5.0
Medium risk

fe18e09e2705623ef969c04a0c2b1ccd47c88ed05202629b62965e1535bfe8e5

a2984831495728a6a311e4e27b630b36.exe

Analysis duration

86s

Last analysis

File size

3.5MB
Static detection Dynamic detection
Hawkeye Engine
Not detected No Hawkeye Engine detection result available
Static verdict
Antivirus engines
Engine Result Date Version
McAfee 20201010 6.0.6.653
CrowdStrike 20190702 1.0
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast 20201010 18.4.3895.0
Kingsoft 20201010 2013.8.14.323
Static indicators
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620999075.521751
IsDebuggerPresent
failed 0 0
This executable is signed
The executable uses a known packer (1 event)
packer PECompact 2.xx --> BitSum Technologies
The file contains an unknown PE resource name possibly indicative of a packer (3 events)
resource name AVI
resource name GIF
resource name PNG
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated
1620999074.990751
__exception__
stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1638276
registers.edi: 0
registers.eax: 0
registers.ebp: 1638292
registers.edx: 4198400
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 04 58 02
exception.symbol: a2984831495728a6a311e4e27b630b36+0x1016
exception.instruction: mov dword ptr [eax], ecx
exception.module: a2984831495728a6a311e4e27b630b36.exe
exception.exception_code: 0xc0000005
exception.offset: 4118
exception.address: 0x401016
success 0 0
1620999117.318751
__exception__
stacktrace:
_AddCrashHandlerLimitModule@4-0x6e756 a2984831495728a6a311e4e27b630b36+0xd5806 @ 0x4d5806
_IsNT@0+0x507b0e a2984831495728a6a311e4e27b630b36+0x64cc48 @ 0xa4cc48
_IsNT@0+0x5077a6 a2984831495728a6a311e4e27b630b36+0x64c8e0 @ 0xa4c8e0
_IsNT@0+0x50532f a2984831495728a6a311e4e27b630b36+0x64a469 @ 0xa4a469
_AddCrashHandlerLimitModule@4-0x14290c a2984831495728a6a311e4e27b630b36+0x1650 @ 0x401650
_AddCrashHandlerLimitModule@4-0x14285a a2984831495728a6a311e4e27b630b36+0x1702 @ 0x401702
_AddCrashHandlerLimitModule@4-0x1233e7 a2984831495728a6a311e4e27b630b36+0x20b75 @ 0x420b75
_AddCrashHandlerLimitModule@4-0x122ba0 a2984831495728a6a311e4e27b630b36+0x213bc @ 0x4213bc
_AddCrashHandlerLimitModule@4-0x122924 a2984831495728a6a311e4e27b630b36+0x21638 @ 0x421638
_AddCrashHandlerLimitModule@4-0x12276b a2984831495728a6a311e4e27b630b36+0x217f1 @ 0x4217f1
_AddCrashHandlerLimitModule@4-0x2dc52 a2984831495728a6a311e4e27b630b36+0x11630a @ 0x51630a
_AddCrashHandlerLimitModule@4-0x2da34 a2984831495728a6a311e4e27b630b36+0x116528 @ 0x516528
_IsNT@0+0x5217be a2984831495728a6a311e4e27b630b36+0x6668f8 @ 0xa668f8
_IsNT@0+0x52143e a2984831495728a6a311e4e27b630b36+0x666578 @ 0xa66578
_IsNT@0+0x1d3284 a2984831495728a6a311e4e27b630b36+0x3183be @ 0x7183be
_IsNT@0+0x1d3569 a2984831495728a6a311e4e27b630b36+0x3186a3 @ 0x7186a3
_AddCrashHandlerLimitModule@4-0xd8371 a2984831495728a6a311e4e27b630b36+0x6bbeb @ 0x46bbeb
_AddCrashHandlerLimitModule@4-0xd625d a2984831495728a6a311e4e27b630b36+0x6dcff @ 0x46dcff
_AddCrashHandlerLimitModule@4-0xd5ee7 a2984831495728a6a311e4e27b630b36+0x6e075 @ 0x46e075
_IsNT@0+0x246d2d a2984831495728a6a311e4e27b630b36+0x38be67 @ 0x78be67
_IsNT@0+0x246f3c a2984831495728a6a311e4e27b630b36+0x38c076 @ 0x78c076
_IsNT@0+0x24a30e a2984831495728a6a311e4e27b630b36+0x38f448 @ 0x78f448
_IsNT@0+0x2448a9 a2984831495728a6a311e4e27b630b36+0x3899e3 @ 0x7899e3
_IsNT@0+0x2453db a2984831495728a6a311e4e27b630b36+0x38a515 @ 0x78a515
_IsNT@0+0x240166 a2984831495728a6a311e4e27b630b36+0x3852a0 @ 0x7852a0
_IsNT@0+0x243927 a2984831495728a6a311e4e27b630b36+0x388a61 @ 0x788a61
_IsNT@0+0x2439b6 a2984831495728a6a311e4e27b630b36+0x388af0 @ 0x788af0
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
GetEffectiveClientRect+0x3409 DPA_Merge-0xa5a comctl32+0xa4601 @ 0x753a4601
GetEffectiveClientRect+0x346b DPA_Merge-0x9f8 comctl32+0xa4663 @ 0x753a4663
GetEffectiveClientRect+0x32f5 DPA_Merge-0xb6e comctl32+0xa44ed @ 0x753a44ed
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x775b0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x775b0d4d
_IsNT@0+0x23ffd6 a2984831495728a6a311e4e27b630b36+0x385110 @ 0x785110
_IsNT@0+0x2429b5 a2984831495728a6a311e4e27b630b36+0x387aef @ 0x787aef
_IsNT@0+0x245757 a2984831495728a6a311e4e27b630b36+0x38a891 @ 0x78a891
_IsNT@0+0x240166 a2984831495728a6a311e4e27b630b36+0x3852a0 @ 0x7852a0
_IsNT@0+0x243927 a2984831495728a6a311e4e27b630b36+0x388a61 @ 0x788a61
_IsNT@0+0x2439b6 a2984831495728a6a311e4e27b630b36+0x388af0 @ 0x788af0
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
DestroyPropertySheetPage+0x69a DllGetVersion-0x1939 comctl32+0x44136 @ 0x75344136
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x775b0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x775b0d4d
_IsNT@0+0x23ffd6 a2984831495728a6a311e4e27b630b36+0x385110 @ 0x785110
_IsNT@0+0x24017d a2984831495728a6a311e4e27b630b36+0x3852b7 @ 0x7852b7
_IsNT@0+0x243927 a2984831495728a6a311e4e27b630b36+0x388a61 @ 0x788a61
_IsNT@0+0x2439b6 a2984831495728a6a311e4e27b630b36+0x388af0 @ 0x788af0
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
PeekMessageW+0x197 MsgWaitForMultipleObjectsEx-0x143 user32+0x20751 @ 0x775b0751
_IsNT@0+0x20f9a7 a2984831495728a6a311e4e27b630b36+0x354ae1 @ 0x754ae1

registers.esp: 1631184
registers.edi: 1983189260
registers.eax: 1631196
registers.ebp: 1631228
registers.edx: 1631196
registers.ebx: 0
registers.esi: 55162368
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 04 6a 00 8d 55 e0 52 c7 45 fc 00 00
exception.symbol: _AddCrashHandlerLimitModule@4-0x6e8ba a2984831495728a6a311e4e27b630b36+0xd56a2
exception.instruction: mov eax, dword ptr [ecx]
exception.module: a2984831495728a6a311e4e27b630b36.exe
exception.exception_code: 0xc0000005
exception.offset: 874146
exception.address: 0x4d56a2
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Resolves a suspicious Top Level Domain (TLD) (1 event)
domain bridgit.digis.ru description Russian Federation domain TLD
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
1620999074.990751
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00fd0000
success 0 0
1620999074.990751
NtAllocateVirtualMemory
process_identifier: 2296
region_size: 12075008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x032f0000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SMART Technologies\Bridgit\4.7.109.0\BridgitCrashReporter.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SMART Technologies\Bridgit\4.7.109.0\BridgitCrashReporter.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.999945650208477 section {'size_of_data': '0x00378600', 'virtual_address': '0x00001000', 'entropy': 7.999945650208477, 'name': '.text', 'virtual_size': '0x00ba4000'} description A section with a high entropy has been found
entropy 0.9823082239115412 description Overall entropy of this PE file is high
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Disables proxy possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1620999077.771751
RegSetValueExA
key_handle: 0x000002ac
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Visual analysis
Binary image
No binary image available: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots available: no screenshots were captured while the sample ran


PE Compile Time

2015-04-30 20:09:46

Imports

Library kernel32.dll:
0xfb3b70 LoadLibraryA
0xfb3b74 GetProcAddress
0xfb3b78 VirtualAlloc
0xfb3b7c VirtualFree
Library WININET.dll:
0xfb3b84 InternetReadFile
Library AVICAP32.dll:
Library SHFOLDER.dll:
0xfb3b94 SHGetFolderPathW
Library VERSION.dll:
0xfb3b9c VerQueryValueA
Library RPCRT4.dll:
0xfb3ba4 UuidCreate
Library imagehlp.dll:
0xfb3bac MapFileAndCheckSumW
Library Secur32.dll:
0xfb3bb4 GetUserNameExW
Library GDI32.dll:
0xfb3bbc SetWinMetaFileBits
Library MSIMG32.dll:
0xfb3bc4 AlphaBlend
Library COMDLG32.dll:
0xfb3bcc GetFileTitleW
Library WINSPOOL.DRV:
0xfb3bd4 OpenPrinterW
Library SHELL32.dll:
0xfb3bdc SHGetMalloc
Library COMCTL32.dll:
Library SHLWAPI.dll:
0xfb3bec PathFindFileNameW
Library ole32.dll:
0xfb3bf4 CreateFileMoniker
Library OLEAUT32.dll:
0xfb3bfc SysAllocStringLen
Library oledlg.dll:
0xfb3c04 OleUIBusyW
Library IMM32.dll:
0xfb3c0c ImmGetContext
Library WS2_32.dll:
0xfb3c14 socket

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49182 83.69.205.178 bridgit.digis.ru 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.