12.4
0-day
52 个模型检测该样本为恶意!
重新分析
更多

1a4c089443f4481e78eed6c8a58764ddc13ee9a5ce93a5f00875d525219b1d88

9773d366820d76e6702c6e94492caaa6.exe

分析耗时

91s

最近分析

文件大小

608.6KB
静态报毒 动态报毒 100% 2DKGTZ5M7UK AI SCORE=100 ATTRIBUTE AVPD BASIC CONFIDENCE DOWNLOADER34 DQLQ FALSESIGN FCTG GDSDA HIGH CONFIDENCE HIGHCONFIDENCE HTVN HWAVMQ IOBIT KCLOUD KRYPTIK MALWARE@#3MWIB712PH51P MM1@A4KEATCI NANOBOT NANOCORE NOANCOOE R03BC0DI920 SCORE SUSGEN TSCOPE UNSAFE UXIVI WACATAC ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee PWS-FCTG!9773D366820D 20201228 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba Backdoor:MSIL/Noancooe.aa7bb4fb 20190527 0.3.0.5
Avast Win32:Malware-gen 20201228 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft Win32.Hack.Undef.(kcloud) 20201228 2017.9.26.565
Tencent Win32.Trojan.Falsesign.Htvn 20201228 1.0.0.1
静态指标
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1620839511.59025
IsDebuggerPresent
failed 0 0
1620839511.60625
IsDebuggerPresent
failed 0 0
1620839520.636625
IsDebuggerPresent
failed 0 0
1620839520.636625
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620839511.62125
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain vreme.ddns.net
Allocates read-write-execute memory (usually to unpack itself) (50 out of 200 个事件)
Time & API Arguments Status Return Repeated
1620839511.07425
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73ed1000
success 0 0
1620839511.07425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008f0000
success 0 0
1620839511.07425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00980000
success 0 0
1620839511.41825
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73861000
success 0 0
1620839511.41825
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x737a1000
success 0 0
1620839511.43425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x009c0000
success 0 0
1620839511.43425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b20000
success 0 0
1620839511.49625
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73861000
success 0 0
1620839511.59025
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02ab0000
success 0 0
1620839511.59025
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c70000
success 0 0
1620839511.60625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041a000
success 0 0
1620839511.60625
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73862000
success 0 0
1620839511.60625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00412000
success 0 0
1620839511.84025
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00432000
success 0 0
1620839511.94925
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00455000
success 0 0
1620839511.94925
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0045b000
success 0 0
1620839511.94925
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00457000
success 0 0
1620839512.02725
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73791000
success 0 0
1620839512.12125
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00433000
success 0 0
1620839512.13725
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043c000
success 0 0
1620839512.21525
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00540000
success 0 0
1620839512.37125
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00434000
success 0 0
1620839512.37125
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00435000
success 0 0
1620839512.43425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00446000
success 0 0
1620839512.44925
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75061000
success 0 0
1620839512.55925
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73661000
success 0 0
1620839512.57425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0044a000
success 0 0
1620839512.57425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00447000
success 0 0
1620839515.96525
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041c000
success 0 0
1620839518.01225
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00436000
success 0 0
1620839518.07425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00437000
success 0 0
1620839518.79325
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00438000
success 0 0
1620839518.85625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00541000
success 0 0
1620839518.93425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00542000
success 0 0
1620839518.96525
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00543000
success 0 0
1620839518.99625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00439000
success 0 0
1620839518.99625
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00544000
success 0 0
1620839519.04325
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00548000
success 0 0
1620839519.07425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1620839519.07425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00549000
success 0 0
1620839519.12125
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043d000
success 0 0
1620839519.13725
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00581000
success 0 0
1620839519.15225
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054a000
success 0 0
1620839519.18425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00582000
success 0 0
1620839519.18425
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054b000
success 0 0
1620839519.52725
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00583000
success 0 0
1620839519.52725
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00584000
success 0 0
1620839519.80925
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054c000
success 0 0
1620839520.48125
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054d000
success 0 0
1620839520.51225
NtProtectVirtualMemory
process_identifier: 1804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.9735837359702355 section {'size_of_data': '0x00086200', 'virtual_address': '0x00002000', 'entropy': 7.9735837359702355, 'name': '.text', 'virtual_size': '0x00086194'} description A section with a high entropy has been found
entropy 0.8897180762852405 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1620839519.74625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620839522.683625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
One or more of the buffers contains an embedded PE file (5 个事件)
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
buffer Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 185.244.30.251
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1620839520.30925
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 466944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1620839523.105625
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description RegSvcs.exe tried to sleep 5456492 seconds, actually delayed analysis time by 5456492 seconds
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1620839520.30925
WriteProcessMemory
process_identifier: 1316
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èê’ç @  8çW èæ  H.text˜Ç È `.reloc Ê@B.rsrcèæ èÌ@@
process_handle: 0x00000268
base_address: 0x00400000
success 1 0
1620839520.30925
WriteProcessMemory
process_identifier: 1316
buffer: à ”7
process_handle: 0x00000268
base_address: 0x00420000
success 1 0
1620839520.34025
WriteProcessMemory
process_identifier: 1316
buffer: @
process_handle: 0x00000268
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1620839520.30925
WriteProcessMemory
process_identifier: 1316
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èê’ç @  8çW èæ  H.text˜Ç È `.reloc Ê@B.rsrcèæ èÌ@@
process_handle: 0x00000268
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 1804 called NtSetContextThread to modify thread in remote process 1316
Time & API Arguments Status Return Repeated
1620839520.34025
NtSetContextThread
thread_handle: 0x00000264
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1316
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 1804 resumed a thread in remote process 1316
Time & API Arguments Status Return Repeated
1620839520.43425
NtResumeThread
thread_handle: 0x00000264
suspend_count: 1
process_identifier: 1316
success 0 0
Executed a process and injected code into it, probably while unpacking (25 个事件)
Time & API Arguments Status Return Repeated
1620839511.60625
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 1804
success 0 0
1620839511.60625
NtResumeThread
thread_handle: 0x000001bc
suspend_count: 1
process_identifier: 1804
success 0 0
1620839511.62125
NtResumeThread
thread_handle: 0x00000200
suspend_count: 1
process_identifier: 1804
success 0 0
1620839520.27725
CreateProcessInternalW
thread_identifier: 1436
thread_handle: 0x00000264
process_identifier: 1316
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000268
inherit_handles: 0
success 1 0
1620839520.30925
NtGetContextThread
thread_handle: 0x00000264
success 0 0
1620839520.30925
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 466944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000268
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1620839520.30925
WriteProcessMemory
process_identifier: 1316
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èê’ç @  8çW èæ  H.text˜Ç È `.reloc Ê@B.rsrcèæ èÌ@@
process_handle: 0x00000268
base_address: 0x00400000
success 1 0
1620839520.30925
WriteProcessMemory
process_identifier: 1316
buffer:
process_handle: 0x00000268
base_address: 0x00402000
success 1 0
1620839520.30925
WriteProcessMemory
process_identifier: 1316
buffer: à ”7
process_handle: 0x00000268
base_address: 0x00420000
success 1 0
1620839520.32425
WriteProcessMemory
process_identifier: 1316
buffer:
process_handle: 0x00000268
base_address: 0x00422000
success 1 0
1620839520.34025
WriteProcessMemory
process_identifier: 1316
buffer: @
process_handle: 0x00000268
base_address: 0x7efde008
success 1 0
1620839520.34025
NtSetContextThread
thread_handle: 0x00000264
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1316
success 0 0
1620839520.43425
NtResumeThread
thread_handle: 0x00000264
suspend_count: 1
process_identifier: 1316
success 0 0
1620839520.636625
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 1316
success 0 0
1620839520.636625
NtResumeThread
thread_handle: 0x000001bc
suspend_count: 1
process_identifier: 1316
success 0 0
1620839520.636625
NtResumeThread
thread_handle: 0x00000200
suspend_count: 1
process_identifier: 1316
success 0 0
1620839522.386625
NtResumeThread
thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 1316
success 0 0
1620839522.386625
NtResumeThread
thread_handle: 0x000002d0
suspend_count: 1
process_identifier: 1316
success 0 0
1620839522.605625
NtResumeThread
thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 1316
success 0 0
1620839522.870625
NtResumeThread
thread_handle: 0x00000338
suspend_count: 1
process_identifier: 1316
success 0 0
1620839527.776625
NtResumeThread
thread_handle: 0x0000039c
suspend_count: 1
process_identifier: 1316
success 0 0
1620839528.120625
NtResumeThread
thread_handle: 0x000003b0
suspend_count: 1
process_identifier: 1316
success 0 0
1620839531.730625
NtResumeThread
thread_handle: 0x000003c8
suspend_count: 1
process_identifier: 1316
success 0 0
1620839543.339625
NtResumeThread
thread_handle: 0x000003e0
suspend_count: 1
process_identifier: 1316
success 0 0
1620839559.136625
NtResumeThread
thread_handle: 0x00000408
suspend_count: 1
process_identifier: 1316
success 0 0
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader34.33071
MicroWorld-eScan Trojan.MSIL.Basic.10.Gen
FireEye Trojan.MSIL.Basic.10.Gen
McAfee PWS-FCTG!9773D366820D
Cylance Unsafe
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Backdoor:MSIL/Noancooe.aa7bb4fb
K7GW Trojan ( 0056de4d1 )
K7AntiVirus Trojan ( 0056de4d1 )
Arcabit Trojan.MSIL.Basic.10.Gen
BitDefenderTheta Gen:NN.ZemsilF.34700.Mm1@a4kEatci
Cyren W32/Trojan.AVPD-3918
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Malware-gen
Kaspersky HEUR:Backdoor.MSIL.NanoBot.gen
BitDefender Trojan.MSIL.Basic.10.Gen
NANO-Antivirus Trojan.Win32.NanoBot.hwavmq
Paloalto generic.ml
Ad-Aware Trojan.MSIL.Basic.10.Gen
Sophos Mal/Generic-S
Comodo Malware@#3mwib712ph51p
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0DI920
McAfee-GW-Edition PWS-FCTG!9773D366820D
Emsisoft Trojan.MSIL.Basic.10.Gen (B)
Ikarus Trojan.SuspectCRC
Jiangmin Backdoor.MSIL.dqlq
MaxSecure Trojan.Malware.73691366.susgen
Avira BDS/NanoBot.uxivi
Antiy-AVL Trojan[Backdoor]/MSIL.NanoBot
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft Backdoor:MSIL/Noancooe.A
AegisLab Trojan.MSIL.NanoBot.m!c
ZoneAlarm HEUR:Backdoor.MSIL.NanoBot.gen
GData MSIL.Application.iObit.B
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Wacatac.C4192915
VBA32 TScope.Trojan.MSIL
ALYac Backdoor.RAT.MSIL.NanoCore
MAX malware (ai score=100)
Malwarebytes Trojan.Crypt.MSIL
ESET-NOD32 a variant of MSIL/Kryptik.XQB
TrendMicro-HouseCall TROJ_GEN.R03BC0DI920
Tencent Win32.Trojan.Falsesign.Htvn
Yandex Trojan.Agent!2dkGtZ5M7uk
Fortinet Riskware/NanoBot
AVG Win32:Malware-gen
Cybereason malicious.6820d7
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 个事件)
dead_host 192.168.56.101:49190
dead_host 172.217.24.14:443
dead_host 185.244.30.251:1012
dead_host 192.168.56.101:49187
dead_host 172.217.160.78:443
dead_host 192.168.56.101:49184
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2070-03-10 04:01:12

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.