SmartHawk

6.6

高危

3 个模型检测该样本为恶意！

重新分析

下载样本

e46fc35794c8fd2827b37c8565cc72251fdd52dcbb18fa95c104df5110d1fa85

744e9b5e1eeff8b447626715c65656df.exe

分析耗时

107s

最近分析

文件大小

724.5KB

静态报毒动态报毒 DEEPSCAN KCLOUD

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee		20160603	6.0.6.653
Baidu		20160603	1.0.0.2
Avast		20160603	8.0.1489.320
Alibaba		20160603	1.0
Kingsoft	Win32.Troj.DeepScan.a.(kcloud)	20160603	2013.8.14.323
Tencent		20160603	1.0.0.1

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762799.20275 IsDebuggerPresent		failed	0	0

Command line console output was observed (9 个事件)

Time & API	Arguments	Status	Return
1620787217.560876 WriteConsoleW	buffer: C:\Windows\Installer\InstallSource MSXML> console_handle: 0x00000007	success	1
1620787217.560876 WriteConsoleW	buffer: SetLocal console_handle: 0x00000007	success	1
1620787217.560876 WriteConsoleW	buffer: EnableExtensions console_handle: 0x00000007	success	1
1620787217.576876 WriteConsoleW	buffer: C:\Windows\Installer\InstallSource MSXML> console_handle: 0x00000007	success	1
1620787217.576876 WriteConsoleW	buffer: Start console_handle: 0x00000007	success	1
1620787217.576876 WriteConsoleW	buffer: /Wait msiexec.exe /i msxml.msi /qn REBOOT=ReallySuppress console_handle: 0x00000007	success	1
1620787271.357876 WriteConsoleW	buffer: C:\Windows\Installer\InstallSource MSXML> console_handle: 0x00000007	success	1
1620787271.357876 WriteConsoleW	buffer: If console_handle: 0x00000007	success	1
1620787271.357876 WriteConsoleW	buffer: Exit console_handle: 0x00000007	success	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762804.01575 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.sxdata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:3660062812&cup2hreq=2e00478bf0914d5f07dcac12e927d2a29cb46fbb910b4a9a78f0a94f1cb3d723

Performs some HTTP requests (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:3660062812&cup2hreq=2e00478bf0914d5f07dcac12e927d2a29cb46fbb910b4a9a78f0a94f1cb3d723

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:3660062812&cup2hreq=2e00478bf0914d5f07dcac12e927d2a29cb46fbb910b4a9a78f0a94f1cb3d723

Allocates read-write-execute memory (usually to unpack itself) (6 个事件)

Time & API	Arguments	Status
1620787219.841626 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75641000	success
1620787219.857626 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75061000	success
1620787219.888626 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74201000	success
1620787219.888626 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75831000	success
1620787219.888626 NtProtectVirtualMemory	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75841000	success
1620787268.357999 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004790000	success

Creates executable files on the filesystem (9 个事件)

file	C:\Windows\Installer\InstallSource MSXML\System\msxml4r.dll
file	C:\Windows\Installer\InstallSource MSXML\System\msxml4.dll
file	C:\Windows\Installer\InstallSource MSXML\msxml.cmd
file	C:\Windows\Installer\InstallSource MSXML\Windows\winsxs\vl34x2va.rt8\msxml4.dll
file	C:\Windows\Installer\InstallSource MSXML\Windows\winsxs\7n0mtfut.k85\msxml4r.dll
file	C:\Windows\Installer\InstallSource MSXML\msxml.msi
file	C:\Windows\Installer\InstallSource MSXML\Windows\winsxs\5n0mtfut.k85\msxml4r.dll
file	C:\Windows\Installer\InstallSource MSXML\System\msxml4a.dll
file	C:\Windows\Installer\InstallSource MSXML\Windows\winsxs\tl34x2va.rt8\msxml4.dll

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762804.51575 ShellExecuteExW	parameters: filepath: msxml.cmd filepath_r: msxml.cmd show_type: 0	success	1	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 个事件)

Jiangmin	Trojan/BAT.op
Antiy-AVL	Trojan[:HEUR]/Win32.Unknown
Kingsoft	Win32.Troj.DeepScan.a.(kcloud)

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 个事件)

Time & API	Arguments	Status	Return
1620787219.904626 LookupPrivilegeValueW	system_name: privilege_name: SeShutdownPrivilege	success	1
1620787220.138626 LookupPrivilegeValueW	system_name: privilege_name: SeCreateTokenPrivilege	success	1
1620787220.138626 LookupPrivilegeValueW	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	success	1
1620787220.138626 LookupPrivilegeValueW	system_name: privilege_name: SeMachineAccountPrivilege	success	1
1620787220.138626 LookupPrivilegeValueW	system_name: privilege_name: SeTcbPrivilege	success	1
1620787220.138626 LookupPrivilegeValueW	system_name: privilege_name: SeSecurityPrivilege	success	1
1620787220.138626 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1620787220.138626 LookupPrivilegeValueW	system_name: privilege_name: SeLoadDriverPrivilege	success	1
1620787220.154626 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1
1620787220.154626 LookupPrivilegeValueW	system_name: privilege_name: SeRestorePrivilege	success	1
1620787220.154626 LookupPrivilegeValueW	system_name: privilege_name: SeShutdownPrivilege	success	1
1620787220.154626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1620787220.154626 LookupPrivilegeValueW	system_name: privilege_name: SeRemoteShutdownPrivilege	success	1
1620787220.154626 LookupPrivilegeValueW	system_name: privilege_name: SeEnableDelegationPrivilege	success	1
1620787220.154626 LookupPrivilegeValueW	system_name: privilege_name: SeManageVolumePrivilege	success	1
1620787220.154626 LookupPrivilegeValueW	system_name: privilege_name: SeCreateGlobalPrivilege	success	1

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1068 resumed a thread in remote process 2940
1620787218.685876 NtResumeThread	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2940	success	0	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2008-04-25 17:03:12

Imports

Library KERNEL32.dll:

• 0x412018 GetLastError

• 0x41201c SystemTimeToFileTime

• 0x412020 GetLocalTime

• 0x412024 GetFileAttributesW

• 0x412028 CreateDirectoryW

• 0x41202c WriteFile

• 0x412030 GetStdHandle

• 0x412034 VirtualAlloc

• 0x412038 VirtualFree

• 0x41203c GetACP

• 0x412040 GetOEMCP

• 0x412044 GetModuleHandleW

• 0x412048 MultiByteToWideChar

• 0x41204c WideCharToMultiByte

• 0x412050 ExpandEnvironmentStringsW

• 0x412054 lstrlenA

• 0x412058 lstrcmpW

• 0x41205c RemoveDirectoryW

• 0x412060 FindClose

• 0x412064 FindNextFileW

• 0x412068 DeleteFileW

• 0x41206c FindFirstFileW

• 0x412070 CompareFileTime

• 0x412074 GetSystemTimeAsFileTime

• 0x412078 lstrlenW

• 0x41207c GetUserDefaultUILanguage

• 0x412080 GetUserDefaultLCID

• 0x412084 GetTempPathW

• 0x412088 SetEnvironmentVariableW

• 0x41208c CloseHandle

• 0x412090 CreateFileW

• 0x412094 CreateThread

• 0x412098 SetCurrentDirectoryW

• 0x41209c lstrcmpiW

• 0x4120a0 GetModuleFileNameW

• 0x4120a4 GetCommandLineW

• 0x4120a8 GetVersionExW

• 0x4120ac GetProcAddress

• 0x4120b0 LoadLibraryA

• 0x4120b4 MulDiv

• 0x4120b8 TerminateThread

• 0x4120bc ResumeThread

• 0x4120c0 SuspendThread

• 0x4120c4 LocalFree

• 0x4120c8 lstrcpyW

• 0x4120cc FormatMessageW

• 0x4120d0 GetSystemDirectoryW

• 0x4120d4 DeleteCriticalSection

• 0x4120d8 GetFileSize

• 0x4120dc SetFilePointer

• 0x4120e0 ReadFile

• 0x4120e4 SetFileTime

• 0x4120e8 SetEndOfFile

• 0x4120ec EnterCriticalSection

• 0x4120f0 LeaveCriticalSection

• 0x4120f4 WaitForMultipleObjects

• 0x4120f8 CreateEventW

• 0x4120fc SetEvent

• 0x412100 ResetEvent

• 0x412104 InitializeCriticalSection

• 0x412108 WaitForSingleObject

• 0x41210c GetExitCodeThread

• 0x412110 Sleep

• 0x412114 SetFileAttributesW

• 0x412118 GetDriveTypeW

• 0x41211c SetLastError

• 0x412120 GetStartupInfoA

Library USER32.dll:

• 0x412154 ScreenToClient

• 0x412158 GetWindowRect

• 0x41215c ShowWindow

• 0x412160 ReleaseDC

• 0x412164 DrawTextW

• 0x412168 GetSystemMetrics

• 0x41216c GetDC

• 0x412170 SetWindowPos

• 0x412174 GetWindowTextLengthW

• 0x412178 ClientToScreen

• 0x41217c GetParent

• 0x412180 GetWindow

• 0x412184 DialogBoxIndirectParamW

• 0x412188 SystemParametersInfoW

• 0x41218c DrawIconEx

• 0x412190 GetWindowDC

• 0x412194 CallWindowProcW

• 0x412198 SetFocus

• 0x41219c wvsprintfW

• 0x4121a0 SetWindowTextW

• 0x4121a4 GetWindowTextW

• 0x4121a8 LoadImageW

• 0x4121ac LoadIconW

• 0x4121b0 MessageBeep

• 0x4121b4 EnableMenuItem

• 0x4121b8 GetSystemMenu

• 0x4121bc DispatchMessageW

• 0x4121c0 KillTimer

• 0x4121c4 DestroyWindow

• 0x4121c8 CharUpperW

• 0x4121cc EndDialog

• 0x4121d0 SendMessageW

• 0x4121d4 GetWindowLongW

• 0x4121d8 GetMessageW

• 0x4121dc SetTimer

• 0x4121e0 GetClientRect

• 0x4121e4 SetDlgItemTextW

• 0x4121e8 GetDlgItem

• 0x4121ec GetKeyState

• 0x4121f0 MessageBoxA

• 0x4121f4 wsprintfA

• 0x4121f8 wsprintfW

• 0x4121fc CreateWindowExW

• 0x412200 DefWindowProcW

• 0x412204 SetWindowLongW

Library GDI32.dll:

• 0x412000 SelectObject

• 0x412004 CreateFontIndirectW

• 0x412008 GetObjectW

• 0x41200c DeleteObject

• 0x412010 GetDeviceCaps

Library SHELL32.dll:

• 0x412134 SHGetFileInfoW

• 0x412138 SHBrowseForFolderW

• 0x41213c SHGetPathFromIDListW

• 0x412140 SHGetMalloc

• 0x412144 ShellExecuteW

• 0x412148 SHGetSpecialFolderPathW

• 0x41214c ShellExecuteExW

Library ole32.dll:

• 0x412294 CoInitialize

• 0x412298 CoCreateInstance

Library OLEAUT32.dll:

• 0x412128 SysAllocString

• 0x41212c VariantClear

Library msvcrt.dll:

• 0x41220c _controlfp

• 0x412210 ?terminate@@YAXXZ

• 0x412214 ??3@YAXPAX@Z

• 0x412218 ??2@YAPAXI@Z

• 0x41221c _purecall

• 0x412220 __CxxFrameHandler

• 0x412224 memcmp

• 0x412228 free

• 0x41222c malloc

• 0x412230 memmove

• 0x412234 memcpy

• 0x412238 _wtol

• 0x41223c _wcsnicmp

• 0x412240 memset

• 0x412244 _CxxThrowException

• 0x412248 _beginthreadex

• 0x41224c _except_handler3

• 0x412250 __dllonexit

• 0x412254 _onexit

• 0x412258 ??1type_info@@UAE@XZ

• 0x41225c _c_exit

• 0x412260 _exit

• 0x412264 _XcptFilter

• 0x412268 _cexit

• 0x41226c exit

• 0x412270 _acmdln

• 0x412274 __getmainargs

• 0x412278 _initterm

• 0x41227c __setusermatherr

• 0x412280 _adjust_fdiv

• 0x412284 __p__commode

• 0x412288 __p__fmode

• 0x41228c __set_app_type

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	216.58.200.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.41.66	113.108.239.162
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49191	203.208.41.66 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.