SmartHawk

11.8

0-day

48 个模型检测该样本为恶意！

重新分析

下载样本

8736ffe12cdc4791e4c340a1da9f52025faea789d2a6f75bda4e24e2a7ff5be8

88b0042ee1c7aec435ab5540b1d52799.exe

分析耗时

98s

最近分析

文件大小

438.5KB

静态报毒动态报毒 100% AGENTTESLA AI SCORE=88 ATTRIBUTE CONFIDENCE ELDORADO FAREIT GDSDA GENERICKD HESV HIGH CONFIDENCE HIGHCONFIDENCE HQYJUA KRYPTIK MALICIOUS PE MALWARE@#MMP83G3U5RGS MALWAREX PACKEDNET R002C0PH820 R347247 SCORE SUSGEN UNSAFE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FVT!88B0042EE1C7	20201023	6.0.6.653
Alibaba	Trojan:MSIL/AgentTesla.9fa9f251	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:MalwareX-gen [Trj]	20201023	18.4.3895.0
Kingsoft		20201023	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619706289.731499 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619706307.997999 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619706309.887999 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619706313.575999 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619706313.809999 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (17 个事件)

Time & API	Arguments	Status	Return	Repeated
1619685964.359625 IsDebuggerPresent		failed	0	0
1619685964.359625 IsDebuggerPresent		failed	0	0
1619686011.953625 IsDebuggerPresent		failed	0	0
1619686012.453625 IsDebuggerPresent		failed	0	0
1619686012.953625 IsDebuggerPresent		failed	0	0
1619686013.453625 IsDebuggerPresent		failed	0	0
1619686013.953625 IsDebuggerPresent		failed	0	0
1619686014.453625 IsDebuggerPresent		failed	0	0
1619686014.953625 IsDebuggerPresent		failed	0	0
1619686015.453625 IsDebuggerPresent		failed	0	0
1619686015.953625 IsDebuggerPresent		failed	0	0
1619686016.453625 IsDebuggerPresent		failed	0	0
1619686016.953625 IsDebuggerPresent		failed	0	0
1619686017.453625 IsDebuggerPresent		failed	0	0
1619686017.953625 IsDebuggerPresent		failed	0	0
1619706295.294999 IsDebuggerPresent		failed	0	0
1619706295.294999 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619706294.122499 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\qdZzbJwTrsvqQe"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619685964.375625 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619706313.559999 __exception__	stacktrace: 0x235e845 0x235dc83 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1569128 registers.edi: 38891160 registers.eax: 0 registers.ebp: 1569172 registers.edx: 8 registers.ebx: 0 registers.esi: 1760878491 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 53 3d fc 39 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x238203a	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619706313.559999
__exception__

stacktrace:

0x235e845
0x235dc83
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1569128
registers.edi: 38891160
registers.eax: 0
registers.ebp: 1569172
registers.edx: 8
registers.ebx: 0
registers.esi: 1760878491
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 53 3d fc 39
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x238203a

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 171 个事件)

Time & API	Arguments	Status	Return
1619685963.640625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00a70000	success	0
1619685963.640625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c20000	success	0
1619685964.140625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x023e0000	success	0
1619685964.140625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025b0000	success	0
1619685964.265625 NtProtectVirtualMemory	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b91000	success	0
1619685964.359625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00500000	success	0
1619685964.359625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00580000	success	0
1619685964.359625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0037a000	success	0
1619685964.359625 NtProtectVirtualMemory	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b92000	success	0
1619685964.359625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00372000	success	0
1619685964.640625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00382000	success	0
1619685964.734625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a5000	success	0
1619685964.750625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ab000	success	0
1619685964.750625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a7000	success	0
1619685964.890625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00383000	success	0
1619685964.984625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0038c000	success	0
1619685965.625625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00384000	success	0
1619685965.640625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00386000	success	0
1619685965.734625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00600000	success	0
1619685965.875625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0039a000	success	0
1619685965.875625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00397000	success	0
1619685966.328625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00396000	success	0
1619685966.328625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0038a000	success	0
1619685966.343625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00387000	success	0
1619685966.531625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00388000	success	0
1619685966.765625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00601000	success	0
1619685966.843625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00389000	success	0
1619685966.906625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a50000	success	0
1619685966.984625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00602000	success	0
1619685966.984625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a51000	success	0
1619685967.015625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00603000	success	0
1619686008.062625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a52000	success	0
1619686008.140625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00606000	success	0
1619686008.172625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025b1000	success	0
1619686008.297625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00607000	success	0
1619686008.422625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0037c000	success	0
1619686008.437625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00608000	success	0
1619686008.500625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00609000	success	0
1619686008.562625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a53000	success	0
1619686008.562625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0038d000	success	0
1619686008.578625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060a000	success	0
1619686008.703625 NtProtectVirtualMemory	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 290816 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04640400	failed	3221225550
1619686011.609625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060b000	success	0
1619686011.625625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a54000	success	0
1619686011.625625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060c000	success	0
1619686011.625625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060d000	success	0
1619686011.625625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060e000	success	0
1619686011.718625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060f000	success	0
1619686011.859625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04b30000	success	0
1619686011.906625 NtAllocateVirtualMemory	process_identifier: 2772 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04b31000	success	0

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\qdZzbJwTrsvqQe" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp35FA.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qdZzbJwTrsvqQe" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp35FA.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686012.640625 ShellExecuteExW	parameters: /Create /TN "Updates\qdZzbJwTrsvqQe" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp35FA.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.919891392440299

section

{'size_of_data': '0x0006d000', 'virtual_address': '0x00002000', 'entropy': 7.919891392440299, 'name': '.text', 'virtual_size': '0x0006cf94'}

description

A section with a high entropy has been found

entropy

0.9954337899543378

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686008.703625 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619706306.762999 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\qdZzbJwTrsvqQe" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp35FA.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qdZzbJwTrsvqQe" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp35FA.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686018.218625 NtAllocateVirtualMemory	process_identifier: 368 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00009618 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp35FA.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619686018.218625 WriteProcessMemory	process_identifier: 368 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL»ç^àL.k @ À@ÔjWà H.text4K L `.rsrcàN@@.reloc R@B process_handle: 0x00009618 base_address: 0x00400000	success	1
1619686018.234625 WriteProcessMemory	process_identifier: 368 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNametgyNJtBJkvgCcIckcaKHAF.exe(LegalCopyright `OriginalFilenametgyNJtBJkvgCcIckcaKHAF.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00009618 base_address: 0x00448000	success	1
1619686018.234625 WriteProcessMemory	process_identifier: 368 buffer: `0; process_handle: 0x00009618 base_address: 0x0044a000	success	1
1619686018.234625 WriteProcessMemory	process_identifier: 368 buffer: @ process_handle: 0x00009618 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686018.218625 WriteProcessMemory	process_identifier: 368 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL»ç^àL.k @ À@ÔjWà H.text4K L `.rsrcàN@@.reloc R@B process_handle: 0x00009618 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2772 called NtSetContextThread to modify thread in remote process 368
1619686018.234625 NtSetContextThread	thread_handle: 0x00007214 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4483886 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 368	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2772 resumed a thread in remote process 368
1619686018.250625 NtResumeThread	thread_handle: 0x00007214 suspend_count: 1 process_identifier: 368	success	0	0

Executed a process and injected code into it, probably while unpacking (26 个事件)

Time & API	Arguments	Status	Return
1619685964.359625 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2772	success	0
1619685964.375625 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2772	success	0
1619685964.390625 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2772	success	0
1619686011.953625 NtResumeThread	thread_handle: 0x000014a8 suspend_count: 1 process_identifier: 2772	success	0
1619686011.953625 NtResumeThread	thread_handle: 0x0000b7e0 suspend_count: 1 process_identifier: 2772	success	0
1619686012.640625 CreateProcessInternalW	thread_identifier: 1824 thread_handle: 0x0000ffa0 process_identifier: 2288 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qdZzbJwTrsvqQe" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp35FA.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00001744 inherit_handles: 0	success	1
1619686018.218625 CreateProcessInternalW	thread_identifier: 2008 thread_handle: 0x00007214 process_identifier: 368 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00009618 inherit_handles: 0	success	1
1619686018.218625 NtGetContextThread	thread_handle: 0x00007214	success	0
1619686018.218625 NtAllocateVirtualMemory	process_identifier: 368 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00009618 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619686018.218625 WriteProcessMemory	process_identifier: 368 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL»ç^àL.k @ À@ÔjWà H.text4K L `.rsrcàN@@.reloc R@B process_handle: 0x00009618 base_address: 0x00400000	success	1
1619686018.218625 WriteProcessMemory	process_identifier: 368 buffer: process_handle: 0x00009618 base_address: 0x00402000	success	1
1619686018.234625 WriteProcessMemory	process_identifier: 368 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNametgyNJtBJkvgCcIckcaKHAF.exe(LegalCopyright `OriginalFilenametgyNJtBJkvgCcIckcaKHAF.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00009618 base_address: 0x00448000	success	1
1619686018.234625 WriteProcessMemory	process_identifier: 368 buffer: `0; process_handle: 0x00009618 base_address: 0x0044a000	success	1
1619686018.234625 WriteProcessMemory	process_identifier: 368 buffer: @ process_handle: 0x00009618 base_address: 0x7efde008	success	1
1619686018.234625 NtSetContextThread	thread_handle: 0x00007214 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4483886 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 368	success	0
1619686018.250625 NtResumeThread	thread_handle: 0x00007214 suspend_count: 1 process_identifier: 368	success	0
1619686018.250625 NtResumeThread	thread_handle: 0x0000b7dc suspend_count: 1 process_identifier: 2772	success	0
1619686018.312625 NtGetContextThread	thread_handle: 0x0000b7dc	success	0
1619686018.312625 NtGetContextThread	thread_handle: 0x0000b7dc	success	0
1619686018.312625 NtResumeThread	thread_handle: 0x0000b7dc suspend_count: 1 process_identifier: 2772	success	0
1619706295.294999 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 368	success	0
1619706295.294999 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 368	success	0
1619706295.309999 NtResumeThread	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 368	success	0
1619706309.715999 NtResumeThread	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 368	success	0
1619706309.747999 NtResumeThread	thread_handle: 0x00000310 suspend_count: 1 process_identifier: 368	success	0
1619706313.575999 NtResumeThread	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 368	success	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34316006
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FVT!88B0042EE1C7
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c26d1 )
Alibaba	Trojan:MSIL/AgentTesla.9fa9f251
K7GW	Trojan ( 0056c26d1 )
Cybereason	malicious.ce8acd
Arcabit	Trojan.Generic.D20B9EE6
Invincea	Mal/Generic-S
Cyren	W32/MSIL_Kryptik.BJF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Hesv.gen
BitDefender	Trojan.GenericKD.34316006
NANO-Antivirus	Trojan.Win32.Hesv.hqyjua
Ad-Aware	Trojan.GenericKD.34316006
Sophos	Mal/Generic-S
Comodo	Malware@#mmp83g3u5rgs
DrWeb	Trojan.PackedNET.405
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PH820
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
FireEye	Generic.mg.88b0042ee1c7aec4
Emsisoft	Trojan.GenericKD.34316006 (B)
SentinelOne	DFI - Malicious PE
Antiy-AVL	Trojan/MSIL.Kryptik
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Hesv.gen
GData	Trojan.GenericKD.34316006
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.MSIL.R347247
ALYac	Trojan.GenericKD.34316006
MAX	malware (ai score=88)
Malwarebytes	Spyware.AgentTesla
ESET-NOD32	a variant of MSIL/Kryptik.XHF
TrendMicro-HouseCall	TROJ_GEN.R002C0PH820
Ikarus	Trojan.MSIL.Crypt
eGambit	Unsafe.AI_Score_87%
Fortinet	MSIL/Kryptik.4462!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Generic/Trojan.3de

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)

dead_host	172.217.24.14:443
dead_host	216.58.200.238:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-07 21:02:43

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	CNAME clients.l.google.com A 216.58.200.238 A 172.217.160.110	216.58.200.238
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.