12.6
0-day
54 个模型检测该样本为恶意!
重新分析
更多

15ac6b1a7fdb92b545dae44b1a88d6328629944771bdce75002637cdbf299027

a2a1d155dd4b111472471f6e5e8265e9.exe

分析耗时

101s

最近分析

文件大小

993.5KB
静态报毒 动态报毒 AGENTTESLA AI SCORE=81 ATTRIBUTE BUCZ1X CONFIDENCE ELDORADO EPNV FAREIT GDSDA GENERICKDZ GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HQKCSK IGENT INJECT3 KCLOUD KRYPTIK LMAJ M0@AM3FV9N MALICIOUS PE MALWARE@#30W21UEEZ2615 PWSX R002C0DH420 R346792 SCORE SDLQF STATIC AI SUSGEN TSCOPE UNSAFE YAKBEEXMSIL YMACCO ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Alibaba Trojan:Win32/Ymacco.455a45a1 20190527 0.3.0.5
Tencent Msil.Trojan.Crypt.Lmaj 20201211 1.0.0.1
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Fareit-FXU!A2A1D155DD4B 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619814912.130499
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (30 个事件)
Time & API Arguments Status Return Repeated
1619781473.718375
IsDebuggerPresent
failed 0 0
1619781473.718375
IsDebuggerPresent
failed 0 0
1619781528.249375
IsDebuggerPresent
failed 0 0
1619781528.765375
IsDebuggerPresent
failed 0 0
1619781529.296375
IsDebuggerPresent
failed 0 0
1619781529.765375
IsDebuggerPresent
failed 0 0
1619781530.296375
IsDebuggerPresent
failed 0 0
1619781530.765375
IsDebuggerPresent
failed 0 0
1619781531.296375
IsDebuggerPresent
failed 0 0
1619781531.765375
IsDebuggerPresent
failed 0 0
1619781532.296375
IsDebuggerPresent
failed 0 0
1619781532.765375
IsDebuggerPresent
failed 0 0
1619781533.296375
IsDebuggerPresent
failed 0 0
1619781533.765375
IsDebuggerPresent
failed 0 0
1619781534.296375
IsDebuggerPresent
failed 0 0
1619781534.765375
IsDebuggerPresent
failed 0 0
1619781535.296375
IsDebuggerPresent
failed 0 0
1619781535.765375
IsDebuggerPresent
failed 0 0
1619781536.296375
IsDebuggerPresent
failed 0 0
1619781536.765375
IsDebuggerPresent
failed 0 0
1619781537.296375
IsDebuggerPresent
failed 0 0
1619781537.765375
IsDebuggerPresent
failed 0 0
1619781538.296375
IsDebuggerPresent
failed 0 0
1619781538.812375
IsDebuggerPresent
failed 0 0
1619781539.296375
IsDebuggerPresent
failed 0 0
1619781539.828375
IsDebuggerPresent
failed 0 0
1619781540.296375
IsDebuggerPresent
failed 0 0
1619781540.828375
IsDebuggerPresent
failed 0 0
1619814913.755499
IsDebuggerPresent
failed 0 0
1619814913.755499
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 个事件)
Time & API Arguments Status Return Repeated
1619814912.177499
WriteConsoleW
buffer: 错误:
console_handle: 0x0000000b
success 1 0
1619814912.193499
WriteConsoleW
buffer: 任务 XML 格式错误。
console_handle: 0x0000000b
success 1 0
1619814912.193499
WriteConsoleW
buffer: (44,80):Command:
console_handle: 0x0000000b
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619781473.734375
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 135 个事件)
Time & API Arguments Status Return Repeated
1619781469.937375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005e0000
success 0 0
1619781469.937375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00770000
success 0 0
1619781473.187375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01ea0000
success 0 0
1619781473.187375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd0000
success 0 0
1619781473.609375
NtProtectVirtualMemory
process_identifier: 944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619781473.718375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x007b0000
success 0 0
1619781473.718375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007d0000
success 0 0
1619781473.734375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053a000
success 0 0
1619781473.734375
NtProtectVirtualMemory
process_identifier: 944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619781473.734375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00532000
success 0 0
1619781474.203375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00542000
success 0 0
1619781474.265375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00565000
success 0 0
1619781474.265375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056b000
success 0 0
1619781474.265375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00567000
success 0 0
1619781474.421375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00543000
success 0 0
1619781474.421375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00544000
success 0 0
1619781474.421375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054c000
success 0 0
1619781475.031375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00545000
success 0 0
1619781475.031375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00546000
success 0 0
1619781477.749375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00547000
success 0 0
1619781478.218375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02010000
success 0 0
1619781478.953375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055a000
success 0 0
1619781478.953375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619781479.046375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00556000
success 0 0
1619781479.078375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02011000
success 0 0
1619781479.468375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00548000
success 0 0
1619781479.468375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00549000
success 0 0
1619781479.687375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020e0000
success 0 0
1619781479.703375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020e1000
success 0 0
1619781479.718375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02012000
success 0 0
1619781479.734375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02013000
success 0 0
1619781479.734375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020e2000
success 0 0
1619781479.734375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02016000
success 0 0
1619781520.937375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd1000
success 0 0
1619781521.171375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02017000
success 0 0
1619781521.437375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053c000
success 0 0
1619781521.437375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02018000
success 0 0
1619781521.562375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020e3000
success 0 0
1619781521.562375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054d000
success 0 0
1619781521.578375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02019000
success 0 0
1619781521.703375
NtProtectVirtualMemory
process_identifier: 944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 529920
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05e20400
failed 3221225550 0
1619781527.343375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020e4000
success 0 0
1619781527.343375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0201b000
success 0 0
1619781527.390375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0201c000
success 0 0
1619781527.406375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0201d000
success 0 0
1619781527.437375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0201e000
success 0 0
1619781527.484375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0201f000
success 0 0
1619781527.984375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fb0000
success 0 0
1619781527.984375
NtAllocateVirtualMemory
process_identifier: 944
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04fb1000
success 0 0
1619781527.984375
NtProtectVirtualMemory
process_identifier: 944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05e20178
failed 3221225550 0
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp85B0.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp85B0.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619781539.656375
ShellExecuteExW
parameters: /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp85B0.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.812775901962507 section {'size_of_data': '0x000cdc00', 'virtual_address': '0x00002000', 'entropy': 7.812775901962507, 'name': '.text', 'virtual_size': '0x000cdb34'} description A section with a high entropy has been found
entropy 0.8288016112789527 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619781521.703375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619781540.609375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2140
process_handle: 0x00004508
failed 0 0
1619781540.609375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2140
process_handle: 0x00004508
success 0 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp85B0.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp85B0.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (2 个事件)
Time & API Arguments Status Return Repeated
1619781540.531375
NtAllocateVirtualMemory
process_identifier: 2140
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00006844
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619781540.656375
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00001964
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp85B0.tmp
Manipulates memory of a non-child process indicative of process injection (2 个事件)
Process injection Process 944 manipulating memory of non-child process 2140
Time & API Arguments Status Return Repeated
1619781540.531375
NtAllocateVirtualMemory
process_identifier: 2140
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00006844
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619781540.656375
WriteProcessMemory
process_identifier: 1912
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¨À9îà 0" ¾@ ` @   @…p@ K` 8€  H.textÄ "  `.rsrc8` $ @@.reloc € * @B
process_handle: 0x00001964
base_address: 0x00400000
success 1 0
1619781540.703375
WriteProcessMemory
process_identifier: 1912
buffer:  €8€P€h€€ ` ¬äLc êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00001964
base_address: 0x00496000
success 1 0
1619781540.703375
WriteProcessMemory
process_identifier: 1912
buffer: @ À0
process_handle: 0x00001964
base_address: 0x00498000
success 1 0
1619781540.703375
WriteProcessMemory
process_identifier: 1912
buffer: @
process_handle: 0x00001964
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619781540.656375
WriteProcessMemory
process_identifier: 1912
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¨À9îà 0" ¾@ ` @   @…p@ K` 8€  H.textÄ "  `.rsrc8` $ @@.reloc € * @B
process_handle: 0x00001964
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 944 called NtSetContextThread to modify thread in remote process 1912
Time & API Arguments Status Return Repeated
1619781540.703375
NtSetContextThread
thread_handle: 0x00004508
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4800702
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1912
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 944 resumed a thread in remote process 1912
Time & API Arguments Status Return Repeated
1619781541.203375
NtResumeThread
thread_handle: 0x00004508
suspend_count: 1
process_identifier: 1912
success 0 0
Executed a process and injected code into it, probably while unpacking (23 个事件)
Time & API Arguments Status Return Repeated
1619781473.718375
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 944
success 0 0
1619781473.734375
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 944
success 0 0
1619781473.734375
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 944
success 0 0
1619781528.187375
NtResumeThread
thread_handle: 0x0000d95c
suspend_count: 1
process_identifier: 944
success 0 0
1619781528.234375
NtResumeThread
thread_handle: 0x000017cc
suspend_count: 1
process_identifier: 944
success 0 0
1619781539.656375
CreateProcessInternalW
thread_identifier: 3028
thread_handle: 0x000103e0
process_identifier: 360
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp85B0.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00008fac
inherit_handles: 0
success 1 0
1619781540.531375
CreateProcessInternalW
thread_identifier: 2880
thread_handle: 0x0000b1c0
process_identifier: 2140
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a2a1d155dd4b111472471f6e5e8265e9.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a2a1d155dd4b111472471f6e5e8265e9.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00006844
inherit_handles: 0
success 1 0
1619781540.531375
NtGetContextThread
thread_handle: 0x0000b1c0
success 0 0
1619781540.531375
NtAllocateVirtualMemory
process_identifier: 2140
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00006844
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619781540.656375
CreateProcessInternalW
thread_identifier: 1932
thread_handle: 0x00004508
process_identifier: 1912
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a2a1d155dd4b111472471f6e5e8265e9.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a2a1d155dd4b111472471f6e5e8265e9.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00001964
inherit_handles: 0
success 1 0
1619781540.656375
NtGetContextThread
thread_handle: 0x00004508
success 0 0
1619781540.656375
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00001964
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619781540.656375
WriteProcessMemory
process_identifier: 1912
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¨À9îà 0" ¾@ ` @   @…p@ K` 8€  H.textÄ "  `.rsrc8` $ @@.reloc € * @B
process_handle: 0x00001964
base_address: 0x00400000
success 1 0
1619781540.656375
WriteProcessMemory
process_identifier: 1912
buffer:
process_handle: 0x00001964
base_address: 0x00402000
success 1 0
1619781540.703375
WriteProcessMemory
process_identifier: 1912
buffer:  €8€P€h€€ ` ¬äLc êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00001964
base_address: 0x00496000
success 1 0
1619781540.703375
WriteProcessMemory
process_identifier: 1912
buffer: @ À0
process_handle: 0x00001964
base_address: 0x00498000
success 1 0
1619781540.703375
WriteProcessMemory
process_identifier: 1912
buffer: @
process_handle: 0x00001964
base_address: 0x7efde008
success 1 0
1619781540.703375
NtSetContextThread
thread_handle: 0x00004508
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4800702
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1912
success 0 0
1619781541.203375
NtResumeThread
thread_handle: 0x00004508
suspend_count: 1
process_identifier: 1912
success 0 0
1619781541.218375
NtResumeThread
thread_handle: 0x0000dbdc
suspend_count: 1
process_identifier: 944
success 0 0
1619814913.755499
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1912
success 0 0
1619814913.755499
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1912
success 0 0
1619814913.833499
NtResumeThread
thread_handle: 0x000001b4
suspend_count: 1
process_identifier: 1912
success 0 0
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69193
FireEye Generic.mg.a2a1d155dd4b1114
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Trojan.GenericKDZ.69193
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056bdaa1 )
BitDefender Trojan.GenericKDZ.69193
K7GW Trojan ( 0056bdaa1 )
Cybereason malicious.16e064
Cyren W32/MSIL_Kryptik.BHB.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
Alibaba Trojan:Win32/Ymacco.455a45a1
NANO-Antivirus Trojan.Win32.Crypt.hqkcsk
Tencent Msil.Trojan.Crypt.Lmaj
Ad-Aware Trojan.GenericKDZ.69193
Emsisoft Trojan.GenericKDZ.69193 (B)
Comodo Malware@#30w21ueez2615
F-Secure Trojan.TR/Kryptik.sdlqf
DrWeb Trojan.Inject3.46680
TrendMicro TROJ_GEN.R002C0DH420
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Avira TR/Kryptik.sdlqf
Antiy-AVL Trojan/MSIL.Crypt
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:MSIL/AgentTesla.G!MTB
Gridinsoft Trojan.Win32.Kryptik.oa
Arcabit Trojan.Generic.D10E49
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
GData Trojan.GenericKDZ.69193
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.AgentTesla.R346792
McAfee Fareit-FXU!A2A1D155DD4B
MAX malware (ai score=81)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
Panda Trj/GdSda.A
ESET-NOD32 a variant of MSIL/Kryptik.XEG
TrendMicro-HouseCall TROJ_GEN.R002C0DH420
Yandex Trojan.Igent.bUcz1X.2
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/GenKryptik.EPNV!tr
BitDefenderTheta Gen:NN.ZemsilF.34670.!m0@am3fV9n
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-03 08:17:33

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49196 203.208.40.66 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.