14.0
0-day
55 个模型检测该样本为恶意!
重新分析
更多

79aee42afbd9b6b6c639d56411291d60d0fa0058a71b831460cf0476ed99ed36

79f3e491257594a7dc80b5c2f310f9b6.exe

分析耗时

77s

最近分析

文件大小

415.0KB
静态报毒 动态报毒 100% AGEN AGENSLA AI SCORE=100 BEHAVIOR BTZWF6 CONFIDENCE ELDORADO FSEQ GDSDA GENERICKD HIGH CONFIDENCE IGENT KCLOUD KRYPTIK MALWARE@#64YBVIEJSI6R NANOBOT OCCAMY R + TROJ R066C0PHC20 SCORE SIGGEN2 STATIC AI SUSGEN SUSPICIOUS PE TROJANX TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF ZM0@AC2ZBMC 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Backdoor:MSIL/NanoBot.91f56b1a 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Tencent 20201229 1.0.0.1
Kingsoft Win32.Hack.Undef.(kcloud) 20201229 2017.9.26.565
McAfee Trojan-FSEQ!79F3E4912575 20201229 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (3 个事件)
Time & API Arguments Status Return Repeated
1619650586.101249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619650587.569249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619650589.288249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619649222.803952
IsDebuggerPresent
failed 0 0
1619650574.241249
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619649225.334952
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (7 个事件)
Time & API Arguments Status Return Repeated
1619650589.272249
__exception__
stacktrace: 
0x124f495
0x124e840
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3862176
registers.edi: 3862204
registers.eax: 0
registers.ebp: 3862220
registers.edx: 158
registers.ebx: 0
registers.esi: 42777556
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 16 06 59 55 e9 55 ff
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x124f88a
success 0 0
1619650614.397249
__exception__
stacktrace: 
0x51717e2
0x124eecd
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3860572
registers.edi: 43272056
registers.eax: 15802029
registers.ebp: 3860628
registers.edx: 1
registers.ebx: 42934260
registers.esi: 173822320
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 69 c6 04 7f c4 b2
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x517505f
success 0 0
1619650614.569249
__exception__
stacktrace: 
0x124eecd
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3860636
registers.edi: 43025924
registers.eax: 0
registers.ebp: 3862268
registers.edx: 5
registers.ebx: 42934260
registers.esi: 233941160
registers.ecx: 15
exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 c4 f9 ff ff
exception.instruction: cmp dword ptr [eax + 8], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5171dda
success 0 0
1619650614.616249
__exception__
stacktrace: 
0x5172093
0x124eecd
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3860556
registers.edi: 43316136
registers.eax: 43449004
registers.ebp: 3860628
registers.edx: 43449004
registers.ebx: 43444552
registers.esi: 0
registers.ecx: 1911774966
exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 d4 95 f8 6c
exception.instruction: cmp dword ptr [esi], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x517ab9c
success 0 0
1619650614.632249
__exception__
stacktrace: 
0x51720f3
0x124eecd
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3860556
registers.edi: 3860612
registers.eax: 0
registers.ebp: 3860628
registers.edx: 3860524
registers.ebx: 42934260
registers.esi: 43449720
registers.ecx: 0
exception.instruction_r: 39 09 e8 82 99 ee 6c 89 45 bc 33 d2 89 55 dc 8b
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x517ae9f
success 0 0
1619650619.929249
__exception__
stacktrace: 
0x5172da4
0x124eecd
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3860508
registers.edi: 0
registers.eax: 56346467
registers.ebp: 3860628
registers.edx: 2
registers.ebx: 0
registers.esi: 1408661677
registers.ecx: 0
exception.instruction_r: 39 09 e8 43 05 a0 6c 83 78 04 00 0f 84 3f 02 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x56642de
success 0 0
1619650627.929249
__exception__
stacktrace: 
_vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31
IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141
OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d
ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db
DllRegisterServerInternal+0x3df02 GetPrivateContextsPerfCounters-0x19797 mscorwks+0x94168 @ 0x73fc4168
0x47bb3e
system+0x7a24ea @ 0x71aa24ea
system+0x7a30b4 @ 0x71aa30b4
system+0x7a2c0a @ 0x71aa2c0a
system+0x7a0de4 @ 0x71aa0de4
system+0x79e6da @ 0x71a9e6da
system+0x79f065 @ 0x71a9f065
microsoft+0x12fb46 @ 0x7371fb46
0x124e444
system+0x1f84fa @ 0x714f84fa
0xb40ebc
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
0x566469c
0x124efb8
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3860844
registers.edi: 5308416
registers.eax: 4294967288
registers.ebp: 3860888
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 5308416
exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84
exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58
exception.instruction: cmp byte ptr [eax + 7], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 499288
exception.address: 0x77da9e58
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3646952750&cup2hreq=92dd9330649720f4898e14dfc0b4e69694d993e0b7106960513355162c4ea2ed
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619621058&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=7e4dff13bcb8db65&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619621058&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:3646952750&cup2hreq=92dd9330649720f4898e14dfc0b4e69694d993e0b7106960513355162c4ea2ed
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:3646952750&cup2hreq=92dd9330649720f4898e14dfc0b4e69694d993e0b7106960513355162c4ea2ed
Allocates read-write-execute memory (usually to unpack itself) (50 out of 128 个事件)
Time & API Arguments Status Return Repeated
1619649221.787952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00240000
success 0 0
1619649221.787952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a0000
success 0 0
1619649222.584952
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619649222.818952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002fa000
success 0 0
1619649222.818952
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619649222.818952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f2000
success 0 0
1619649223.271952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00312000
success 0 0
1619649223.412952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00313000
success 0 0
1619649223.443952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005eb000
success 0 0
1619649223.443952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e7000
success 0 0
1619649223.506952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0031c000
success 0 0
1619649223.818952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00314000
success 0 0
1619649223.818952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00315000
success 0 0
1619649223.865952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00316000
success 0 0
1619649223.881952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b00000
success 0 0
1619649223.959952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033a000
success 0 0
1619649223.959952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00337000
success 0 0
1619649223.959952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034a000
success 0 0
1619649223.990952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002fb000
success 0 0
1619649224.412952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00336000
success 0 0
1619649224.459952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00317000
success 0 0
1619649224.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00bd0000
success 0 0
1619649224.506952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a1000
success 0 0
1619649224.646952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e5000
success 0 0
1619649224.662952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00342000
success 0 0
1619649224.850952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0031a000
success 0 0
1619649224.975952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00bd1000
success 0 0
1619649225.053952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x054c0000
success 0 0
1619649225.053952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05580000
success 0 0
1619649225.053952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05581000
success 0 0
1619649225.084952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05582000
success 0 0
1619649225.100952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00318000
success 0 0
1619649225.131952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b01000
success 0 0
1619649225.131952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05583000
success 0 0
1619649225.131952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05584000
success 0 0
1619649225.162952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05585000
success 0 0
1619649225.162952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b02000
success 0 0
1619649225.240952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b03000
success 0 0
1619649225.256952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00319000
success 0 0
1619649225.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a50000
success 0 0
1619649225.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05586000
success 0 0
1619649225.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0558a000
success 0 0
1619649225.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0559b000
success 0 0
1619649225.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0559c000
success 0 0
1619649225.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b04000
success 0 0
1619649225.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0559d000
success 0 0
1619649225.490952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0559e000
success 0 0
1619649225.506952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b05000
success 0 0
1619649225.506952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0559f000
success 0 0
1619649225.615952
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b06000
success 0 0
Steals private information from local Internet browsers (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619650615.694249
CreateProcessInternalW
thread_identifier: 2188
thread_handle: 0x000003fc
process_identifier: 2168
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x0000040c
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.947730197162492 section {'size_of_data': '0x00067200', 'virtual_address': '0x00002000', 'entropy': 7.947730197162492, 'name': '.text', 'virtual_size': '0x00067018'} description A section with a high entropy has been found
entropy 0.9951749095295537 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619650575.007249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619650585.351249
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 376
process_handle: 0x00000218
failed 0 0
1619650585.351249
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 376
process_handle: 0x00000218
failed 3221225738 0
Uses Windows utilities for basic Windows functionality (1 个事件)
cmdline "netsh" wlan show profile
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619649225.725952
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000224
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619650597.819249
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description 79f3e491257594a7dc80b5c2f310f9b6.exe tried to sleep 2728269 seconds, actually delayed analysis time by 2728269 seconds
Harvests credentials from local FTP client softwares (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619649225.725952
WriteProcessMemory
process_identifier: 2144
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELï˜^à †Þ¥ À@ @…Œ¥OÀØà  H.textä… † `.rsrcØÀˆ@@.reloc àŒ@B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
1619649225.740952
WriteProcessMemory
process_identifier: 2144
buffer: €0€HXÀ||4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNameEhsRZnuQcKBkHsaMQwapK.exe(LegalCopyright \OriginalFilenameEhsRZnuQcKBkHsaMQwapK.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000224
base_address: 0x0044c000
success 1 0
1619649225.740952
WriteProcessMemory
process_identifier: 2144
buffer:   à5
process_handle: 0x00000224
base_address: 0x0044e000
success 1 0
1619649225.740952
WriteProcessMemory
process_identifier: 2144
buffer: @
process_handle: 0x00000224
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619649225.725952
WriteProcessMemory
process_identifier: 2144
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELï˜^à †Þ¥ À@ @…Œ¥OÀØà  H.textä… † `.rsrcØÀˆ@@.reloc àŒ@B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1619650627.944249
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x00b428a2
module_address: 0x00400000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 852135 0
Harvests credentials from local email clients (6 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 376 called NtSetContextThread to modify thread in remote process 2144
Time & API Arguments Status Return Repeated
1619649225.740952
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4498910
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2144
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 376 resumed a thread in remote process 2144
Time & API Arguments Status Return Repeated
1619649226.053952
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 2144
success 0 0
Executed a process and injected code into it, probably while unpacking (22 个事件)
Time & API Arguments Status Return Repeated
1619649222.803952
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 376
success 0 0
1619649222.928952
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 376
success 0 0
1619649225.725952
CreateProcessInternalW
thread_identifier: 2860
thread_handle: 0x00000220
process_identifier: 2144
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\79f3e491257594a7dc80b5c2f310f9b6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\79f3e491257594a7dc80b5c2f310f9b6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000224
inherit_handles: 0
success 1 0
1619649225.725952
NtGetContextThread
thread_handle: 0x00000220
success 0 0
1619649225.725952
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000224
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619649225.725952
WriteProcessMemory
process_identifier: 2144
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELï˜^à †Þ¥ À@ @…Œ¥OÀØà  H.textä… † `.rsrcØÀˆ@@.reloc àŒ@B
process_handle: 0x00000224
base_address: 0x00400000
success 1 0
1619649225.725952
WriteProcessMemory
process_identifier: 2144
buffer:
process_handle: 0x00000224
base_address: 0x00402000
success 1 0
1619649225.740952
WriteProcessMemory
process_identifier: 2144
buffer: €0€HXÀ||4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ÜStringFileInfo¸000004b0,FileDescription 0FileVersion0.0.0.0TInternalNameEhsRZnuQcKBkHsaMQwapK.exe(LegalCopyright \OriginalFilenameEhsRZnuQcKBkHsaMQwapK.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000224
base_address: 0x0044c000
success 1 0
1619649225.740952
WriteProcessMemory
process_identifier: 2144
buffer:   à5
process_handle: 0x00000224
base_address: 0x0044e000
success 1 0
1619649225.740952
WriteProcessMemory
process_identifier: 2144
buffer: @
process_handle: 0x00000224
base_address: 0x7efde008
success 1 0
1619649225.740952
NtSetContextThread
thread_handle: 0x00000220
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4498910
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2144
success 0 0
1619649226.053952
NtResumeThread
thread_handle: 0x00000220
suspend_count: 1
process_identifier: 2144
success 0 0
1619650574.241249
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2144
success 0 0
1619650574.272249
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2144
success 0 0
1619650587.444249
NtResumeThread
thread_handle: 0x000002d0
suspend_count: 1
process_identifier: 2144
success 0 0
1619650587.491249
NtResumeThread
thread_handle: 0x00000300
suspend_count: 1
process_identifier: 2144
success 0 0
1619650595.288249
NtResumeThread
thread_handle: 0x0000036c
suspend_count: 1
process_identifier: 2144
success 0 0
1619650595.288249
NtResumeThread
thread_handle: 0x00000380
suspend_count: 1
process_identifier: 2144
success 0 0
1619650596.319249
NtResumeThread
thread_handle: 0x000003c0
suspend_count: 1
process_identifier: 2144
success 0 0
1619650597.319249
NtResumeThread
thread_handle: 0x000003c4
suspend_count: 1
process_identifier: 2144
success 0 0
1619650615.694249
CreateProcessInternalW
thread_identifier: 2188
thread_handle: 0x000003fc
process_identifier: 2168
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x0000040c
inherit_handles: 1
success 1 0
1619650616.756374
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2168
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.33683989
FireEye Generic.mg.79f3e491257594a7
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Backdoor.Agent.NanoBot.Gen
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 00564dc81 )
Alibaba Backdoor:MSIL/NanoBot.91f56b1a
K7GW Trojan ( 00564dc81 )
Cybereason malicious.125759
Arcabit Trojan.Generic.D201FA15
Cyren W32/MSIL_Kryptik.ANX.gen!Eldorado
Symantec Trojan.Gen.2
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.MSIL.NanoBot.gen
BitDefender Trojan.GenericKD.33683989
ViRobot Trojan.Win32.Agent.424960.G
Ad-Aware Trojan.GenericKD.33683989
Sophos Mal/Generic-R + Troj/MSIL-OKC
Comodo Malware@#64ybviejsi6r
F-Secure Heuristic.HEUR/AGEN.1134071
DrWeb Trojan.PWS.Siggen2.47555
TrendMicro TROJ_GEN.R066C0PHC20
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
MaxSecure Trojan.Malware.73691366.susgen
Emsisoft Trojan.GenericKD.33683989 (B)
Ikarus Trojan.MSIL.Inject
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1134071
MAX malware (ai score=100)
Antiy-AVL Trojan[Backdoor]/MSIL.NanoBot
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft Trojan:Win32/Occamy.C79
AegisLab Trojan.MSIL.NanoBot.m!c
ZoneAlarm HEUR:Backdoor.MSIL.NanoBot.gen
GData Trojan.GenericKD.33683989
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.C4071717
McAfee Trojan-FSEQ!79F3E4912575
TACHYON Trojan-PWS/W32.DN-Agensla.424960
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.Crypt.MSIL.Generic
ESET-NOD32 a variant of MSIL/Kryptik.VNK
TrendMicro-HouseCall TROJ_GEN.R066C0PHC20
Yandex Trojan.Igent.bTzWf6.5
SentinelOne Static AI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Fortinet Malicious_Behavior.SB
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-04-18 15:17:18

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49185 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49183 203.208.41.34 update.googleapis.com 443
192.168.56.101 49184 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49186 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619621058&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619621058&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=7e4dff13bcb8db65&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619621058&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=7e4dff13bcb8db65&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619621058&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.