9.2
极危
57 个模型检测该样本为恶意!
重新分析
更多

ad9b31618184bb980a5e825fcb465913f3002077043fc5e3a761653473a4dce0

972121f63f2c17cc0aaf0a6b533244b2.exe

分析耗时

108s

最近分析

文件大小

757.0KB
静态报毒 动态报毒 A+DBT61VPYI AGEN AGENTTESLA AI SCORE=88 ATTRIBUTE AUTO CLOUD CONFIDENCE ELDORADO EMMD FAREIT GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HMJHDK INJECTORX KILLPROC2 KRYPTIK MALWARE@#21VLYE03QAVIH MSILKRYPT NANOBOT NANOCORE OCCAMY QVM03 SCORE THFAEBO TSCOPE UNSAFE VMW@AABIFPGI WACATAC ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FVK!972121F63F2C 20200805 6.0.6.653
Alibaba Backdoor:MSIL/Occamy.c4bc740d 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:InjectorX-gen [Trj] 20200805 18.4.3895.0
Tencent Win32.Trojan.Inject.Auto 20200805 1.0.0.1
Kingsoft 20200805 2013.8.14.323
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
静态指标
Checks if process is being debugged by a debugger (32 个事件)
Time & API Arguments Status Return Repeated
1619813537.58325
IsDebuggerPresent
failed 0 0
1619813537.58325
IsDebuggerPresent
failed 0 0
1619813541.769875
IsDebuggerPresent
failed 0 0
1619813541.769875
IsDebuggerPresent
failed 0 0
1619813547.16125
IsDebuggerPresent
failed 0 0
1619813547.16125
IsDebuggerPresent
failed 0 0
1619813549.1285
IsDebuggerPresent
failed 0 0
1619813549.1445
IsDebuggerPresent
failed 0 0
1619813552.83275
IsDebuggerPresent
failed 0 0
1619813552.83275
IsDebuggerPresent
failed 0 0
1619813553.707626
IsDebuggerPresent
failed 0 0
1619813553.707626
IsDebuggerPresent
failed 0 0
1619813557.69225
IsDebuggerPresent
failed 0 0
1619813557.69225
IsDebuggerPresent
failed 0 0
1619813559.050875
IsDebuggerPresent
failed 0 0
1619813559.050875
IsDebuggerPresent
failed 0 0
1619813564.238875
IsDebuggerPresent
failed 0 0
1619813564.238875
IsDebuggerPresent
failed 0 0
1619813565.753626
IsDebuggerPresent
failed 0 0
1619813565.753626
IsDebuggerPresent
failed 0 0
1619813572.89525
IsDebuggerPresent
failed 0 0
1619813572.89525
IsDebuggerPresent
failed 0 0
1619813575.378375
IsDebuggerPresent
failed 0 0
1619813575.378375
IsDebuggerPresent
failed 0 0
1619813583.316875
IsDebuggerPresent
failed 0 0
1619813583.332875
IsDebuggerPresent
failed 0 0
1619813584.67625
IsDebuggerPresent
failed 0 0
1619813584.67625
IsDebuggerPresent
failed 0 0
1619813598.723
IsDebuggerPresent
failed 0 0
1619813598.739
IsDebuggerPresent
failed 0 0
1619813604.332626
IsDebuggerPresent
failed 0 0
1619813604.332626
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619813537.66125
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain mogs20.hopto.org
Allocates read-write-execute memory (usually to unpack itself) (50 out of 755 个事件)
Time & API Arguments Status Return Repeated
1619813535.72325
NtAllocateVirtualMemory
process_identifier: 472
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00260000
success 0 0
1619813535.72325
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00260000
success 0 0
1619813537.17625
NtAllocateVirtualMemory
process_identifier: 472
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00530000
success 0 0
1619813537.17625
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00630000
success 0 0
1619813537.33325
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619813537.58325
NtAllocateVirtualMemory
process_identifier: 472
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02310000
success 0 0
1619813537.58325
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02430000
success 0 0
1619813537.59825
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003aa000
success 0 0
1619813537.59825
NtProtectVirtualMemory
process_identifier: 472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619813537.59825
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003a2000
success 0 0
1619813538.06725
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b2000
success 0 0
1619813538.28625
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d5000
success 0 0
1619813538.28625
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003db000
success 0 0
1619813538.28625
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d7000
success 0 0
1619813538.59825
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b3000
success 0 0
1619813538.62925
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b4000
success 0 0
1619813538.67625
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003bc000
success 0 0
1619813538.84825
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00760000
success 0 0
1619813538.89525
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c6000
success 0 0
1619813538.94225
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ca000
success 0 0
1619813538.94225
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c7000
success 0 0
1619813539.11425
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00761000
success 0 0
1619813539.45825
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b5000
success 0 0
1619813539.64525
NtAllocateVirtualMemory
process_identifier: 472
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x009c0000
success 0 0
1619813540.67625
NtAllocateVirtualMemory
process_identifier: 472
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00a10000
success 0 0
1619813541.17625
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00762000
success 0 0
1619813541.20825
NtAllocateVirtualMemory
process_identifier: 472
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b6000
success 0 0
1619813541.722875
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75261000
success 0 0
1619813541.722875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x009c0000
success 0 0
1619813541.722875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a40000
success 0 0
1619813541.738875
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619813541.738875
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x751a1000
success 0 0
1619813541.738875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x009c0000
success 0 0
1619813541.738875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a00000
success 0 0
1619813541.738875
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619813541.769875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02a40000
success 0 0
1619813541.769875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bf0000
success 0 0
1619813541.800875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064a000
success 0 0
1619813541.800875
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619813541.800875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00642000
success 0 0
1619813541.863875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00652000
success 0 0
1619813541.878875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00885000
success 0 0
1619813541.878875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0088b000
success 0 0
1619813541.878875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00887000
success 0 0
1619813541.878875
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x755f1000
success 0 0
1619813541.878875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00653000
success 0 0
1619813541.878875
NtProtectVirtualMemory
process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74511000
success 0 0
1619813542.550875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00654000
success 0 0
1619813542.582875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00656000
success 0 0
1619813542.660875
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0065c000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.594058914366198 section {'size_of_data': '0x000ace00', 'virtual_address': '0x00002000', 'entropy': 7.594058914366198, 'name': '.text', 'virtual_size': '0x000acc94'} description A section with a high entropy has been found
entropy 0.9140779907468606 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (9 个事件)
Time & API Arguments Status Return Repeated
1619813541.30125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619813547.410875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619813548.78625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619813553.33275
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619813558.34825
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619813565.394875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619813574.14525
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619813583.925875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619813603.645
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (14 个事件)
Time & API Arguments Status Return Repeated
1619813548.92625
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000028c
failed 0 0
1619813548.92625
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000028c
success 0 0
1619813553.51975
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000284
failed 0 0
1619813553.51975
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000284
success 0 0
1619813558.67625
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000028c
failed 0 0
1619813558.67625
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000028c
success 0 0
1619813565.816875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000028c
failed 0 0
1619813565.816875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000028c
success 0 0
1619813574.53625
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000028c
failed 0 0
1619813574.53625
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000028c
success 0 0
1619813584.519875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000294
failed 0 0
1619813584.519875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000294
success 0 0
1619813603.958
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000029c
failed 0 0
1619813603.958
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000029c
success 0 0
网络通信
One or more of the buffers contains an embedded PE file (9 个事件)
buffer Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
buffer Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 185.244.30.251
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619813547.847875
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description RegAsm.exe tried to sleep 5456576 seconds, actually delayed analysis time by 5456576 seconds
Manipulates memory of a non-child process indicative of process injection (6 个事件)
Process injection Process 3824 manipulating memory of non-child process 3964
Process injection Process 3824 manipulating memory of non-child process 4000
Time & API Arguments Status Return Repeated
1619813601.208
NtAllocateVirtualMemory
process_identifier: 3964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x0000023c
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619813601.223
NtAllocateVirtualMemory
process_identifier: 3964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x0000023c
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619813601.504
NtAllocateVirtualMemory
process_identifier: 4000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000250
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619813601.52
NtAllocateVirtualMemory
process_identifier: 4000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000250
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
FireEye Generic.mg.972121f63f2c17cc
CAT-QuickHeal Trojan.Multi
McAfee Fareit-FVK!972121F63F2C
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2063151
Sangfor Malware
K7AntiVirus Trojan ( 0056081c1 )
Alibaba Backdoor:MSIL/Occamy.c4bc740d
K7GW Trojan ( 0056081c1 )
Cybereason malicious.558938
TrendMicro Trojan.MSIL.WACATAC.THFAEBO
F-Prot W32/MSIL_Kryptik.XL.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
GData Trojan.GenericKD.34022555
Kaspersky HEUR:Backdoor.MSIL.NanoBot.gen
BitDefender Trojan.GenericKD.34022555
NANO-Antivirus Trojan.Win32.NanoBot.hmjhdk
MicroWorld-eScan Trojan.GenericKD.34022555
Avast Win32:InjectorX-gen [Trj]
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKD.34022555
Sophos Mal/Generic-S
Comodo Malware@#21vlye03qavih
F-Secure Heuristic.HEUR/AGEN.1135788
DrWeb Trojan.KillProc2.10962
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
Emsisoft Trojan.GenericKD.34022555 (B)
Ikarus Trojan.MSIL.Inject
Cyren W32/MSIL_Kryptik.XL.gen!Eldorado
Jiangmin Backdoor.MSIL.deec
Avira HEUR/AGEN.1135788
Antiy-AVL Trojan[Backdoor]/MSIL.NanoBot
Arcabit Trojan.Generic.D207249B
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Backdoor.MSIL.NanoBot.gen
Microsoft Trojan:MSIL/AgentTesla.BB!MTB
AhnLab-V3 Trojan/Win32.MSILKrypt.C4119446
BitDefenderTheta Gen:NN.ZemsilF.34152.VmW@aabIfPgi
ALYac Backdoor.RAT.MSIL.NanoCore
MAX malware (ai score=88)
VBA32 TScope.Trojan.MSIL
Malwarebytes Backdoor.NanoCore
ESET-NOD32 a variant of MSIL/Kryptik.WOX
TrendMicro-HouseCall Trojan.MSIL.WACATAC.THFAEBO
Rising Backdoor.Nanocore!8.F894 (CLOUD)
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 个事件)
dead_host 192.168.56.101:49193
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49211
dead_host 185.244.30.251:1085
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49214
dead_host 192.168.56.101:49195
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-06-15 05:08:10

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 51378 8.8.8.8 53
192.168.56.101 51808 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.