SmartHawk

10.4

0-day

55 个模型检测该样本为恶意！

重新分析

下载样本

1afdcdeb74beab866c0f856e4381570ccd75dbffd12de925db0eb25bc0593596

75207c7ddfc523a02d7ef12f633cb6a8.exe

分析耗时

109s

最近分析

文件大小

488.5KB

静态报毒动态报毒 0NA104H420 100% AGENTTESLA AI SCORE=88 CONFIDENCE DWZEZ ELDORADO EM0@ACKQBT EPNV FAREIT GENKRYPTIK HIGH CONFIDENCE HRCNYK KCLOUD KRYPTIK MALWARE@#3O0R4QIZWQMQT MASSLOGGER PACKEDNET PWSX QFKX R346717 RAZY SCORE TSCOPE UNSAFE YAKBEEXMSIL ZEMSILCO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FXU!75207C7DDFC5	20201226	6.0.6.653
Alibaba	Trojan:MSIL/AgentTesla.0dad8ff7	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20201226	21.1.5827.0
Kingsoft	Win32.Troj.Undef.(kcloud)	20201226	2017.9.26.565
Tencent		20201226	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619599984.700124 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (50 out of 111 个事件)

Time & API	Arguments	Status	Return	Repeated
1619599934.402626 IsDebuggerPresent		failed	0	0
1619599934.402626 IsDebuggerPresent		failed	0	0
1619599937.152626 IsDebuggerPresent		failed	0	0
1619599937.652626 IsDebuggerPresent		failed	0	0
1619599938.184626 IsDebuggerPresent		failed	0	0
1619599938.652626 IsDebuggerPresent		failed	0	0
1619599939.199626 IsDebuggerPresent		failed	0	0
1619599939.652626 IsDebuggerPresent		failed	0	0
1619599940.199626 IsDebuggerPresent		failed	0	0
1619599940.652626 IsDebuggerPresent		failed	0	0
1619599941.199626 IsDebuggerPresent		failed	0	0
1619599941.652626 IsDebuggerPresent		failed	0	0
1619599942.199626 IsDebuggerPresent		failed	0	0
1619599942.652626 IsDebuggerPresent		failed	0	0
1619599943.199626 IsDebuggerPresent		failed	0	0
1619599943.652626 IsDebuggerPresent		failed	0	0
1619599944.199626 IsDebuggerPresent		failed	0	0
1619599944.652626 IsDebuggerPresent		failed	0	0
1619599945.199626 IsDebuggerPresent		failed	0	0
1619599945.652626 IsDebuggerPresent		failed	0	0
1619599946.199626 IsDebuggerPresent		failed	0	0
1619599946.652626 IsDebuggerPresent		failed	0	0
1619599947.199626 IsDebuggerPresent		failed	0	0
1619599947.652626 IsDebuggerPresent		failed	0	0
1619599948.199626 IsDebuggerPresent		failed	0	0
1619599948.652626 IsDebuggerPresent		failed	0	0
1619599949.199626 IsDebuggerPresent		failed	0	0
1619599949.652626 IsDebuggerPresent		failed	0	0
1619599950.199626 IsDebuggerPresent		failed	0	0
1619599950.652626 IsDebuggerPresent		failed	0	0
1619599951.199626 IsDebuggerPresent		failed	0	0
1619599951.652626 IsDebuggerPresent		failed	0	0
1619599952.199626 IsDebuggerPresent		failed	0	0
1619599952.652626 IsDebuggerPresent		failed	0	0
1619599953.199626 IsDebuggerPresent		failed	0	0
1619599953.652626 IsDebuggerPresent		failed	0	0
1619599954.199626 IsDebuggerPresent		failed	0	0
1619599954.652626 IsDebuggerPresent		failed	0	0
1619599955.199626 IsDebuggerPresent		failed	0	0
1619599955.652626 IsDebuggerPresent		failed	0	0
1619599956.199626 IsDebuggerPresent		failed	0	0
1619599956.652626 IsDebuggerPresent		failed	0	0
1619599957.199626 IsDebuggerPresent		failed	0	0
1619599957.652626 IsDebuggerPresent		failed	0	0
1619599958.199626 IsDebuggerPresent		failed	0	0
1619599958.652626 IsDebuggerPresent		failed	0	0
1619599959.199626 IsDebuggerPresent		failed	0	0
1619599959.652626 IsDebuggerPresent		failed	0	0
1619599960.199626 IsDebuggerPresent		failed	0	0
1619599960.652626 IsDebuggerPresent		failed	0	0

Command line console output was observed (3 个事件)

Time & API	Arguments	Status	Return
1619599984.747124 WriteConsoleW	buffer: 错误: console_handle: 0x0000000b	success	1
1619599984.747124 WriteConsoleW	buffer: 任务 XML 格式错误。 console_handle: 0x0000000b	success	1
1619599984.747124 WriteConsoleW	buffer: (44,80):Command: console_handle: 0x0000000b	success	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619599934.465626 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 115 个事件)

Time & API	Arguments	Status	Return
1619599933.574626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00740000	success	0
1619599933.574626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00860000	success	0
1619599934.027626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x004e0000	success	0
1619599934.027626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e0000	success	0
1619599934.230626 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619599934.402626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00740000	success	0
1619599934.402626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007b0000	success	0
1619599934.402626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ca000	success	0
1619599934.418626 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619599934.418626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c2000	success	0
1619599934.684626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d2000	success	0
1619599934.840626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00535000	success	0
1619599934.855626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053b000	success	0
1619599934.855626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00537000	success	0
1619599935.168626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d3000	success	0
1619599935.199626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d4000	success	0
1619599935.215626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003dc000	success	0
1619599935.371626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00790000	success	0
1619599935.855626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d5000	success	0
1619599937.496626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d6000	success	0
1619599937.715626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0052a000	success	0
1619599937.715626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00527000	success	0
1619599937.824626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00526000	success	0
1619599937.918626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00791000	success	0
1619599938.387626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d8000	success	0
1619599938.387626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d9000	success	0
1619599938.402626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00793000	success	0
1619599938.512626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x042a0000	success	0
1619599938.574626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x042a1000	success	0
1619599938.621626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00794000	success	0
1619599938.637626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x042a2000	success	0
1619599938.668626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00795000	success	0
1619599938.699626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00798000	success	0
1619599979.699626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e1000	success	0
1619599979.746626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00799000	success	0
1619599979.809626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003cc000	success	0
1619599979.824626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079a000	success	0
1619599979.871626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x042a3000	success	0
1619599979.871626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003dd000	success	0
1619599979.871626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x042a4000	success	0
1619599979.871626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079b000	success	0
1619599979.918626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079c000	success	0
1619599979.918626 NtProtectVirtualMemory	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 139776 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05450400	failed	3221225550
1619599982.684626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079d000	success	0
1619599982.730626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x042a5000	success	0
1619599982.793626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079e000	success	0
1619599982.824626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0079f000	success	0
1619599982.934626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04e60000	success	0
1619599982.934626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04e61000	success	0
1619599983.340626 NtAllocateVirtualMemory	process_identifier: 2344 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04e62000	success	0

A process attempted to delay the analysis task. (1 个事件)

description

75207c7ddfc523a02d7ef12f633cb6a8.exe tried to sleep 148 seconds, actually delayed analysis time by 148 seconds

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1BFA.tmp"
cmdline	schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1BFA.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619599984.387626 ShellExecuteExW	parameters: /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1BFA.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.301162093945703

section

{'size_of_data': '0x00079800', 'virtual_address': '0x00002000', 'entropy': 7.301162093945703, 'name': '.text', 'virtual_size': '0x00079714'}

description

A section with a high entropy has been found

entropy

0.9959016393442623

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619599936.277626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1BFA.tmp"
cmdline	schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1BFA.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619599986.746626 NtAllocateVirtualMemory	process_identifier: 2952 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00008784 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1BFA.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ ^Ç à@ @ÇWàÿ H.textd§ ¨ `.rsrcÿàª@@.reloc²@B process_handle: 0x00008784 base_address: 0x00400000	success	1
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: P8h àÌlãÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> process_handle: 0x00008784 base_address: 0x0040e000	success	1
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: À`7 process_handle: 0x00008784 base_address: 0x00410000	success	1
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: @ process_handle: 0x00008784 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ ^Ç à@ @ÇWàÿ H.textd§ ¨ `.rsrcÿàª@@.reloc²@B process_handle: 0x00008784 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2344 called NtSetContextThread to modify thread in remote process 2952
1619599986.746626 NtSetContextThread	thread_handle: 0x0000ca44 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2952	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2344 resumed a thread in remote process 2952
1619599987.168626 NtResumeThread	thread_handle: 0x0000ca44 suspend_count: 1 process_identifier: 2952	success	0	0

Executed a process and injected code into it, probably while unpacking (21 个事件)

Time & API	Arguments	Status	Return
1619599934.402626 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2344	success	0
1619599934.434626 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2344	success	0
1619599934.512626 NtResumeThread	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2344	success	0
1619599936.965626 NtResumeThread	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2344	success	0
1619599937.090626 NtResumeThread	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2344	success	0
1619599983.559626 NtResumeThread	thread_handle: 0x00000acc suspend_count: 1 process_identifier: 2344	success	0
1619599983.684626 NtResumeThread	thread_handle: 0x00010228 suspend_count: 1 process_identifier: 2344	success	0
1619599984.387626 CreateProcessInternalW	thread_identifier: 3036 thread_handle: 0x0000910c process_identifier: 1124 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1BFA.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00008780 inherit_handles: 0	success	1
1619599986.746626 CreateProcessInternalW	thread_identifier: 2948 thread_handle: 0x0000ca44 process_identifier: 2952 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\75207c7ddfc523a02d7ef12f633cb6a8.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\75207c7ddfc523a02d7ef12f633cb6a8.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00008784 inherit_handles: 0	success	1
1619599986.746626 NtGetContextThread	thread_handle: 0x0000ca44	success	0
1619599986.746626 NtAllocateVirtualMemory	process_identifier: 2952 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00008784 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨ ^Ç à@ @ÇWàÿ H.textd§ ¨ `.rsrcÿàª@@.reloc²@B process_handle: 0x00008784 base_address: 0x00400000	success	1
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: process_handle: 0x00008784 base_address: 0x00402000	success	1
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: P8h àÌlãÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> process_handle: 0x00008784 base_address: 0x0040e000	success	1
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: À`7 process_handle: 0x00008784 base_address: 0x00410000	success	1
1619599986.746626 WriteProcessMemory	process_identifier: 2952 buffer: @ process_handle: 0x00008784 base_address: 0x7efde008	success	1
1619599986.746626 NtSetContextThread	thread_handle: 0x0000ca44 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2952	success	0
1619599987.168626 NtResumeThread	thread_handle: 0x0000ca44 suspend_count: 1 process_identifier: 2952	success	0
1619599987.871499 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2952	success	0
1619599987.871499 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2952	success	0
1619599987.934499 NtResumeThread	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 2952	success	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.729862
FireEye	Generic.mg.75207c7ddfc523a0
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FXU!75207C7DDFC5
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2369177
Sangfor	Malware
K7AntiVirus	Trojan ( 0056bdaa1 )
Alibaba	Trojan:MSIL/AgentTesla.0dad8ff7
K7GW	Trojan ( 0056bdaa1 )
Cybereason	malicious.ddfc52
Arcabit	Trojan.Razy.DB2306
BitDefenderTheta	Gen:NN.ZemsilCO.34700.Em0@aCkQbt
Cyren	W32/MSIL_Troj.YB.gen!Eldorado
Symantec	Trojan.Gen.2
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Gen:Variant.Razy.729862
NANO-Antivirus	Trojan.Win32.Crypt.hrcnyk
Paloalto	generic.ml
Ad-Aware	Gen:Variant.Razy.729862
Emsisoft	Gen:Variant.Razy.729862 (B)
Comodo	Malware@#3o0r4qizwqmqt
F-Secure	Trojan.TR/Kryptik.dwzez
DrWeb	Trojan.PackedNET.402
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_FRS.0NA104H420
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Sophos	Mal/Generic-S
Jiangmin	Trojan.MSIL.qfkx
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.dwzez
Antiy-AVL	Trojan/MSIL.Kryptik
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:MSIL/AgentTesla.J!MTB
AegisLab	Trojan.MSIL.Crypt.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
GData	Gen:Variant.Razy.729862
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Infostealer.R346717
VBA32	TScope.Trojan.MSIL
ALYac	Gen:Variant.Razy.729862
MAX	malware (ai score=88)
Malwarebytes	Trojan.MalPack
ESET-NOD32	a variant of MSIL/Kryptik.XEG
TrendMicro-HouseCall	TROJ_FRS.0NA104H420
Ikarus	Trojan-Spy.MassLogger

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-03 12:56:06

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51813	239.255.255.250	1900
192.168.56.101	51815	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.