SmartHawk

5.0

中危

4 个模型检测该样本为恶意！

重新分析

下载样本

14e84ba7756bf6ed2aeecad6dcb1c10662c49dbe80d306464edc8e774a1c1358

82e39d2cc6dc1b3793b696dfeeea4f15.exe

分析耗时

94s

最近分析

文件大小

112.6KB

静态报毒动态报毒 F47V0811 WISDOMEYES

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee		20171125	6.0.6.653
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9809	20171124	1.0.0.2
Kingsoft		20171125	2013.8.14.323
Tencent		20171125	1.0.0.1
Avast		20171125	17.8.3705.0
CrowdStrike		20171016	1.0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620834045.397499 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (7 个事件)

Time & API	Arguments	Status
1620834045.444499 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75331000	success
1620834045.444499 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76881000	success
1620834046.366374 NtProtectVirtualMemory	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75331000	success
1620834046.366374 NtProtectVirtualMemory	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76881000	success
1620834046.928374 NtProtectVirtualMemory	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73da1000	success
1620834050.975374 NtProtectVirtualMemory	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x6e5c9000	success
1620834050.975374 NtProtectVirtualMemory	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x6e5c7000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nssA9A9.tmp\System.dll

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 个事件)

Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9809
TrendMicro-HouseCall	Suspicious_GEN.F47V0811
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Dropper.ch

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.155469364126976

section

{'size_of_data': '0x00005a00', 'virtual_address': '0x0000b000', 'entropy': 7.155469364126976, 'name': '.rdata', 'virtual_size': '0x00005920'}

description

A section with a high entropy has been found

entropy

0.25139664804469275

description

Overall entropy of this PE file is high

Queries for potentially installed applications (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620834051.319374 RegOpenKeyExA	access: 0x00000108 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\LinuxSampler regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\LinuxSampler options: 0	failed	2	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to detect Cuckoo Sandbox through the presence of a file (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VirtualBox Dropped Files\2021-04-11T13_11_43.130072200Z\agent.pyw

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2016-01-31 04:21:10

Imports

Library ADVAPI32.dll:

• 0x44f340 RegCloseKey

• 0x44f344 RegCreateKeyExA

• 0x44f348 RegDeleteKeyA

• 0x44f34c RegDeleteValueA

• 0x44f350 RegEnumKeyA

• 0x44f354 RegEnumValueA

• 0x44f358 RegOpenKeyExA

• 0x44f35c RegQueryValueExA

• 0x44f360 RegSetValueExA

Library COMCTL32.DLL:

• 0x44f368 ImageList_AddMasked

• 0x44f36c ImageList_Create

• 0x44f370 ImageList_Destroy

• 0x44f374 InitCommonControls

Library GDI32.dll:

• 0x44f37c CreateBrushIndirect

• 0x44f380 CreateFontIndirectA

• 0x44f384 DeleteObject

• 0x44f388 GetDeviceCaps

• 0x44f38c SelectObject

• 0x44f390 SetBkColor

• 0x44f394 SetBkMode

• 0x44f398 SetTextColor

Library KERNEL32.dll:

• 0x44f3a0 CloseHandle

• 0x44f3a4 CompareFileTime

• 0x44f3a8 CopyFileA

• 0x44f3ac CreateDirectoryA

• 0x44f3b0 CreateFileA

• 0x44f3b4 CreateProcessA

• 0x44f3b8 CreateThread

• 0x44f3bc DeleteFileA

• 0x44f3c0 ExitProcess

• 0x44f3c4 ExpandEnvironmentStringsA

• 0x44f3c8 FindClose

• 0x44f3cc FindFirstFileA

• 0x44f3d0 FindNextFileA

• 0x44f3d4 FreeLibrary

• 0x44f3d8 GetCommandLineA

• 0x44f3dc GetCurrentProcess

• 0x44f3e0 GetDiskFreeSpaceA

• 0x44f3e4 GetExitCodeProcess

• 0x44f3e8 GetFileAttributesA

• 0x44f3ec GetFileSize

• 0x44f3f0 GetFullPathNameA

• 0x44f3f4 GetLastError

• 0x44f3f8 GetModuleFileNameA

• 0x44f3fc GetModuleHandleA

• 0x44f400 GetPrivateProfileStringA

• 0x44f404 GetProcAddress

• 0x44f408 GetShortPathNameA

• 0x44f40c GetSystemDirectoryA

• 0x44f410 GetTempFileNameA

• 0x44f414 GetTempPathA

• 0x44f418 GetTickCount

• 0x44f41c GetVersion

• 0x44f420 GetWindowsDirectoryA

• 0x44f424 GlobalAlloc

• 0x44f428 GlobalFree

• 0x44f42c GlobalLock

• 0x44f430 GlobalUnlock

• 0x44f434 LoadLibraryA

• 0x44f438 LoadLibraryExA

• 0x44f43c MoveFileA

• 0x44f440 MulDiv

• 0x44f444 MultiByteToWideChar

• 0x44f448 ReadFile

• 0x44f44c RemoveDirectoryA

• 0x44f450 SearchPathA

• 0x44f454 SetCurrentDirectoryA

• 0x44f458 SetErrorMode

• 0x44f45c SetFileAttributesA

• 0x44f460 SetFilePointer

• 0x44f464 SetFileTime

• 0x44f468 Sleep

• 0x44f46c WaitForSingleObject

• 0x44f470 WriteFile

• 0x44f474 WritePrivateProfileStringA

• 0x44f478 lstrcatA

• 0x44f47c lstrcmpA

• 0x44f480 lstrcmpiA

• 0x44f484 lstrcpynA

• 0x44f488 lstrlenA

Library ole32.dll:

• 0x44f490 CoCreateInstance

• 0x44f494 CoTaskMemFree

• 0x44f498 OleInitialize

• 0x44f49c OleUninitialize

Library SHELL32.DLL:

• 0x44f4a4 SHBrowseForFolderA

• 0x44f4a8 SHFileOperationA

• 0x44f4ac SHGetFileInfoA

• 0x44f4b0 SHGetPathFromIDListA

• 0x44f4b4 SHGetSpecialFolderLocation

• 0x44f4b8 ShellExecuteA

Library USER32.dll:

• 0x44f4c0 AppendMenuA

• 0x44f4c4 BeginPaint

• 0x44f4c8 CallWindowProcA

• 0x44f4cc CharNextA

• 0x44f4d0 CharPrevA

• 0x44f4d4 CheckDlgButton

• 0x44f4d8 CloseClipboard

• 0x44f4dc CreateDialogParamA

• 0x44f4e0 CreatePopupMenu

• 0x44f4e4 CreateWindowExA

• 0x44f4e8 DefWindowProcA

• 0x44f4ec DestroyWindow

• 0x44f4f0 DialogBoxParamA

• 0x44f4f4 DispatchMessageA

• 0x44f4f8 DrawTextA

• 0x44f4fc EmptyClipboard

• 0x44f500 EnableMenuItem

• 0x44f504 EnableWindow

• 0x44f508 EndDialog

• 0x44f50c EndPaint

• 0x44f510 ExitWindowsEx

• 0x44f514 FillRect

• 0x44f518 FindWindowExA

• 0x44f51c GetClassInfoA

• 0x44f520 GetClientRect

• 0x44f524 GetDC

• 0x44f528 GetDlgItem

• 0x44f52c GetDlgItemTextA

• 0x44f530 GetMessagePos

• 0x44f534 GetSysColor

• 0x44f538 GetSystemMenu

• 0x44f53c GetSystemMetrics

• 0x44f540 GetWindowLongA

• 0x44f544 GetWindowRect

• 0x44f548 InvalidateRect

• 0x44f54c IsWindow

• 0x44f550 IsWindowEnabled

• 0x44f554 IsWindowVisible

• 0x44f558 LoadBitmapA

• 0x44f55c LoadCursorA

• 0x44f560 LoadImageA

• 0x44f564 MessageBoxIndirectA

• 0x44f568 OpenClipboard

• 0x44f56c PeekMessageA

• 0x44f570 PostQuitMessage

• 0x44f574 RegisterClassA

• 0x44f578 ScreenToClient

• 0x44f57c SendMessageA

• 0x44f580 SendMessageTimeoutA

• 0x44f584 SetClassLongA

• 0x44f588 SetClipboardData

• 0x44f58c SetCursor

• 0x44f590 SetDlgItemTextA

• 0x44f594 SetForegroundWindow

• 0x44f598 SetTimer

• 0x44f59c SetWindowLongA

• 0x44f5a0 SetWindowPos

• 0x44f5a4 SetWindowTextA

• 0x44f5a8 ShowWindow

• 0x44f5ac SystemParametersInfoA

• 0x44f5b0 TrackPopupMenu

• 0x44f5b4 wsprintfA

Library VERSION.dll:

• 0x44f5bc GetFileVersionInfoA

• 0x44f5c0 GetFileVersionInfoSizeA

• 0x44f5c4 VerQueryValueA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
teredo.ipv6.microsoft.com
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 172.217.160.78	142.250.66.110

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.