5.8
高危
该样本未表现出任何异常!
重新分析
更多

0bb9c4f5f02f8302cec425fbaaa945f8f9160ace3e9c5c31428e2fe379557f01

9f6f1c62f887675e71cf6545408a30ca.exe

分析耗时

80s

最近分析

文件大小

159.5KB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Queries for the computername (3 个事件)
Time & API Arguments Status Return Repeated
1621017118.121374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621017120.277374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621017159.598954
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1620985519.667343
IsDebuggerPresent
failed 0 0
Command line console output was observed (50 out of 71 个事件)
Time & API Arguments Status Return Repeated
1621017117.184876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017117.184876
WriteConsoleW
buffer: systeminfo
console_handle: 0x00000007
success 1 0
1621017117.199876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\1.csv"
console_handle: 0x00000007
success 1 0
1621017137.777876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017137.777876
WriteConsoleW
buffer: ipconfig
console_handle: 0x00000007
success 1 0
1621017137.793876
WriteConsoleW
buffer: /all
console_handle: 0x00000007
success 1 0
1621017137.809876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\2.csv"
console_handle: 0x00000007
success 1 0
1621017145.559876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017145.559876
WriteConsoleW
buffer: net
console_handle: 0x00000007
success 1 0
1621017145.574876
WriteConsoleW
buffer: config workstation
console_handle: 0x00000007
success 1 0
1621017145.574876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\3.csv"
console_handle: 0x00000007
success 1 0
1621017147.590876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017147.590876
WriteConsoleW
buffer: arp
console_handle: 0x00000007
success 1 0
1621017147.621876
WriteConsoleW
buffer: -a
console_handle: 0x00000007
success 1 0
1621017147.621876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\4.csv"
console_handle: 0x00000007
success 1 0
1621017149.449876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017149.449876
WriteConsoleW
buffer: nbtstat
console_handle: 0x00000007
success 1 0
1621017149.449876
WriteConsoleW
buffer: /n
console_handle: 0x00000007
success 1 0
1621017149.449876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\5.csv"
console_handle: 0x00000007
success 1 0
1621017149.480876
WriteConsoleW
buffer: 'nbtstat' 不是内部或外部命令,也不是可运行的程序 或批处理文件。
console_handle: 0x0000000b
success 1 0
1621017149.512876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017149.512876
WriteConsoleW
buffer: net
console_handle: 0x00000007
success 1 0
1621017149.512876
WriteConsoleW
buffer: view /all
console_handle: 0x00000007
success 1 0
1621017149.512876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\6.csv"
console_handle: 0x00000007
success 1 0
1621017153.980876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017153.980876
WriteConsoleW
buffer: net
console_handle: 0x00000007
success 1 0
1621017153.980876
WriteConsoleW
buffer: view /all /domain
console_handle: 0x00000007
success 1 0
1621017153.980876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\7.csv"
console_handle: 0x00000007
success 1 0
1621017154.980876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017154.980876
WriteConsoleW
buffer: nltest
console_handle: 0x00000007
success 1 0
1621017154.980876
WriteConsoleW
buffer: /domain_trusts
console_handle: 0x00000007
success 1 0
1621017154.980876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\8.csv"
console_handle: 0x00000007
success 1 0
1621017155.043876
WriteConsoleW
buffer: 'nltest' 不是内部或外部命令,也不是可运行的程序 或批处理文件。
console_handle: 0x0000000b
success 1 0
1621017155.074876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017155.074876
WriteConsoleW
buffer: nltest
console_handle: 0x00000007
success 1 0
1621017155.074876
WriteConsoleW
buffer: /domain_trusts /all_trusts
console_handle: 0x00000007
success 1 0
1621017155.074876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\9.csv"
console_handle: 0x00000007
success 1 0
1621017155.105876
WriteConsoleW
buffer: 'nltest' 不是内部或外部命令,也不是可运行的程序 或批处理文件。
console_handle: 0x0000000b
success 1 0
1621017155.105876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017155.121876
WriteConsoleW
buffer: tasklist
console_handle: 0x00000007
success 1 0
1621017155.121876
WriteConsoleW
buffer: /v /fo "TABLE"
console_handle: 0x00000007
success 1 0
1621017155.121876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\10.csv"
console_handle: 0x00000007
success 1 0
1621017157.309876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017157.309876
WriteConsoleW
buffer: dsquery.exe
console_handle: 0x00000007
success 1 0
1621017157.309876
WriteConsoleW
buffer: * -filter "objectcategory=computer" -attr dNSHostName distinguishedName description -limit 0
console_handle: 0x00000007
success 1 0
1621017157.309876
WriteConsoleW
buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\11.csv"
console_handle: 0x00000007
success 1 0
1621017162.262876
WriteConsoleW
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP>
console_handle: 0x00000007
success 1 0
1621017162.262876
WriteConsoleW
buffer: exit
console_handle: 0x00000007
success 1 0
1621017162.277876
WriteConsoleW
buffer: /B
console_handle: 0x00000007
success 1 0
1621017118.137374
WriteConsoleW
buffer: 正在加载操作系统信息...
console_handle: 0x0000000b
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620985520.104343
GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
行为判定
动态指标
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 个事件)
Time & API Arguments Status Return Repeated
1620985520.135343
GetDiskFreeSpaceExW
root_path: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\hTypeSock_TMP
free_bytes_available: 19610005504
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Creates executable files on the filesystem (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\commands.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\copy.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\dsterm.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\dsquery.exe
Drops a binary and executes it (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\dsterm.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\commands.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\copy.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\dsquery.exe
Drops an executable to the user AppData folder (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\dsquery.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\dsterm.exe
Executes one or more WMI queries (1 个事件)
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
A process created a hidden window (2 个事件)
Time & API Arguments Status Return Repeated
1621017116.840374
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\commands.bat
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\commands.bat
show_type: 0
success 1 0
1621017147.137374
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\copy.bat
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hTypeSock_TMP\copy.bat
show_type: 0
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1621017178.652374
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1621017159.583954
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (6 个事件)
cmdline net view /all /domain
cmdline net config workstation
cmdline systeminfo
cmdline tasklist /v /fo "TABLE"
cmdline ipconfig /all
cmdline net view /all
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 45.147.229.155
Uses suspicious command line tools or Windows utilities (1 个事件)
cmdline dsquery.exe * -filter "objectcategory=computer" -attr dNSHostName distinguishedName description -limit 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2012-12-31 08:38:32

Imports

Library COMCTL32.dll:
0x417010
Library SHELL32.dll:
0x417260 ShellExecuteW
0x417264 SHGetMalloc
0x41726c SHBrowseForFolderW
0x417270 SHGetFileInfoW
0x417274 ShellExecuteExW
Library GDI32.dll:
0x417018 CreateCompatibleDC
0x41701c CreateFontIndirectW
0x417020 DeleteObject
0x417024 DeleteDC
0x417028 GetCurrentObject
0x41702c StretchBlt
0x417030 GetDeviceCaps
0x417038 SelectObject
0x41703c SetStretchBltMode
0x417040 GetObjectW
Library ADVAPI32.dll:
0x417000 FreeSid
Library USER32.dll:
0x41727c GetWindowLongW
0x417280 GetMenu
0x417284 SetWindowPos
0x417288 GetWindowDC
0x41728c ReleaseDC
0x417290 GetDlgItem
0x417294 GetParent
0x417298 GetWindowRect
0x41729c GetClassNameA
0x4172a0 CreateWindowExW
0x4172a4 SetTimer
0x4172a8 GetMessageW
0x4172ac DispatchMessageW
0x4172b0 KillTimer
0x4172b4 DestroyWindow
0x4172b8 SendMessageW
0x4172bc EndDialog
0x4172c0 wsprintfW
0x4172c4 GetWindowTextW
0x4172cc GetSysColor
0x4172d0 wsprintfA
0x4172d4 SetWindowTextW
0x4172d8 MessageBoxA
0x4172dc ScreenToClient
0x4172e0 GetClientRect
0x4172e4 SetWindowLongW
0x4172e8 UnhookWindowsHookEx
0x4172ec SetFocus
0x4172f0 GetSystemMetrics
0x4172f8 ShowWindow
0x4172fc DrawTextW
0x417300 GetDC
0x417304 ClientToScreen
0x417308 GetWindow
0x417310 DrawIconEx
0x417314 CallWindowProcW
0x417318 DefWindowProcW
0x41731c CallNextHookEx
0x417320 PtInRect
0x417324 SetWindowsHookExW
0x417328 LoadImageW
0x41732c LoadIconW
0x417330 MessageBeep
0x417334 EnableWindow
0x417338 IsWindow
0x41733c EnableMenuItem
0x417340 GetSystemMenu
0x417344 CreateWindowExA
0x417348 wvsprintfW
0x41734c CharUpperW
0x417350 GetKeyState
0x417354 CopyImage
Library ole32.dll:
0x417360 CoCreateInstance
0x417364 CoInitialize
Library OLEAUT32.dll:
0x417248 VariantClear
0x41724c SysFreeString
0x417250 OleLoadPicture
0x417254 SysAllocString
Library KERNEL32.dll:
0x417048 GetFileSize
0x41704c SetFilePointer
0x417050 ReadFile
0x417058 GetModuleHandleA
0x41705c SetFileTime
0x417060 SetEndOfFile
0x417070 FormatMessageW
0x417074 lstrcpyW
0x417078 LocalFree
0x41707c IsBadReadPtr
0x417080 GetSystemDirectoryW
0x417084 GetCurrentThreadId
0x417088 SuspendThread
0x41708c TerminateThread
0x417094 ResetEvent
0x417098 SetEvent
0x41709c CreateEventW
0x4170a0 GetVersionExW
0x4170a4 GetModuleFileNameW
0x4170a8 GetCurrentProcess
0x4170b4 GetDriveTypeW
0x4170b8 CreateFileW
0x4170bc GetCommandLineW
0x4170c0 GetStartupInfoW
0x4170c4 CreateProcessW
0x4170c8 CreateJobObjectW
0x4170cc ResumeThread
0x4170e0 GetExitCodeProcess
0x4170e4 CloseHandle
0x4170ec GetTempPathW
0x4170f4 lstrlenW
0x4170f8 CompareFileTime
0x4170fc SetThreadLocale
0x417100 FindFirstFileW
0x417104 DeleteFileW
0x417108 FindNextFileW
0x41710c FindClose
0x417110 RemoveDirectoryW
0x417118 WideCharToMultiByte
0x41711c VirtualAlloc
0x417124 lstrcmpW
0x41712c lstrcmpiW
0x417130 lstrlenA
0x417134 GetLocaleInfoW
0x417138 MultiByteToWideChar
0x417148 lstrcmpiA
0x41714c GlobalAlloc
0x417150 GlobalFree
0x417154 MulDiv
0x417158 FindResourceExA
0x41715c SizeofResource
0x417160 LoadResource
0x417164 LockResource
0x417168 LoadLibraryA
0x41716c GetProcAddress
0x417170 GetModuleHandleW
0x417174 ExitProcess
0x417178 lstrcatW
0x41717c GetDiskFreeSpaceExW
0x417180 SetFileAttributesW
0x417184 SetLastError
0x417188 Sleep
0x41718c GetExitCodeThread
0x417190 WaitForSingleObject
0x417194 CreateThread
0x417198 GetLastError
0x4171a0 GetLocalTime
0x4171a4 GetFileAttributesW
0x4171a8 CreateDirectoryW
0x4171ac WriteFile
0x4171b0 GetStdHandle
0x4171b4 VirtualFree
0x4171b8 GetStartupInfoA
Library MSVCRT.dll:
0x4171c0 ??3@YAXPAX@Z
0x4171c4 ??2@YAPAXI@Z
0x4171c8 memcmp
0x4171cc free
0x4171d0 memcpy
0x4171d4 _wtol
0x4171d8 _controlfp
0x4171dc _except_handler3
0x4171e0 __set_app_type
0x4171e4 __p__fmode
0x4171e8 __p__commode
0x4171ec _adjust_fdiv
0x4171f0 __setusermatherr
0x4171f4 _initterm
0x4171f8 __getmainargs
0x4171fc _acmdln
0x417200 exit
0x417204 _XcptFilter
0x417208 _exit
0x417210 _onexit
0x417214 __dllonexit
0x417218 _CxxThrowException
0x41721c _beginthreadex
0x417220 _EH_prolog
0x417228 memset
0x41722c _wcsnicmp
0x417230 strncmp
0x417234 wcsncmp
0x417238 malloc
0x41723c memmove
0x417240 _purecall

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49190 192.168.56.1 139
192.168.56.101 49191 192.168.56.1 139

UDP

Source Source Port Destination Destination Port
192.168.56.1 137 192.168.56.101 137
192.168.56.1 138 192.168.56.101 138
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.