19.4
0-day

594af48b4da21f654d0ceadede4257865f96d9ae3b1f2ef4a96298a9385c7b2c

7e7130afe38ebb675e2fb694e1f42825.exe

Analysis duration

131s

Latest analysis

File size

406.5KB
Static: flagged as malicious. Dynamic: flagged as malicious. 100% 7XF2KWCRTVQ AGEN AI SCORE=100 AIDETECTVM ALI2000010 ARTEMIS ATTRIBUTE CONFIDENCE DELF GENERICKD GPRG HIGH CONFIDENCE HIGHCONFIDENCE HOAX HPSOGS JYAG KRYPTIK MALWARE2 MALWARE@#2YXTI3QGZEMP3 MILICRY R346410 SAGE SAGECRYPT SCORE SUSGEN SUSPICIOUS PE UNSAFE YMACCO ZEXAF ZOW@AGRZM8II ZWOQ+QIQFLQ
Hawkeye engine
Not detected: no Hawkeye engine results available
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Artemis!7E7130AFE38E 20201012 6.0.6.653
Alibaba Ransom:Win32/generic.ali2000010 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201013 18.4.3895.0
Kingsoft 20201014 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (6 events)
Time & API Arguments Status Return Repeated
1619653078.82725
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619653079.007188
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619653081.719227
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619653081.828227
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619653086.13061
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619653086.13061
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619653081.719227
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1619653079.772188
WriteConsoleW
buffer: 成功: 成功创建计划任务 "N0mFUQoa"。
console_handle: 0x00000007
success 1 0
1619653086.05261
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619653086.13061
WriteConsoleW
buffer: 错误: 意外故障: 没有注册类
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619653073.28025
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)
section .text1
section .data1
section .trace
section _RDATA
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name RCDATA
resource name SVT
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:740123081&cup2hreq=be4380c3e353e72e3e39e604a734e053c9a347984e7a0effecc10ca5818e39e1
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619624176&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=c78aafee1d3d4c00&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619624176&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:740123081&cup2hreq=be4380c3e353e72e3e39e604a734e053c9a347984e7a0effecc10ca5818e39e1
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:740123081&cup2hreq=be4380c3e353e72e3e39e604a734e053c9a347984e7a0effecc10ca5818e39e1
Allocates read-write-execute memory (usually to unpack itself) (50 out of 393 events)
Time & API Arguments Status Return Repeated
1619653075.07725
NtAllocateVirtualMemory
process_identifier: 340
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02b00000
success 0 0
1619653075.07725
NtAllocateVirtualMemory
process_identifier: 340
region_size: 270336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b10000
success 0 0
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe
Creates a suspicious process (4 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline bcdedit.exe /set {default} recoveryenabled no
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7e7130afe38ebb675e2fb694e1f42825.exe
A process created a hidden window (3 events)
Time & API Arguments Status Return Repeated
1619653078.81225
ShellExecuteExW
parameters: /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
filepath: schtasks
filepath_r: schtasks
show_type: 0
success 1 0
1619653079.96825
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
show_type: 0
success 1 0
1619653085.719227
ShellExecuteExW
parameters: delete shadows /all /quiet
filepath: vssadmin.exe
filepath_r: vssadmin.exe
show_type: 0
success 1 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619653079.96825
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7e7130afe38ebb675e2fb694e1f42825.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7e7130afe38ebb675e2fb694e1f42825.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.911366360055763 section {'size_of_data': '0x00001600', 'virtual_address': '0x00049000', 'entropy': 7.911366360055763, 'name': '.text', 'virtual_size': '0x000015a0'} description A section with a high entropy has been found
entropy 7.48984395487257 section {'size_of_data': '0x0001bc00', 'virtual_address': '0x0004f000', 'entropy': 7.48984395487257, 'name': '.rsrc', 'virtual_size': '0x0001baf0'} description A section with a high entropy has been found
entropy 0.2872996300863132 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619653086.03661
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Enumerates services, possibly for anti-virtualization (1 event)
Time & API Arguments Status Return Repeated
1619653085.469227
EnumServicesStatusW
service_handle: 0x006af7a8
service_type: 48
service_status: 3
success 1 0
Installs itself for autorun at Windows startup (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\tmpsij43m\analyzer.py
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7e7130afe38ebb675e2fb694e1f42825.exe
Runs bcdedit commands specific to ransomware (2 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline bcdedit.exe /set {default} recoveryenabled no
Deletes a large number of files from the system, indicative of ransomware, wiper malware or system destruction (50 out of 1360 events)
Removes the Shadow Copy to avoid recovery of the system (1 event)
cmdline vssadmin.exe delete shadows /all /quiet
Uses suspicious command line tools or Windows utilities (2 events)
cmdline "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
cmdline vssadmin.exe delete shadows /all /quiet
The process wscript.exe wrote an executable file to disk (1 event)
file C:\Windows\SysWOW64\wscript.exe
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while this sample ran


PE Compile Time

2016-07-26 19:52:35

Imports

Library KERNEL32.dll:
0x4300a8 OutputDebugStringW
0x4300ac LoadLibraryExW
0x4300b0 HeapReAlloc
0x4300bc GetModuleFileNameA
0x4300c0 HeapSize
0x4300c4 SetFilePointerEx
0x4300c8 FlushFileBuffers
0x4300cc GetConsoleMode
0x4300d0 GetConsoleCP
0x4300d4 GetModuleFileNameW
0x4300d8 AreFileApisANSI
0x4300dc GetModuleHandleExW
0x4300e0 ExitProcess
0x4300e4 GetFileType
0x4300e8 GetOEMCP
0x4300ec GetACP
0x4300f0 IsValidCodePage
0x4300f4 IsDebuggerPresent
0x4300f8 EnumSystemLocalesW
0x4300fc GetUserDefaultLCID
0x430100 IsValidLocale
0x430104 GetLocaleInfoW
0x430108 LCMapStringW
0x43010c GlobalLock
0x430110 GetStartupInfoW
0x430114 TlsFree
0x430118 TlsSetValue
0x43011c TlsGetValue
0x430120 TlsAlloc
0x430124 TerminateProcess
0x430128 SetStdHandle
0x43012c WriteConsoleW
0x430130 GetFileSize
0x430134 ReadConsoleW
0x430138 CreateFileW
0x43013c SetEndOfFile
0x430144 LoadLibraryExA
0x430148 GetModuleHandleExA
0x43014c GetCurrentProcessId
0x430154 GetFileAttributesA
0x43015c GetLastError
0x430160 OpenProcess
0x430168 SetLastError
0x430178 GetCPInfo
0x43017c ReadFile
0x430180 GlobalUnlock
0x430184 CloseHandle
0x430188 GetModuleHandleA
0x43018c GetProcAddress
0x430190 CreateEventA
0x430194 WaitForSingleObject
0x430198 ResetEvent
0x4301a0 lstrlenA
0x4301a4 GetCurrentThreadId
0x4301a8 lstrcatA
0x4301ac GetModuleHandleW
0x4301b0 GetCommandLineA
0x4301b4 RaiseException
0x4301b8 RtlUnwind
0x4301bc FormatMessageA
0x4301c0 GetThreadLocale
0x4301c4 GetStringTypeW
0x4301c8 MultiByteToWideChar
0x4301cc WideCharToMultiByte
0x4301e0 DecodePointer
0x4301e4 EncodePointer
0x4301e8 HeapAlloc
0x4301ec LoadLibraryA
0x4301f0 LoadLibraryW
0x4301f4 GlobalAlloc
0x4301f8 lstrcpyA
0x4301fc GetProcessHeap
0x430200 HeapFree
0x430204 CreateFileA
0x430208 GetCurrentProcess
0x43020c Sleep
0x430210 WriteFile
0x430214 GetStdHandle
Library USER32.dll:
0x43026c IsWindow
0x430274 AttachThreadInput
0x430278 GetDlgCtrlID
0x43027c EnableMenuItem
0x430280 GetMenu
0x430284 SendMessageA
0x430288 LoadBitmapA
0x43028c EnumWindowStationsW
0x430294 DefWindowProcA
0x430298 ReleaseDC
0x43029c GetWindow
0x4302a0 RegisterClassExA
0x4302a4 LoadIconA
0x4302a8 LoadCursorA
0x4302ac RedrawWindow
0x4302b0 SendDlgItemMessageW
0x4302b4 SetScrollRange
0x4302b8 SendMessageW
0x4302bc GetPropW
0x4302c0 CopyRect
0x4302c4 DestroyCaret
0x4302c8 HideCaret
0x4302cc EnableWindow
0x4302d0 DestroyMenu
0x4302d4 TrackPopupMenu
0x4302d8 CheckMenuRadioItem
0x4302dc GetSubMenu
0x4302e0 GetDlgItem
0x4302e4 GetDC
0x4302e8 GetWindowRect
0x4302ec LoadMenuA
0x4302f0 GetCursorPos
0x4302f4 GetClassLongA
0x4302f8 ShowCaret
0x4302fc SendMessageTimeoutA
0x430300 GetParent
0x430304 IsWindowVisible
0x430308 GetWindowTextA
0x43030c CallWindowProcA
0x430310 SetCaretPos
0x430314 MapWindowPoints
0x430318 SetDlgItemTextA
0x43031c EndDialog
0x430320 FindWindowA
0x430324 SendInput
0x430328 CreateCaret
0x43032c GetWindowLongA
Library GDI32.dll:
0x430058 GetObjectA
0x43005c SetBrushOrgEx
0x430064 ExtTextOutA
0x430068 GetCurrentObject
0x43006c GetPaletteEntries
0x430078 CreateRectRgn
0x43007c SetAbortProc
0x430080 GetStockObject
0x430084 GetDeviceCaps
0x430088 SetTextColor
0x43008c SetBkColor
0x430090 GetBitmapBits
Library WINSPOOL.DRV:
0x430380 EnumPrintersA
0x430384 OpenPrinterA
0x43038c GetPrinterA
0x430394 ClosePrinter
0x430398 EnumJobsA
Library ADVAPI32.dll:
0x430004 GetTokenInformation
0x430008 OpenProcessToken
0x430018 AccessCheck
0x43001c LookupAccountNameW
0x430020 GetFileSecurityA
0x430024 LookupAccountSidA
0x430028 GetAclInformation
0x43002c ImpersonateSelf
Library SHELL32.dll:
0x430258 SHQueryRecycleBinA
0x43025c SHEmptyRecycleBinA
Library ole32.dll:
0x4303c8 CreateItemMoniker
0x4303d0 CoCreateInstance
Library OLEAUT32.dll:
0x430224 OleLoadPicture
0x430228 OleSavePictureFile
Library WININET.dll:
0x43034c InternetOpenA
0x43035c InternetConnectA
Library WS2_32.dll:
0x4303a0 closesocket
0x4303a4 send
0x4303a8 WSAGetLastError
Library NETAPI32.dll:
0x43021c NetAuditClear
Library PSAPI.DLL:
0x430240 EnumDeviceDrivers
0x430248 EnumProcesses
Library WINMM.dll:
0x430364 timeGetTime
0x430368 waveOutWrite
0x43036c waveOutClose
0x430370 timeBeginPeriod
0x430378 waveOutOpen
Library CRYPT32.dll:
Library IPHLPAPI.DLL:
0x4300a0 GetBestInterface
Library COMCTL32.dll:
0x430040
Library gdiplus.dll:
0x4303b0 GdipFree
0x4303b4 GdipDisposeImage
0x4303b8 GdipCloneImage
0x4303bc GdipAlloc
Library Secur32.dll:
Library IMM32.dll:
0x430098 ImmEscapeA
Library WINHTTP.dll:
0x430344 WinHttpSendRequest

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 50964 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49185 192.168.56.1 139
192.168.56.101 49187 192.168.56.1 139
192.168.56.101 49189 192.168.56.1 139
192.168.56.101 50939 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 50650 203.208.41.66 update.googleapis.com 443
192.168.56.101 50980 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.1 137 192.168.56.101 137
192.168.56.1 138 192.168.56.101 138
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=c78aafee1d3d4c00&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619624176&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=c78aafee1d3d4c00&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619624176&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619624176&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619624176&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.