7.0
高危
14 个模型检测该样本为恶意!
重新分析
更多

8d32f8597af30fc2d560aeb7f6ab9c3042bd802a4105b70be423de6f24e6066a

8aaadb7a0df7a933d7dcffd870a6de5a.exe

分析耗时

116s

最近分析

文件大小

231.1KB
静态报毒 动态报毒 AOTH CONFIDENCE MODERATE CONFIDENCE PLOCK QVM05 SCORE SUSPICIOUS PE TIGGRE UNSAFE ZXYB 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20190422 6.0.6.653
Alibaba 20190402 0.3.0.4
Baidu 20190318 1.0.0.2
Avast 20190422 18.4.3895.0
Tencent 20190422 1.0.0.1
Kingsoft 20190422 2013.8.14.323
CrowdStrike win/malicious_confidence_60% (W) 20190212 1.0
静态指标
Queries for the computername (3 个事件)
Time & API Arguments Status Return Repeated
1620812444.386645
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620812444.433645
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620812445.964645
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1620812870.351
IsDebuggerPresent
failed 0 0
Tries to locate where the browsers are installed (1 个事件)
file C:\Program Files\Google\Chrome\Application\chrome.exe
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620812871.226
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1451331524&cup2hreq=cb94cbf4971138bcc1aca3035e02457c82fd91d08dcb7885673355b7812ac1c5
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620783619&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=171fdc2eea780e85&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620783857&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:1451331524&cup2hreq=cb94cbf4971138bcc1aca3035e02457c82fd91d08dcb7885673355b7812ac1c5
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:1451331524&cup2hreq=cb94cbf4971138bcc1aca3035e02457c82fd91d08dcb7885673355b7812ac1c5
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1620812506.276645
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000003310000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (1 个事件)
file C:\Program Files (x86)\wiwe\wiwe\Uninstall.exe
Creates a shortcut to an executable file (11 个事件)
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file C:\Users\Public\Desktop\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 个事件)
Time & API Arguments Status Return Repeated
1620812445.761645
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620812445.839645
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620812445.933645
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620812446.011645
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620812446.104645
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620812446.370645
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620812446.479645
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620812446.729645
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 个事件)
Cyren W32/Trojan.ZXYB-7790
ClamAV Win.Malware.Score-6915874-0
Kaspersky UDS:DangerousObject.Multi.Generic
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Endgame malicious (moderate confidence)
Trapmine suspicious.low.ml.score
SentinelOne DFI - Suspicious PE
Jiangmin Trojan.MSIL.aoth
Microsoft Trojan:Win32/Tiggre!plock
ZoneAlarm UDS:DangerousObject.Multi.Generic
eGambit Unsafe.AI_Score_98%
CrowdStrike win/malicious_confidence_60% (W)
Qihoo-360 HEUR/QVM05.1.A047.Malware.Gen
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x42b1dc VirtualFree
0x42b1e0 VirtualAlloc
0x42b1e4 LocalFree
0x42b1e8 LocalAlloc
0x42b1ec GetVersion
0x42b1f0 GetCurrentThreadId
0x42b1f4 WideCharToMultiByte
0x42b1f8 GetThreadLocale
0x42b1fc GetStartupInfoA
0x42b200 GetLocaleInfoA
0x42b204 GetCommandLineA
0x42b208 FreeLibrary
0x42b20c ExitProcess
0x42b210 WriteFile
0x42b218 RtlUnwind
0x42b21c RaiseException
0x42b220 GetStdHandle
Library user32.dll:
0x42b228 GetKeyboardType
0x42b22c MessageBoxA
Library advapi32.dll:
0x42b234 RegQueryValueExA
0x42b238 RegOpenKeyExA
0x42b23c RegCloseKey
Library oleaut32.dll:
0x42b244 SysFreeString
0x42b248 SysReAllocStringLen
Library kernel32.dll:
0x42b250 TlsSetValue
0x42b254 TlsGetValue
0x42b258 LocalAlloc
0x42b25c GetModuleHandleA
Library advapi32.dll:
0x42b264 RegCloseKey
0x42b268 OpenThreadToken
0x42b26c OpenProcessToken
0x42b270 GetTokenInformation
0x42b274 FreeSid
0x42b278 EqualSid
Library kernel32.dll:
0x42b288 WriteFile
0x42b28c WinExec
0x42b290 WaitForSingleObject
0x42b294 TerminateProcess
0x42b29c Sleep
0x42b2a0 SetFileTime
0x42b2a4 SetFilePointer
0x42b2a8 SetErrorMode
0x42b2ac SetEndOfFile
0x42b2b0 ReadFile
0x42b2b4 OpenProcess
0x42b2b8 MultiByteToWideChar
0x42b2c0 LoadLibraryA
0x42b2c4 GlobalFree
0x42b2c8 GlobalAlloc
0x42b2cc GetVersion
0x42b2d4 GetProcAddress
0x42b2d8 GetModuleHandleA
0x42b2dc GetLocalTime
0x42b2e0 GetLastError
0x42b2e4 GetFileTime
0x42b2e8 GetFileSize
0x42b2ec GetExitCodeProcess
0x42b2f0 GetCurrentThread
0x42b2f4 GetCurrentProcess
0x42b2f8 FreeLibrary
0x42b2fc FindClose
0x42b30c CompareFileTime
0x42b310 CloseHandle
Library gdi32.dll:
0x42b318 StretchDIBits
0x42b31c StretchBlt
0x42b320 SetWindowOrgEx
0x42b324 SetTextColor
0x42b328 SetStretchBltMode
0x42b32c SetRectRgn
0x42b330 SetROP2
0x42b334 SetPixel
0x42b338 SetDIBits
0x42b33c SetBrushOrgEx
0x42b340 SetBkMode
0x42b344 SetBkColor
0x42b348 SelectObject
0x42b34c SaveDC
0x42b350 RestoreDC
0x42b354 OffsetRgn
0x42b358 MoveToEx
0x42b35c IntersectClipRect
0x42b360 GetStockObject
0x42b364 GetPixel
0x42b368 GetDIBits
0x42b36c ExtSelectClipRgn
0x42b370 ExcludeClipRect
0x42b374 DeleteObject
0x42b378 DeleteDC
0x42b37c CreateSolidBrush
0x42b380 CreateRectRgn
0x42b384 CreateDIBitmap
0x42b388 CreateDIBSection
0x42b38c CreateCompatibleDC
0x42b394 CreateBrushIndirect
0x42b398 CreateBitmap
0x42b39c CombineRgn
0x42b3a0 BitBlt
Library user32.dll:
0x42b3a8 WaitMessage
0x42b3ac ValidateRect
0x42b3b0 TranslateMessage
0x42b3b4 ShowWindow
0x42b3b8 SetWindowPos
0x42b3bc SetTimer
0x42b3c0 SetParent
0x42b3c4 SetForegroundWindow
0x42b3c8 SetFocus
0x42b3cc SetCursor
0x42b3d0 SendMessageA
0x42b3d4 ScreenToClient
0x42b3d8 ReleaseDC
0x42b3dc PostQuitMessage
0x42b3e0 OffsetRect
0x42b3e4 KillTimer
0x42b3e8 IsZoomed
0x42b3ec IsWindowVisible
0x42b3f0 IsWindowEnabled
0x42b3f4 IsWindow
0x42b3f8 IsIconic
0x42b3fc InvalidateRect
0x42b400 GetWindowRgn
0x42b404 GetWindowRect
0x42b408 GetWindowDC
0x42b40c GetUpdateRgn
0x42b410 GetSystemMetrics
0x42b414 GetSystemMenu
0x42b418 GetSysColor
0x42b41c GetParent
0x42b420 GetWindow
0x42b424 GetKeyState
0x42b428 GetFocus
0x42b42c GetDCEx
0x42b430 GetDC
0x42b434 GetCursorPos
0x42b438 GetClientRect
0x42b43c GetCapture
0x42b440 FillRect
0x42b444 ExitWindowsEx
0x42b448 EnumWindows
0x42b44c EndPaint
0x42b450 EnableWindow
0x42b454 EnableMenuItem
0x42b458 DrawIcon
0x42b45c DestroyWindow
0x42b460 DestroyIcon
0x42b464 DeleteMenu
0x42b468 CopyImage
0x42b46c ClientToScreen
0x42b470 BeginPaint
0x42b474 CharLowerBuffA
Library winmm.dll:
0x42b47c timeKillEvent
0x42b480 timeSetEvent
Library oleaut32.dll:
0x42b488 SysAllocStringLen
Library ole32.dll:
0x42b490 OleInitialize
Library comctl32.dll:
0x42b498 ImageList_Draw
0x42b4a0 ImageList_Create
0x42b4a4 InitCommonControls
Library shell32.dll:
0x42b4ac SHGetFileInfoA
Library user32.dll:
0x42b4b4 wvsprintfA
0x42b4b8 SetWindowLongA
0x42b4bc SetPropA
0x42b4c0 SendMessageA
0x42b4c4 RemovePropA
0x42b4c8 RegisterClassA
0x42b4cc PostMessageA
0x42b4d0 PeekMessageA
0x42b4d4 MessageBoxA
0x42b4d8 LoadIconA
0x42b4dc LoadCursorA
0x42b4e4 GetWindowTextA
0x42b4e8 GetWindowLongA
0x42b4ec GetPropA
0x42b4f0 GetClassLongA
0x42b4f4 GetClassInfoA
0x42b4f8 FindWindowA
0x42b4fc DrawTextA
0x42b500 DispatchMessageA
0x42b504 DefWindowProcA
0x42b508 CreateWindowExA
0x42b50c CallWindowProcA
Library gdi32.dll:
0x42b518 GetObjectA
0x42b51c CreateFontIndirectA
0x42b520 AddFontResourceA
Library kernel32.dll:
0x42b52c SetFileAttributesA
0x42b534 RemoveDirectoryA
0x42b538 LoadLibraryA
0x42b540 GetVersionExA
0x42b544 GetTimeFormatA
0x42b548 GetTempPathA
0x42b54c GetSystemDirectoryA
0x42b550 GetShortPathNameA
0x42b558 GetModuleHandleA
0x42b55c GetModuleFileNameA
0x42b560 GetFullPathNameA
0x42b564 GetFileAttributesA
0x42b568 GetDiskFreeSpaceA
0x42b56c GetDateFormatA
0x42b570 GetComputerNameA
0x42b574 GetCommandLineA
0x42b578 FindNextFileA
0x42b57c FindFirstFileA
0x42b584 DeleteFileA
0x42b588 CreateFileA
0x42b58c CreateDirectoryA
0x42b590 CompareStringA
Library advapi32.dll:
0x42b598 RegSetValueExA
0x42b59c RegQueryValueExA
0x42b5a0 RegQueryInfoKeyA
0x42b5a4 RegOpenKeyExA
0x42b5a8 RegEnumKeyExA
0x42b5ac RegCreateKeyExA
0x42b5b4 GetUserNameA
Library shell32.dll:
0x42b5bc ShellExecuteExA
0x42b5c0 ShellExecuteA
Library cabinet.dll:
0x42b5c8 FDIDestroy
0x42b5cc FDICopy
0x42b5d0 FDICreate

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49190 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49191 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49188 203.208.40.66 update.googleapis.com 443
192.168.56.101 49189 203.208.41.33 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=171fdc2eea780e85&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620783857&mv=m&mvi=3 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=171fdc2eea780e85&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620783857&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620783619&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620783619&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.