SmartHawk

9.2

极危

47 个模型检测该样本为恶意！

重新分析

下载样本

e33cd4567a22274d37c8dd41b7ac5300bc0f5f3ded012e299451d588ee412ca8

90435895cbcb840ff19df865ebc4bbf4.exe

分析耗时

96s

最近分析

文件大小

520.5KB

静态报毒动态报毒 AI SCORE=82 AWHN CLOUD CONFIDENCE CRYPTERX ELDORADO EQGF FAREIT FORMBOOK GENKRYPTIK HIGH CONFIDENCE HQBB KCKRL KRYPTIK MSILPERSEUS NOON OSHWY@0 R06BC0DHE20 RNKBEND SPYBOTNET SUSGEN TSCOPE UMAL UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:MSIL/Formbook.81363320	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Tencent	Msil.Trojan-spy.Noon.Hqbb	20200822	1.0.0.1
Kingsoft		20200822	2013.8.14.323
McAfee	Fareit-FYE!90435895CBCB	20200822	6.0.6.653
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619713463.855626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619713466.245626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619713468.198626 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (6 个事件)

Time & API	Arguments	Status	Return	Repeated
1619713410.745 IsDebuggerPresent		failed	0	0
1619713410.761 IsDebuggerPresent		failed	0	0
1619713461.089 IsDebuggerPresent		failed	0	0
1619713461.573 IsDebuggerPresent		failed	0	0
1619713462.276626 IsDebuggerPresent		failed	0	0
1619713462.276626 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619713410.808 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619713468.105626 __exception__	stacktrace: 0x489f295 0x489e6d0 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3861668 registers.edi: 37471768 registers.eax: 0 registers.ebp: 3861712 registers.edx: 8 registers.ebx: 0 registers.esi: 29558537 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 56 1a 54 9b exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4df2ae7	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619713468.105626
__exception__

stacktrace:

0x489f295
0x489e6d0
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3861668
registers.edi: 37471768
registers.eax: 0
registers.ebp: 3861712
registers.edx: 8
registers.ebx: 0
registers.esi: 29558537
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 56 1a 54 9b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4df2ae7

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 167 个事件)

Time & API	Arguments	Status	Return
1619713410.167 NtAllocateVirtualMemory	process_identifier: 284 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00d10000	success	0
1619713410.167 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ec0000	success	0
1619713410.495 NtAllocateVirtualMemory	process_identifier: 284 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00b40000	success	0
1619713410.495 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00cb0000	success	0
1619713410.62 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619713410.745 NtAllocateVirtualMemory	process_identifier: 284 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02300000	success	0
1619713410.745 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x024f0000	success	0
1619713410.761 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0036a000	success	0
1619713410.776 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619713410.776 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00362000	success	0
1619713411.12 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00372000	success	0
1619713411.23 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00395000	success	0
1619713411.23 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0039b000	success	0
1619713411.23 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00397000	success	0
1619713411.37 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00373000	success	0
1619713411.48 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0037c000	success	0
1619713412.12 NtAllocateVirtualMemory	process_identifier: 284 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00374000	success	0
1619713412.136 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00376000	success	0
1619713412.292 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success	0
1619713412.448 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0038a000	success	0
1619713412.448 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00387000	success	0
1619713412.683 NtAllocateVirtualMemory	process_identifier: 284 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad1000	success	0
1619713412.823 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00386000	success	0
1619713413.261 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00377000	success	0
1619713413.261 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad4000	success	0
1619713413.401 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00378000	success	0
1619713413.495 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00379000	success	0
1619713413.511 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c00000	success	0
1619713454.511 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad5000	success	0
1619713454.558 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00cb1000	success	0
1619713454.683 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad6000	success	0
1619713454.855 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0036c000	success	0
1619713454.87 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad7000	success	0
1619713454.933 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad8000	success	0
1619713454.98 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c01000	success	0
1619713454.995 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad9000	success	0
1619713455.151 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 256512 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x052c0400	failed	3221225550
1619713460.495 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ada000	success	0
1619713460.526 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c02000	success	0
1619713460.526 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00adb000	success	0
1619713460.573 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00adc000	success	0
1619713460.589 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00add000	success	0
1619713460.667 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ade000	success	0
1619713460.714 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00adf000	success	0
1619713460.745 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04e90000	success	0
1619713460.745 NtAllocateVirtualMemory	process_identifier: 284 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04e91000	success	0
1619713460.745 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x052c0178	failed	3221225550
1619713460.761 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x052c01a0	failed	3221225550
1619713460.761 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x052c01c8	failed	3221225550
1619713460.761 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x052c01f0	failed	3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.691927269796783

section

{'size_of_data': '0x00081800', 'virtual_address': '0x00002000', 'entropy': 7.691927269796783, 'name': '.text', 'virtual_size': '0x00081674'}

description

A section with a high entropy has been found

entropy

0.9961538461538462

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619713455.136 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619713461.355 NtAllocateVirtualMemory	process_identifier: 196 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002338 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619713461.355 WriteProcessMemory	process_identifier: 196 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELËU^à`~ @ À@8~Sø H.text^ ` `.rsrcøb@@.reloc f@B process_handle: 0x00002338 base_address: 0x00400000	success	1
1619713461.37 WriteProcessMemory	process_identifier: 196 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d!InternalNametaAzdtnfxIfgpxKRPbRIBCNjQyQW.exe(LegalCopyright l!OriginalFilenametaAzdtnfxIfgpxKRPbRIBCNjQyQW.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00002338 base_address: 0x00448000	success	1
1619713461.37 WriteProcessMemory	process_identifier: 196 buffer: p> process_handle: 0x00002338 base_address: 0x0044a000	success	1
1619713461.37 WriteProcessMemory	process_identifier: 196 buffer: @ process_handle: 0x00002338 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619713461.355 WriteProcessMemory	process_identifier: 196 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELËU^à`~ @ À@8~Sø H.text^ ` `.rsrcøb@@.reloc f@B process_handle: 0x00002338 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 284 called NtSetContextThread to modify thread in remote process 196
1619713461.37 NtSetContextThread	thread_handle: 0x00009024 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4488846 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 196	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 284 resumed a thread in remote process 196
1619713461.792 NtResumeThread	thread_handle: 0x00009024 suspend_count: 1 process_identifier: 196	success	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.160.78:443

Executed a process and injected code into it, probably while unpacking (23 个事件)

Time & API	Arguments	Status	Return
1619713410.761 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 284	success	0
1619713410.776 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 284	success	0
1619713410.808 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 284	success	0
1619713460.933 NtResumeThread	thread_handle: 0x000100e0 suspend_count: 1 process_identifier: 284	success	0
1619713460.964 NtResumeThread	thread_handle: 0x00009b18 suspend_count: 1 process_identifier: 284	success	0
1619713460.995 NtGetContextThread	thread_handle: 0x00009b18	success	0
1619713460.995 NtGetContextThread	thread_handle: 0x00009b18	success	0
1619713460.995 NtResumeThread	thread_handle: 0x00009b18 suspend_count: 1 process_identifier: 284	success	0
1619713461.355 CreateProcessInternalW	thread_identifier: 2956 thread_handle: 0x00009024 process_identifier: 196 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\90435895cbcb840ff19df865ebc4bbf4.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\90435895cbcb840ff19df865ebc4bbf4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00002338 inherit_handles: 0	success	1
1619713461.355 NtGetContextThread	thread_handle: 0x00009024	success	0
1619713461.355 NtAllocateVirtualMemory	process_identifier: 196 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002338 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619713461.355 WriteProcessMemory	process_identifier: 196 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELËU^à`~ @ À@8~Sø H.text^ ` `.rsrcøb@@.reloc f@B process_handle: 0x00002338 base_address: 0x00400000	success	1
1619713461.37 WriteProcessMemory	process_identifier: 196 buffer: process_handle: 0x00002338 base_address: 0x00402000	success	1
1619713461.37 WriteProcessMemory	process_identifier: 196 buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d!InternalNametaAzdtnfxIfgpxKRPbRIBCNjQyQW.exe(LegalCopyright l!OriginalFilenametaAzdtnfxIfgpxKRPbRIBCNjQyQW.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00002338 base_address: 0x00448000	success	1
1619713461.37 WriteProcessMemory	process_identifier: 196 buffer: p> process_handle: 0x00002338 base_address: 0x0044a000	success	1
1619713461.37 WriteProcessMemory	process_identifier: 196 buffer: @ process_handle: 0x00002338 base_address: 0x7efde008	success	1
1619713461.37 NtSetContextThread	thread_handle: 0x00009024 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4488846 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 196	success	0
1619713461.792 NtResumeThread	thread_handle: 0x00009024 suspend_count: 1 process_identifier: 196	success	0
1619713462.276626 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 196	success	0
1619713462.292626 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 196	success	0
1619713462.433626 NtResumeThread	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 196	success	0
1619713465.917626 NtResumeThread	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 196	success	0
1619713466.089626 NtResumeThread	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 196	success	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILPerseus.230090
FireEye	Generic.mg.90435895cbcb840f
CAT-QuickHeal	TrojanSpy.MSIL
ALYac	Gen:Variant.MSILPerseus.230090
Cylance	Unsafe
K7AntiVirus	Trojan ( 0056c6e31 )
Alibaba	TrojanSpy:MSIL/Formbook.81363320
K7GW	Trojan ( 0056c6e31 )
TrendMicro	TROJ_GEN.R06BC0DHE20
Cyren	W32/MSIL_Kryptik.BKI.gen!Eldorado
Symantec	Trojan Horse
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Agent-9378464-0
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Gen:Variant.MSILPerseus.230090
Tencent	Msil.Trojan-spy.Noon.Hqbb
Ad-Aware	Gen:Variant.MSILPerseus.230090
Comodo	TrojWare.Win32.UMal.oshwy@0
F-Secure	Trojan.TR/Kryptik.kckrl
DrWeb	BackDoor.SpyBotNET.17
VIPRE	Trojan.Win32.Generic!BT
MaxSecure	Trojan.Malware.300983.susgen
Sophos	Troj/MSIL-PMO
Jiangmin	TrojanSpy.MSIL.awhn
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.kckrl
Antiy-AVL	Trojan/MSIL.Kryptik
Microsoft	Trojan:MSIL/Formbook.VN!MTB
Arcabit	Trojan.MSILPerseus.D382CA
AegisLab	Trojan.MSIL.Noon.l!c
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Gen:Variant.MSILPerseus.230090
McAfee	Fareit-FYE!90435895CBCB
MAX	malware (ai score=82)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack.PNG.Generic
ESET-NOD32	a variant of MSIL/Kryptik.XIP
TrendMicro-HouseCall	TROJ_GEN.R06BC0DHE20
Rising	Spyware.Noon!8.E7C9 (CLOUD)
Ikarus	Trojan.MSIL.Inject
Fortinet	MSIL/GenKryptik.EQGF!tr
AVG	Win32:CrypterX-gen [Trj]
Panda	Trj/RnkBend.A
CrowdStrike	win/malicious_confidence_60% (W)
Qihoo-360	Generic/Trojan.Spy.beb

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-13 16:19:26

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	63430	239.255.255.250	3702
192.168.56.101	65005	239.255.255.250	3702
192.168.56.101	65007	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.