17.8
0-day
49 个模型检测该样本为恶意!
重新分析
更多

a4f25a24fbcffae3e89a9dae33ff5745f94891af95f78c4900fc166d46f7b44f

8d5dea2ef665ad1ebdd2d7d2a9be0eec.exe

分析耗时

76s

最近分析

文件大小

293.5KB
静态报毒 动态报毒 100% AGEN AGENSLA AI SCORE=87 ATTRIBUTE BLUTEAL BTOJ9Y CLOUD CONFIDENCE DNETINJ ECKR ELDORADO GDSDA GENERICKD GENERICRXKT GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE IGENT KRYPTIK MALICIOUS PE QQPASS QQROB R049C0WES20 R338376 SCORE SIGGEN9 SM0@AI2CTF TROJANPSW UNSAFE ZDGOK ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXKT-ON!8D5DEA2EF665 20200611 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba TrojanPSW:MSIL/Kryptik.39f9c085 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20200611 2013.8.14.323
Tencent Msil.Trojan-qqpass.Qqrob.Eckr 20200611 1.0.0.1
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619686173.226465
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619715086.987626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619686137.851465
IsDebuggerPresent
failed 0 0
1619715085.174626
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619715086.658626
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain dave2h.ddns.net
Allocates read-write-execute memory (usually to unpack itself) (50 out of 137 个事件)
Time & API Arguments Status Return Repeated
1619686136.883465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00670000
success 0 0
1619686136.883465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00770000
success 0 0
1619686137.664465
NtProtectVirtualMemory
process_identifier: 368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619686137.867465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058a000
success 0 0
1619686137.867465
NtProtectVirtualMemory
process_identifier: 368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619686137.867465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00582000
success 0 0
1619686138.164465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00592000
success 0 0
1619686138.226465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00593000
success 0 0
1619686138.242465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005cb000
success 0 0
1619686138.242465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c7000
success 0 0
1619686138.258465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059c000
success 0 0
1619686138.633465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00594000
success 0 0
1619686138.633465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00595000
success 0 0
1619686138.664465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00596000
success 0 0
1619686138.680465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00af0000
success 0 0
1619686171.789465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ba000
success 0 0
1619686171.930465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005aa000
success 0 0
1619686171.930465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a7000
success 0 0
1619686171.930465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058b000
success 0 0
1619686172.023465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a6000
success 0 0
1619686172.148465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b2000
success 0 0
1619686172.211465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c5000
success 0 0
1619686172.414465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e60000
success 0 0
1619686172.414465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00771000
success 0 0
1619686172.492465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00af1000
success 0 0
1619686172.523465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00597000
success 0 0
1619686172.555465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04e20000
success 0 0
1619686172.555465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fc0000
success 0 0
1619686172.555465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fc1000
success 0 0
1619686172.586465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fc2000
success 0 0
1619686172.601465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fc3000
success 0 0
1619686172.601465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fc4000
success 0 0
1619686172.601465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fc5000
success 0 0
1619686172.633465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00598000
success 0 0
1619686172.648465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00af2000
success 0 0
1619686172.648465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fc8000
success 0 0
1619686172.648465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fcc000
success 0 0
1619686172.648465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fdd000
success 0 0
1619686172.648465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fde000
success 0 0
1619686172.664465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fdf000
success 0 0
1619686172.664465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00af3000
success 0 0
1619686172.883465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00af4000
success 0 0
1619686172.898465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059a000
success 0 0
1619686173.008465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059b000
success 0 0
1619686173.008465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f90000
success 0 0
1619686173.008465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f91000
success 0 0
1619686173.023465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00583000
success 0 0
1619686173.023465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef30000
success 0 0
1619686173.023465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
1619686173.023465
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Executes one or more WMI queries (1 个事件)
wmi SELECT * FROM Win32_VideoController
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.953782884156319 section {'size_of_data': '0x00048c00', 'virtual_address': '0x00002000', 'entropy': 7.953782884156319, 'name': '.text', 'virtual_size': '0x00048a88'} description A section with a high entropy has been found
entropy 0.9931740614334471 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619686174.039465
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619715086.580626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
One or more of the buffers contains an embedded PE file (2 个事件)
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 185.244.30.75
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619686173.726465
NtAllocateVirtualMemory
process_identifier: 2604
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000310
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619715087.096626
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description 8d5dea2ef665ad1ebdd2d7d2a9be0eec.exe tried to sleep 5456442 seconds, actually delayed analysis time by 5456442 seconds
Checks the version of Bios, possibly for anti-virtualization (2 个事件)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Detects virtualization software with SCSI Disk Identifier trick(s) (1 个事件)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service reg_value C:\Program Files (x86)\DSL Service\dslsvc.exe
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1619686173.726465
WriteProcessMemory
process_identifier: 2604
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x00000310
base_address: 0x00400000
success 1 0
1619686173.742465
WriteProcessMemory
process_identifier: 2604
buffer: à ”7
process_handle: 0x00000310
base_address: 0x00420000
success 1 0
1619686173.742465
WriteProcessMemory
process_identifier: 2604
buffer: @
process_handle: 0x00000310
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619686173.726465
WriteProcessMemory
process_identifier: 2604
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x00000310
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 368 called NtSetContextThread to modify thread in remote process 2604
Time & API Arguments Status Return Repeated
1619686173.742465
NtSetContextThread
thread_handle: 0x0000030c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2604
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8d5dea2ef665ad1ebdd2d7d2a9be0eec.exe:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 368 resumed a thread in remote process 2604
Time & API Arguments Status Return Repeated
1619686174.008465
NtResumeThread
thread_handle: 0x0000030c
suspend_count: 1
process_identifier: 2604
success 0 0
Detects VirtualBox through the presence of a registry key (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
Detects VMWare through the presence of a registry key (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Detects the presence of Wine emulator (1 个事件)
Time & API Arguments Status Return Repeated
1619686172.898465
LdrGetProcedureAddress
ordinal: 0
module: KERNEL32
module_address: 0x76340000
function_address: 0x0019e0c8
function_name: wine_get_unix_file_name
failed 3221225785 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (26 个事件)
Time & API Arguments Status Return Repeated
1619686137.851465
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 368
success 0 0
1619686137.961465
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 368
success 0 0
1619686171.976465
NtResumeThread
thread_handle: 0x000001cc
suspend_count: 1
process_identifier: 368
success 0 0
1619686173.726465
CreateProcessInternalW
thread_identifier: 2964
thread_handle: 0x0000030c
process_identifier: 2604
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8d5dea2ef665ad1ebdd2d7d2a9be0eec.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8d5dea2ef665ad1ebdd2d7d2a9be0eec.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000310
inherit_handles: 0
success 1 0
1619686173.726465
NtGetContextThread
thread_handle: 0x0000030c
success 0 0
1619686173.726465
NtAllocateVirtualMemory
process_identifier: 2604
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000310
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619686173.726465
WriteProcessMemory
process_identifier: 2604
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x00000310
base_address: 0x00400000
success 1 0
1619686173.726465
WriteProcessMemory
process_identifier: 2604
buffer:
process_handle: 0x00000310
base_address: 0x00402000
success 1 0
1619686173.742465
WriteProcessMemory
process_identifier: 2604
buffer: à ”7
process_handle: 0x00000310
base_address: 0x00420000
success 1 0
1619686173.742465
WriteProcessMemory
process_identifier: 2604
buffer:
process_handle: 0x00000310
base_address: 0x00422000
success 1 0
1619686173.742465
WriteProcessMemory
process_identifier: 2604
buffer: @
process_handle: 0x00000310
base_address: 0x7efde008
success 1 0
1619686173.742465
NtSetContextThread
thread_handle: 0x0000030c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2604
success 0 0
1619686174.008465
NtResumeThread
thread_handle: 0x0000030c
suspend_count: 1
process_identifier: 2604
success 0 0
1619686174.008465
NtResumeThread
thread_handle: 0x0000032c
suspend_count: 1
process_identifier: 368
success 0 0
1619686174.039465
NtGetContextThread
thread_handle: 0x0000032c
success 0 0
1619686174.039465
NtGetContextThread
thread_handle: 0x0000032c
success 0 0
1619686174.039465
NtResumeThread
thread_handle: 0x0000032c
suspend_count: 1
process_identifier: 368
success 0 0
1619715085.174626
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2604
success 0 0
1619715085.205626
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2604
success 0 0
1619715086.440626
NtResumeThread
thread_handle: 0x00000238
suspend_count: 1
process_identifier: 2604
success 0 0
1619715086.502626
NtResumeThread
thread_handle: 0x00000268
suspend_count: 1
process_identifier: 2604
success 0 0
1619715086.580626
NtResumeThread
thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 2604
success 0 0
1619715087.393626
NtResumeThread
thread_handle: 0x0000033c
suspend_count: 1
process_identifier: 2604
success 0 0
1619715087.408626
NtResumeThread
thread_handle: 0x00000350
suspend_count: 1
process_identifier: 2604
success 0 0
1619715087.596626
NtResumeThread
thread_handle: 0x00000368
suspend_count: 1
process_identifier: 2604
success 0 0
1619715108.190626
NtResumeThread
thread_handle: 0x00000390
suspend_count: 1
process_identifier: 2604
success 0 0
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)
MicroWorld-eScan Trojan.GenericKD.33961257
FireEye Generic.mg.8d5dea2ef665ad1e
CAT-QuickHeal Trojan.Multi
McAfee GenericRXKT-ON!8D5DEA2EF665
Malwarebytes Spyware.Agent
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:MSIL/Kryptik.39f9c085
K7GW Trojan ( 005678d21 )
K7AntiVirus Trojan ( 005678d21 )
Arcabit Trojan.Generic.D2063529
Invincea heuristic
Cyren W32/A-17b8a5e1!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33961257
AegisLab Trojan.Multi.Generic.4!c
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Ad-Aware Trojan.GenericKD.33961257
Emsisoft Trojan.GenericKD.33961257 (B)
F-Secure Trojan.TR/Kryptik.zdgok
DrWeb Trojan.Siggen9.50299
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R049C0WES20
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Sophos Troj/DNetInj-SG
SentinelOne DFI - Malicious PE
Webroot W32.Trojan.Gen
Avira TR/Kryptik.zdgok
Endgame malicious (high confidence)
Microsoft Trojan:Win32/Bluteal!rfn
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33961257
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Kryptik.R338376
BitDefenderTheta Gen:NN.ZemsilF.34128.sm0@ai2CTF
MAX malware (ai score=87)
ESET-NOD32 a variant of MSIL/Kryptik.WBZ
TrendMicro-HouseCall TROJ_GEN.R049C0WES20
Tencent Msil.Trojan-qqpass.Qqrob.Eckr
Yandex Trojan.Igent.bTOj9Y.6
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/Agen.4908!tr
Cybereason malicious.475413
Panda Trj/GdSda.A
Qihoo-360 Generic/Trojan.PSW.374
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-28 07:13:08

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 51808 8.8.8.8 53
192.168.56.101 53657 8.8.8.8 53
192.168.56.101 58367 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.