SmartHawk

7.2

高危

48 个模型检测该样本为恶意！

重新分析

下载样本

5b9380441a039105176ff39767fccf2a3e1f30b93cf98e090b88fbcb32344988

7ddda3378b0464394d0600849ba1d0b4.exe

分析耗时

113s

最近分析

文件大小

1.5MB

静态报毒动态报毒 100% ADUO AI SCORE=95 APPLICUNWNT@#2FRH4EI7GQM61 ARTEMIS BITREPEYP CCNG CLASSIC CONFIDENCE DEALAGENT DEALPLY FREEMAKE HFSADWARE HIGH HIGH CONFIDENCE IGENERIC INNOMOD INNOSETUP INSTALLCORE R01FH0CDA19 R196141 SCORE SUSPICIOUS PE UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!7DDDA3378B04	20190608	6.0.6.653
Baidu		20190318	1.0.0.2
Avast	Win32:PUP-gen [PUP]	20190606	18.4.3895.0
Alibaba	AdWare:Win32/InstallCore.cf9ce5e2	20190527	0.3.0.5
Kingsoft		20190608	2013.8.14.323
Tencent		20190608	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (D)	20190212	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620968215.043751 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620968207.199124 IsDebuggerPresent		failed	0	0

This executable is signed

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:4134395546&cup2hreq=99ba2234c947345887632bbb37f07c510e68bdd9b4ace90350d80fdfd5182d78

Performs some HTTP requests (3 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620938900&mv=u&mvi=1&pl=23&shardbypass=yes
request	POST https://update.googleapis.com/service/update2?cup2key=10:4134395546&cup2hreq=99ba2234c947345887632bbb37f07c510e68bdd9b4ace90350d80fdfd5182d78

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:4134395546&cup2hreq=99ba2234c947345887632bbb37f07c510e68bdd9b4ace90350d80fdfd5182d78

Allocates read-write-execute memory (usually to unpack itself) (9 个事件)

Time & API	Arguments	Status
1620968203.214124 NtProtectVirtualMemory	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1620968203.214124 NtProtectVirtualMemory	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1620968203.214124 NtProtectVirtualMemory	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00410000	success
1620968206.699124 NtAllocateVirtualMemory	process_identifier: 944 region_size: 1101824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02330000	success
1620968206.714124 NtAllocateVirtualMemory	process_identifier: 944 region_size: 1097728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02440000	success
1620968207.574124 NtAllocateVirtualMemory	process_identifier: 944 region_size: 1101824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b20000	success
1620968207.589124 NtAllocateVirtualMemory	process_identifier: 944 region_size: 1097728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02c30000	success
1620968208.636751 NtAllocateVirtualMemory	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00500000	success
1620968277.793374 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004280000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620968212.621751 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\Dela\ free_bytes_available: 8600306909957483753 total_number_of_free_bytes: 0 total_number_of_bytes: 4294967295	failed	0	0
1620968212.621751 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\ free_bytes_available: 19611807744 total_number_of_free_bytes: 0 total_number_of_bytes: 34252779520	success	1	0

Creates a shortcut to an executable file (1 个事件)

file	C:\Users\Public\Desktop\Google Chrome.lnk

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-HADVA.tmp\7ddda3378b0464394d0600849ba1d0b4.tmp

Queries for potentially installed applications (4 个事件)

Time & API	Arguments	Status	Return
1620968210.949751 RegOpenKeyExA	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dela_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Dela_is1 options: 0	failed	2
1620968210.949751 RegOpenKeyExA	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dela_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Dela_is1 options: 0	failed	2
1620968216.543751 RegOpenKeyExA	access: 0x00000008 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dela_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Dela_is1 options: 0	failed	2
1620968216.543751 RegOpenKeyExA	access: 0x00000008 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dela_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Dela_is1 options: 0	failed	2

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.27.142:443

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)

Bkav	W32.HfsAdware.9B47
MicroWorld-eScan	Application.DealAgent.ADUO
CAT-QuickHeal	Trojan.IGENERIC
McAfee	Artemis!7DDDA3378B04
Malwarebytes	PUP.Optional.InstallCore
VIPRE	Trojan.Win32.Generic!BT
BitDefender	Application.DealAgent.ADUO
K7GW	Adware ( 005104571 )
K7AntiVirus	Adware ( 005104571 )
NANO-Antivirus	Virus.InnoSetup.Gen.ccng
Symantec	Trojan.Gen.MBT
Avast	Win32:PUP-gen [PUP]
ClamAV	Win.Malware.Installcore-6912929-0
Kaspersky	not-a-virus:HEUR:AdWare.Win32.DealPly.gen
Alibaba	AdWare:Win32/InstallCore.cf9ce5e2
ViRobot	Adware.Installcore.1544224.AP
Rising	PUF.InstallCore!1.AB2C (CLASSIC)
Ad-Aware	Application.DealAgent.ADUO
Sophos	InnoMod (PUA)
Comodo	ApplicUnwnt@#2frh4ei7gqm61
DrWeb	Program.Freemake.1
Zillya	Adware.DealPly.Win32.176388
Invincea	heuristic
McAfee-GW-Edition	Artemis
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.7ddda3378b046439
Emsisoft	Application.Downloader (A)
SentinelOne	DFI - Suspicious PE
Fortinet	Riskware/InstallCore_Gen
Endgame	malicious (high confidence)
Arcabit	Application.DealAgent.ADUO
SUPERAntiSpyware	PUP.InstallCore/Variant
ZoneAlarm	not-a-virus:AdWare.Win32.DealPly.heur
Microsoft	PUA:Win32/Bitrepeyp.A
AhnLab-V3	PUP/Win32.InstallCore.R196141
Acronis	suspicious
VBA32	Adware.DealPly
MAX	malware (ai score=95)
Cylance	Unsafe
ESET-NOD32	Win32/InstallCore.Gen.A potentially unwanted
TrendMicro-HouseCall	TROJ_GEN.R01FH0CDA19
Yandex	PUA.DealPly!
GData	Win32.Application.InstallCore.LO
AVG	Win32:PUP-gen [PUP]
Cybereason	malicious.78b046
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (D)
Qihoo-360	Win32/Virus.Adware.5f0

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x40e0b4 DeleteCriticalSection

• 0x40e0b8 LeaveCriticalSection

• 0x40e0bc EnterCriticalSection

• 0x40e0c0 InitializeCriticalSection

• 0x40e0c4 VirtualFree

• 0x40e0c8 VirtualAlloc

• 0x40e0cc LocalFree

• 0x40e0d0 LocalAlloc

• 0x40e0d4 WideCharToMultiByte

• 0x40e0d8 TlsSetValue

• 0x40e0dc TlsGetValue

• 0x40e0e0 MultiByteToWideChar

• 0x40e0e4 GetModuleHandleA

• 0x40e0e8 GetLastError

• 0x40e0ec GetCommandLineA

• 0x40e0f0 WriteFile

• 0x40e0f4 SetFilePointer

• 0x40e0f8 SetEndOfFile

• 0x40e0fc RtlUnwind

• 0x40e100 ReadFile

• 0x40e104 RaiseException

• 0x40e108 GetStdHandle

• 0x40e10c GetFileSize

• 0x40e110 GetSystemTime

• 0x40e114 GetFileType

• 0x40e118 ExitProcess

• 0x40e11c CreateFileA

• 0x40e120 CloseHandle

Library user32.dll:

• 0x40e128 MessageBoxA

Library oleaut32.dll:

• 0x40e130 VariantChangeTypeEx

• 0x40e134 VariantCopyInd

• 0x40e138 VariantClear

• 0x40e13c SysStringLen

• 0x40e140 SysAllocStringLen

Library advapi32.dll:

• 0x40e148 RegQueryValueExA

• 0x40e14c RegOpenKeyExA

• 0x40e150 RegCloseKey

• 0x40e154 OpenProcessToken

• 0x40e158 LookupPrivilegeValueA

Library kernel32.dll:

• 0x40e160 WriteFile

• 0x40e164 VirtualQuery

• 0x40e168 VirtualProtect

• 0x40e16c VirtualFree

• 0x40e170 VirtualAlloc

• 0x40e174 Sleep

• 0x40e178 SizeofResource

• 0x40e17c SetLastError

• 0x40e180 SetFilePointer

• 0x40e184 SetErrorMode

• 0x40e188 SetEndOfFile

• 0x40e18c RemoveDirectoryA

• 0x40e190 ReadFile

• 0x40e194 LockResource

• 0x40e198 LoadResource

• 0x40e19c LoadLibraryA

• 0x40e1a0 IsDBCSLeadByte

• 0x40e1a4 GetWindowsDirectoryA

• 0x40e1a8 GetVersionExA

• 0x40e1ac GetVersion

• 0x40e1b0 GetUserDefaultLangID

• 0x40e1b4 GetSystemInfo

• 0x40e1b8 GetSystemDirectoryA

• 0x40e1bc GetSystemDefaultLCID

• 0x40e1c0 GetProcAddress

• 0x40e1c4 GetModuleHandleA

• 0x40e1c8 GetModuleFileNameA

• 0x40e1cc GetLocaleInfoA

• 0x40e1d0 GetLastError

• 0x40e1d4 GetFullPathNameA

• 0x40e1d8 GetFileSize

• 0x40e1dc GetFileAttributesA

• 0x40e1e0 GetExitCodeProcess

• 0x40e1e4 GetEnvironmentVariableA

• 0x40e1e8 GetCurrentProcess

• 0x40e1ec GetCommandLineA

• 0x40e1f0 GetACP

• 0x40e1f4 InterlockedExchange

• 0x40e1f8 FormatMessageA

• 0x40e1fc FindResourceA

• 0x40e200 DeleteFileA

• 0x40e204 CreateProcessA

• 0x40e208 CreateFileA

• 0x40e20c CreateDirectoryA

• 0x40e210 CloseHandle

Library user32.dll:

• 0x40e218 TranslateMessage

• 0x40e21c SetWindowLongA

• 0x40e220 PeekMessageA

• 0x40e224 MsgWaitForMultipleObjects

• 0x40e228 MessageBoxA

• 0x40e22c LoadStringA

• 0x40e230 ExitWindowsEx

• 0x40e234 DispatchMessageA

• 0x40e238 DestroyWindow

• 0x40e23c CreateWindowExA

• 0x40e240 CallWindowProcA

• 0x40e244 CharPrevA

Library comctl32.dll:

• 0x40e24c InitCommonControls

Library advapi32.dll:

• 0x40e254 AdjustTokenPrivileges

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.27.142
r1---sn-j5o76n7l.gvt1.com	A 58.63.233.66 CNAME r1.sn-j5o76n7l.gvt1.com	58.63.233.66
redirector.gvt1.com	A 203.208.41.65	203.208.41.65
update.googleapis.com	A 203.208.40.98	203.208.40.98
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49188	203.208.40.98 update.googleapis.com	443
192.168.56.101	49189	203.208.41.65 redirector.gvt1.com	80
192.168.56.101	49190	58.63.233.66 r1---sn-j5o76n7l.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	58970	114.114.114.114	53
192.168.56.101	60088	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	54178	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620938900&mv=u&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620938900&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o76n7l.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620938900&mv=u&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620938900&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.