SmartHawk

10.6

0-day

48 个模型检测该样本为恶意！

重新分析

下载样本

8ac57ec0d32b453aa23a1c7149d5cd5695c8a99a9bd0b792bfc1411b1216c4da

7236e60628c25d1b48ae9de6eb5e6b8c.exe

分析耗时

93s

最近分析

文件大小

731.5KB

静态报毒动态报毒 AENU AGENTTESLA AI SCORE=87 ATTRIBUTE CONFIDENCE ELDORADO ENCODED FAREIT GDSDA HIGH CONFIDENCE HIGHCONFIDENCE HOUNGK INJECT3 INPGR KCLOUD KRYPTIK MALWARE@#3TXH9CPPBSH3M MASSLOGGER PWSX QVM03 R + TROJ RAZY SCORE UNSAFE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:MSIL/MassLogger.7944d94b	20190527	0.3.0.5
Avast	Win32:PWSX-gen [Trj]	20201210	21.1.5827.0
Tencent	Msil.Trojan.Crypt.Aenu	20201211	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft	Win32.Troj.Undef.(kcloud)	20201211	2017.9.26.565
McAfee	Fareit-FXR!7236E60628C2	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619603654.798626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619603675.908001 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619603679.689001 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619603682.611001 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619603683.517001 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596028.055776 IsDebuggerPresent		failed	0	0
1619596028.055776 IsDebuggerPresent		failed	0	0
1619603658.595001 IsDebuggerPresent		failed	0	0
1619603658.595001 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619603655.439626 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\CdKZXCSedTjRc"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596028.071776 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619603682.236001 __exception__	stacktrace: 0xbc188e 0xbc0902 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2814236 registers.edi: 38519052 registers.eax: 0 registers.ebp: 2814284 registers.edx: 8 registers.ebx: 0 registers.esi: 1252303399 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 69 c6 be 1d ff 90 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbc5052	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619603682.236001
__exception__

stacktrace:

0xbc188e
0xbc0902
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2814236
registers.edi: 38519052
registers.eax: 0
registers.ebp: 2814284
registers.edx: 8
registers.ebx: 0
registers.esi: 1252303399
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 69 c6 be 1d ff 90
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xbc5052

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 135 个事件)

Time & API	Arguments	Status
1619596027.524776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005d0000	success
1619596027.524776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00750000	success
1619596027.758776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01fe0000	success
1619596027.758776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02080000	success
1619596027.899776 NtProtectVirtualMemory	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619596028.055776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00690000	success
1619596028.055776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00710000	success
1619596028.055776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046a000	success
1619596028.055776 NtProtectVirtualMemory	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619596028.055776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00462000	success
1619596028.649776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00472000	success
1619596028.977776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00495000	success
1619596028.993776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0049b000	success
1619596028.993776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00497000	success
1619596029.321776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00473000	success
1619596029.368776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00474000	success
1619596029.399776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047c000	success
1619596029.602776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c0000	success
1619596030.212776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00475000	success
1619596030.212776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00477000	success
1619596030.587776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00478000	success
1619596030.743776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006f0000	success
1619596030.743776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047a000	success
1619596030.868776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00479000	success
1619596030.868776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00700000	success
1619596031.274776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00702000	success
1619596031.305776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c1000	success
1619596031.352776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00703000	success
1619596031.415776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00704000	success
1619596031.446776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00486000	success
1619596031.477776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00705000	success
1619596031.477776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048a000	success
1619596031.477776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00487000	success
1619596031.493776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c2000	success
1619596031.508776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00706000	success
1619596031.524776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c3000	success
1619596031.540776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047d000	success
1619596069.555776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c6000	success
1619596069.790776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00707000	success
1619596069.790776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c7000	success
1619596070.008776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046c000	success
1619596070.102776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c8000	success
1619596070.149776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00708000	success
1619596070.149776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00711000	success
1619596070.165776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00712000	success
1619596070.180776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00713000	success
1619596070.180776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00714000	success
1619596070.180776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00715000	success
1619596070.180776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00716000	success
1619596070.180776 NtAllocateVirtualMemory	process_identifier: 2560 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0071a000	success

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\CdKZXCSedTjRc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD47.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CdKZXCSedTjRc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD47.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596071.696776 ShellExecuteExW	parameters: /Create /TN "Updates\CdKZXCSedTjRc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD47.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.31796352263337

section

{'size_of_data': '0x000b6200', 'virtual_address': '0x00002000', 'entropy': 7.31796352263337, 'name': '.text', 'virtual_size': '0x000b6084'}

description

A section with a high entropy has been found

entropy

0.9965800273597811

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619603670.970001 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619603673.658001 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2560 process_handle: 0x00000234	failed	0	0
1619603673.658001 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2560 process_handle: 0x00000234	failed	3221225738	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\CdKZXCSedTjRc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD47.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CdKZXCSedTjRc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD47.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596074.852776 NtAllocateVirtualMemory	process_identifier: 2516 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD47.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619596074.852776 WriteProcessMemory	process_identifier: 2516 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\4_à\{ @ À@¸zSH H.text[ \ `.rsrcH^@@.reloc d@B process_handle: 0x00000388 base_address: 0x00400000	success	1
1619596074.883776 WriteProcessMemory	process_identifier: 2516 buffer: P8h ¼\ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNamehjRZTvPqMDPTOMIbUvtAcOcsojPcMMzSjdfj.exe(LegalCopyright \|)OriginalFilenamehjRZTvPqMDPTOMIbUvtAcOcsojPcMMzSjdfj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00000388 base_address: 0x00448000	success	1
1619596074.883776 WriteProcessMemory	process_identifier: 2516 buffer: p; process_handle: 0x00000388 base_address: 0x0044a000	success	1
1619596074.883776 WriteProcessMemory	process_identifier: 2516 buffer: @ process_handle: 0x00000388 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619596074.852776 WriteProcessMemory	process_identifier: 2516 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\4_à\{ @ À@¸zSH H.text[ \ `.rsrcH^@@.reloc d@B process_handle: 0x00000388 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2516
1619596074.883776 NtSetContextThread	thread_handle: 0x00000330 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4487950 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2516	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2516
1619596075.383776 NtResumeThread	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2516	success	0	0

Executed a process and injected code into it, probably while unpacking (24 个事件)

Time & API	Arguments	Status	Return
1619596028.055776 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2560	success	0
1619596028.055776 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2560	success	0
1619596028.087776 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2560	success	0
1619596071.680776 CreateProcessInternalW	thread_identifier: 2968 thread_handle: 0x0000033c process_identifier: 2964 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CdKZXCSedTjRc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD47.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000378 inherit_handles: 0	success	1
1619596074.852776 CreateProcessInternalW	thread_identifier: 580 thread_handle: 0x00000330 process_identifier: 2516 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7236e60628c25d1b48ae9de6eb5e6b8c.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7236e60628c25d1b48ae9de6eb5e6b8c.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000388 inherit_handles: 0	success	1
1619596074.852776 NtGetContextThread	thread_handle: 0x00000330	success	0
1619596074.852776 NtAllocateVirtualMemory	process_identifier: 2516 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619596074.852776 WriteProcessMemory	process_identifier: 2516 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\4_à\{ @ À@¸zSH H.text[ \ `.rsrcH^@@.reloc d@B process_handle: 0x00000388 base_address: 0x00400000	success	1
1619596074.868776 WriteProcessMemory	process_identifier: 2516 buffer: process_handle: 0x00000388 base_address: 0x00402000	success	1
1619596074.883776 WriteProcessMemory	process_identifier: 2516 buffer: P8h ¼\ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNamehjRZTvPqMDPTOMIbUvtAcOcsojPcMMzSjdfj.exe(LegalCopyright \|)OriginalFilenamehjRZTvPqMDPTOMIbUvtAcOcsojPcMMzSjdfj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00000388 base_address: 0x00448000	success	1
1619596074.883776 WriteProcessMemory	process_identifier: 2516 buffer: p; process_handle: 0x00000388 base_address: 0x0044a000	success	1
1619596074.883776 WriteProcessMemory	process_identifier: 2516 buffer: @ process_handle: 0x00000388 base_address: 0x7efde008	success	1
1619596074.883776 NtSetContextThread	thread_handle: 0x00000330 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4487950 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2516	success	0
1619596075.383776 NtResumeThread	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2516	success	0
1619596075.383776 NtResumeThread	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2560	success	0
1619596075.415776 NtGetContextThread	thread_handle: 0x0000039c	success	0
1619596075.415776 NtGetContextThread	thread_handle: 0x0000039c	success	0
1619596075.415776 NtResumeThread	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2560	success	0
1619603658.595001 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2516	success	0
1619603658.595001 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2516	success	0
1619603658.767001 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2516	success	0
1619603679.158001 NtResumeThread	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 2516	success	0
1619603679.408001 NtResumeThread	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2516	success	0
1619603682.345001 NtResumeThread	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 2516	success	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)

Elastic	malicious (high confidence)
DrWeb	Trojan.Inject3.45011
MicroWorld-eScan	Gen:Variant.Razy.721932
FireEye	Gen:Variant.Razy.721932
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Gen:Variant.Razy.721932
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:MSIL/MassLogger.7944d94b
K7GW	Riskware ( 0040eff71 )
Arcabit	Trojan.Razy.DB040C
Cyren	W32/MSIL_Kryptik.BMQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.WYY
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Gen:Variant.Razy.721932
NANO-Antivirus	Trojan.Win32.Crypt.houngk
Paloalto	generic.ml
Tencent	Msil.Trojan.Crypt.Aenu
Ad-Aware	Gen:Variant.Razy.721932
Emsisoft	Gen:Variant.Razy.721932 (B)
Comodo	Malware@#3txh9cppbsh3m
F-Secure	Trojan.TR/AD.AgentTesla.inpgr
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	Fareit-FXR!7236E60628C2
Sophos	Mal/Generic-R + Troj/MSIL-PKO
Avira	TR/AD.AgentTesla.inpgr
Antiy-AVL	Trojan/MSIL.Crypt
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	SUSP.Encoded_EXE.bot!yf
Microsoft	Trojan:MSIL/MassLogger.G!MTB
AegisLab	Trojan.MSIL.Crypt.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
GData	Gen:Variant.Razy.721932
Cynet	Malicious (score: 90)
AhnLab-V3	Trojan/Win32.RL_MSIL.C4165654
McAfee	Fareit-FXR!7236E60628C2
MAX	malware (ai score=87)
Malwarebytes	Trojan.MalPack
Ikarus	Trojan.Inject
Fortinet	MSIL/Kryptik.WYG!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_60% (W)
Qihoo-360	Generic/HEUR/QVM03.0.BBD4.Malware.Gen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-21 22:20:02

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.