6.0
High risk

070cd31f685e0809b19433735d15f8265662b44391b41807de19c8e96400bb87

8c7d068e16d932a9f0e5c983419b9f75.exe

Analysis duration

132s

Last analysis

File size

150.5KB
Flagged by static analysis; flagged by dynamic analysis. Tags: 100% AI SCORE=89 BSCOPE CLOUD CONFIDENCE DISKWRITER GDSDA GENCIRC HGAFVN HIGH CONFIDENCE KILLMBR MALWARE@#21OJPUSC4UG6A MBRINFECTOR MODERATE OCCAMY QWGW R02FC0PCU20 SCORE SIGGEN9 SUSGEN UNSAFE VNQAY WACATAC
鹰眼引擎 (Hawkeye engine)
Not detected: no Hawkeye engine result is available for this sample
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee RDN/Generic.grp 20200414 6.0.6.653
Alibaba Trojan:Win32/DiskWriter.86c644f8 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20200413 18.4.3895.0
Kingsoft 20200414 2013.8.14.323
Tencent Malware.Win32.Gencirc.10b99aaf 20200414 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Behavioral verdict
Dynamic indicators
Creates a suspicious process (1 event)
cmdline schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8c7d068e16d932a9f0e5c983419b9f75.exe"
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619686134.863755
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8c7d068e16d932a9f0e5c983419b9f75.exe"
Network communications
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wininit reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8c7d068e16d932a9f0e5c983419b9f75.exe
cmdline schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8c7d068e16d932a9f0e5c983419b9f75.exe"
Expresses interest in specific running processes (1 event)
process: potential process injection target csrss.exe
Uses Sysinternals tools in order to add additional command line functionality (1 event)
cmdline schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8c7d068e16d932a9f0e5c983419b9f75.exe"
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 192.168.56.101:49191
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 of 56 events shown)
MicroWorld-eScan Gen:Heur.Ransom.RTH.1
CAT-QuickHeal Trojan.DiskWriter
McAfee RDN/Generic.grp
Zillya Trojan.DiskWriter.Win32.807
Sangfor Malware
K7AntiVirus Trojan ( 0055f5981 )
Alibaba Trojan:Win32/DiskWriter.86c644f8
K7GW Trojan ( 0055f5981 )
Cybereason malicious.e16d93
Arcabit Trojan.Ransom.RTH.1
Invincea heuristic
Symantec Trojan Horse
ESET-NOD32 a variant of Win32/KillMBR.NDS
APEX Malicious
GData Win32.Malware.MBRInfector.A
Kaspersky Trojan.Win32.DiskWriter.ebe
BitDefender Gen:Heur.Ransom.RTH.1
NANO-Antivirus Trojan.Win32.KillMBR.hgafvn
ViRobot Trojan.Win32.S.KillMBR.154112
Avast Win32:Trojan-gen
Rising Trojan.KillMBR!8.F58 (CLOUD)
Ad-Aware Gen:Heur.Ransom.RTH.1
Sophos Troj/KillMBR-S
Comodo Malware@#21ojpusc4ug6a
F-Secure Trojan.TR/KillMBR.vnqay
DrWeb Trojan.Siggen9.27655
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R02FC0PCU20
McAfee-GW-Edition RDN/Generic.grp
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.8c7d068e16d932a9
Emsisoft Gen:Heur.Ransom.RTH.1 (B)
Cyren W32/Trojan.QWGW-0615
Webroot W32.Trojan.Gen
Avira TR/KillMBR.vnqay
eGambit Unsafe.AI_Score_97%
Antiy-AVL Trojan/Win32.Wacatac
Microsoft Trojan:Win32/Occamy.C
Endgame malicious (high confidence)
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm Trojan.Win32.DiskWriter.ebe
Acronis suspicious
VBA32 BScope.Trojan.DiskWriter
ALYac Trojan.Diskwriter.gen
MAX malware (ai score=89)
Cylance Unsafe
TrendMicro-HouseCall TROJ_GEN.R02FC0PCU20
Tencent Malware.Win32.Gencirc.10b99aaf
Ikarus Trojan.Win32.KillMBR
MaxSecure Trojan.Malware.1728101.susgen
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x434128 VirtualFree
0x43412c VirtualAlloc
0x434130 LocalFree
0x434134 LocalAlloc
0x434138 GetVersion
0x43413c GetCurrentThreadId
0x434148 VirtualQuery
0x43414c WideCharToMultiByte
0x434150 MultiByteToWideChar
0x434154 lstrlenA
0x434158 lstrcpynA
0x43415c LoadLibraryExA
0x434160 GetThreadLocale
0x434164 GetStartupInfoA
0x434168 GetProcAddress
0x43416c GetModuleHandleA
0x434170 GetModuleFileNameA
0x434174 GetLocaleInfoA
0x434178 GetCommandLineA
0x43417c FreeLibrary
0x434180 FindFirstFileA
0x434184 FindClose
0x434188 ExitProcess
0x43418c WriteFile
0x434194 RtlUnwind
0x434198 RaiseException
0x43419c GetStdHandle
Library user32.dll:
0x4341a4 GetKeyboardType
0x4341a8 LoadStringA
0x4341ac MessageBoxA
0x4341b0 CharNextA
Library advapi32.dll:
0x4341b8 RegQueryValueExA
0x4341bc RegOpenKeyExA
0x4341c0 RegCloseKey
Library oleaut32.dll:
0x4341c8 SysFreeString
0x4341cc SysReAllocStringLen
0x4341d0 SysAllocStringLen
Library kernel32.dll:
0x4341d8 TlsSetValue
0x4341dc TlsGetValue
0x4341e0 LocalAlloc
0x4341e4 GetModuleHandleA
Library advapi32.dll:
0x4341ec RegSetValueExA
0x4341f0 RegOpenKeyExA
0x4341f4 RegFlushKey
0x4341f8 RegDeleteValueA
0x4341fc RegCreateKeyExA
0x434200 RegCloseKey
0x434204 OpenProcessToken
0x43420c FreeSid
Library kernel32.dll:
0x43421c WriteFile
0x434220 WinExec
0x434224 WaitForSingleObject
0x434228 VirtualQuery
0x43422c TerminateProcess
0x434230 SetFilePointer
0x434234 SetEvent
0x434238 SetEndOfFile
0x43423c ResetEvent
0x434240 ReadFile
0x434244 OpenProcess
0x434250 GetVersionExA
0x434254 GetThreadLocale
0x434258 GetStringTypeExA
0x43425c GetStdHandle
0x434260 GetProcAddress
0x434264 GetModuleHandleA
0x434268 GetModuleFileNameA
0x43426c GetLocaleInfoA
0x434270 GetLocalTime
0x434274 GetLastError
0x434278 GetFullPathNameA
0x43427c GetDiskFreeSpaceA
0x434280 GetDateFormatA
0x434284 GetCurrentThreadId
0x434288 GetCurrentProcess
0x43428c GetCPInfo
0x434290 GetACP
0x434294 FormatMessageA
0x434298 FindFirstFileA
0x43429c FindClose
0x4342a8 EnumCalendarInfoA
0x4342b0 DeviceIoControl
0x4342b4 DeleteFileA
0x4342bc CreateFileA
0x4342c0 CreateEventA
0x4342c4 CompareStringA
0x4342c8 CloseHandle
Library user32.dll:
0x4342d0 PostMessageA
0x4342d4 MessageBoxA
0x4342d8 LoadStringA
0x4342dc GetSystemMetrics
0x4342e0 FindWindowA
0x4342e4 ExitWindowsEx
0x4342e8 CharNextA
0x4342ec CharToOemA
Library kernel32.dll:
0x4342f4 Sleep
Library shell32.dll:
0x4342fc ShellExecuteExA
Library oleaut32.dll:
0x434304 SafeArrayPtrOfIndex
0x434308 SafeArrayGetUBound
0x43430c SafeArrayGetLBound
0x434310 SafeArrayCreate
0x434314 VariantChangeType
0x434318 VariantCopy
0x43431c VariantClear
0x434320 VariantInit
Library advapi32.dll:
Library ntdll.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.