SmartHawk

3.8

中危

1 个模型检测该样本为恶意！

重新分析

下载样本

cb57e94de41f7ab9310ac1246db24aa7e179f21d1f659e15694c2ebff04e3637

b1a08e74f87f625223e99595d157b2f9.exe

分析耗时

25s

最近分析

文件大小

324.3KB

静态报毒动态报毒 MALICIOUS

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
McAfee	20210227	6.0.6.653
Baidu	20190318	1.0.0.2
Avast	20210227	21.1.5827.0
Alibaba	20190527	0.3.0.5
Kingsoft	20210227	2017.9.26.565
Tencent	20210227	1.0.0.1
CrowdStrike	20210203	1.0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621001525.893501 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621001526.659501 GlobalMemoryStatusEx		success	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

AVI

Allocates read-write-execute memory (usually to unpack itself) (7 个事件)

Time & API	Arguments	Status
1621001526.565501 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x003d1000	success
1621001526.596501 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74fc1000	success
1621001526.643501 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74fa1000	success
1621001526.815501 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74f81000	success
1621001526.862501 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x746a1000	success
1621001527.112501 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74681000	success
1621001527.440501 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75c41000	success

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1621001525.846501 GetDiskFreeSpaceW	root_path: \ sectors_per_cluster: 8 number_of_free_clusters: 4787148 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1	0
1621001525.846501 GetDiskFreeSpaceW	root_path: \ sectors_per_cluster: 8 number_of_free_clusters: 4787148 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1	0

Creates executable files on the filesystem (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\riched20.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\riched32.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 个事件)

APEX

Malicious

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.896411629046157

section

{'size_of_data': '0x00048200', 'virtual_address': '0x0000c000', 'entropy': 7.896411629046157, 'name': '.rsrc', 'virtual_size': '0x00049000'}

description

A section with a high entropy has been found

entropy

0.8945736434108527

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.41.66

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv

reg_value

grpconv.exe -o

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1999-03-23 10:27:26

Imports

Library ADVAPI32.dll:

• 0x1001000 RegCloseKey

• 0x1001004 EqualSid

• 0x1001008 AllocateAndInitializeSid

• 0x100100c GetTokenInformation

• 0x1001010 OpenProcessToken

• 0x1001014 AdjustTokenPrivileges

• 0x1001018 LookupPrivilegeValueA

• 0x100101c FreeSid

• 0x1001020 RegDeleteValueA

• 0x1001024 RegOpenKeyExA

• 0x1001028 RegSetValueExA

• 0x100102c RegQueryValueExA

• 0x1001030 RegCreateKeyExA

• 0x1001034 RegQueryInfoKeyA

Library KERNEL32.dll:

• 0x100104c lstrcatA

• 0x1001050 GetFileAttributesA

• 0x1001054 GetShortPathNameA

• 0x1001058 LocalAlloc

• 0x100105c GetLastError

• 0x1001060 GetCurrentProcess

• 0x1001064 GetPrivateProfileIntA

• 0x1001068 lstrcmpiA

• 0x100106c lstrcpyA

• 0x1001070 GetModuleFileNameA

• 0x1001074 FreeLibrary

• 0x1001078 GetPrivateProfileStringA

• 0x100107c lstrlenA

• 0x1001080 GetSystemDirectoryA

• 0x1001084 RemoveDirectoryA

• 0x1001088 GetProcAddress

• 0x100108c FindNextFileA

• 0x1001090 DeleteFileA

• 0x1001094 SetFileAttributesA

• 0x1001098 lstrcmpA

• 0x100109c FindFirstFileA

• 0x10010a0 _lclose

• 0x10010a4 _llseek

• 0x10010a8 _lopen

• 0x10010ac WritePrivateProfileStringA

• 0x10010b0 GetWindowsDirectoryA

• 0x10010b4 LoadLibraryA

• 0x10010b8 FindClose

• 0x10010bc GlobalFree

• 0x10010c0 GlobalUnlock

• 0x10010c4 GlobalLock

• 0x10010c8 GlobalAlloc

• 0x10010cc IsDBCSLeadByte

• 0x10010d0 ExitProcess

• 0x10010d4 CloseHandle

• 0x10010d8 GetStartupInfoA

• 0x10010dc GetCommandLineA

• 0x10010e0 LoadResource

• 0x10010e4 FindResourceA

• 0x10010e8 CreateMutexA

• 0x10010ec SetEvent

• 0x10010f0 CreateEventA

• 0x10010f4 SetCurrentDirectoryA

• 0x10010f8 CreateThread

• 0x10010fc ResetEvent

• 0x1001100 TerminateThread

• 0x1001104 LocalFree

• 0x1001108 FormatMessageA

• 0x100110c GetExitCodeProcess

• 0x1001110 WaitForSingleObject

• 0x1001114 CreateProcessA

• 0x1001118 GetTempPathA

• 0x100111c FreeResource

• 0x1001120 LockResource

• 0x1001124 SizeofResource

• 0x1001128 CreateFileA

• 0x100112c ReadFile

• 0x1001130 WriteFile

• 0x1001134 SetFilePointer

• 0x1001138 SetFileTime

• 0x100113c LocalFileTimeToFileTime

• 0x1001140 DosDateTimeToFileTime

• 0x1001144 GetTempFileNameA

• 0x1001148 GetSystemInfo

• 0x100114c GetDriveTypeA

• 0x1001150 lstrcpynA

• 0x1001154 GetVolumeInformationA

• 0x1001158 GetCurrentDirectoryA

• 0x100115c LoadLibraryExA

• 0x1001160 GetModuleHandleA

• 0x1001164 CreateDirectoryA

• 0x1001168 ExpandEnvironmentStringsA

• 0x100116c GetVersionExA

• 0x1001170 GetDiskFreeSpaceA

• 0x1001174 MulDiv

Library GDI32.dll:

• 0x1001044 GetDeviceCaps

Library USER32.dll:

• 0x100117c wsprintfA

• 0x1001180 ExitWindowsEx

• 0x1001184 CharNextA

• 0x1001188 CharUpperA

• 0x100118c EndDialog

• 0x1001190 GetDesktopWindow

• 0x1001194 CharPrevA

• 0x1001198 GetWindowLongA

• 0x100119c CallWindowProcA

• 0x10011a0 GetDlgItem

• 0x10011a4 SetForegroundWindow

• 0x10011a8 SetWindowTextA

• 0x10011ac SendDlgItemMessageA

• 0x10011b0 SetWindowLongA

• 0x10011b4 EnableWindow

• 0x10011b8 SendMessageA

• 0x10011bc LoadStringA

• 0x10011c0 MsgWaitForMultipleObjects

• 0x10011c4 PeekMessageA

• 0x10011c8 MessageBoxA

• 0x10011cc SetWindowPos

• 0x10011d0 ReleaseDC

• 0x10011d4 GetDC

• 0x10011d8 GetWindowRect

• 0x10011dc ShowWindow

• 0x10011e0 DialogBoxIndirectParamA

• 0x10011e4 SetDlgItemTextA

• 0x10011e8 MessageBeep

• 0x10011ec GetDlgItemTextA

• 0x10011f0 DispatchMessageA

Library COMCTL32.dll:

• 0x100103c

Library VERSION.dll:

• 0x10011f8 GetFileVersionInfoA

• 0x10011fc VerQueryValueA

• 0x1001200 GetFileVersionInfoSizeA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	53658	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	60124	239.255.255.250	3702
192.168.56.101	62194	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.