15.2
0-day

6a18ff52d179fa32975ac72f36ae60abe5f7ac754e5ad616cbd375127b2904c6

9b2b738dfd4187939a1be889d355ce47.exe

Analysis duration

100s

Last analysis

File size

901.0KB
Static detection / Dynamic detection tags: 100% 4MW@A8PYVYLG AGEN AI SCORE=85 ATTRIBUTE BLADABINDI CONFIDENCE DOWNLOADER33 ELDORADO GDSDA GENERICKD GENERICRXKA HIGH CONFIDENCE HIGHCONFIDENCE HLRBPO KCLOUD KRYPTIK MALICIOUS PE MALWARE@#2FAKWCLJFVYFC MSCRYPT OCCAMY RATX SCORE SMARTASSEMBLY STATIC AI SUSGEN TSCOPE UNSAFE ZEMSILF
Eagle Eye engine
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
Alibaba Backdoor:MSIL/Bladabindi.981c7060 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:RATX-gen [Trj] 20201210 21.1.5827.0
Tencent 20201211 1.0.0.1
Kingsoft Win32.Hack.Undef.(kcloud) 20201211 2017.9.26.565
McAfee GenericRXKA-VW!9B2B738DFD41 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619781072.196776
IsDebuggerPresent
failed 0 0
1619781072.196776
IsDebuggerPresent
failed 0 0
Command line console output was observed (6 events)
Time & API Arguments Status Return Repeated
1619809526.954625
WriteConsoleW
buffer: 操作成功完成。
console_handle: 0x00000007
success 1 0
1619809532.0795
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619809532.0955
WriteConsoleW
buffer: timeout
console_handle: 0x00000007
success 1 0
1619809532.0955
WriteConsoleW
buffer: /t 300
console_handle: 0x00000007
success 1 0
1619809532.454375
WriteConsoleW
buffer: 等待 300
console_handle: 0x00000007
success 1 0
1619809532.454375
WriteConsoleW
buffer: 秒,按一个键继续 ...
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (22 events)
Time & API Arguments Status Return Repeated
1619781072.852776
CryptExportKey
crypto_handle: 0x005e0910
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781072.868776
CryptExportKey
crypto_handle: 0x005e0910
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.102776
CryptExportKey
crypto_handle: 0x005e0910
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.899776
CryptExportKey
crypto_handle: 0x005e0f10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.899776
CryptExportKey
crypto_handle: 0x005e0f10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.899776
CryptExportKey
crypto_handle: 0x005e0f10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.930776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.946776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.946776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.946776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.962776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.962776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.962776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.962776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.977776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.977776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.977776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.977776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781073.993776
CryptExportKey
crypto_handle: 0x005e1050
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781074.040776
CryptExportKey
crypto_handle: 0x005e1010
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781074.040776
CryptExportKey
crypto_handle: 0x005e1010
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619781074.055776
CryptExportKey
crypto_handle: 0x005e0d90
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619781072.243776
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 75 events)
Time & API Arguments Status Return Repeated
1619781071.446776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008e0000
success 0 0
1619781071.446776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a90000
success 0 0
1619781071.821776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02060000
success 0 0
1619781071.821776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x021c0000
success 0 0
1619781071.962776
NtProtectVirtualMemory
process_identifier: 3004
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619781072.196776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02260000
success 0 0
1619781072.196776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x023d0000
success 0 0
1619781072.196776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040a000
success 0 0
1619781072.196776
NtProtectVirtualMemory
process_identifier: 3004
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619781072.196776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00402000
success 0 0
1619781072.634776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00412000
success 0 0
1619781072.759776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00435000
success 0 0
1619781072.759776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043b000
success 0 0
1619781072.759776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00437000
success 0 0
1619781072.868776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00413000
success 0 0
1619781072.884776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00414000
success 0 0
1619781072.899776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041c000
success 0 0
1619781072.946776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00820000
success 0 0
1619781073.087776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00415000
success 0 0
1619781073.087776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0087f000
success 0 0
1619781073.087776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00870000
success 0 0
1619781073.165776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00416000
success 0 0
1619781073.180776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00426000
success 0 0
1619781073.180776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00821000
success 0 0
1619781073.243776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619781073.243776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00427000
success 0 0
1619781073.259776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00822000
success 0 0
1619781073.259776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00823000
success 0 0
1619781073.430776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00417000
success 0 0
1619781073.493776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00418000
success 0 0
1619781073.493776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00419000
success 0 0
1619781073.524776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a0000
success 0 0
1619781073.524776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00824000
success 0 0
1619781073.540776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00825000
success 0 0
1619781073.540776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a1000
success 0 0
1619781073.571776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a2000
success 0 0
1619781073.587776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041d000
success 0 0
1619781073.587776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a3000
success 0 0
1619781073.790776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00826000
success 0 0
1619781074.055776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a4000
success 0 0
1619781074.071776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x023d1000
success 0 0
1619781074.071776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x023d2000
success 0 0
1619781074.087776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x023d3000
success 0 0
1619781074.087776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x023d4000
success 0 0
1619781074.087776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x023d5000
success 0 0
1619781074.087776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x023d6000
success 0 0
1619781074.102776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00829000
success 0 0
1619781074.134776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a5000
success 0 0
1619781082.009776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0082a000
success 0 0
1619781082.165776
NtAllocateVirtualMemory
process_identifier: 3004
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a6000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
A process attempted to delay the analysis task. (1 event)
description svhost.exe tried to sleep 139 seconds, actually delayed analysis time by 139 seconds
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe.lnk
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated
1619781082.930776
SetFileAttributesW
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN
success 1 0
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe.lnk
Creates a suspicious process (4 events)
cmdline "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
cmdline cmd.exe /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
cmdline "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
cmdline cmd.exe /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\File.txt
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619781083.509776
ShellExecuteExW
parameters: /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1619781087.430776
ShellExecuteExW
parameters: /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619781082.196776
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b2b738dfd4187939a1be889d355ce47.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\melt.txt
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\melt.txt
flags: 2
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b2b738dfd4187939a1be889d355ce47.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.9678867012714845 section {'size_of_data': '0x000c7400', 'virtual_address': '0x00002000', 'entropy': 7.9678867012714845, 'name': '.text', 'virtual_size': '0x000c7240'} description A section with a high entropy has been found
entropy 0.8850638534147696 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)
Time & API Arguments Status Return Repeated
1619781073.868776
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619809526.002125
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1619809526.002125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619809526.018125
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (3 events)
cmdline "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
cmdline reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\FolderN\name.exe.lnk" /f
cmdline cmd.exe /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
Modifies the ZoneTransfer.ZoneID in the Zone.Identifier ADS, generally to disable security warnings (2 events)
Time & API Arguments Status Return Repeated
1619809530.580125
NtCreateFile
create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000080
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 128 (FILE_ATTRIBUTE_NORMAL)
filepath_r: \??\C:\Users\ADMINI~1.OSK\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
success 0 0
1619809530.580125
NtWriteFile
file_handle: 0x00000080
filepath:
buffer: [zoneTransfer]ZoneID = 2
offset: 0
success 0 0
Network communication
Communicates with a host for which no DNS query was performed (3 events)
host 172.217.24.14
host 84.31.147.166
host 219.144.69.90
Allocates execute permission to another process, indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1619781082.430776
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 794624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000238
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619781082.430776
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 794624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000238
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load reg_value C:\Users\ADMINI~1.OSK\AppData\Local\Temp\FolderN\name.exe.lnk
Potential code injection by writing to the memory of another process (3 events)
Time & API Arguments Status Return Repeated
1619781082.430776
WriteProcessMemory
process_identifier: 2308
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ñÏ7¤µ®Y÷µ®Y÷µ®Y÷¼ÖÝ÷´®Y÷óÿ¸÷°®Y÷¸ü†÷—®Y÷¸ü¸÷ù®Y÷¸ü¹÷T®Y÷¼ÖÚ÷°®Y÷¼ÖÊ÷”®Y÷µ®X÷þ¯Y÷¶Ö¹÷´®Y÷¶Ö¸÷™®Y÷¸ü‚÷´®Y÷µ®Î÷´®Y÷¶Ö‡÷´®Y÷Richµ®Y÷PEL…ã»Uà  ØŒ 0@ @Xk TÀ àÐ \Lˆ; @0ü.textL `.rdataW0X@@.dataˆ- ´n @À.rsrcàÀ " @@.reloc\LÐ N& @B
process_handle: 0x00000238
base_address: 0x000b0000
success 1 0
1619781082.446776
WriteProcessMemory
process_identifier: 2308
buffer: €0€ H`À ~<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> <dependency> <dependentAssembly> <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' /> </dependentAssembly> </dependency> </assembly>
process_handle: 0x00000238
base_address: 0x0016c000
success 1 0
1619781082.462776
WriteProcessMemory
process_identifier: 2308
buffer:
process_handle: 0x00000238
base_address: 0xfffde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619781082.430776
WriteProcessMemory
process_identifier: 2308
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ñÏ7¤µ®Y÷µ®Y÷µ®Y÷¼ÖÝ÷´®Y÷óÿ¸÷°®Y÷¸ü†÷—®Y÷¸ü¸÷ù®Y÷¸ü¹÷T®Y÷¼ÖÚ÷°®Y÷¼ÖÊ÷”®Y÷µ®X÷þ¯Y÷¶Ö¹÷´®Y÷¶Ö¸÷™®Y÷¸ü‚÷´®Y÷µ®Î÷´®Y÷¶Ö‡÷´®Y÷Richµ®Y÷PEL…ã»Uà  ØŒ 0@ @Xk TÀ àÐ \Lˆ; @0ü.textL `.rdataW0X@@.dataˆ- ´n @À.rsrcàÀ " @@.reloc\LÐ N& @B
process_handle: 0x00000238
base_address: 0x000b0000
success 1 0
Creates a Windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619809526.096125
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x000b7464
module_address: 0x00000000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 459173 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 3004 called NtSetContextThread to modify thread in remote process 2308
Time & API Arguments Status Return Repeated
1619781082.462776
NtSetContextThread
thread_handle: 0x0000022c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4628620
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 2308
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 3004 resumed a thread in remote process 2308
Time & API Arguments Status Return Repeated
1619781082.805776
NtResumeThread
thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 2308
success 0 0
Executed a process and injected code into it, probably while unpacking (26 events)
Time & API Arguments Status Return Repeated
1619781072.196776
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3004
success 0 0
1619781072.212776
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 3004
success 0 0
1619781072.352776
NtResumeThread
thread_handle: 0x0000012c
suspend_count: 1
process_identifier: 3004
success 0 0
1619781076.821776
CreateProcessInternalW
thread_identifier: 376
thread_handle: 0x00000348
process_identifier: 2104
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\File.txt
filepath_r: C:\Windows\system32\NOTEPAD.EXE
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000344
inherit_handles: 0
success 1 0
1619781082.430776
CreateProcessInternalW
thread_identifier: 2288
thread_handle: 0x0000022c
process_identifier: 2308
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\svhost.exe
track: 1
command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\svhost.exe"
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\svhost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000238
inherit_handles: 0
success 1 0
1619781082.430776
NtGetContextThread
thread_handle: 0x0000022c
success 0 0
1619781082.430776
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 794624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000238
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619781082.430776
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 794624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000238
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619781082.430776
WriteProcessMemory
process_identifier: 2308
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ñÏ7¤µ®Y÷µ®Y÷µ®Y÷¼ÖÝ÷´®Y÷óÿ¸÷°®Y÷¸ü†÷—®Y÷¸ü¸÷ù®Y÷¸ü¹÷T®Y÷¼ÖÚ÷°®Y÷¼ÖÊ÷”®Y÷µ®X÷þ¯Y÷¶Ö¹÷´®Y÷¶Ö¸÷™®Y÷¸ü‚÷´®Y÷µ®Î÷´®Y÷¶Ö‡÷´®Y÷Richµ®Y÷PEL…ã»Uà  ØŒ 0@ @Xk TÀ àÐ \Lˆ; @0ü.textL `.rdataW0X@@.dataˆ- ´n @À.rsrcàÀ " @@.reloc\LÐ N& @B
process_handle: 0x00000238
base_address: 0x000b0000
success 1 0
1619781082.446776
WriteProcessMemory
process_identifier: 2308
buffer:
process_handle: 0x00000238
base_address: 0x000b1000
success 1 0
1619781082.446776
WriteProcessMemory
process_identifier: 2308
buffer:
process_handle: 0x00000238
base_address: 0x00133000
success 1 0
1619781082.446776
WriteProcessMemory
process_identifier: 2308
buffer:
process_handle: 0x00000238
base_address: 0x00149000
success 1 0
1619781082.446776
WriteProcessMemory
process_identifier: 2308
buffer: €0€ H`À ~<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> <dependency> <dependentAssembly> <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' /> </dependentAssembly> </dependency> </assembly>
process_handle: 0x00000238
base_address: 0x0016c000
success 1 0
1619781082.446776
WriteProcessMemory
process_identifier: 2308
buffer:
process_handle: 0x00000238
base_address: 0x0016d000
success 1 0
1619781082.462776
WriteProcessMemory
process_identifier: 2308
buffer:
process_handle: 0x00000238
base_address: 0xfffde008
success 1 0
1619781082.462776
NtSetContextThread
thread_handle: 0x0000022c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4628620
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 2308
success 0 0
1619781082.805776
NtResumeThread
thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 2308
success 0 0
1619781083.509776
CreateProcessInternalW
thread_identifier: 1932
thread_handle: 0x0000038c
process_identifier: 1916
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003c8
inherit_handles: 0
success 1 0
1619781087.430776
CreateProcessInternalW
thread_identifier: 420
thread_handle: 0x000003fc
process_identifier: 1824
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000041c
inherit_handles: 0
success 1 0
1619781088.946776
CreateProcessInternalW
thread_identifier: 2228
thread_handle: 0x00000410
process_identifier: 1712
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\FolderN\name.exe.bat
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000040c
inherit_handles: 0
success 1 0
1619809526.065125
NtResumeThread
thread_handle: 0x00000188
suspend_count: 1
process_identifier: 2308
success 0 0
1619809526.080125
NtResumeThread
thread_handle: 0x000001a0
suspend_count: 1
process_identifier: 2308
success 0 0
1619809559.752125
NtResumeThread
thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 2308
success 0 0
1619809594.002125
NtResumeThread
thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 2308
success 0 0
1619809526.75225
CreateProcessInternalW
thread_identifier: 2456
thread_handle: 0x00000080
process_identifier: 2144
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\reg.exe
track: 1
command_line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\FolderN\name.exe.lnk" /f
filepath_r: C:\Windows\system32\reg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619809532.2205
CreateProcessInternalW
thread_identifier: 2544
thread_handle: 0x00000084
process_identifier: 1056
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\timeout.exe
track: 1
command_line: timeout /t 300
filepath_r: C:\Windows\system32\timeout.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000080
inherit_handles: 1
success 1 0
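The call sequence above is the classic RunPE / process hollowing pattern against PID 2308: the first RWX allocation at 0x00400000 fails with return 3221225496, which is NTSTATUS 0xC0000018 (STATUS_CONFLICTING_ADDRESSES: that range is already occupied by the host image, whose _CorExeMain import sits at 0x402000 per the Imports table); the injector then maps the payload at 0x000b0000, writes the MZ/PE header and sections there, writes a value at 0xfffde008, which is exactly 8 bytes past the ebx it hands to NtSetContextThread (-139264 is 0xFFFDE000, and ImageBaseAddress lives at PEB+0x08 on 32-bit Windows), overwrites the thread context, and resumes the suspended thread. The cmd.exe children then register the dropped .lnk in the HKCU\...\Windows NT\CurrentVersion\Windows "Load" value, a documented logon autostart, and stamp the dropped executable with a Zone.Identifier stream whose ZoneId is 2 (Trusted sites) rather than 3 (Internet). The Python script below is an added example, not the sandbox's own parser or signatures: it parses a constructed excerpt of this log in the sandbox's own "timestamp / API / key: value / status" layout and flags each of those three behaviours plus the NTSTATUS decode. The regexes, the zone-name table and the choice of Run/RunOnce as extra autostart keys are assumptions of this example.

```python
"""Detection pass over a Cuckoo-style API log for the behaviours in this report:
process hollowing (RunPE), 'Load'-value autostart and Zone.Identifier tampering.
Added example over a constructed log excerpt; not the sandbox's own parser or rules."""
import re

TS_RE = re.compile(r"^\d+\.\d+$")
KV_RE = re.compile(r"^([\w.]+): ?(.*)$")
STATUS_RE = re.compile(r"^(success|failed) (\d+) (\d+)$")
NTSTATUS = {0xC0000018: "STATUS_CONFLICTING_ADDRESSES"}  # the only failure code in this log
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted"}
HOLLOW_CHAIN = ("NtAllocateVirtualMemory", "WriteProcessMemory", "NtSetContextThread", "NtResumeThread")
AUTOSTART_RE = re.compile(r'reg(?:\.exe)?\s+add\s+"?(?P<key>HK\w+\\[^"]*?CurrentVersion\\(?:Windows|Run(?:Once)?))"?'
                          r'.*?/v\s+(?P<value>\S+).*?/d\s+"?(?P<data>[^"]+)"?', re.I)
MOTW_RE = re.compile(r"echo\s+\[zonetransfer\]\s*zoneid\s*=\s*(?P<zone>\d)\s*>\s*(?P<path>\S+):Zone\.Identifier", re.I)

SAMPLE_LOG = r"""
1619781082.430776
NtAllocateVirtualMemory
process_identifier: 2308
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
success 0 0
1619781082.430776
WriteProcessMemory
process_identifier: 2308
buffer: MZ...This program cannot be run in DOS mode.
success 1 0
1619781082.462776
NtSetContextThread
process_identifier: 2308
success 0 0
1619781082.805776
NtResumeThread
suspend_count: 1
process_identifier: 2308
success 0 0
1619781083.509776
CreateProcessInternalW
command_line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
success 1 0
1619781087.430776
CreateProcessInternalW
command_line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
success 1 0
"""  # constructed excerpt of this report's call sequence, in the sandbox's layout

def parse_log(text):
    """One dict per call: ts, api, status, ret, plus the key: value fields."""
    records, cur = [], None
    for line in text.splitlines():
        if TS_RE.match(line):
            cur = {"ts": float(line), "api": None}
            records.append(cur)
        elif cur is None:
            continue
        elif cur["api"] is None:
            cur["api"] = line.strip()
        elif (m := STATUS_RE.match(line)):
            cur["status"], cur["ret"] = m[1], int(m[2])
        elif (m := KV_RE.match(line)):
            cur[m[1]] = m[2]
    return records

def ntstatus(ret):
    """The sandbox logs NTSTATUS in decimal; 3221225496 is 0xC0000018, STATUS_CONFLICTING_ADDRESSES:
    0x00400000 is already mapped (host image), so the payload is placed at another base via its .reloc."""
    code = ret & 0xFFFFFFFF
    return "0x%08X (%s)" % (code, NTSTATUS.get(code, "unknown"))

def find_hollowing(records):
    """Per target PID: successful RWX remote allocation, MZ-headed write, thread-context
    overwrite, then resume of a thread created suspended, as an ordered subsequence."""
    seen = {}
    for r in records:
        pid, api = r.get("process_identifier"), r["api"]
        if pid is None or r.get("status") != "success":
            continue
        if (api == "NtAllocateVirtualMemory" and "PAGE_EXECUTE_READWRITE" in r.get("protection", "")
                or api == "WriteProcessMemory" and r.get("buffer", "").startswith("MZ")
                or api == "NtSetContextThread"
                or api == "NtResumeThread" and r.get("suspend_count") == "1"):
            seen.setdefault(pid, []).append(api)
    hits = {}
    for pid, apis in seen.items():
        it = iter(apis)  # shared iterator: every step of HOLLOW_CHAIN must appear, in order
        if all(any(a == step for a in it) for step in HOLLOW_CHAIN):
            hits[pid] = apis
    return hits

def find_autostart(records):
    """reg add into the Windows NT\\CurrentVersion\\Windows 'Load' value (run at logon) or Run/RunOnce."""
    hits = []
    for r in records:
        m = AUTOSTART_RE.search(r.get("command_line", ""))
        if m and (m["value"].lower() == "load" or m["key"].lower().endswith(("\\run", "\\runonce"))):
            hits.append((m["key"], m["value"], m["data"]))
    return hits

def find_motw_tampering(records):
    """ZoneId 2 stamps the dropped file as 'Trusted sites' rather than 3 (Internet),
    the zone SmartScreen and the open-file warning key off."""
    matches = (MOTW_RE.search(r.get("command_line", "")) for r in records)
    return [(m["path"], int(m["zone"]), ZONES[int(m["zone"])]) for m in matches if m]
```

Run it against a full report export by feeding the call-log text to `parse_log`; the subsequence test in `find_hollowing` deliberately ignores the failed 0x00400000 allocation and the empty-buffer section writes, so the chain still matches when the injector's first base is refused, as it was here.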
File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43309680
FireEye Generic.mg.9b2b738dfd418793
ALYac Trojan.GenericKD.43309680
Cylance Unsafe
K7AntiVirus Trojan ( 0055d2191 )
Alibaba Backdoor:MSIL/Bladabindi.981c7060
K7GW Trojan ( 0055d2191 )
Arcabit Trojan.Generic.D294DA70
Cyren W32/MSIL_Kryptik.ALZ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:RATX-gen [Trj]
Kaspersky HEUR:Backdoor.MSIL.Bladabindi.gen
BitDefender Trojan.GenericKD.43309680
NANO-Antivirus Trojan.Win32.SmartAssembly.hlrbpo
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.43309680
Emsisoft Trojan.GenericKD.43309680 (B)
Comodo Malware@#2fakwcljfvyfc
F-Secure Heuristic.HEUR/AGEN.1136253
DrWeb Trojan.DownLoader33.52446
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.SmartAssembly
Jiangmin Backdoor.MSIL.defd
Avira HEUR/AGEN.1136253
MAX malware (ai score=85)
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft Trojan:Win32/Occamy.C6A
AegisLab Trojan.MSIL.Bladabindi.m!c
ZoneAlarm HEUR:Backdoor.MSIL.Bladabindi.gen
GData Trojan.GenericKD.43309680
Cynet Malicious (score: 100)
McAfee GenericRXKA-VW!9B2B738DFD41
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MSCrypt.MSIL.Generic
ESET-NOD32 a variant of MSIL/Packed.SmartAssembly.AY
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/SmartAssembly.AY!tr.ransom
BitDefenderTheta Gen:NN.ZemsilF.34670.4mW@a8PyVylG
AVG Win32:RATX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Generic/Backdoor.633
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.160.78:443
dead_host 84.31.147.166:8080
Visual analysis
Binary image
No binary image: this sample produced no binary visualization image
Run screenshots
No run screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-06-08 03:48:09

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
219.144.69.90 443 192.168.56.101 49181

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 60124 239.255.255.250 3702
192.168.56.101 62194 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.