16.6
0-day
47 个模型检测该样本为恶意!
重新分析
更多

99b2d9e790cfb597b01a934bcf113cd6675f4a5ef260da57ef2a86d68ecbc1b2

a4b9cb78deefd62d30d2f21e65fe8c7a.exe

分析耗时

119s

最近分析

文件大小

487.0KB
静态报毒 动态报毒 100% AI SCORE=82 ALI1000139 ATTRIBUTE BT77RO CONFIDENCE CRYPTERX EQ0@AS33I4K GDSDA GEN7 HAWKEYEKEYLOGGER HIGH CONFIDENCE HIGHCONFIDENCE IGENT KCLOUD KRYPTIK MALICIOUS PE MALWARE@#LUNIXUIDLX4B OCCAMY RAZY SCORE STARTER STATIC AI SUSGEN UNSAFE XPACK ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee RDN/Generic.grp 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:CrypterX-gen [Trj] 20201210 21.1.5827.0
Alibaba Trojan:Win32/starter.ali1000139 20190527 0.3.0.5
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1619812884.395124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619812887.839487
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619812893.554918
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619812893.866918
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1619812845.254124
IsDebuggerPresent
failed 0 0
1619812845.254124
IsDebuggerPresent
failed 0 0
1619812893.288918
IsDebuggerPresent
failed 0 0
1619812893.288918
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619812892.011487
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\ABxVOQj"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619812845.379124
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .sdata
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain checkip.dyndns.org
Performs some HTTP requests (1 个事件)
request GET http://checkip.dyndns.org/
Allocates read-write-execute memory (usually to unpack itself) (50 out of 168 个事件)
Time & API Arguments Status Return Repeated
1619812843.738124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00900000
success 0 0
1619812843.738124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a30000
success 0 0
1619812845.035124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00520000
success 0 0
1619812845.035124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619812845.082124
NtProtectVirtualMemory
process_identifier: 1324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619812845.254124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02190000
success 0 0
1619812845.254124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c0000
success 0 0
1619812845.254124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052a000
success 0 0
1619812845.254124
NtProtectVirtualMemory
process_identifier: 1324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619812845.254124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00522000
success 0 0
1619812845.645124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00532000
success 0 0
1619812845.738124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00555000
success 0 0
1619812845.738124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055b000
success 0 0
1619812845.738124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619812845.848124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00533000
success 0 0
1619812845.848124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053c000
success 0 0
1619812845.879124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b0000
success 0 0
1619812846.457124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00534000
success 0 0
1619812846.457124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00536000
success 0 0
1619812846.551124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00537000
success 0 0
1619812846.598124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054a000
success 0 0
1619812846.598124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00547000
success 0 0
1619812846.770124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00546000
success 0 0
1619812846.785124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053a000
success 0 0
1619812846.816124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b1000
success 0 0
1619812847.004124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00581000
success 0 0
1619812847.270124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b7000
success 0 0
1619812847.473124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b8000
success 0 0
1619812847.473124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007bd000
success 0 0
1619812847.473124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00538000
success 0 0
1619812847.520124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007be000
success 0 0
1619812847.566124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00539000
success 0 0
1619812847.566124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007bf000
success 0 0
1619812870.957124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02190000
success 0 0
1619812870.957124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02191000
success 0 0
1619812870.988124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02192000
success 0 0
1619812871.035124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02193000
success 0 0
1619812871.113124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02197000
success 0 0
1619812871.285124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a10000
success 0 0
1619812871.285124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a11000
success 0 0
1619812871.332124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a12000
success 0 0
1619812871.332124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a13000
success 0 0
1619812871.363124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a14000
success 0 0
1619812871.363124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02198000
success 0 0
1619812871.363124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c1000
success 0 0
1619812871.363124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c2000
success 0 0
1619812871.379124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c3000
success 0 0
1619812871.379124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c4000
success 0 0
1619812871.379124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c5000
success 0 0
1619812871.379124
NtAllocateVirtualMemory
process_identifier: 1324
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c6000
success 0 0
Steals private information from local Internet browsers (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies
Looks up the external IP address (1 个事件)
domain checkip.dyndns.org
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ABxVOQj" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp577C.tmp"
cmdline schtasks.exe /Create /TN "Updates\ABxVOQj" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp577C.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619812887.957124
ShellExecuteExW
parameters: /Create /TN "Updates\ABxVOQj" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp577C.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619812895.819918
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.822361959770723 section {'size_of_data': '0x00075200', 'virtual_address': '0x00002000', 'entropy': 7.822361959770723, 'name': '.text', 'virtual_size': '0x00075094'} description A section with a high entropy has been found
entropy 0.9639917695473251 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619812893.535124
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ABxVOQj" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp577C.tmp"
cmdline schtasks.exe /Create /TN "Updates\ABxVOQj" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp577C.tmp"
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 113.108.239.196
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619812893.020124
NtAllocateVirtualMemory
process_identifier: 1344
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000428
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Checks the version of Bios, possibly for anti-virtualization (2 个事件)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Detects virtualization software with SCSI Disk Identifier trick(s) (1 个事件)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp577C.tmp
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619812893.020124
WriteProcessMemory
process_identifier: 1344
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÓE_à  –´ À@ @…À³KÀ¸à  H.text” – `.rsrc¸À˜@@.reloc àž@B
process_handle: 0x00000428
base_address: 0x00400000
success 1 0
1619812893.051124
WriteProcessMemory
process_identifier: 1344
buffer:  €P€8€€h€ À,ÌÂê,4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ŒStringFileInfoh000004b0,FileDescription 0FileVersion0.0.0.0,InternalNameq.exe(LegalCopyright 4OriginalFilenameq.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000428
base_address: 0x0046c000
success 1 0
1619812893.051124
WriteProcessMemory
process_identifier: 1344
buffer: ° 4c00bf9923d2cb6798ca354041f0e6a7f
process_handle: 0x00000428
base_address: 0x0046e000
success 1 0
1619812893.051124
WriteProcessMemory
process_identifier: 1344
buffer: @
process_handle: 0x00000428
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619812893.020124
WriteProcessMemory
process_identifier: 1344
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÓE_à  –´ À@ @…À³KÀ¸à  H.text” – `.rsrc¸À˜@@.reloc àž@B
process_handle: 0x00000428
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 1324 called NtSetContextThread to modify thread in remote process 1344
Time & API Arguments Status Return Repeated
1619812893.066124
NtSetContextThread
thread_handle: 0x0000042c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4633614
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1344
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 1324 resumed a thread in remote process 1344
Time & API Arguments Status Return Repeated
1619812893.238124
NtResumeThread
thread_handle: 0x0000042c
suspend_count: 1
process_identifier: 1344
success 0 0
Detects VirtualBox through the presence of a registry key (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
Detects VMWare through the presence of a registry key (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Detects the presence of Wine emulator (1 个事件)
Time & API Arguments Status Return Repeated
1619812884.051124
LdrGetProcedureAddress
ordinal: 0
module: KERNEL32
module_address: 0x76340000
function_address: 0x003adafc
function_name: wine_get_unix_file_name
failed 3221225785 0
Executed a process and injected code into it, probably while unpacking (23 个事件)
Time & API Arguments Status Return Repeated
1619812845.254124
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1324
success 0 0
1619812845.254124
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1324
success 0 0
1619812845.379124
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 1324
success 0 0
1619812884.066124
NtResumeThread
thread_handle: 0x0000025c
suspend_count: 1
process_identifier: 1324
success 0 0
1619812884.270124
NtResumeThread
thread_handle: 0x000002d0
suspend_count: 1
process_identifier: 1324
success 0 0
1619812887.957124
CreateProcessInternalW
thread_identifier: 2632
thread_handle: 0x00000438
process_identifier: 2168
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ABxVOQj" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp577C.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000470
inherit_handles: 0
success 1 0
1619812893.020124
CreateProcessInternalW
thread_identifier: 3036
thread_handle: 0x0000042c
process_identifier: 1344
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000428
inherit_handles: 0
success 1 0
1619812893.020124
NtGetContextThread
thread_handle: 0x0000042c
success 0 0
1619812893.020124
NtAllocateVirtualMemory
process_identifier: 1344
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000428
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619812893.020124
WriteProcessMemory
process_identifier: 1344
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÓE_à  –´ À@ @…À³KÀ¸à  H.text” – `.rsrc¸À˜@@.reloc àž@B
process_handle: 0x00000428
base_address: 0x00400000
success 1 0
1619812893.020124
WriteProcessMemory
process_identifier: 1344
buffer:
process_handle: 0x00000428
base_address: 0x00402000
success 1 0
1619812893.051124
WriteProcessMemory
process_identifier: 1344
buffer:  €P€8€€h€ À,ÌÂê,4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ŒStringFileInfoh000004b0,FileDescription 0FileVersion0.0.0.0,InternalNameq.exe(LegalCopyright 4OriginalFilenameq.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000428
base_address: 0x0046c000
success 1 0
1619812893.051124
WriteProcessMemory
process_identifier: 1344
buffer: ° 4c00bf9923d2cb6798ca354041f0e6a7f
process_handle: 0x00000428
base_address: 0x0046e000
success 1 0
1619812893.051124
WriteProcessMemory
process_identifier: 1344
buffer: @
process_handle: 0x00000428
base_address: 0x7efde008
success 1 0
1619812893.066124
NtSetContextThread
thread_handle: 0x0000042c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4633614
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1344
success 0 0
1619812893.238124
NtResumeThread
thread_handle: 0x0000042c
suspend_count: 1
process_identifier: 1344
success 0 0
1619812893.238124
NtResumeThread
thread_handle: 0x0000044c
suspend_count: 1
process_identifier: 1324
success 0 0
1619812893.288918
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1344
success 0 0
1619812893.288918
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1344
success 0 0
1619812893.335918
NtResumeThread
thread_handle: 0x000001a0
suspend_count: 1
process_identifier: 1344
success 0 0
1619812893.601918
NtResumeThread
thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 1344
success 0 0
1619812893.773918
NtResumeThread
thread_handle: 0x0000029c
suspend_count: 1
process_identifier: 1344
success 0 0
1619812898.523918
NtResumeThread
thread_handle: 0x00000468
suspend_count: 1
process_identifier: 1344
success 0 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-21 11:26:03

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49189 131.186.161.70 checkip.dyndns.org 80
192.168.56.101 49191 131.186.161.70 checkip.dyndns.org 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://checkip.dyndns.org/ 
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.