14.0
0-day

5c8962c65557bc5ae404143ad8d59911eb2e87fad327ae58f449b2f86cfdd63b

a38372591737f530b778c116cb6e5c0a.exe

Analysis duration

112s

Latest analysis

File size

269.0KB
Static detection Dynamic detection AEXQ AGENSLA AGENTTESLA AI SCORE=85 AVSARHER BSIDR7 CLOUD CONFIDENCE CRYPTINJECT EBEFW ELDORADO EMTZ FAREIT GDSDA GENERICKDZ GENKRYPTIK HIGH CONFIDENCE HNAMTE INJECTORX KRYPTIK LLQP MALREP MALWARE@#1GX8ET76YPGIW QQPASS QQROB R343140 SIGGEN9 THFAIBO TROJANPSW More
Hawkeye engine
Not detected: no Hawkeye engine results available
Static verdict
Antivirus engines
Engine Result Scan time Engine version
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Alibaba TrojanPSW:Win32/CryptInject.1001e0a4 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20200715 2013.8.14.323
McAfee Fareit-FTY!A38372591737 20200714 6.0.6.653
Tencent Msil.Trojan-qqpass.Qqrob.Llqp 20200715 1.0.0.1
Avast Win32:InjectorX-gen [Trj] 20200715 18.4.3895.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619796876.807626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619796830.542126
IsDebuggerPresent
failed 0 0
1619796830.542126
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619796883.260626
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\RDKhAveTgVgGF"。
console_handle: 0x00000007
success 1 0
This executable has a PDB path (1 event)
pdb_path C:\Users\Administrator\Desktop\Client\Temp\csIvsUvctQ\src\obj\Debug\binOkfiaDX.pdb
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619796830.557126
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619796887.260249
__exception__
stacktrace:
a38372591737f530b778c116cb6e5c0a+0x34c3 @ 0x4034c3
a38372591737f530b778c116cb6e5c0a+0x10016 @ 0x410016
a38372591737f530b778c116cb6e5c0a+0x121b1 @ 0x4121b1
a38372591737f530b778c116cb6e5c0a+0x5986 @ 0x405986
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2684880
registers.edi: 2685020
registers.eax: 2684904
registers.ebp: 2684920
registers.edx: 43450368
registers.ebx: 2685160
registers.esi: 43843584
registers.ecx: 0
exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x76373118
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS domain (1 event)
domain baby212.ddns.net
Allocates read-write-execute memory (usually to unpack itself) (50 out of 59 events)
Time & API Arguments Status Return Repeated
1619796829.573126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00230000
success 0 0
1619796829.573126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00250000
success 0 0
1619796830.339126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00c20000
success 0 0
1619796830.339126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d80000
success 0 0
1619796830.495126
NtProtectVirtualMemory
process_identifier: 1176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619796830.542126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00dc0000
success 0 0
1619796830.542126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f80000
success 0 0
1619796830.542126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003da000
success 0 0
1619796830.542126
NtProtectVirtualMemory
process_identifier: 1176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619796830.542126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d2000
success 0 0
1619796830.729126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e2000
success 0 0
1619796830.776126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00405000
success 0 0
1619796830.776126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040b000
success 0 0
1619796830.776126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00407000
success 0 0
1619796830.885126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e3000
success 0 0
1619796830.932126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ec000
success 0 0
1619796830.964126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a50000
success 0 0
1619796830.979126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a51000
success 0 0
1619796831.089126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e4000
success 0 0
1619796831.089126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e5000
success 0 0
1619796831.260126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e6000
success 0 0
1619796831.292126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f6000
success 0 0
1619796831.307126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fa000
success 0 0
1619796831.307126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f7000
success 0 0
1619796831.323126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e7000
success 0 0
1619796831.323126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a52000
success 0 0
1619796831.354126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e8000
success 0 0
1619796831.354126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a53000
success 0 0
1619796831.745126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e9000
success 0 0
1619796864.760126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a56000
success 0 0
1619796864.792126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a57000
success 0 0
1619796864.870126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e40000
success 0 0
1619796864.870126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a58000
success 0 0
1619796864.870126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a59000
success 0 0
1619796864.964126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a5a000
success 0 0
1619796865.010126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a5b000
success 0 0
1619796865.010126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a5f000
success 0 0
1619796865.026126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ed000
success 0 0
1619796865.385126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04510000
success 0 0
1619796865.401126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e41000
success 0 0
1619796865.401126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f81000
success 0 0
1619796865.417126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f82000
success 0 0
1619796865.417126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f83000
success 0 0
1619796865.417126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f84000
success 0 0
1619796865.417126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f85000
success 0 0
1619796865.417126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f86000
success 0 0
1619796865.417126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f88000
success 0 0
1619796865.417126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f8c000
success 0 0
1619796865.417126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f9d000
success 0 0
1619796865.464126
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04511000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RDKhAveTgVgGF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BB7.tmp"
cmdline schtasks.exe /Create /TN "Updates\RDKhAveTgVgGF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BB7.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619796876.604126
ShellExecuteExW
parameters: /Create /TN "Updates\RDKhAveTgVgGF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BB7.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.4806398577674775 section {'size_of_data': '0x00040200', 'virtual_address': '0x00002000', 'entropy': 7.4806398577674775, 'name': '.text', 'virtual_size': '0x0004001c'} description A section with a high entropy has been found
entropy 0.9553072625698324 description Overall entropy of this PE file is high
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RDKhAveTgVgGF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BB7.tmp"
cmdline schtasks.exe /Create /TN "Updates\RDKhAveTgVgGF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BB7.tmp"
Network communication
Communicates with a host for which no DNS query was performed (2 events)
host 113.108.239.196
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619796884.885126
NtAllocateVirtualMemory
process_identifier: 324
region_size: 1388544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000358
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Installs itself for autorun at Windows startup (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BB7.tmp
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ 6àEkX³EkX³EkX³†d³DkX³LܳDkX³†d³GkX³b­5³DkX³b­6³FkX³@gW³DkX³LÛ³AkX³L˳ZkX³EkY³£kX³ÖQ²)kX³Ö§³DkX³ÖZ²DkX³RichEkX³PEL“2µ^à ÚY0@0@…<fàp,àÀd0`.text `.rdataÖH0J @@.dataŒP€j@À.rsrcp,à.p@@.relocàž@B.bss ®@@
process_handle: 0x00000358
base_address: 0x00400000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: Í@ï@þ@ @@+@:@\@k@€@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(PAPAU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃì[Ad
process_handle: 0x00000358
base_address: 0x00418000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: 2/n܈(}’íCÛç 62öJ®áè íÏYïñÒ tm 3¼Ï‹˟ÛÛ%!%Ώ•ÀñV¶eCbŽÇ•ciÃ4ª}1Y{™ó54#‹ŸËë;0 ÏV–Jñېý·s<¶¬éæ®±ÖôŽÞ)²Ó`•IÇ v‚ûg£FDU‰Ü½&Ø"÷Õ'
process_handle: 0x00000358
base_address: 0x00552000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: @
process_handle: 0x00000358
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ 6àEkX³EkX³EkX³†d³DkX³LܳDkX³†d³GkX³b­5³DkX³b­6³FkX³@gW³DkX³LÛ³AkX³L˳ZkX³EkY³£kX³ÖQ²)kX³Ö§³DkX³ÖZ²DkX³RichEkX³PEL“2µ^à ÚY0@0@…<fàp,àÀd0`.text `.rdataÖH0J @@.dataŒP€j@À.rsrcp,à.p@@.relocàž@B.bss ®@@
process_handle: 0x00000358
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 1176 called NtSetContextThread to modify thread in remote process 324
Time & API Arguments Status Return Repeated
1619796884.885126
NtSetContextThread
thread_handle: 0x00000250
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217095
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 324
success 0 0
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\:Zone.Identifier
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 1176 resumed a thread in remote process 324
Time & API Arguments Status Return Repeated
1619796884.932126
NtResumeThread
thread_handle: 0x00000250
suspend_count: 1
process_identifier: 324
success 0 0
Executed a process and injected code into it, probably while unpacking (19 events)
Time & API Arguments Status Return Repeated
1619796830.542126
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1176
success 0 0
1619796830.542126
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1176
success 0 0
1619796830.557126
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 1176
success 0 0
1619796875.885126
NtResumeThread
thread_handle: 0x0000024c
suspend_count: 1
process_identifier: 1176
success 0 0
1619796876.604126
CreateProcessInternalW
thread_identifier: 1244
thread_handle: 0x00000340
process_identifier: 2168
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RDKhAveTgVgGF" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3BB7.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000384
inherit_handles: 0
success 1 0
1619796884.885126
CreateProcessInternalW
thread_identifier: 2316
thread_handle: 0x00000250
process_identifier: 324
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a38372591737f530b778c116cb6e5c0a.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a38372591737f530b778c116cb6e5c0a.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000358
inherit_handles: 0
success 1 0
1619796884.885126
NtGetContextThread
thread_handle: 0x00000250
success 0 0
1619796884.885126
NtAllocateVirtualMemory
process_identifier: 324
region_size: 1388544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000358
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ 6àEkX³EkX³EkX³†d³DkX³LܳDkX³†d³GkX³b­5³DkX³b­6³FkX³@gW³DkX³LÛ³AkX³L˳ZkX³EkY³£kX³ÖQ²)kX³Ö§³DkX³ÖZ²DkX³RichEkX³PEL“2µ^à ÚY0@0@…<fàp,àÀd0`.text `.rdataÖH0J @@.dataŒP€j@À.rsrcp,à.p@@.relocàž@B.bss ®@@
process_handle: 0x00000358
base_address: 0x00400000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer:
process_handle: 0x00000358
base_address: 0x00401000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer:
process_handle: 0x00000358
base_address: 0x00413000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: Í@ï@þ@ @@+@:@\@k@€@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(PAPAU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃì[Ad
process_handle: 0x00000358
base_address: 0x00418000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer:
process_handle: 0x00000358
base_address: 0x0054e000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer:
process_handle: 0x00000358
base_address: 0x00551000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: 2/n܈(}’íCÛç 62öJ®áè íÏYïñÒ tm 3¼Ï‹˟ÛÛ%!%Ώ•ÀñV¶eCbŽÇ•ciÃ4ª}1Y{™ó54#‹ŸËë;0 ÏV–Jñېý·s<¶¬éæ®±ÖôŽÞ)²Ó`•IÇ v‚ûg£FDU‰Ü½&Ø"÷Õ'
process_handle: 0x00000358
base_address: 0x00552000
success 1 0
1619796884.885126
WriteProcessMemory
process_identifier: 324
buffer: @
process_handle: 0x00000358
base_address: 0x7efde008
success 1 0
1619796884.885126
NtSetContextThread
thread_handle: 0x00000250
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217095
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 324
success 0 0
1619796884.932126
NtResumeThread
thread_handle: 0x00000250
suspend_count: 1
process_identifier: 324
success 0 0
1619796884.932126
NtResumeThread
thread_handle: 0x00000338
suspend_count: 1
process_identifier: 1176
success 0 0
File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)
DrWeb Trojan.Siggen9.55133
MicroWorld-eScan Trojan.GenericKDZ.68026
FireEye Generic.mg.a38372591737f530
CAT-QuickHeal Trojan.Emtz
ALYac Trojan.GenericKDZ.68026
Sangfor Malware
CrowdStrike win/malicious_confidence_60% (W)
Alibaba TrojanPSW:Win32/CryptInject.1001e0a4
K7GW Trojan ( 005626dd1 )
K7AntiVirus Trojan ( 005626dd1 )
Arcabit Trojan.Generic.D109BA
Cyren W32/MSIL_Kryptik.AYD.gen!Eldorado
Symantec Backdoor.Trojan
ESET-NOD32 a variant of MSIL/Kryptik.WLJ
TrendMicro-HouseCall Trojan.MSIL.MALREP.THFAIBO
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKDZ.68026
NANO-Antivirus Trojan.Win32.Agensla.hnamte
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Ad-Aware Trojan.GenericKDZ.68026
Emsisoft Trojan.GenericKDZ.68026 (B)
Comodo Malware@#1gx8et76ypgiw
F-Secure Trojan.TR/Kryptik.ebefw
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.MSIL.MALREP.THFAIBO
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Inject
Jiangmin Trojan.PSW.MSIL.aexq
Webroot W32.Trojan.Gen
Avira TR/Kryptik.ebefw
Microsoft Trojan:Win32/CryptInject
Endgame malicious (high confidence)
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKDZ.68026
AhnLab-V3 Trojan/Win32.AgentTesla.R343140
McAfee Fareit-FTY!A38372591737
Malwarebytes Trojan.MalPack.ADC
Panda Trj/GdSda.A
APEX Malicious
Tencent Msil.Trojan-qqpass.Qqrob.Llqp
Yandex Trojan.AvsArher.bSIdr7
MAX malware (ai score=85)
Fortinet MSIL/Agensla.EMTZ!tr.pws
AVG Win32:InjectorX-gen [Trj]
Avast Win32:InjectorX-gen [Trj]
Qihoo-360 Generic/Trojan.PSW.374
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2058-11-25 13:12:12

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.