6.0
高危
1 个模型检测该样本为恶意!
重新分析
更多

fd3630012a7ac43760c87b269ee586565b54a515c5e43e2b80aa0adb5436b7da

86a2e2169ce9139baade58932d4b519b.exe

分析耗时

119s

最近分析

文件大小

6.2MB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20190503 6.0.6.653
Alibaba 20190426 0.4.0.6
Baidu 20190318 1.0.0.2
Avast 20190509 18.4.3895.0
Tencent 20190509 1.0.0.1
Kingsoft 20190509 2013.8.14.323
CrowdStrike 20190212 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1620954058.132751
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1620954047.805626
IsDebuggerPresent
failed 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1620954061.929751
__exception__
stacktrace: 
86a2e2169ce9139baade58932d4b519b+0x701e3 @ 0x4701e3
86a2e2169ce9139baade58932d4b519b+0x732a4 @ 0x4732a4
86a2e2169ce9139baade58932d4b519b+0x73890 @ 0x473890
86a2e2169ce9139baade58932d4b519b+0x7673b @ 0x47673b
86a2e2169ce9139baade58932d4b519b+0x83c3b @ 0x483c3b
86a2e2169ce9139baade58932d4b519b+0x6c479 @ 0x46c479
86a2e2169ce9139baade58932d4b519b+0x1545e @ 0x41545e
86a2e2169ce9139baade58932d4b519b+0x16c30 @ 0x416c30
86a2e2169ce9139baade58932d4b519b+0x1f3c2 @ 0x41f3c2
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
GetEffectiveClientRect+0x3409 DPA_Merge-0xa5a comctl32+0xa4601 @ 0x75464601
GetEffectiveClientRect+0x346b DPA_Merge-0x9f8 comctl32+0xa4663 @ 0x75464663
GetEffectiveClientRect+0x32f5 DPA_Merge-0xb6e comctl32+0xa44ed @ 0x754644ed
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x775b0d27
CallWindowProcA+0x1b GetClassNameA-0x95 user32+0x2794a @ 0x775b794a
86a2e2169ce9139baade58932d4b519b+0x16bf5 @ 0x416bf5

registers.esp: 1634748
registers.edi: 0
registers.eax: 1634748
registers.ebp: 1634828
registers.edx: 0
registers.ebx: 123
registers.esi: 30933436
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedface
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1240107401&cup2hreq=cb1e4bbf1d05b9fd91725750a04afe286b8dc766ac39f533bae8f62e54c332fc
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620924997&mv=m&mvi=1&pl=23&shardbypass=yes
request GET http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620924997&mv=m&mvi=1&pl=23&shardbypass=yes
request POST https://update.googleapis.com/service/update2?cup2key=10:1240107401&cup2hreq=cb1e4bbf1d05b9fd91725750a04afe286b8dc766ac39f533bae8f62e54c332fc
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:1240107401&cup2hreq=cb1e4bbf1d05b9fd91725750a04afe286b8dc766ac39f533bae8f62e54c332fc
Allocates read-write-execute memory (usually to unpack itself) (5 个事件)
Time & API Arguments Status Return Repeated
1620954047.649626
NtProtectVirtualMemory
process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620954047.649626
NtProtectVirtualMemory
process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1620954047.649626
NtProtectVirtualMemory
process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040f000
success 0 0
1620954048.945751
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1620953690.699395
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000003e70000
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 个事件)
Time & API Arguments Status Return Repeated
1620954053.726751
GetDiskFreeSpaceExW
root_path: C:\Telecontrol\IEC104OPCServer\
free_bytes_available: 8600306909957483753
total_number_of_free_bytes: 0
total_number_of_bytes: 4294967295
failed 0 0
1620954053.726751
GetDiskFreeSpaceExW
root_path: C:\Telecontrol\
free_bytes_available: 8600306909957483753
total_number_of_free_bytes: 0
total_number_of_bytes: 4294967295
failed 0 0
1620954053.726751
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19606016000
total_number_of_free_bytes: 0
total_number_of_bytes: 34252779520
success 1 0
1620954055.882751
GetDiskFreeSpaceExW
root_path: C:\Telecontrol\IEC104OPCServer\
free_bytes_available: 8600306909957483753
total_number_of_free_bytes: 0
total_number_of_bytes: 4294967295
failed 0 0
1620954055.882751
GetDiskFreeSpaceExW
root_path: C:\Telecontrol\
free_bytes_available: 8600306909957483753
total_number_of_free_bytes: 0
total_number_of_bytes: 4294967295
failed 0 0
1620954055.882751
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19606016000
total_number_of_free_bytes: 0
total_number_of_bytes: 34252779520
success 1 0
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5D1AO.tmp\_isetup\_shfoldr.dll
Drops an executable to the user AppData folder (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5KQAG.tmp\86a2e2169ce9139baade58932d4b519b.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-5D1AO.tmp\_isetup\_shfoldr.dll
File has been identified by one AntiVirus engine on VirusTotal as malicious (1 个事件)
CMC Trojan.Win32.Inject!O
Queries for potentially installed applications (2 个事件)
Time & API Arguments Status Return Repeated
1620954051.538751
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{6670FF6B-3EDE-4723-837D-3C0194CB4880}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{6670FF6B-3EDE-4723-837D-3C0194CB4880}_is1
options: 0
failed 2 0
1620954051.538751
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{6670FF6B-3EDE-4723-837D-3C0194CB4880}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{6670FF6B-3EDE-4723-837D-3C0194CB4880}_is1
options: 0
failed 2 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x40d0c4 VirtualFree
0x40d0c8 VirtualAlloc
0x40d0cc LocalFree
0x40d0d0 LocalAlloc
0x40d0d4 WideCharToMultiByte
0x40d0d8 TlsSetValue
0x40d0dc TlsGetValue
0x40d0e0 MultiByteToWideChar
0x40d0e4 GetModuleHandleA
0x40d0e8 GetLastError
0x40d0ec GetCommandLineA
0x40d0f0 WriteFile
0x40d0f4 SetFilePointer
0x40d0f8 SetEndOfFile
0x40d0fc RtlUnwind
0x40d100 ReadFile
0x40d104 RaiseException
0x40d108 GetStdHandle
0x40d10c GetFileSize
0x40d110 GetSystemTime
0x40d114 GetFileType
0x40d118 ExitProcess
0x40d11c CreateFileA
0x40d120 CloseHandle
Library user32.dll:
0x40d128 MessageBoxA
Library oleaut32.dll:
0x40d130 VariantChangeTypeEx
0x40d134 VariantCopyInd
0x40d138 VariantClear
0x40d13c SysStringLen
0x40d140 SysAllocStringLen
Library advapi32.dll:
0x40d148 RegQueryValueExA
0x40d14c RegOpenKeyExA
0x40d150 RegCloseKey
0x40d154 OpenProcessToken
Library kernel32.dll:
0x40d160 WriteFile
0x40d164 VirtualQuery
0x40d168 VirtualProtect
0x40d16c VirtualFree
0x40d170 VirtualAlloc
0x40d174 Sleep
0x40d178 SizeofResource
0x40d17c SetLastError
0x40d180 SetFilePointer
0x40d184 SetErrorMode
0x40d188 SetEndOfFile
0x40d18c RemoveDirectoryA
0x40d190 ReadFile
0x40d194 LockResource
0x40d198 LoadResource
0x40d19c LoadLibraryA
0x40d1a0 IsDBCSLeadByte
0x40d1a8 GetVersionExA
0x40d1b0 GetSystemInfo
0x40d1b8 GetProcAddress
0x40d1bc GetModuleHandleA
0x40d1c0 GetModuleFileNameA
0x40d1c4 GetLocaleInfoA
0x40d1c8 GetLastError
0x40d1cc GetFullPathNameA
0x40d1d0 GetFileSize
0x40d1d4 GetFileAttributesA
0x40d1d8 GetExitCodeProcess
0x40d1e0 GetCurrentProcess
0x40d1e4 GetCommandLineA
0x40d1e8 GetACP
0x40d1ec InterlockedExchange
0x40d1f0 FormatMessageA
0x40d1f4 FindResourceA
0x40d1f8 DeleteFileA
0x40d1fc CreateProcessA
0x40d200 CreateFileA
0x40d204 CreateDirectoryA
0x40d208 CloseHandle
Library user32.dll:
0x40d210 TranslateMessage
0x40d214 SetWindowLongA
0x40d218 PeekMessageA
0x40d220 MessageBoxA
0x40d224 LoadStringA
0x40d228 ExitWindowsEx
0x40d22c DispatchMessageA
0x40d230 DestroyWindow
0x40d234 CreateWindowExA
0x40d238 CallWindowProcA
0x40d23c CharPrevA
Library comctl32.dll:
0x40d244 InitCommonControls
Library advapi32.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49191 203.208.40.34 update.googleapis.com 443
192.168.56.101 49192 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49193 58.63.233.66 r1---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60088 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620924997&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620924997&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620924997&mv=m&mvi=1&pl=23&shardbypass=yes 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620924997&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6263
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.