12.4
0-day

eda5ce3fb4175c9fe2c58cb70ea820f1af106e494ec353763fc660cc1ca177c0

896da26ef3efd9f70c66954f328fd371.exe

分析耗时

123s

最近分析

文件大小

2.5MB
静态报毒 动态报毒 97CMOUNSS2LHLVU7USRQ COOLMEDIA FUSIONCORE GENERIC PUA PL GENERIC@ML GKKKYH HIGH CONFIDENCE INSTALLCORE MALICIOUS RDMK TSINGSOFT UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20200213 6.0.6.653
Alibaba 20190527 0.3.0.5
CrowdStrike 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:PUP-gen [PUP] 20200213 18.4.3895.0
Tencent 20200214 1.0.0.1
Kingsoft 20200214 2013.8.14.323
静态指标
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1620950465.429374
IsDebuggerPresent
failed 0 0
This executable is signed
Tries to locate where the browsers are installed (1 个事件)
file C:\Program Files\Google\Chrome\Application\chrome.exe
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620950486.694626
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)
section .itext
section .didata
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1620950513.007626
__exception__
stacktrace:
itd_downloadfile-0x1da itdownload+0x2b072 @ 0x3a2b072
itd_downloadfile-0xbc5 itdownload+0x2a687 @ 0x3a2a687
itd_downloadfile+0x4e itd_downloadfiles-0x62 itdownload+0x2b29a @ 0x3a2b29a
TMethodImplementationIntercept+0x12d57e dbkFCallWrapperAddr-0x88da2 896da26ef3efd9f70c66954f328fd371+0x1ce89a @ 0x5ce89a
TMethodImplementationIntercept+0x12f899 dbkFCallWrapperAddr-0x86a87 896da26ef3efd9f70c66954f328fd371+0x1d0bb5 @ 0x5d0bb5
TMethodImplementationIntercept+0x136147 dbkFCallWrapperAddr-0x801d9 896da26ef3efd9f70c66954f328fd371+0x1d7463 @ 0x5d7463
TMethodImplementationIntercept+0x128253 dbkFCallWrapperAddr-0x8e0cd 896da26ef3efd9f70c66954f328fd371+0x1c956f @ 0x5c956f
TMethodImplementationIntercept+0x126fc5 dbkFCallWrapperAddr-0x8f35b 896da26ef3efd9f70c66954f328fd371+0x1c82e1 @ 0x5c82e1
TMethodImplementationIntercept+0x18b1e1 dbkFCallWrapperAddr-0x2b13f 896da26ef3efd9f70c66954f328fd371+0x22c4fd @ 0x62c4fd
TMethodImplementationIntercept+0x18b284 dbkFCallWrapperAddr-0x2b09c 896da26ef3efd9f70c66954f328fd371+0x22c5a0 @ 0x62c5a0
TMethodImplementationIntercept+0x19b38b dbkFCallWrapperAddr-0x1af95 896da26ef3efd9f70c66954f328fd371+0x23c6a7 @ 0x63c6a7
TMethodImplementationIntercept+0x1ac2a7 dbkFCallWrapperAddr-0xa079 896da26ef3efd9f70c66954f328fd371+0x24d5c3 @ 0x64d5c3
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1636816
registers.edi: 63206048
registers.eax: 1636816
registers.ebp: 1636896
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 个事件)
suspicious_features GET method with no useragent header suspicious_request GET http://rp.appuniverseapplication.com/
suspicious_features GET method with no useragent header suspicious_request GET http://1223.dragonparking.com/?site=rp.appuniverseapplication.com
suspicious_features POST method with no referer header suspicious_request POST http://rp.appuniverseapplication.com/
suspicious_features POST method with no referer header suspicious_request POST http://os.appuniverseapplication.com/
suspicious_features HTTP version 1.0 used suspicious_request GET http://post.securestudies.com/packages/RI1034/ContentI3.exe
suspicious_features POST method with no referer header suspicious_request POST http://os2.appuniverseapplication.com/
Performs some HTTP requests (13 个事件)
request GET http://rp.appuniverseapplication.com/
request GET http://1223.dragonparking.com/?site=rp.appuniverseapplication.com
request POST http://rp.appuniverseapplication.com/
request GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
request GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAPcYwoSMi%2FL8DFvBZHrSfY%3D
request POST http://os.appuniverseapplication.com/
request GET http://post.securestudies.com/packages/RI1034/ContentI3.exe
request GET http://1223.dragonparking.com/?site=os.appuniverseapplication.com
request POST http://os2.appuniverseapplication.com/
request GET http://1223.dragonparking.com/?site=os2.appuniverseapplication.com
request GET https://dp.diandongzhi.com/?acct=1223&site=rp.appuniverseapplication.com
request GET https://dp.diandongzhi.com/?acct=1223&site=os.appuniverseapplication.com
request GET https://dp.diandongzhi.com/?acct=1223&site=os2.appuniverseapplication.com
Sends data using the HTTP POST Method (3 个事件)
request POST http://rp.appuniverseapplication.com/
request POST http://os.appuniverseapplication.com/
request POST http://os2.appuniverseapplication.com/
Allocates read-write-execute memory (usually to unpack itself) (10 个事件)
Time & API Arguments Status Return Repeated
1620950464.538374
NtProtectVirtualMemory
process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620950464.538374
NtProtectVirtualMemory
process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 688128
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1620950464.538374
NtProtectVirtualMemory
process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004b6000
success 0 0
1620950464.538374
NtProtectVirtualMemory
process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004b8000
success 0 0
1620950466.397626
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02650000
success 0 0
1620950477.694626
NtAllocateVirtualMemory
process_identifier: 364
region_size: 933888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05580000
success 0 0
1620950477.772626
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1208320
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05771000
success 0 0
1620950477.772626
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 929792
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05898000
success 0 0
1620950477.975626
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05ad0000
success 0 0
1620950538.350249
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004010000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
A process attempted to delay the analysis task. (1 个事件)
description 896da26ef3efd9f70c66954f328fd371.tmp tried to sleep 161 seconds, actually delayed analysis time by 161 seconds
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 个事件)
Time & API Arguments Status Return Repeated
1620950485.116626
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4786541
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620950486.694626
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4786541
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620950489.804626
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4786541
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
Steals private information from local Internet browsers (28 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\MEIPreload\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\pnacl\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SafetyTips\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SwReporter\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Floc\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\OriginTrials\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Subresource Filter\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Safe Browsing\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\hyphen-data\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cache\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crowd Deny\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\AutofillStates\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\WidevineCdm\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\GrShaderCache\Cache
Creates executable files on the filesystem (3 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-42L12.tmp\isxdl.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-42L12.tmp\ezdatzsazzxt.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-42L12.tmp\itdownload.dll
Drops an executable to the user AppData folder (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-1D5SK.tmp\896da26ef3efd9f70c66954f328fd371.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-42L12.tmp\ezdatzsazzxt.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-42L12.tmp\isxdl.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-42L12.tmp\itdownload.dll
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 个事件)
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620950472.179626
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
An executable file was downloaded by the process 896da26ef3efd9f70c66954f328fd371.tmp (1 个事件)
Time & API Arguments Status Return Repeated
1620950492.679626
recv
buffer: HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 27 Jul 2020 21:58:47 GMT Accept-Ranges: bytes ETag: "8054f1a6164d61:0" Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Thu, 13 May 2021 16:02:59 GMT Connection: close Content-Length: 3119472 MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $䒑: óÿi óÿi óÿi3½gi¦óÿi»nai„óÿi»nTiõóÿi©‹|i¥óÿi»nUiîðÿi óÿi¶óÿiυTi¥óÿi©‹li¿óÿi óþiÛòÿi»nPiŠóÿi»nei¡óÿi»nbi¡óÿiRich óÿiPELN_à  ('T9ü @'@00k?0´û.@0Ä€/p°F'°˜.@@'(.textÐ''(' `.rdataòÛ@'Ü,'@@.data¬í /d/@À.rsrcÄ0l/@@é;Ú ‹D$Š‹L$ˆÃˀ ÃS3ۉ‰^‰^f‰^ dž´ù*ˆžø‰žüFPdž‰ž‹ÆˆžèYˆž¸‹Æ
received: 1412
socket: 1352
success 1412 0
Expresses interest in specific running processes (1 个事件)
process 896da26ef3efd9f70c66954f328fd371.tmp
Queries for potentially installed applications (1 个事件)
Time & API Arguments Status Return Repeated
1620950470.679626
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WMA Workshop Plus_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WMA Workshop Plus_is1
options: 0
failed 2 0
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 172.217.24.14
host 203.208.40.34
host 58.63.233.66
Creates an Alternate Data Stream (ADS) (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\896da26ef3efd9f70c66954f328fd371.exe:Zone.Identifier:$DATA
File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 个事件)
Cylance Unsafe
K7AntiVirus Adware ( 0055e4471 )
K7GW Adware ( 0055e4471 )
APEX Malicious
Avast Win32:PUP-gen [PUP]
NANO-Antivirus Trojan.Win32.InstallCore.gkkkyh
Paloalto generic.ml
Endgame malicious (high confidence)
Sophos Generic PUA PL (PUA)
DrWeb Trojan.InstallCore.3848
Microsoft PUA:Win32/Tsingsoft
VBA32 Trojan.InstallCore
Malwarebytes PUP.Optional.CoolMedia
ESET-NOD32 a variant of Win32/FusionCore.AX potentially unwanted
Rising Trojan.Generic@ML.95 (RDMK:U/97cmOUNSs2LHLVU7USRQ)
Fortinet Riskware/FusionCore
AVG Win32:PUP-gen [PUP]
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)
Time & API Arguments Status Return Repeated
1620950474.741626
RegSetValueExA
key_handle: 0x00000450
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620950474.741626
RegSetValueExA
key_handle: 0x00000450
value: P²¸n_H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620950474.741626
RegSetValueExA
key_handle: 0x00000450
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620950474.741626
RegSetValueExW
key_handle: 0x00000450
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620950474.741626
RegSetValueExA
key_handle: 0x0000046c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620950474.741626
RegSetValueExA
key_handle: 0x0000046c
value: P²¸n_H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620950474.741626
RegSetValueExA
key_handle: 0x0000046c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620950474.804626
RegSetValueExW
key_handle: 0x0000044c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1620950477.663626
RegSetValueExA
key_handle: 0x000004b8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620950477.663626
RegSetValueExA
key_handle: 0x000004b8
value: ðŽvp_H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620950477.663626
RegSetValueExA
key_handle: 0x000004b8
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620950477.663626
RegSetValueExW
key_handle: 0x000004b8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620950477.663626
RegSetValueExA
key_handle: 0x000004bc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620950477.679626
RegSetValueExA
key_handle: 0x000004bc
value: ðŽvp_H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620950477.679626
RegSetValueExA
key_handle: 0x000004bc
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Network activity contains more than one unique useragent (2 个事件)
process 896da26ef3efd9f70c66954f328fd371.tmp useragent
process 896da26ef3efd9f70c66954f328fd371.tmp useragent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-04-27 16:22:11

Imports

Library kernel32.dll:
0x4b42e0 GetACP
0x4b42e4 GetExitCodeProcess
0x4b42e8 LocalFree
0x4b42ec CloseHandle
0x4b42f0 SizeofResource
0x4b42f4 VirtualProtect
0x4b42f8 VirtualFree
0x4b42fc GetFullPathNameW
0x4b4300 ExitProcess
0x4b4304 HeapAlloc
0x4b4308 GetCPInfoExW
0x4b430c RtlUnwind
0x4b4310 GetCPInfo
0x4b4314 GetStdHandle
0x4b4318 GetModuleHandleW
0x4b431c FreeLibrary
0x4b4320 HeapDestroy
0x4b4324 ReadFile
0x4b4328 CreateProcessW
0x4b432c GetLastError
0x4b4330 GetModuleFileNameW
0x4b4334 SetLastError
0x4b4338 FindResourceW
0x4b433c CreateThread
0x4b4340 CompareStringW
0x4b4344 LoadLibraryA
0x4b4348 ResetEvent
0x4b434c GetVersion
0x4b4350 RaiseException
0x4b4354 FormatMessageW
0x4b4358 SwitchToThread
0x4b435c GetExitCodeThread
0x4b4360 GetCurrentThread
0x4b4364 LoadLibraryExW
0x4b4368 LockResource
0x4b436c GetCurrentThreadId
0x4b4374 VirtualQuery
0x4b4378 VirtualQueryEx
0x4b437c Sleep
0x4b4384 SetFilePointer
0x4b4388 LoadResource
0x4b438c SuspendThread
0x4b4390 GetTickCount
0x4b4394 GetFileSize
0x4b4398 GetStartupInfoW
0x4b439c GetFileAttributesW
0x4b43a4 GetThreadPriority
0x4b43a8 SetThreadPriority
0x4b43ac GetCurrentProcess
0x4b43b0 VirtualAlloc
0x4b43b4 GetSystemInfo
0x4b43b8 GetCommandLineW
0x4b43c0 GetProcAddress
0x4b43c4 ResumeThread
0x4b43c8 GetVersionExW
0x4b43cc VerifyVersionInfoW
0x4b43d0 HeapCreate
0x4b43d8 VerSetConditionMask
0x4b43dc GetDiskFreeSpaceW
0x4b43e0 FindFirstFileW
0x4b43e8 lstrlenW
0x4b43f0 SetEndOfFile
0x4b43f4 HeapFree
0x4b43f8 WideCharToMultiByte
0x4b43fc FindClose
0x4b4400 MultiByteToWideChar
0x4b4404 LoadLibraryW
0x4b4408 SetEvent
0x4b440c CreateFileW
0x4b4410 GetLocaleInfoW
0x4b4414 GetSystemDirectoryW
0x4b4418 DeleteFileW
0x4b441c GetLocalTime
0x4b4424 WaitForSingleObject
0x4b4428 WriteFile
0x4b442c ExitThread
0x4b4434 TlsGetValue
0x4b4438 GetDateFormatW
0x4b443c SetErrorMode
0x4b4440 IsValidLocale
0x4b4444 TlsSetValue
0x4b4448 CreateDirectoryW
0x4b4450 EnumCalendarInfoW
0x4b4454 LocalAlloc
0x4b445c RemoveDirectoryW
0x4b4460 CreateEventW
0x4b4464 SetThreadLocale
0x4b4468 GetThreadLocale
Library comctl32.dll:
0x4b4470 InitCommonControls
Library version.dll:
0x4b447c VerQueryValueW
0x4b4480 GetFileVersionInfoW
Library user32.dll:
0x4b4488 CreateWindowExW
0x4b448c TranslateMessage
0x4b4490 CharLowerBuffW
0x4b4494 CallWindowProcW
0x4b4498 CharUpperW
0x4b449c PeekMessageW
0x4b44a0 GetSystemMetrics
0x4b44a4 SetWindowLongW
0x4b44a8 MessageBoxW
0x4b44ac DestroyWindow
0x4b44b0 CharNextW
0x4b44b8 LoadStringW
0x4b44bc ExitWindowsEx
0x4b44c0 DispatchMessageW
Library oleaut32.dll:
0x4b44c8 SysAllocStringLen
0x4b44cc SafeArrayPtrOfIndex
0x4b44d0 VariantCopy
0x4b44d4 SafeArrayGetLBound
0x4b44d8 SafeArrayGetUBound
0x4b44dc VariantInit
0x4b44e0 VariantClear
0x4b44e4 SysFreeString
0x4b44e8 SysReAllocStringLen
0x4b44ec VariantChangeType
0x4b44f0 SafeArrayCreate
Library netapi32.dll:
0x4b44f8 NetWkstaGetInfo
0x4b44fc NetApiBufferFree
Library advapi32.dll:
0x4b4504 RegQueryValueExW
0x4b4510 RegCloseKey
0x4b4514 OpenProcessToken
0x4b4518 RegOpenKeyExW

Exports

Ordinal Address Name
3 0x453abc TMethodImplementationIntercept
2 0x40d3dc __dbk_fcall_wrapper
1 0x4b063c dbkFCallWrapperAddr

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49180 104.207.153.254 1223.dragonparking.com 80
192.168.56.101 49185 104.207.153.254 1223.dragonparking.com 80
192.168.56.101 49186 104.26.9.53 dp.diandongzhi.com 443
192.168.56.101 49192 165.193.78.234 post.securestudies.com 80
192.168.56.101 49197 165.193.78.234 post.securestudies.com 80
192.168.56.101 49179 204.11.56.48 os2.appuniverseapplication.com 80
192.168.56.101 49184 204.11.56.48 os2.appuniverseapplication.com 80
192.168.56.101 49190 204.11.56.48 os2.appuniverseapplication.com 80
192.168.56.101 49193 204.11.56.48 os2.appuniverseapplication.com 80
192.168.56.101 49194 204.11.56.48 os2.appuniverseapplication.com 80
192.168.56.101 49195 204.11.56.48 os2.appuniverseapplication.com 80
192.168.56.101 49187 93.184.220.29 ocsp.digicert.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://os.appuniverseapplication.com/
POST / HTTP/1.1
Accept: */*
Host: os.appuniverseapplication.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 1760
Cache-Control: no-cache

http://1223.dragonparking.com/?site=rp.appuniverseapplication.com
GET /?site=rp.appuniverseapplication.com HTTP/1.1
Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Cache-Control: no-cache
Host: 1223.dragonparking.com

http://post.securestudies.com/packages/RI1034/ContentI3.exe
GET /packages/RI1034/ContentI3.exe HTTP/1.0
Host: post.securestudies.com
User-Agent: InnoTools_Downloader

http://rp.appuniverseapplication.com/
POST / HTTP/1.1
Accept: */*
Host: rp.appuniverseapplication.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 1632
Cache-Control: no-cache

http://os2.appuniverseapplication.com/
POST / HTTP/1.1
Accept: */*
Host: os2.appuniverseapplication.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 1760
Cache-Control: no-cache

http://rp.appuniverseapplication.com/
GET / HTTP/1.1
Host: rp.appuniverseapplication.com

http://1223.dragonparking.com/?site=os2.appuniverseapplication.com
GET /?site=os2.appuniverseapplication.com HTTP/1.1
Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Cache-Control: no-cache
Host: 1223.dragonparking.com

http://1223.dragonparking.com/?site=os.appuniverseapplication.com
GET /?site=os.appuniverseapplication.com HTTP/1.1
Accept: */*
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Cache-Control: no-cache
Host: 1223.dragonparking.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://1223.dragonparking.com/?site=rp.appuniverseapplication.com
GET /?site=rp.appuniverseapplication.com HTTP/1.1
Connection: Keep-Alive
Host: 1223.dragonparking.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.