SmartHawk

8.2

高危

51 个模型检测该样本为恶意！

重新分析

下载样本

b69f6ee64e6f0fd78926dc5f41314ac63de7bd5f60969185dc7e48470ca1d0a9

931fe7c266c67863c46390e9b82a8dba.exe

分析耗时

90s

最近分析

文件大小

686.0KB

静态报毒动态报毒 100% AGENTTESLA AI SCORE=80 ALI1000139 ATTRIBUTE BLADABINDI CONFIDENCE ELDORADO EQMU EQMV GDSDA GENERICKD GENERICRXLS GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HSXBEI KRYPTIK M7QV MALICIOUS PE MALWARE@#13XNMHOFVV690 PACKED2 QM0@AIYXXZB R348117 REMCOS SCORE STARTER TROJANX UNSAFE WWDMO YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXLS-LX!931FE7C266C6	20201023	6.0.6.653
Alibaba	Trojan:Win32/starter.ali1000139	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20201023	18.4.3895.0
Kingsoft		20201023	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619699138.758626 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686134.478148 IsDebuggerPresent		failed	0	0
1619686134.478148 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619699139.352626 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\qIbTNOs"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686134.524148 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 75 个事件)

Time & API	Arguments	Status
1619686133.618148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00480000	success
1619686133.618148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00520000	success
1619686133.993148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00480000	success
1619686133.993148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e0000	success
1619686134.165148 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619686134.478148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00640000	success
1619686134.478148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b0000	success
1619686134.478148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ba000	success
1619686134.478148 NtProtectVirtualMemory	process_identifier: 648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619686134.478148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b2000	success
1619686134.728148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c2000	success
1619686134.899148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00495000	success
1619686134.899148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0049b000	success
1619686134.899148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00497000	success
1619686134.978148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c3000	success
1619686135.056148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c4000	success
1619686135.087148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c5000	success
1619686135.087148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003cc000	success
1619686135.478148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c6000	success
1619686135.493148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c8000	success
1619686135.618148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00670000	success
1619686135.853148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048a000	success
1619686135.853148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00487000	success
1619686136.024148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c9000	success
1619686136.040148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00680000	success
1619686136.165148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00671000	success
1619686136.181148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00486000	success
1619686136.243148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00681000	success
1619686136.290148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00682000	success
1619686136.306148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x7ef40000	success
1619686136.306148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef40000	success
1619686136.306148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef40000	success
1619686136.306148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef48000	success
1619686136.306148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x7ef30000	success
1619686136.306148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef30000	success
1619686136.337148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00672000	success
1619686136.603148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e1000	success
1619686136.681148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00683000	success
1619686136.681148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003cd000	success
1619686136.774148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00684000	success
1619686136.821148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00673000	success
1619686136.853148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00674000	success
1619686136.868148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00685000	success
1619686136.884148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00675000	success
1619686136.884148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003bc000	success
1619686136.884148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b3000	success
1619686136.884148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00676000	success
1619686136.915148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00679000	success
1619686136.931148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00686000	success
1619686136.946148 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0067a000	success

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIbTNOs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2C94.tmp"
cmdline	schtasks.exe /Create /TN "Updates\qIbTNOs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2C94.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686190.384148 ShellExecuteExW	parameters: /Create /TN "Updates\qIbTNOs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2C94.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.925198710531593

section

{'size_of_data': '0x000a5800', 'virtual_address': '0x00002000', 'entropy': 7.925198710531593, 'name': '.text', 'virtual_size': '0x000a5714'}

description

A section with a high entropy has been found

entropy

0.9657184536834428

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686193.321148 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (10 个事件)

Time & API	Arguments	Status
1619686193.868148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2228 process_handle: 0x00000394	failed
1619686193.868148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2228 process_handle: 0x00000394	success
1619686194.462148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2216 process_handle: 0x0000039c	failed
1619686194.462148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2216 process_handle: 0x0000039c	success
1619686194.899148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2364 process_handle: 0x000003a4	failed
1619686194.899148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2364 process_handle: 0x000003a4	success
1619686195.712148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1652 process_handle: 0x000003ac	failed
1619686195.712148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1652 process_handle: 0x000003ac	success
1619686196.196148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1740 process_handle: 0x000003b4	failed
1619686196.196148 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1740 process_handle: 0x000003b4	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIbTNOs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2C94.tmp"
cmdline	schtasks.exe /Create /TN "Updates\qIbTNOs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2C94.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (5 个事件)

Time & API	Arguments	Status	Return
1619686193.290148 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619686194.071148 NtAllocateVirtualMemory	process_identifier: 2216 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000390 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619686194.696148 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000398 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619686195.118148 NtAllocateVirtualMemory	process_identifier: 1652 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619686195.774148 NtAllocateVirtualMemory	process_identifier: 1740 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2C94.tmp

Manipulates memory of a non-child process indicative of process injection (10 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 648 manipulating memory of non-child process 2228
Process injection	Process 648 manipulating memory of non-child process 2216
Process injection	Process 648 manipulating memory of non-child process 2364
Process injection	Process 648 manipulating memory of non-child process 1652
Process injection	Process 648 manipulating memory of non-child process 1740
1619686193.290148 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619686194.071148 NtAllocateVirtualMemory	process_identifier: 2216 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000390 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619686194.696148 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000398 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619686195.118148 NtAllocateVirtualMemory	process_identifier: 1652 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619686195.774148 NtAllocateVirtualMemory	process_identifier: 1740 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Executed a process and injected code into it, probably while unpacking (19 个事件)

Time & API	Arguments	Status	Return
1619686134.478148 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 648	success	0
1619686134.493148 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 648	success	0
1619686134.556148 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 648	success	0
1619686190.368148 CreateProcessInternalW	thread_identifier: 2964 thread_handle: 0x00000344 process_identifier: 2604 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIbTNOs" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2C94.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x0000037c inherit_handles: 0	success	1
1619686193.274148 CreateProcessInternalW	thread_identifier: 1664 thread_handle: 0x00000338 process_identifier: 2228 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000038c inherit_handles: 0	success	1
1619686193.290148 NtGetContextThread	thread_handle: 0x00000338	success	0
1619686193.290148 NtAllocateVirtualMemory	process_identifier: 2228 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619686194.056148 CreateProcessInternalW	thread_identifier: 1812 thread_handle: 0x00000394 process_identifier: 2216 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000390 inherit_handles: 0	success	1
1619686194.071148 NtGetContextThread	thread_handle: 0x00000394	success	0
1619686194.071148 NtAllocateVirtualMemory	process_identifier: 2216 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000390 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619686194.696148 CreateProcessInternalW	thread_identifier: 2948 thread_handle: 0x0000039c process_identifier: 2364 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000398 inherit_handles: 0	success	1
1619686194.696148 NtGetContextThread	thread_handle: 0x0000039c	success	0
1619686194.696148 NtAllocateVirtualMemory	process_identifier: 2364 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000398 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619686195.118148 CreateProcessInternalW	thread_identifier: 2008 thread_handle: 0x000003a4 process_identifier: 1652 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x000003a0 inherit_handles: 0	success	1
1619686195.118148 NtGetContextThread	thread_handle: 0x000003a4	success	0
1619686195.118148 NtAllocateVirtualMemory	process_identifier: 1652 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619686195.759148 CreateProcessInternalW	thread_identifier: 2056 thread_handle: 0x000003ac process_identifier: 1740 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\931fe7c266c67863c46390e9b82a8dba.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x000003a8 inherit_handles: 0	success	1
1619686195.774148 NtGetContextThread	thread_handle: 0x000003ac	success	0
1619686195.774148 NtAllocateVirtualMemory	process_identifier: 1740 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43679577
FireEye	Generic.mg.931fe7c266c67863
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Qihoo-360	Generic/Backdoor.23a
McAfee	GenericRXLS-LX!931FE7C266C6
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c9dd1 )
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Trojan ( 0056caea1 )
Cybereason	malicious.625818
Arcabit	Trojan.Generic.D29A7F59
Cyren	W32/MSIL_Kryptik.BKR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Backdoor.MSIL.Remcos.gen
BitDefender	Trojan.GenericKD.43679577
NANO-Antivirus	Trojan.Win32.Remcos.hsxbei
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.43679577
Emsisoft	Trojan.GenericKD.43679577 (B)
Comodo	Malware@#13xnmhofvv690
F-Secure	Trojan.TR/AD.Bladabindi.wwdmo
DrWeb	Trojan.Packed2.42550
Zillya	Trojan.GenKryptik.Win32.55670
Invincea	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
Webroot	W32.Trojan.Gen
Avira	TR/AD.Bladabindi.wwdmo
Antiy-AVL	Trojan[Backdoor]/MSIL.Remcos
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
AegisLab	Trojan.Win32.Generic.m7QV
ZoneAlarm	HEUR:Backdoor.MSIL.Remcos.gen
GData	Trojan.GenericKD.43679577
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Kryptik.R348117
BitDefenderTheta	Gen:NN.ZemsilF.34570.Qm0@aiYXxZb
ALYac	Trojan.GenericKD.43679577
MAX	malware (ai score=80)
Malwarebytes	Trojan.MalPack.PNG.Generic
ESET-NOD32	a variant of MSIL/GenKryptik.EQMU
SentinelOne	DFI - Malicious PE
Fortinet	MSIL/Kryptik.EQMV!tr
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-17 07:26:14

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.