3.6
Medium risk

79d07f0be59c8282f81529dc1b079eb9dd77222105816f393612f8ad83a02aad

8060a7586a9873898f61eb73f0f6f93b.exe

Analysis duration

96s

Last analyzed

File size

8.8MB
Static detections / Dynamic detections
Hawkeye engine
Not detected. No Hawkeye engine detection results yet.
Static verdict
Anti-virus engines
Not detected. No anti-virus engine detection results yet.
Static indicators
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (11 events)
Time & API Arguments Status Return Repeated
1620849764.613751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e38000
success 0 0
1620849764.613751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c41000
success 0 0
1620849768.129751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x1008e000
success 0 0
1620849768.129751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02b8b000
success 0 0
1620849768.129751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02ed6000
success 0 0
1620849768.129751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x764c1000
success 0 0
1620849768.129751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75641000
success 0 0
1620849768.129751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b41000
success 0 0
1620849769.645751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73af9000
success 0 0
1620849769.660751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75061000
success 0 0
1620849770.535751
NtProtectVirtualMemory
process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73961000
success 0 0
Creates executable files on the filesystem (9 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\msvcp90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxmsw30u_adv_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxbase30u_net_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\msvcr90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxbase30u_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\msvcm90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxmsw30u_core_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\python27.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxmsw30u_html_vc90.dll
Drops an executable to the user AppData folder (20 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxbase30u_net_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\_ssl.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\python27.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\select.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wx._windows_.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wx._core_.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\bz2.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxmsw30u_core_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\msvcm90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\_hashlib.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\msvcp90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\msvcr90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\unicodedata.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wx._controls_.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxmsw30u_html_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\_socket.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wx._misc_.pyd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxbase30u_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wxmsw30u_adv_vc90.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\_MEI24242\wx._gdi_.pyd
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.012359976535693 section {'size_of_data': '0x00005000', 'virtual_address': '0x0000c000', 'entropy': 7.012359976535693, 'name': '.rdata', 'virtual_size': '0x00004f68'} description A section with a high entropy has been found
entropy 7.463860486583722 section {'size_of_data': '0x0000ee00', 'virtual_address': '0x00021000', 'entropy': 7.463860486583722, 'name': '.rsrc', 'virtual_size': '0x0000eca4'} description A section with a high entropy has been found
entropy 0.6411290322580645 description Overall entropy of this PE file is high
Visual analysis
Binary image
No binary image. No binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots. No screenshots were captured while the sample ran.

PE Compile Time

1970-01-01 08:00:00

Imports

Library KERNEL32.dll:
0x41e230 CreateProcessW
0x41e240 FormatMessageA
0x41e244 GetCommandLineW
0x41e248 GetCurrentProcess
0x41e24c GetCurrentProcessId
0x41e250 GetCurrentThreadId
0x41e258 GetExitCodeProcess
0x41e25c GetLastError
0x41e260 GetModuleFileNameW
0x41e264 GetModuleHandleA
0x41e268 GetProcAddress
0x41e26c GetShortPathNameW
0x41e270 GetStartupInfoW
0x41e278 GetTempPathW
0x41e27c GetTickCount
0x41e288 LoadLibraryA
0x41e28c LoadLibraryExW
0x41e290 MultiByteToWideChar
0x41e298 SetDllDirectoryW
0x41e2a4 Sleep
0x41e2a8 TerminateProcess
0x41e2ac TlsGetValue
0x41e2b4 VirtualProtect
0x41e2b8 VirtualQuery
0x41e2bc WaitForSingleObject
0x41e2c0 WideCharToMultiByte
Library msvcrt.dll:
0x41e2c8 __argc
0x41e2cc __dllonexit
0x41e2d0 __lconv_init
0x41e2d4 __set_app_type
0x41e2d8 __setusermatherr
0x41e2dc __wargv
0x41e2e0 __wgetmainargs
0x41e2e4 __winitenv
0x41e2e8 _amsg_exit
0x41e2ec _cexit
0x41e2f0 _findclose
0x41e2f4 _fileno
0x41e2f8 _fmode
0x41e2fc _fullpath
0x41e300 _get_osfhandle
0x41e304 _getpid
0x41e308 _initterm
0x41e30c _iob
0x41e310 _lock
0x41e314 _onexit
0x41e318 _setmode
0x41e31c _stat
0x41e320 _strdup
0x41e324 _unlock
0x41e328 _vsnprintf
0x41e32c _vsnwprintf
0x41e330 _wcmdln
0x41e334 _wfindfirst
0x41e338 _wfindnext
0x41e33c _wfopen
0x41e340 _wmkdir
0x41e344 _wremove
0x41e348 _wrmdir
0x41e34c _wstat
0x41e350 _wtempnam
0x41e354 abort
0x41e358 calloc
0x41e35c clearerr
0x41e360 exit
0x41e364 fclose
0x41e368 feof
0x41e36c ferror
0x41e370 fflush
0x41e374 fprintf
0x41e378 fread
0x41e37c free
0x41e380 fseek
0x41e384 ftell
0x41e388 fwrite
0x41e38c getenv
0x41e390 malloc
0x41e394 mbstowcs
0x41e398 memcpy
0x41e39c setbuf
0x41e3a0 setlocale
0x41e3a4 signal
0x41e3a8 sprintf
0x41e3ac strcat
0x41e3b0 strchr
0x41e3b4 strcmp
0x41e3b8 strcpy
0x41e3bc strlen
0x41e3c0 strncat
0x41e3c4 strncmp
0x41e3c8 strncpy
0x41e3cc strrchr
0x41e3d0 strtok
0x41e3d4 vfprintf
0x41e3d8 wcscat
0x41e3dc wcscmp
0x41e3e0 wcscpy
0x41e3e4 wcslen
Library USER32.dll:
0x41e3ec MessageBoxA
Library WS2_32.dll:
0x41e3f4 ntohl

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.