8.8
Critical

69c3291f3aa642ab5a9260f08a5b90abc5f6f1140c636d291a2e88b8000f7a65

7d18976bcb1afb14c5858d724721aca6.exe

Analysis time

96s

Last analysis

File size

747.0KB
Static detection; Dynamic detection. Tags: AGENTTESLA AHYM AI SCORE=88 ATTRIBUTE AVSARHER BSK66A ELDORADO ERJA FAREIT GDSDA GENERICKD GENKRYPTIK GENOME HIGH CONFIDENCE HIGHCONFIDENCE HTMIJN KRYPTIK NVQON@0 PACKEDNET PWSX R057C0DI220 R349657 TASKUN TSCOPE UNSAFE
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine results are available for this sample.
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Alibaba Trojan:MSIL/AgentTesla.e7ffcd7e 20190527 0.3.0.5
Avast Win32:PWSX-gen [Trj] 20200911 18.4.3895.0
Tencent Msil.Trojan.Taskun.Ahym 20200911 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200911 2013.8.14.323
McAfee Fareit-FZD!7D18976BCB1A 20200910 6.0.6.653
CrowdStrike 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (8 events)
Time & API Arguments Status Return Repeated
1619649228.651139
IsDebuggerPresent
failed 0 0
1619649228.651139
IsDebuggerPresent
failed 0 0
1619649277.010139
IsDebuggerPresent
failed 0 0
1619649277.510139
IsDebuggerPresent
failed 0 0
1619649278.026139
IsDebuggerPresent
failed 0 0
1619649278.526139
IsDebuggerPresent
failed 0 0
1619676202.283751
IsDebuggerPresent
failed 0 0
1619676202.283751
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619649228.698139
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 139 events)
Time & API Arguments Status Return Repeated
1619649228.104139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619649228.104139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f0000
success 0 0
1619649228.432139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005b0000
success 0 0
1619649228.432139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b0000
success 0 0
1619649228.526139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619649228.651139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00720000
success 0 0
1619649228.651139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00760000
success 0 0
1619649228.651139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0066a000
success 0 0
1619649228.666139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619649228.666139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00662000
success 0 0
1619649228.948139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00672000
success 0 0
1619649229.120139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00695000
success 0 0
1619649229.120139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069b000
success 0 0
1619649229.120139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00697000
success 0 0
1619649229.276139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00673000
success 0 0
1619649229.291139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0067c000
success 0 0
1619649229.745139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00674000
success 0 0
1619649229.745139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00676000
success 0 0
1619649229.838139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd0000
success 0 0
1619649229.885139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00677000
success 0 0
1619649229.901139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00686000
success 0 0
1619649263.432139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0066c000
success 0 0
1619649263.495139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd1000
success 0 0
1619649263.510139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0068a000
success 0 0
1619649263.510139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00687000
success 0 0
1619649263.526139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00678000
success 0 0
1619649263.588139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00679000
success 0 0
1619649263.604139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048c0000
success 0 0
1619649263.666139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048c1000
success 0 0
1619649263.713139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd2000
success 0 0
1619649263.729139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048c2000
success 0 0
1619649263.745139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd3000
success 0 0
1619649263.776139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd6000
success 0 0
1619649263.885139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 580608
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05720400
failed 3221225550 0
1619649276.010139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd7000
success 0 0
1619649276.026139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x048c3000
success 0 0
1619649276.026139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0067d000
success 0 0
1619649276.026139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd8000
success 0 0
1619649276.057139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd9000
success 0 0
1619649276.166139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fda000
success 0 0
1619649276.198139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fdb000
success 0 0
1619649276.541139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fdc000
success 0 0
1619649276.791139
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fdd000
success 0 0
1619649276.791139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05720178
failed 3221225550 0
1619649276.791139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x057201a0
failed 3221225550 0
1619649276.791139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x057201c8
failed 3221225550 0
1619649276.791139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x057201f0
failed 3221225550 0
1619649276.791139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05720218
failed 3221225550 0
1619649276.791139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x057ae94e
failed 3221225550 0
1619649276.791139
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x057ae942
failed 3221225550 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.981801525874745 section {'size_of_data': '0x000b5e00', 'virtual_address': '0x00002000', 'entropy': 7.981801525874745, 'name': '.text', 'virtual_size': '0x000b5c90'} description A section with a high entropy has been found
entropy 0.9745478901540523 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619649263.870139
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619676202.799751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (6 events)
Time & API Arguments Status Return Repeated
1619649277.588139
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2852
process_handle: 0x000018ec
failed 0 0
1619649277.588139
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2852
process_handle: 0x000018ec
success 0 0
1619649277.916139
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2648
process_handle: 0x00004c08
failed 0 0
1619649277.916139
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2648
process_handle: 0x00004c08
success 0 0
1619649278.260139
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 472
process_handle: 0x0000dff0
failed 0 0
1619649278.260139
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 472
process_handle: 0x0000dff0
success 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (4 events)
Time & API Arguments Status Return Repeated
1619649277.276139
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000483c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619649277.682139
NtAllocateVirtualMemory
process_identifier: 2648
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00003cdc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619649278.041139
NtAllocateVirtualMemory
process_identifier: 472
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000b318
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619649278.370139
NtAllocateVirtualMemory
process_identifier: 1868
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00005b74
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Manipulates memory of a non-child process indicative of process injection (6 events)
Process injection Process 912 manipulating memory of non-child process 2852
Process injection Process 912 manipulating memory of non-child process 2648
Process injection Process 912 manipulating memory of non-child process 472
Time & API Arguments Status Return Repeated
1619649277.276139
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000483c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619649277.682139
NtAllocateVirtualMemory
process_identifier: 2648
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00003cdc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619649278.041139
NtAllocateVirtualMemory
process_identifier: 472
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000b318
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619649278.370139
WriteProcessMemory
process_identifier: 1868
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷´£à 0úî @ `@… K 8@  H.textôù ú `.rsrc8 ü@@.reloc @@B
process_handle: 0x00005b74
base_address: 0x00400000
success 1 0
1619649278.385139
WriteProcessMemory
process_identifier: 1868
buffer:  €8€P€h€€  ¬äL#êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00005b74
base_address: 0x00482000
success 1 0
1619649278.385139
WriteProcessMemory
process_identifier: 1868
buffer:  ð9
process_handle: 0x00005b74
base_address: 0x00484000
success 1 0
1619649278.385139
WriteProcessMemory
process_identifier: 1868
buffer: @
process_handle: 0x00005b74
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619649278.370139
WriteProcessMemory
process_identifier: 1868
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷´£à 0úî @ `@… K 8@  H.textôù ú `.rsrc8 ü@@.reloc @@B
process_handle: 0x00005b74
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 912 called NtSetContextThread to modify thread in remote process 1868
Time & API Arguments Status Return Repeated
1619649278.385139
NtSetContextThread
thread_handle: 0x0000dff0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4725230
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1868
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 912 resumed a thread in remote process 1868
Time & API Arguments Status Return Repeated
1619649278.620139
NtResumeThread
thread_handle: 0x0000dff0
suspend_count: 1
process_identifier: 1868
success 0 0
Executed a process and injected code into it, probably while unpacking (27 events)
Time & API Arguments Status Return Repeated
1619649228.651139
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 912
success 0 0
1619649228.666139
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 912
success 0 0
1619649228.745139
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 912
success 0 0
1619649276.963139
NtResumeThread
thread_handle: 0x000102c4
suspend_count: 1
process_identifier: 912
success 0 0
1619649276.979139
NtResumeThread
thread_handle: 0x00005fb4
suspend_count: 1
process_identifier: 912
success 0 0
1619649277.260139
CreateProcessInternalW
thread_identifier: 2948
thread_handle: 0x0000b6a4
process_identifier: 2852
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d18976bcb1afb14c5858d724721aca6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d18976bcb1afb14c5858d724721aca6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000483c
inherit_handles: 0
success 1 0
1619649277.276139
NtGetContextThread
thread_handle: 0x0000b6a4
success 0 0
1619649277.276139
NtAllocateVirtualMemory
process_identifier: 2852
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000483c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619649277.682139
CreateProcessInternalW
thread_identifier: 2344
thread_handle: 0x000018ec
process_identifier: 2648
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d18976bcb1afb14c5858d724721aca6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d18976bcb1afb14c5858d724721aca6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00003cdc
inherit_handles: 0
success 1 0
1619649277.682139
NtGetContextThread
thread_handle: 0x000018ec
success 0 0
1619649277.682139
NtAllocateVirtualMemory
process_identifier: 2648
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00003cdc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619649278.041139
CreateProcessInternalW
thread_identifier: 1664
thread_handle: 0x00004c08
process_identifier: 472
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d18976bcb1afb14c5858d724721aca6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d18976bcb1afb14c5858d724721aca6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000b318
inherit_handles: 0
success 1 0
1619649278.041139
NtGetContextThread
thread_handle: 0x00004c08
success 0 0
1619649278.041139
NtAllocateVirtualMemory
process_identifier: 472
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000b318
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619649278.370139
CreateProcessInternalW
thread_identifier: 2468
thread_handle: 0x0000dff0
process_identifier: 1868
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d18976bcb1afb14c5858d724721aca6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7d18976bcb1afb14c5858d724721aca6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00005b74
inherit_handles: 0
success 1 0
1619649278.370139
NtGetContextThread
thread_handle: 0x0000dff0
success 0 0
1619649278.370139
NtAllocateVirtualMemory
process_identifier: 1868
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00005b74
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619649278.370139
WriteProcessMemory
process_identifier: 1868
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷´£à 0úî @ `@… K 8@  H.textôù ú `.rsrc8 ü@@.reloc @@B
process_handle: 0x00005b74
base_address: 0x00400000
success 1 0
1619649278.385139
WriteProcessMemory
process_identifier: 1868
buffer:
process_handle: 0x00005b74
base_address: 0x00402000
success 1 0
1619649278.385139
WriteProcessMemory
process_identifier: 1868
buffer:  €8€P€h€€  ¬äL#êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00005b74
base_address: 0x00482000
success 1 0
1619649278.385139
WriteProcessMemory
process_identifier: 1868
buffer:  ð9
process_handle: 0x00005b74
base_address: 0x00484000
success 1 0
1619649278.385139
WriteProcessMemory
process_identifier: 1868
buffer: @
process_handle: 0x00005b74
base_address: 0x7efde008
success 1 0
1619649278.385139
NtSetContextThread
thread_handle: 0x0000dff0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4725230
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1868
success 0 0
1619649278.620139
NtResumeThread
thread_handle: 0x0000dff0
suspend_count: 1
process_identifier: 1868
success 0 0
1619676202.283751
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1868
success 0 0
1619676202.299751
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1868
success 0 0
1619676202.361751
NtResumeThread
thread_handle: 0x00000194
suspend_count: 1
process_identifier: 1868
success 0 0
File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)
Elastic malicious (high confidence)
DrWeb Trojan.PackedNET.414
MicroWorld-eScan Trojan.GenericKD.34453621
FireEye Generic.mg.7d18976bcb1afb14
ALYac Trojan.GenericKD.34453621
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2464481
Sangfor Malware
K7AntiVirus Trojan ( 0056d82f1 )
Alibaba Trojan:MSIL/AgentTesla.e7ffcd7e
K7GW Trojan ( 0056d82f1 )
Cybereason malicious.ba389e
Arcabit Trojan.Generic.D20DB875
Invincea Mal/Generic-S
Cyren W32/MSIL_Troj.YM.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.MSIL.Taskun.gen
BitDefender Trojan.GenericKD.34453621
NANO-Antivirus Trojan.Win32.Taskun.htmijn
Avast Win32:PWSX-gen [Trj]
Tencent Msil.Trojan.Taskun.Ahym
Ad-Aware Trojan.GenericKD.34453621
Comodo TrojWare.Win32.Genome.nvqon@0
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R057C0DI220
Sophos Mal/Generic-S
MAX malware (ai score=88)
Antiy-AVL Trojan/MSIL.Taskun
Microsoft Trojan:MSIL/AgentTesla.PBI!MTB
ZoneAlarm HEUR:Trojan.MSIL.Taskun.gen
GData Trojan.GenericKD.34453621
AhnLab-V3 Trojan/Win32.MSIL.R349657
McAfee Fareit-FZD!7D18976BCB1A
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.XNL
TrendMicro-HouseCall TROJ_GEN.R057C0DI220
Yandex Trojan.AvsArher.bSK66A
Ikarus Trojan.MSIL.Inject
Fortinet MSIL/GenKryptik.ERJA!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
Qihoo-360 Win32/Trojan.PWS.d75
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran.


PE Compile Time

2020-08-31 09:19:12

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.