13.4
0-day
58 个模型检测该样本为恶意!
重新分析
更多

743cd5b161539860d7779adcc10b393ebb812c8c201b98c974b43ff1f404c34d

76a16bed1a858e75f1ef97d567013ada.exe

分析耗时

81s

最近分析

文件大小

668.0KB
静态报毒 动态报毒 100% AGEN AGENSLA AI SCORE=89 AIRX AQFW AVSARHER BSK66A CONFIDENCE ELDORADO ERFX FAREIT FORMBOOK GDSDA GENKRYPTIK HGIASOYA HIGH CONFIDENCE HWQNEU KCLOUD KRYPT KRYPTIK MALICIOUS PE MALWARE@#1MFLCN9YPIKTY MSILPERSEUS PACKEDNET PM0@AY@4DGB PSWTROJ PWSX QQPASS QQROB R349402 REMCOS SAVE SCORE STATIC AI SUSGEN TROJANPSW TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FYV!76A16BED1A85 20210222 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Alibaba TrojanPSW:MSIL/Formbook.e23514cf 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20210222 21.1.5827.0
Tencent Msil.Trojan-qqpass.Qqrob.Airx 20210222 1.0.0.1
Kingsoft Win32.PSWTroj.Undef.(kcloud) 20210222 2017.9.26.565
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619649271.830612
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619666584.167125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (14 个事件)
Time & API Arguments Status Return Repeated
1619649225.752612
IsDebuggerPresent
failed 0 0
1619649225.752612
IsDebuggerPresent
failed 0 0
1619649271.205612
IsDebuggerPresent
failed 0 0
1619649271.705612
IsDebuggerPresent
failed 0 0
1619649272.220612
IsDebuggerPresent
failed 0 0
1619649272.705612
IsDebuggerPresent
failed 0 0
1619649273.220612
IsDebuggerPresent
failed 0 0
1619649273.705612
IsDebuggerPresent
failed 0 0
1619649274.220612
IsDebuggerPresent
failed 0 0
1619649274.705612
IsDebuggerPresent
failed 0 0
1619649275.220612
IsDebuggerPresent
failed 0 0
1619649275.705612
IsDebuggerPresent
failed 0 0
1619666587.089375
IsDebuggerPresent
failed 0 0
1619666587.089375
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619666584.964125
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\oSFTHqCzIjydoa"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619649225.783612
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 159 个事件)
Time & API Arguments Status Return Repeated
1619649224.924612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00410000
success 0 0
1619649224.924612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00480000
success 0 0
1619649225.283612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00410000
success 0 0
1619649225.283612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00440000
success 0 0
1619649225.439612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619649225.752612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a40000
success 0 0
1619649225.752612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b60000
success 0 0
1619649225.752612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619649225.752612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619649225.752612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00422000
success 0 0
1619649226.064612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00432000
success 0 0
1619649226.142612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e5000
success 0 0
1619649226.158612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004eb000
success 0 0
1619649226.158612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e7000
success 0 0
1619649226.361612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00433000
success 0 0
1619649226.439612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043c000
success 0 0
1619649226.564612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae0000
success 0 0
1619649226.580612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00434000
success 0 0
1619649227.220612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00435000
success 0 0
1619649227.220612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00436000
success 0 0
1619649227.361612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02170000
success 0 0
1619649227.361612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043a000
success 0 0
1619649227.439612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00437000
success 0 0
1619649227.486612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae1000
success 0 0
1619649260.533612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae3000
success 0 0
1619649260.861612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042c000
success 0 0
1619649260.955612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004da000
success 0 0
1619649260.955612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d7000
success 0 0
1619649260.970612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d6000
success 0 0
1619649260.970612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae4000
success 0 0
1619649260.986612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00438000
success 0 0
1619649261.017612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae5000
success 0 0
1619649261.127612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 478720
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05570400
failed 3221225550 0
1619649270.408612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae6000
success 0 0
1619649270.455612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00439000
success 0 0
1619649270.502612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae7000
success 0 0
1619649270.517612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae8000
success 0 0
1619649270.627612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae9000
success 0 0
1619649270.658612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00aea000
success 0 0
1619649270.939612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00aeb000
success 0 0
1619649270.986612
NtAllocateVirtualMemory
process_identifier: 2200
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00aec000
success 0 0
1619649270.986612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05570178
failed 3221225550 0
1619649271.002612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055701a0
failed 3221225550 0
1619649271.002612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055701c8
failed 3221225550 0
1619649271.002612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055701f0
failed 3221225550 0
1619649271.002612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05570218
failed 3221225550 0
1619649271.002612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055e5ace
failed 3221225550 0
1619649271.002612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055e5ac2
failed 3221225550 0
1619649271.002612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 72
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055e5200
failed 3221225550 0
1619649271.002612
NtProtectVirtualMemory
process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x055e5adc
failed 3221225550 0
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\oSFTHqCzIjydoa" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7B6.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSFTHqCzIjydoa" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7B6.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619649272.877612
ShellExecuteExW
parameters: /Create /TN "Updates\oSFTHqCzIjydoa" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7B6.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.928193604795759 section {'size_of_data': '0x000a6400', 'virtual_address': '0x00002000', 'entropy': 7.928193604795759, 'name': '.text', 'virtual_size': '0x000a62a8'} description A section with a high entropy has been found
entropy 0.9962546816479401 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619649261.111612
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619666588.464375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619666605.558375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2200
process_handle: 0x00000230
failed 0 0
1619666605.558375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2200
process_handle: 0x00000230
failed 3221225738 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\oSFTHqCzIjydoa" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7B6.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSFTHqCzIjydoa" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7B6.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619649275.408612
NtAllocateVirtualMemory
process_identifier: 1564
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000d784
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Checks the version of Bios, possibly for anti-virtualization (2 个事件)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Detects virtualization software with SCSI Disk Identifier trick(s) (1 个事件)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7B6.tmp
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619649275.408612
WriteProcessMemory
process_identifier: 1564
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿B_à  ö> @ `@…ðK @  H.textDô ö `.rsrc ø@@.reloc @þ@B
process_handle: 0x0000d784
base_address: 0x00400000
success 1 0
1619649275.439612
WriteProcessMemory
process_identifier: 1564
buffer:  €P€8€€h€  Œ,#êŒ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamepclHhnqZrYCXdXZHLRPpmwVW.exe(LegalCopyright dOriginalFilenamepclHhnqZrYCXdXZHLRPpmwVW.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000d784
base_address: 0x00462000
success 1 0
1619649275.439612
WriteProcessMemory
process_identifier: 1564
buffer:  @4
process_handle: 0x0000d784
base_address: 0x00464000
success 1 0
1619649275.439612
WriteProcessMemory
process_identifier: 1564
buffer: @
process_handle: 0x0000d784
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619649275.408612
WriteProcessMemory
process_identifier: 1564
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿B_à  ö> @ `@…ðK @  H.textDô ö `.rsrc ø@@.reloc @þ@B
process_handle: 0x0000d784
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2200 called NtSetContextThread to modify thread in remote process 1564
Time & API Arguments Status Return Repeated
1619649275.439612
NtSetContextThread
thread_handle: 0x00002a2c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4592702
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1564
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2200 resumed a thread in remote process 1564
Time & API Arguments Status Return Repeated
1619649275.705612
NtResumeThread
thread_handle: 0x00002a2c
suspend_count: 1
process_identifier: 1564
success 0 0
Detects VirtualBox through the presence of a registry key (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
Detects VMWare through the presence of a registry key (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Detects the presence of Wine emulator (1 个事件)
Time & API Arguments Status Return Repeated
1619649271.533612
LdrGetProcedureAddress
ordinal: 0
module: KERNEL32
module_address: 0x76340000
function_address: 0x0040d5cc
function_name: wine_get_unix_file_name
failed 3221225785 0
Executed a process and injected code into it, probably while unpacking (24 个事件)
Time & API Arguments Status Return Repeated
1619649225.752612
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2200
success 0 0
1619649225.767612
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2200
success 0 0
1619649225.799612
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2200
success 0 0
1619649271.174612
NtResumeThread
thread_handle: 0x0000fe28
suspend_count: 1
process_identifier: 2200
success 0 0
1619649271.189612
NtResumeThread
thread_handle: 0x00001840
suspend_count: 1
process_identifier: 2200
success 0 0
1619649272.377612
NtResumeThread
thread_handle: 0x0000ed08
suspend_count: 1
process_identifier: 2200
success 0 0
1619649272.877612
CreateProcessInternalW
thread_identifier: 952
thread_handle: 0x00000c48
process_identifier: 3060
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSFTHqCzIjydoa" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp7B6.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000980c
inherit_handles: 0
success 1 0
1619649275.408612
CreateProcessInternalW
thread_identifier: 2604
thread_handle: 0x00002a2c
process_identifier: 1564
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\76a16bed1a858e75f1ef97d567013ada.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\76a16bed1a858e75f1ef97d567013ada.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000d784
inherit_handles: 0
success 1 0
1619649275.408612
NtGetContextThread
thread_handle: 0x00002a2c
success 0 0
1619649275.408612
NtAllocateVirtualMemory
process_identifier: 1564
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000d784
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619649275.408612
WriteProcessMemory
process_identifier: 1564
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿B_à  ö> @ `@…ðK @  H.textDô ö `.rsrc ø@@.reloc @þ@B
process_handle: 0x0000d784
base_address: 0x00400000
success 1 0
1619649275.424612
WriteProcessMemory
process_identifier: 1564
buffer:
process_handle: 0x0000d784
base_address: 0x00402000
success 1 0
1619649275.439612
WriteProcessMemory
process_identifier: 1564
buffer:  €P€8€€h€  Œ,#êŒ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamepclHhnqZrYCXdXZHLRPpmwVW.exe(LegalCopyright dOriginalFilenamepclHhnqZrYCXdXZHLRPpmwVW.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000d784
base_address: 0x00462000
success 1 0
1619649275.439612
WriteProcessMemory
process_identifier: 1564
buffer:  @4
process_handle: 0x0000d784
base_address: 0x00464000
success 1 0
1619649275.439612
WriteProcessMemory
process_identifier: 1564
buffer: @
process_handle: 0x0000d784
base_address: 0x7efde008
success 1 0
1619649275.439612
NtSetContextThread
thread_handle: 0x00002a2c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4592702
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1564
success 0 0
1619649275.705612
NtResumeThread
thread_handle: 0x00002a2c
suspend_count: 1
process_identifier: 1564
success 0 0
1619649275.705612
NtResumeThread
thread_handle: 0x00000c48
suspend_count: 1
process_identifier: 2200
success 0 0
1619649275.720612
NtGetContextThread
thread_handle: 0x00000c48
success 0 0
1619649275.720612
NtGetContextThread
thread_handle: 0x00000c48
success 0 0
1619649275.720612
NtResumeThread
thread_handle: 0x00000c48
suspend_count: 1
process_identifier: 2200
success 0 0
1619666587.089375
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1564
success 0 0
1619666587.089375
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1564
success 0 0
1619666587.151375
NtResumeThread
thread_handle: 0x00000198
suspend_count: 1
process_identifier: 1564
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.MSILPerseus.231893
FireEye Generic.mg.76a16bed1a858e75
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FYV!76A16BED1A85
Cylance Unsafe
Zillya Trojan.Agensla.Win32.5607
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:MSIL/Formbook.e23514cf
K7GW Trojan ( 0056d6351 )
K7AntiVirus Trojan ( 0056d6351 )
Arcabit Trojan.MSILPerseus.D389D5
BitDefenderTheta Gen:NN.ZemsilF.34574.Pm0@ay@4DGb
Cyren W32/MSIL_Kryptik.BLT.gen!Eldorado
Symantec Trojan.Formbook
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Gen:Variant.MSILPerseus.231893
NANO-Antivirus Trojan.Win32.Agensla.hwqneu
Paloalto generic.ml
Tencent Msil.Trojan-qqpass.Qqrob.Airx
Ad-Aware Gen:Variant.MSILPerseus.231893
Emsisoft Trojan.Crypt (A)
Comodo Malware@#1mflcn9ypikty
F-Secure Heuristic.HEUR/AGEN.1138776
DrWeb Trojan.PackedNET.409
VIPRE Trojan.Win32.Generic!BT
TrendMicro Backdoor.MSIL.REMCOS.SM
McAfee-GW-Edition Fareit-FYV!76A16BED1A85
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.PSW.MSIL.aqfw
eGambit Generic.Malware
Avira HEUR/AGEN.1138776
MAX malware (ai score=89)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Trojan:MSIL/Formbook.MK!MTB
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Gen:Variant.MSILPerseus.231893
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R349402
VBA32 TScope.Trojan.MSIL
ALYac Gen:Variant.MSILPerseus.231893
Malwarebytes Trojan.Crypt.MSIL
ESET-NOD32 a variant of MSIL/Kryptik.XMH
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2040-01-14 19:12:02

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.