteToWideChar

• 0x4110e4 GetModuleHandleA

• 0x4110e8 GetLastError

• 0x4110ec GetCommandLineA

• 0x4110f0 WriteFile

• 0x4110f4 SetFilePointer

• 0x4110f8 SetEndOfFile

• 0x4110fc RtlUnwind

• 0x411100 ReadFile

• 0x411104 RaiseException

• 0x411108 GetStdHandle

• 0x41110c GetFileSize

• 0x411110 GetSystemTime

• 0x411114 GetFileType

• 0x411118 ExitProcess

• 0x41111c CreateFileA

• 0x411120 CloseHandle

Library user32.dll:

• 0x411128 MessageBoxA

Library oleaut32.dll:

• 0x411130 VariantChangeTypeEx

• 0x411134 VariantCopyInd

• 0x411138 VariantClear

• 0x41113c SysStringLen

• 0x411140 SysAllocStringLen

Library advapi32.dll:

• 0x411148 RegQueryValueExA

• 0x41114c RegOpenKeyExA

• 0x411150 RegCloseKey

• 0x411154 OpenProcessToken

• 0x411158 LookupPrivilegeValueA

Library kernel32.dll:

• 0x411160 VirtualQuery

• 0x411164 VirtualProtect

• 0x411168 Sleep

• 0x41116c SetLastError

• 0x411170 SetErrorMode

• 0x411174 RemoveDirectoryA

• 0x411178 GetWindowsDirectoryA

• 0x41117c GetVersionExA

• 0x411180 GetUserDefaultLangID

• 0x411184 GetSystemInfo

• 0x411188 GetSystemDefaultLCID

• 0x41118c GetProcAddress

• 0x411190 GetModuleHandleA

• 0x411194 GetModuleFileNameA

• 0x411198 GetLocaleInfoA

• 0x41119c GetLastError

• 0x4111a0 GetFullPathNameA

• 0x4111a4 GetFileAttributesA

• 0x4111a8 GetExitCodeProcess

• 0x4111ac GetEnvironmentVariableA

• 0x4111b0 GetCurrentProcess

• 0x4111b4 GetCommandLineA

• 0x4111b8 GetCPInfo

• 0x4111bc FormatMessageA

• 0x4111c0 DeleteFileA

• 0x4111c4 CreateProcessA

• 0x4111c8 CreateDirectoryA

• 0x4111cc CloseHandle

Library user32.dll:

• 0x4111d4 TranslateMessage

• 0x4111d8 SetWindowLongA

• 0x4111dc PeekMessageA

• 0x4111e0 MsgWaitForMultipleObjects

• 0x4111e4 MessageBoxA

• 0x4111e8 LoadStringA

• 0x4111ec GetSystemMetrics

• 0x4111f0 ExitWindowsEx

• 0x4111f4 DispatchMessageA

• 0x4111f8 DestroyWindow

• 0x4111fc CreateWindowExA

• 0x411200 CallWindowProcA

• 0x411204 CharPrevA

• 0x411208 CharNextA

Library comctl32.dll:

• 0x411210 InitCommonControls

Library advapi32.dll:

• 0x411218 AdjustTokenPrivileges

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	216.58.200.78
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
redirector.gvt1.com	A 203.208.41.65	180.163.151.161
update.googleapis.com	A 203.208.40.66	180.163.151.162
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49187	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49188	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49185	203.208.40.66 update.googleapis.com	443
192.168.56.101	49186	203.208.41.65 redirector.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	54260	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	58970	114.114.114.114	53
192.168.56.101	60088	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5996c89aad37652&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=3	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5996c89aad37652&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

URI

Data

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5996c89aad37652&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=3

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5996c89aad37652&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620761536&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.