SmartHawk

10.4

0-day

46 个模型检测该样本为恶意！

重新分析

下载样本

cb9c2ad747702c3fa76f5b7ca580cd0d3f184dc9993a687f2cc2f61cb40a3e13

8c7645244431c377debc5580f340f5e5.exe

分析耗时

77s

最近分析

文件大小

759.5KB

静态报毒动态报毒 100% AGEN AGENTTESLA AI SCORE=88 BEHAVIOR CLOUD COBRA CONFIDENCE ECUG ELDORADO FAREIT GDSDA GENERICKD HIGH CONFIDENCE HODLXL KRYPTIK NOON PWSX R275087 SIGGEN2 UNSAFE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FWY!8C7645244431	20200821	6.0.6.653
Alibaba	TrojanSpy:MSIL/AgentTesla.9936d7a9	20190527	0.3.0.5
Avast	Win32:PWSX-gen [Trj]	20200821	18.4.3895.0
Baidu		20190318	1.0.0.2
Kingsoft		20200821	2013.8.14.323
Tencent	Msil.Trojan-spy.Noon.Ecug	20200821	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619716573.338124 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619716588.618501 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619716589.368501 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619716591.368501 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619716592.478501 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619716531.899626 IsDebuggerPresent		failed	0	0
1619716576.415501 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619716573.900124 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\vdDdVVfRkNhbE"。 console_handle: 0x00000007	success	1	0

This executable has a PDB path (1 个事件)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\jdCHisGnpf\src\obj\Debug\kycdR.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619716567.446626 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619716590.946501 __exception__	stacktrace: 0x232eb8d 0x232dfcd CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2289644 registers.edi: 2289676 registers.eax: 0 registers.ebp: 2289692 registers.edx: 158 registers.ebx: 0 registers.esi: 41746900 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 b8 9b ab fb 69 eb 86 8b exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x232ef51	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619716590.946501
__exception__

stacktrace:

0x232eb8d
0x232dfcd
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2289644
registers.edi: 2289676
registers.eax: 0
registers.ebp: 2289692
registers.edx: 158
registers.ebx: 0
registers.esi: 41746900
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 d8 b8 9b ab fb 69 eb 86 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x232ef51

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 个事件)

Time & API	Arguments	Status
1619716531.009626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005f0000	success
1619716531.009626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00750000	success
1619716531.743626 NtProtectVirtualMemory	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1619716531.899626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004da000	success
1619716531.899626 NtProtectVirtualMemory	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1619716531.899626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d2000	success
1619716532.306626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e2000	success
1619716532.478626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e3000	success
1619716532.509626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0051b000	success
1619716532.509626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00517000	success
1619716532.603626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004ec000	success
1619716533.446626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e4000	success
1619716533.556626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e6000	success
1619716533.587626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e7000	success
1619716533.603626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00730000	success
1619716533.759626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0050a000	success
1619716533.774626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00502000	success
1619716533.821626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00515000	success
1619716533.962626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004fa000	success
1619716533.962626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004f7000	success
1619716567.259626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0050c000	success
1619716567.306626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004f6000	success
1619716567.306626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00731000	success
1619716567.337626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e8000	success
1619716567.353626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x04b80000	success
1619716567.353626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c30000	success
1619716567.353626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c31000	success
1619716567.368626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c32000	success
1619716567.384626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c33000	success
1619716567.384626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c34000	success
1619716567.399626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e9000	success
1619716567.415626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00732000	success
1619716567.415626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c35000	success
1619716567.415626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c36000	success
1619716567.415626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c37000	success
1619716567.415626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c3b000	success
1619716567.431626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c4c000	success
1619716567.431626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04c4d000	success
1619716567.431626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00733000	success
1619716572.540626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004db000	success
1619716572.618626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004ea000	success
1619716575.728626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04e80000	success
1619716576.118626 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00734000	success
1619716576.274501 NtAllocateVirtualMemory	process_identifier: 176 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x006b0000	success
1619716576.274501 NtAllocateVirtualMemory	process_identifier: 176 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00760000	success
1619716576.384501 NtProtectVirtualMemory	process_identifier: 176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1619716576.431501 NtAllocateVirtualMemory	process_identifier: 176 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0052a000	success
1619716576.431501 NtProtectVirtualMemory	process_identifier: 176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1619716576.431501 NtAllocateVirtualMemory	process_identifier: 176 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00522000	success
1619716576.478501 NtAllocateVirtualMemory	process_identifier: 176 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00532000	success

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vdDdVVfRkNhbE" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFA2A.tmp"
cmdline	schtasks.exe /Create /TN "Updates\vdDdVVfRkNhbE" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFA2A.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619716573.040626 ShellExecuteExW	parameters: /Create /TN "Updates\vdDdVVfRkNhbE" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFA2A.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.00025011558948

section

{'size_of_data': '0x000b9000', 'virtual_address': '0x00002000', 'entropy': 7.00025011558948, 'name': '.text', 'virtual_size': '0x000b8f3c'}

description

A section with a high entropy has been found

entropy

7.8059100624727575

section

{'size_of_data': '0x00004a00', 'virtual_address': '0x000bc000', 'entropy': 7.8059100624727575, 'name': '.rsrc', 'virtual_size': '0x00004884'}

description

A section with a high entropy has been found

entropy

0.9993412384716732

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619716588.384501 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vdDdVVfRkNhbE" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFA2A.tmp"
cmdline	schtasks.exe /Create /TN "Updates\vdDdVVfRkNhbE" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFA2A.tmp"

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.40.34

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619716575.728626 NtAllocateVirtualMemory	process_identifier: 176 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000035c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFA2A.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619716575.728626 WriteProcessMemory	process_identifier: 176 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELë-_àXv @ À@ÐuKð H.text$V X `.rsrcðZ@@.reloc ^@B process_handle: 0x0000035c base_address: 0x00400000	success	1
1619716575.743626 WriteProcessMemory	process_identifier: 176 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameMbWSYZmFCCSwuIlewubPJEhnDy.exe(LegalCopyright hOriginalFilenameMbWSYZmFCCSwuIlewubPJEhnDy.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000035c base_address: 0x00448000	success	1
1619716575.743626 WriteProcessMemory	process_identifier: 176 buffer: p 6 process_handle: 0x0000035c base_address: 0x0044a000	success	1
1619716575.743626 WriteProcessMemory	process_identifier: 176 buffer: @ process_handle: 0x0000035c base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619716575.728626 WriteProcessMemory	process_identifier: 176 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELë-_àXv @ À@ÐuKð H.text$V X `.rsrcðZ@@.reloc ^@B process_handle: 0x0000035c base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2228 called NtSetContextThread to modify thread in remote process 176
1619716575.743626 NtSetContextThread	thread_handle: 0x00000258 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486686 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 176	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2228 resumed a thread in remote process 176
1619716576.103626 NtResumeThread	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 176	success	0	0

Executed a process and injected code into it, probably while unpacking (24 个事件)

Time & API	Arguments	Status	Return
1619716531.899626 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 2228	success	0
1619716531.978626 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2228	success	0
1619716572.556626 NtResumeThread	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2228	success	0
1619716572.587626 NtResumeThread	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2228	success	0
1619716573.040626 CreateProcessInternalW	thread_identifier: 2548 thread_handle: 0x00000344 process_identifier: 2940 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vdDdVVfRkNhbE" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFA2A.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000388 inherit_handles: 0	success	1
1619716575.728626 CreateProcessInternalW	thread_identifier: 2468 thread_handle: 0x00000258 process_identifier: 176 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8c7645244431c377debc5580f340f5e5.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8c7645244431c377debc5580f340f5e5.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000035c inherit_handles: 0	success	1
1619716575.728626 NtGetContextThread	thread_handle: 0x00000258	success	0
1619716575.728626 NtAllocateVirtualMemory	process_identifier: 176 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000035c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619716575.728626 WriteProcessMemory	process_identifier: 176 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELë-_àXv @ À@ÐuKð H.text$V X `.rsrcðZ@@.reloc ^@B process_handle: 0x0000035c base_address: 0x00400000	success	1
1619716575.728626 WriteProcessMemory	process_identifier: 176 buffer: process_handle: 0x0000035c base_address: 0x00402000	success	1
1619716575.743626 WriteProcessMemory	process_identifier: 176 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameMbWSYZmFCCSwuIlewubPJEhnDy.exe(LegalCopyright hOriginalFilenameMbWSYZmFCCSwuIlewubPJEhnDy.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000035c base_address: 0x00448000	success	1
1619716575.743626 WriteProcessMemory	process_identifier: 176 buffer: p 6 process_handle: 0x0000035c base_address: 0x0044a000	success	1
1619716575.743626 WriteProcessMemory	process_identifier: 176 buffer: @ process_handle: 0x0000035c base_address: 0x7efde008	success	1
1619716575.743626 NtSetContextThread	thread_handle: 0x00000258 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486686 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 176	success	0
1619716576.103626 NtResumeThread	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 176	success	0
1619716576.118626 NtResumeThread	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2228	success	0
1619716576.118626 NtGetContextThread	thread_handle: 0x0000033c	success	0
1619716576.118626 NtGetContextThread	thread_handle: 0x0000033c	success	0
1619716576.118626 NtResumeThread	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2228	success	0
1619716576.415501 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 176	success	0
1619716576.462501 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 176	success	0
1619716589.290501 NtResumeThread	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 176	success	0
1619716589.306501 NtResumeThread	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 176	success	0
1619716591.149501 NtResumeThread	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 176	success	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 个事件)

Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Siggen2.51875
MicroWorld-eScan	Trojan.GenericKD.34166110
FireEye	Generic.mg.8c7645244431c377
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FWY!8C7645244431
Malwarebytes	Trojan.MalPack.ADC
Zillya	Trojan.Kryptik.Win32.2260605
Sangfor	Malware
K7AntiVirus	Trojan ( 0056a8f11 )
Alibaba	TrojanSpy:MSIL/AgentTesla.9936d7a9
K7GW	Trojan ( 0056a8f11 )
Arcabit	Trojan.Generic.D209555E
TrendMicro	TrojanSpy.MSIL.AGENTTESLA.BG
Cyren	W32/MSIL_Kryptik.AQI.gen!Eldorado
Symantec	Trojan.Gen.MBT
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.34166110
NANO-Antivirus	Trojan.Win32.Noon.hodlxl
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Noon.l!c
Rising	Spyware.Noon!8.E7C9 (CLOUD)
Ad-Aware	Trojan.GenericKD.34166110
F-Secure	Heuristic.HEUR/AGEN.1137285
VIPRE	Trojan.Win32.Generic.pak!cobra
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
Avira	HEUR/AGEN.1137285
MAX	malware (ai score=88)
Antiy-AVL	Trojan[Spy]/MSIL.Noon
Microsoft	Trojan:MSIL/AgentTesla.PAZ!MTB
ViRobot	Trojan.Win32.Z.Suspectcrc.777728
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Trojan.GenericKD.34166110
AhnLab-V3	Trojan/Win32.RL_Agent.R275087
ALYac	Trojan.GenericKD.34166110
Cylance	Unsafe
ESET-NOD32	a variant of MSIL/Kryptik.WUW
TrendMicro-HouseCall	TrojanSpy.MSIL.AGENTTESLA.BG
Tencent	Msil.Trojan-spy.Noon.Ecug
Fortinet	Malicious_Behavior.SB
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Generic/Trojan.Spy.beb

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-13 22:33:13

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50537	239.255.255.250	1900
192.168.56.101	53658	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.