SmartHawk

11.4

0-day

48 个模型检测该样本为恶意！

重新分析

下载样本

e5551096094a8deafd3651d9e801c06817942aef7613db318e0d20a88f5d11a5

96e54003e538b6b51f7d334de67480c1.exe

分析耗时

82s

最近分析

文件大小

426.0KB

静态报毒动态报毒 AGENSLA AGENTTESLA AI SCORE=83 AM0@AAFBGDF ATTRIBUTE AUTO CLOUD CONFIDENCE ELDORADO EMOC FAREIT GDSDA GENERICKD GENERICKDZ GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE INJECT3 INJECTORX KRYPTIK LOKIBOT MODERATE OFGCC R340714 SCORE SONBOKLI SUSGEN TROJANPSW TROJANPWS VSNW11F20 ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FUV!96E54003E538	20200701	6.0.6.653
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0
Alibaba	TrojanPSW:MSIL/AgentTesla.1fae8752	20190527	0.3.0.5
Avast	Win32:InjectorX-gen [Trj]	20200703	18.4.3895.0
Baidu		20190318	1.0.0.2
Kingsoft		20200701	2013.8.14.323
Tencent	Win32.Trojan.Inject.Auto	20200701	1.0.0.1

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619798555.869875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619798574.1515 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619798577.3075 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619798579.9475 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619798581.3855 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798517.244502 IsDebuggerPresent		failed	0	0
1619798517.260502 IsDebuggerPresent		failed	0	0
1619798559.6665 IsDebuggerPresent		failed	0	0
1619798559.6665 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798556.588875 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\JcdWIm"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798517.322502 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798579.3855 __exception__	stacktrace: 0xdcf06e 0xdcdfe7 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1437556 registers.edi: 42255284 registers.eax: 0 registers.ebp: 1437600 registers.edx: 8 registers.ebx: 0 registers.esi: 1128320030 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 17 48 06 15 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x26a2aca	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619798579.3855
__exception__

stacktrace:

0xdcf06e
0xdcdfe7
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1437556
registers.edi: 42255284
registers.eax: 0
registers.ebp: 1437600
registers.edx: 8
registers.ebx: 0
registers.esi: 1128320030
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 17 48 06 15
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x26a2aca

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 133 个事件)

Time & API	Arguments	Status
1619798516.807502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00550000	success
1619798516.807502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a0000	success
1619798517.072502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00a90000	success
1619798517.072502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c20000	success
1619798517.088502 NtProtectVirtualMemory	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619798517.244502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00940000	success
1619798517.244502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a20000	success
1619798517.260502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success
1619798517.276502 NtProtectVirtualMemory	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619798517.276502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00582000	success
1619798517.697502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00592000	success
1619798517.885502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00915000	success
1619798517.885502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0091b000	success
1619798517.885502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00917000	success
1619798518.197502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00593000	success
1619798518.307502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059c000	success
1619798518.526502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00594000	success
1619798518.588502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a70000	success
1619798518.838502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00595000	success
1619798519.494502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00596000	success
1619798519.635502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00906000	success
1619798519.760502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0090a000	success
1619798519.760502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00907000	success
1619798519.822502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00597000	success
1619798519.854502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a71000	success
1619798519.963502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00598000	success
1619798520.041502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a72000	success
1619798520.135502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a75000	success
1619798520.760502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00599000	success
1619798553.854502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a76000	success
1619798553.901502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a77000	success
1619798553.916502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a78000	success
1619798553.916502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01080000	success
1619798553.932502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a79000	success
1619798554.197502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a7d000	success
1619798554.369502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01081000	success
1619798554.369502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a7e000	success
1619798554.369502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a21000	success
1619798554.385502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a22000	success
1619798554.385502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a23000	success
1619798554.385502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a24000	success
1619798554.385502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a25000	success
1619798554.385502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a26000	success
1619798554.385502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a27000	success
1619798554.385502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a2b000	success
1619798554.401502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059d000	success
1619798554.416502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a3c000	success
1619798554.416502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a3d000	success
1619798554.416502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a3e000	success
1619798554.416502 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a7f000	success

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\JcdWIm" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEF7B.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JcdWIm" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEF7B.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798555.541502 ShellExecuteExW	parameters: /Create /TN "Updates\JcdWIm" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEF7B.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.857758418584113

section

{'size_of_data': '0x00069e00', 'virtual_address': '0x00002000', 'entropy': 7.857758418584113, 'name': '.text', 'virtual_size': '0x00069c08'}

description

A section with a high entropy has been found

entropy

0.9952996474735605

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798572.4795 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798573.5575 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3068 process_handle: 0x00000234	failed	0	0
1619798573.5575 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3068 process_handle: 0x00000234	failed	3221225738	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\JcdWIm" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEF7B.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JcdWIm" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEF7B.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798558.791502 NtAllocateVirtualMemory	process_identifier: 952 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000035c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEF7B.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619798558.791502 WriteProcessMemory	process_identifier: 952 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELpB×^àZ^x @ À@xW8 H.textdX Z `.rsrc8\@@.reloc b@B process_handle: 0x0000035c base_address: 0x00400000	success	1
1619798558.822502 WriteProcessMemory	process_identifier: 952 buffer: P8h ¬Lê¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoè000004b0,FileDescription 0FileVersion0.0.0.0l&InternalNamehSueoezsGxlkCgbaupgCUhWKyPBtDNbOv.exe(LegalCopyright t&OriginalFilenamehSueoezsGxlkCgbaupgCUhWKyPBtDNbOv.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x0000035c base_address: 0x00448000	success	1
1619798558.822502 WriteProcessMemory	process_identifier: 952 buffer: p`8 process_handle: 0x0000035c base_address: 0x0044a000	success	1
1619798558.822502 WriteProcessMemory	process_identifier: 952 buffer: @ process_handle: 0x0000035c base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619798558.791502 WriteProcessMemory	process_identifier: 952 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELpB×^àZ^x @ À@xW8 H.textdX Z `.rsrc8\@@.reloc b@B process_handle: 0x0000035c base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3068 called NtSetContextThread to modify thread in remote process 952
1619798558.822502 NtSetContextThread	thread_handle: 0x00000254 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4487262 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 952	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3068 resumed a thread in remote process 952
1619798559.276502 NtResumeThread	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 952	success	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (21 个事件)

Time & API	Arguments	Status	Return
1619798517.260502 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 3068	success	0
1619798517.291502 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 3068	success	0
1619798517.354502 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 3068	success	0
1619798554.916502 NtResumeThread	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 3068	success	0
1619798555.541502 CreateProcessInternalW	thread_identifier: 2604 thread_handle: 0x00000344 process_identifier: 2960 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JcdWIm" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpEF7B.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000388 inherit_handles: 0	success	1
1619798558.791502 CreateProcessInternalW	thread_identifier: 2516 thread_handle: 0x00000254 process_identifier: 952 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\96e54003e538b6b51f7d334de67480c1.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\96e54003e538b6b51f7d334de67480c1.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000035c inherit_handles: 0	success	1
1619798558.791502 NtGetContextThread	thread_handle: 0x00000254	success	0
1619798558.791502 NtAllocateVirtualMemory	process_identifier: 952 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000035c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619798558.791502 WriteProcessMemory	process_identifier: 952 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELpB×^àZ^x @ À@xW8 H.textdX Z `.rsrc8\@@.reloc b@B process_handle: 0x0000035c base_address: 0x00400000	success	1
1619798558.807502 WriteProcessMemory	process_identifier: 952 buffer: process_handle: 0x0000035c base_address: 0x00402000	success	1
1619798558.822502 WriteProcessMemory	process_identifier: 952 buffer: P8h ¬Lê¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoè000004b0,FileDescription 0FileVersion0.0.0.0l&InternalNamehSueoezsGxlkCgbaupgCUhWKyPBtDNbOv.exe(LegalCopyright t&OriginalFilenamehSueoezsGxlkCgbaupgCUhWKyPBtDNbOv.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x0000035c base_address: 0x00448000	success	1
1619798558.822502 WriteProcessMemory	process_identifier: 952 buffer: p`8 process_handle: 0x0000035c base_address: 0x0044a000	success	1
1619798558.822502 WriteProcessMemory	process_identifier: 952 buffer: @ process_handle: 0x0000035c base_address: 0x7efde008	success	1
1619798558.822502 NtSetContextThread	thread_handle: 0x00000254 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4487262 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 952	success	0
1619798559.276502 NtResumeThread	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 952	success	0
1619798559.6665 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 952	success	0
1619798559.6825 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 952	success	0
1619798559.9635 NtResumeThread	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 952	success	0
1619798576.6975 NtResumeThread	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 952	success	0
1619798576.9165 NtResumeThread	thread_handle: 0x00000310 suspend_count: 1 process_identifier: 952	success	0
1619798579.8695 NtResumeThread	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 952	success	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)

DrWeb	Trojan.Inject3.42847
MicroWorld-eScan	Trojan.GenericKD.34031132
CAT-QuickHeal	Trojanpws.Msil
McAfee	Fareit-FUV!96E54003E538
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Trojan.GenericKD.34031132
K7GW	Trojan ( 00568d4f1 )
K7AntiVirus	Trojan ( 00568d4f1 )
Invincea	heuristic
BitDefenderTheta	Gen:NN.ZemsilF.34130.Am0@aafbGDf
Symantec	ML.Attribute.HighConfidence
TrendMicro-HouseCall	TROJ_FRS.VSNW11F20
Paloalto	generic.ml
ClamAV	Win.Packed.Generickdz-8116957-0
GData	Trojan.GenericKD.34031132
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Alibaba	TrojanPSW:MSIL/AgentTesla.1fae8752
ViRobot	Trojan.Win32.Z.Agent.436224.LU
Avast	Win32:InjectorX-gen [Trj]
Rising	Trojan.Sonbokli!8.10198 (CLOUD)
Ad-Aware	Trojan.GenericKD.34031132
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Kryptik.ofgcc
TrendMicro	TROJ_FRS.VSNW11F20
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.96e54003e538b6b5
Emsisoft	Trojan.GenericKD.34031132 (B)
Ikarus	Trojan-Spy.LokiBot
Cyren	W32/MSIL_Agent.BKG.gen!Eldorado
MaxSecure	Trojan.Malware.300983.susgen
Avira	TR/Kryptik.ofgcc
Endgame	malicious (high confidence)
Arcabit	Trojan.Generic.D207461C
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
AhnLab-V3	Trojan/Win32.Sonbokli.R340714
ALYac	Trojan.GenericKD.34031132
MAX	malware (ai score=83)
Malwarebytes	Trojan.MalPack.DFD.Generic
APEX	Malicious
ESET-NOD32	a variant of MSIL/Kryptik.WIR
Tencent	Win32.Trojan.Inject.Auto
Fortinet	MSIL/GenKryptik.EMOC!tr
AVG	Win32:InjectorX-gen [Trj]
Cybereason	malicious.b4f2ad
Panda	Trj/GdSda.A
Qihoo-360	Generic/Trojan.PSW.374

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-16 08:11:12

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51966	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62319	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.