SmartHawk

10.2

0-day

52 个模型检测该样本为恶意！

重新分析

下载样本

15dee864e14a92f65233de4dbb94d96fbdd2043c447159fcea5f88e5489bc302

98bd5bb185f07c9d7c52f25b2f466e25.exe

分析耗时

91s

最近分析

文件大小

514.5KB

静态报毒动态报毒 100% AGENSLA AGENTTESLA AI SCORE=82 ATTRIBUTE BTJLIE CONFIDENCE ELDORADO ELKP FAREIT GDSDA GENERICKD GENERICRXKO GENKRYPTIK HAWKEY HIGH CONFIDENCE HIGHCONFIDENCE HVTD IGENT KCLOUD KRYPTIK MALWARE@#3BRZ13DTZVMD5 PSWTROJ QQPASS QQROB R + TROJ R06EC0DIA20 R342452 REMCOS SCORE SIGGEN9 TROJANPSW TROJANX TSCOPE UNSAFE WACATAC YAKBEEXMSIL ZRUFW 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXKO-QM!98BD5BB185F0	20201211	6.0.6.653
Alibaba	TrojanPSW:MSIL/AgentTesla.87d7ed42	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20201210	21.1.5827.0
Tencent	Msil.Trojan-qqpass.Qqrob.Hvtd	20201211	1.0.0.1
Kingsoft	Win32.PSWTroj.Undef.(kcloud)	20201211	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619800541.196751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619800549.618374 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619800552.946374 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619800555.977374 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619800556.649374 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1619800512.478249 IsDebuggerPresent		failed	0	0
1619800512.478249 IsDebuggerPresent		failed	0	0
1619800547.039374 IsDebuggerPresent		failed	0	0
1619800547.055374 IsDebuggerPresent		failed	0	0

Command line console output was observed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619800542.680751 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\oKXfeVVOyJoN"。 console_handle: 0x00000007	success	1	0
1619800563.306249 WriteConsoleW	buffer: 操作成功完成。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619800512.509249 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619800555.789374 __exception__	stacktrace: 0x108fed5 0x108f13a DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1438380 registers.edi: 1438408 registers.eax: 0 registers.ebp: 1438424 registers.edx: 8 registers.ebx: 0 registers.esi: 39365580 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 34 ca e5 ac e9 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbb3736	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619800555.789374
__exception__

stacktrace:

0x108fed5
0x108f13a
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1438380
registers.edi: 1438408
registers.eax: 0
registers.ebp: 1438424
registers.edx: 8
registers.ebx: 0
registers.esi: 39365580
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 34 ca e5 ac e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xbb3736

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 127 个事件)

Time & API	Arguments	Status
1619800511.619249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005f0000	success
1619800511.619249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00680000	success
1619800512.025249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x006c0000	success
1619800512.025249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00720000	success
1619800512.181249 NtProtectVirtualMemory	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619800512.478249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02170000	success
1619800512.478249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02270000	success
1619800512.478249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0052a000	success
1619800512.478249 NtProtectVirtualMemory	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619800512.478249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00522000	success
1619800512.728249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00532000	success
1619800512.947249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00555000	success
1619800512.962249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0055b000	success
1619800512.962249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00557000	success
1619800513.212249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00533000	success
1619800513.369249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053c000	success
1619800514.556249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00534000	success
1619800514.587249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00536000	success
1619800515.040249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d0000	success
1619800515.525249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0054a000	success
1619800515.525249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00547000	success
1619800516.290249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00537000	success
1619800516.650249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d1000	success
1619800516.790249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00546000	success
1619800517.447249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053a000	success
1619800517.634249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d3000	success
1619800518.540249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00538000	success
1619800518.619249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00721000	success
1619800519.212249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d4000	success
1619800519.259249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00539000	success
1619800519.322249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02120000	success
1619800519.322249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02121000	success
1619800519.400249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02271000	success
1619800519.415249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02272000	success
1619800519.415249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02273000	success
1619800519.415249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02274000	success
1619800519.415249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02276000	success
1619800519.415249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02278000	success
1619800519.415249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0227c000	success
1619800519.431249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02122000	success
1619800519.447249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d5000	success
1619800519.462249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0228d000	success
1619800519.494249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0228e000	success
1619800519.525249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d6000	success
1619800519.603249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02123000	success
1619800519.634249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d7000	success
1619800539.931249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d8000	success
1619800539.947249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00523000	success
1619800546.087249 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d9000	success
1619800546.868374 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x006a0000	success

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oKXfeVVOyJoN" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpC82D.tmp"
cmdline	schtasks.exe /Create /TN "Updates\oKXfeVVOyJoN" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpC82D.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619800540.759249 ShellExecuteExW	parameters: /Create /TN "Updates\oKXfeVVOyJoN" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpC82D.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.659743601149461

section

{'size_of_data': '0x0007fe00', 'virtual_address': '0x00002000', 'entropy': 7.659743601149461, 'name': '.text', 'virtual_size': '0x0007fcd0'}

description

A section with a high entropy has been found

entropy

0.995136186770428

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619800546.681249 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619800548.914374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (3 个事件)

cmdline	REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oKXfeVVOyJoN" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpC82D.tmp"
cmdline	schtasks.exe /Create /TN "Updates\oKXfeVVOyJoN" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpC82D.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619800546.072249 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

RegSvcs.exe tried to sleep 2728186 seconds, actually delayed analysis time by 2728186 seconds

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619800546.072249 WriteProcessMemory	process_identifier: 2060 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELI¬^à°>Ï à@ @ðÎKàH H.textD¯ ° `.rsrcHà²@@.reloc¸@B process_handle: 0x0000038c base_address: 0x00400000	success	1
1619800546.087249 WriteProcessMemory	process_identifier: 2060 buffer: P8h à¼\ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNamemzMslJleJjMeCHBuUoDzuQSsoSPEERMqezXB.exe(LegalCopyright \|)OriginalFilenamemzMslJleJjMeCHBuUoDzuQSsoSPEERMqezXB.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x0000038c base_address: 0x0044e000	success	1
1619800546.087249 WriteProcessMemory	process_identifier: 2060 buffer: À@? process_handle: 0x0000038c base_address: 0x00450000	success	1
1619800546.087249 WriteProcessMemory	process_identifier: 2060 buffer: @ process_handle: 0x0000038c base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619800546.072249 WriteProcessMemory	process_identifier: 2060 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELI¬^à°>Ï à@ @ðÎKàH H.textD¯ ° `.rsrcHà²@@.reloc¸@B process_handle: 0x0000038c base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2316 called NtSetContextThread to modify thread in remote process 2060
1619800546.087249 NtSetContextThread	thread_handle: 0x00000330 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4509502 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2060	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2316 resumed a thread in remote process 2060
1619800546.634249 NtResumeThread	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2060	success	0	0

Executed a process and injected code into it, probably while unpacking (23 个事件)

Time & API	Arguments	Status	Return
1619800512.478249 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2316	success	0
1619800512.478249 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2316	success	0
1619800512.540249 NtResumeThread	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2316	success	0
1619800540.759249 CreateProcessInternalW	thread_identifier: 2116 thread_handle: 0x0000033c process_identifier: 2520 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oKXfeVVOyJoN" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpC82D.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000374 inherit_handles: 0	success	1
1619800546.056249 CreateProcessInternalW	thread_identifier: 2424 thread_handle: 0x00000330 process_identifier: 2060 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000038c inherit_handles: 0	success	1
1619800546.072249 NtGetContextThread	thread_handle: 0x00000330	success	0
1619800546.072249 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619800546.072249 WriteProcessMemory	process_identifier: 2060 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELI¬^à°>Ï à@ @ðÎKàH H.textD¯ ° `.rsrcHà²@@.reloc¸@B process_handle: 0x0000038c base_address: 0x00400000	success	1
1619800546.072249 WriteProcessMemory	process_identifier: 2060 buffer: process_handle: 0x0000038c base_address: 0x00402000	success	1
1619800546.087249 WriteProcessMemory	process_identifier: 2060 buffer: P8h à¼\ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNamemzMslJleJjMeCHBuUoDzuQSsoSPEERMqezXB.exe(LegalCopyright \|)OriginalFilenamemzMslJleJjMeCHBuUoDzuQSsoSPEERMqezXB.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x0000038c base_address: 0x0044e000	success	1
1619800546.087249 WriteProcessMemory	process_identifier: 2060 buffer: À@? process_handle: 0x0000038c base_address: 0x00450000	success	1
1619800546.087249 WriteProcessMemory	process_identifier: 2060 buffer: @ process_handle: 0x0000038c base_address: 0x7efde008	success	1
1619800546.087249 NtSetContextThread	thread_handle: 0x00000330 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4509502 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2060	success	0
1619800546.634249 NtResumeThread	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2060	success	0
1619800546.650249 NtResumeThread	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2316	success	0
1619800547.055374 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2060	success	0
1619800547.071374 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2060	success	0
1619800547.180374 NtResumeThread	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2060	success	0
1619800552.102374 NtResumeThread	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 2060	success	0
1619800552.477374 NtResumeThread	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2060	success	0
1619800555.883374 NtResumeThread	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 2060	success	0
1619800562.664374 NtResumeThread	thread_handle: 0x000003b4 suspend_count: 1 process_identifier: 2060	success	0
1619800562.914374 CreateProcessInternalW	thread_identifier: 2576 thread_handle: 0x000003b8 process_identifier: 2856 current_directory: filepath: track: 1 command_line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x000003bc inherit_handles: 0	success	1

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43160801
FireEye	Trojan.GenericKD.43160801
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	GenericRXKO-QM!98BD5BB185F0
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 00566b501 )
Alibaba	TrojanPSW:MSIL/AgentTesla.87d7ed42
K7GW	Trojan ( 00566b501 )
Cybereason	malicious.043028
Arcabit	Trojan.Generic.D29294E1
Cyren	W32/MSIL_Kryptik.ARY.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.43160801
Avast	Win32:TrojanX-gen [Trj]
Tencent	Msil.Trojan-qqpass.Qqrob.Hvtd
Ad-Aware	Trojan.GenericKD.43160801
Emsisoft	Trojan.GenericKD.43160801 (B)
Comodo	Malware@#3brz13dtzvmd5
F-Secure	Trojan.TR/Dropper.MSIL.zrufw
DrWeb	Trojan.Siggen9.46269
TrendMicro	TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition	BehavesLike.Win32.Fareit.hc
Sophos	Mal/Generic-R + Troj/HawkEy-JR
Webroot	W32.Trojan.Gen
Avira	TR/Dropper.MSIL.zrufw
Antiy-AVL	Trojan/Win32.Wacatac
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:MSIL/AgentTesla.PRB!MTB
AegisLab	Trojan.Multi.Generic.4!c
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.43160801
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.AgentTesla.R342452
ALYac	Trojan.GenericKD.43160801
MAX	malware (ai score=82)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Crypt.MSIL
ESET-NOD32	a variant of MSIL/Kryptik.WGR
TrendMicro-HouseCall	Backdoor.MSIL.REMCOS.SM
Yandex	Trojan.Igent.bTJliE.10
Ikarus	Trojan.MSIL.Inject
Fortinet	MSIL/GenKryptik.ELKP!tr
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-14 13:09:39

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	50005	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.