SmartHawk

10.4

0-day

56 个模型检测该样本为恶意！

重新分析

下载样本

718d51708b5bd49d7f9d7f5c145e13d8d27bab6414cfe3694a9fc9269932300e

b27275080ad2ec90a0c7c124a751e416.exe

分析耗时

76s

最近分析

文件大小

468.0KB

静态报毒动态报毒 AGENSLA AI SCORE=85 CLOUD CONFIDENCE ELDORADO GDSDA GENERICKD GENERICRXKN HIGH CONFIDENCE INJECT3 KRYPTIK MALICIOUS PE MALWARE@#1PYGIWFKV12BT MSILKRYPT NANOCORE OIMMJ PASSWORDSTEALER PDVM PWSX QQPASS QQROB R336218 SCORE SUSGEN THEACBO TROJANPSW TROJANPWS TSCOPE UNSAFE WACATAC 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXKN-OZ!B27275080AD2	20200524	6.0.6.653
Alibaba	TrojanPSW:MSIL/NanoCore.f61d0d33	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200525	18.4.3895.0
Kingsoft		20200525	2013.8.14.323
Tencent	Msil.Trojan-qqpass.Qqrob.Pdvm	20200525	1.0.0.1

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619872698.325875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619872702.747875 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619872702.747875 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (3 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861117.241474 IsDebuggerPresent		failed	0	0
1619872702.013374 IsDebuggerPresent		failed	0	0
1619872702.309374 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619872698.903875 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\THOIVsdcO"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861118.772474 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 62 个事件)

Time & API	Arguments	Status
1619861116.413474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00830000	success
1619861116.413474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a10000	success
1619861117.147474 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1619861117.241474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005aa000	success
1619861117.241474 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1619861117.241474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a2000	success
1619861117.428474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c2000	success
1619861117.507474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c3000	success
1619861117.522474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005fb000	success
1619861117.522474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f7000	success
1619861117.553474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005cc000	success
1619861117.850474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c4000	success
1619861117.866474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c5000	success
1619861117.897474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c6000	success
1619861117.897474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00720000	success
1619861117.991474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005da000	success
1619861117.991474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d7000	success
1619861117.991474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ea000	success
1619861118.007474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ab000	success
1619861118.100474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d6000	success
1619861118.132474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c7000	success
1619861118.132474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x047b0000	success
1619861118.132474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04950000	success
1619861118.132474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04951000	success
1619861118.163474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04952000	success
1619861118.210474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00721000	success
1619861118.225474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04953000	success
1619861118.225474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04954000	success
1619861118.272474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04955000	success
1619861118.288474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00722000	success
1619861118.303474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c8000	success
1619861118.335474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e2000	success
1619861118.382474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f5000	success
1619861118.538474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a11000	success
1619861118.725474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00723000	success
1619861118.725474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c9000	success
1619861118.725474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04956000	success
1619861118.725474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0495a000	success
1619861118.725474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0496b000	success
1619861118.741474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0496c000	success
1619861118.741474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0496d000	success
1619861118.741474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0496e000	success
1619861118.757474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00724000	success
1619861118.757474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04971000	success
1619861118.757474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04972000	success
1619861118.757474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00725000	success
1619861118.803474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04650000	success
1619861119.069474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04651000	success
1619861119.116474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ca000	success
1619861121.835474 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00726000	success

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\THOIVsdcO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5A7F.tmp"
cmdline	schtasks.exe /Create /TN "Updates\THOIVsdcO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5A7F.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861119.553474 ShellExecuteExW	parameters: /Create /TN "Updates\THOIVsdcO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5A7F.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.853636312443037

section

{'size_of_data': '0x00074600', 'virtual_address': '0x00002000', 'entropy': 7.853636312443037, 'name': '.text', 'virtual_size': '0x000745c4'}

description

A section with a high entropy has been found

entropy

0.9957219251336898

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861121.975474 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (6 个事件)

Time & API	Arguments	Status
1619861122.194474 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3068 process_handle: 0x0000038c	failed
1619861122.194474 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3068 process_handle: 0x0000038c	success
1619861122.475474 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2504 process_handle: 0x00000394	failed
1619861122.475474 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2504 process_handle: 0x00000394	success
1619861122.835474 NtTerminateProcess	status_code: 0xffffffff process_identifier: 196 process_handle: 0x0000039c	failed
1619861122.835474 NtTerminateProcess	status_code: 0xffffffff process_identifier: 196 process_handle: 0x0000039c	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\THOIVsdcO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5A7F.tmp"
cmdline	schtasks.exe /Create /TN "Updates\THOIVsdcO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5A7F.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (4 个事件)

Time & API	Arguments	Status	Return
1619861121.960474 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000384 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619861122.272474 NtAllocateVirtualMemory	process_identifier: 2504 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619861122.585474 NtAllocateVirtualMemory	process_identifier: 196 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000390 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619861122.913474 NtAllocateVirtualMemory	process_identifier: 3120 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000398 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0

Manipulates memory of a non-child process indicative of process injection (6 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 784 manipulating memory of non-child process 3068
Process injection	Process 784 manipulating memory of non-child process 2504
Process injection	Process 784 manipulating memory of non-child process 196
1619861121.960474 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000384 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619861122.272474 NtAllocateVirtualMemory	process_identifier: 2504 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619861122.585474 NtAllocateVirtualMemory	process_identifier: 196 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000390 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619861122.913474 WriteProcessMemory	process_identifier: 3120 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELP×³^à¦îÄ à@ @ÄWà H.textô¤ ¦ `.rsrc à¨@@.reloc®@B process_handle: 0x00000398 base_address: 0x00400000	success	1
1619861122.928474 WriteProcessMemory	process_identifier: 3120 buffer: P8h à4ãê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNameflDffzVmXukpketZeqbRyWkspXT.exe(LegalCopyright h OriginalFilenameflDffzVmXukpketZeqbRyWkspXT.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00000398 base_address: 0x0044e000	success	1
1619861122.928474 WriteProcessMemory	process_identifier: 3120 buffer: Àð4 process_handle: 0x00000398 base_address: 0x00450000	success	1
1619861122.928474 WriteProcessMemory	process_identifier: 3120 buffer: @ process_handle: 0x00000398 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619861122.913474 WriteProcessMemory	process_identifier: 3120 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELP×³^à¦îÄ à@ @ÄWà H.textô¤ ¦ `.rsrc à¨@@.reloc®@B process_handle: 0x00000398 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 784 called NtSetContextThread to modify thread in remote process 3120
1619861122.928474 NtSetContextThread	thread_handle: 0x0000039c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4506862 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3120	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 784 resumed a thread in remote process 3120
1619861123.132474 NtResumeThread	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 3120	success	0	0

Executed a process and injected code into it, probably while unpacking (27 个事件)

Time & API	Arguments	Status	Return
1619861117.241474 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 784	success	0
1619861117.272474 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 784	success	0
1619861119.007474 NtResumeThread	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 784	success	0
1619861119.553474 CreateProcessInternalW	thread_identifier: 580 thread_handle: 0x0000033c process_identifier: 1464 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\THOIVsdcO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5A7F.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000374 inherit_handles: 0	success	1
1619861121.960474 CreateProcessInternalW	thread_identifier: 2060 thread_handle: 0x00000330 process_identifier: 3068 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b27275080ad2ec90a0c7c124a751e416.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b27275080ad2ec90a0c7c124a751e416.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000384 inherit_handles: 0	success	1
1619861121.960474 NtGetContextThread	thread_handle: 0x00000330	success	0
1619861121.960474 NtAllocateVirtualMemory	process_identifier: 3068 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000384 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619861122.272474 CreateProcessInternalW	thread_identifier: 580 thread_handle: 0x0000038c process_identifier: 2504 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b27275080ad2ec90a0c7c124a751e416.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b27275080ad2ec90a0c7c124a751e416.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000388 inherit_handles: 0	success	1
1619861122.272474 NtGetContextThread	thread_handle: 0x0000038c	success	0
1619861122.272474 NtAllocateVirtualMemory	process_identifier: 2504 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619861122.585474 CreateProcessInternalW	thread_identifier: 3056 thread_handle: 0x00000394 process_identifier: 196 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b27275080ad2ec90a0c7c124a751e416.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b27275080ad2ec90a0c7c124a751e416.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000390 inherit_handles: 0	success	1
1619861122.585474 NtGetContextThread	thread_handle: 0x00000394	success	0
1619861122.585474 NtAllocateVirtualMemory	process_identifier: 196 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000390 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619861122.913474 CreateProcessInternalW	thread_identifier: 3124 thread_handle: 0x0000039c process_identifier: 3120 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b27275080ad2ec90a0c7c124a751e416.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b27275080ad2ec90a0c7c124a751e416.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000398 inherit_handles: 0	success	1
1619861122.913474 NtGetContextThread	thread_handle: 0x0000039c	success	0
1619861122.913474 NtAllocateVirtualMemory	process_identifier: 3120 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000398 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619861122.913474 WriteProcessMemory	process_identifier: 3120 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELP×³^à¦îÄ à@ @ÄWà H.textô¤ ¦ `.rsrc à¨@@.reloc®@B process_handle: 0x00000398 base_address: 0x00400000	success	1
1619861122.928474 WriteProcessMemory	process_identifier: 3120 buffer: process_handle: 0x00000398 base_address: 0x00402000	success	1
1619861122.928474 WriteProcessMemory	process_identifier: 3120 buffer: P8h à4ãê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNameflDffzVmXukpketZeqbRyWkspXT.exe(LegalCopyright h OriginalFilenameflDffzVmXukpketZeqbRyWkspXT.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00000398 base_address: 0x0044e000	success	1
1619861122.928474 WriteProcessMemory	process_identifier: 3120 buffer: Àð4 process_handle: 0x00000398 base_address: 0x00450000	success	1
1619861122.928474 WriteProcessMemory	process_identifier: 3120 buffer: @ process_handle: 0x00000398 base_address: 0x7efde008	success	1
1619861122.928474 NtSetContextThread	thread_handle: 0x0000039c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4506862 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3120	success	0
1619861123.132474 NtResumeThread	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 3120	success	0
1619872702.013374 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 3120	success	0
1619872702.122374 NtResumeThread	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 3120	success	0
1619872702.434374 CreateProcessInternalW	thread_identifier: 3232 thread_handle: 0x000001b0 process_identifier: 3228 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe track: 1 command_line: dw20.exe -x -s 404 filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe stack_pivoted: 0 creation_flags: 0 () process_handle: 0x000001ac inherit_handles: 1	success	1
1619872702.747875 NtResumeThread	thread_handle: 0x000000bc suspend_count: 1 process_identifier: 3228	success	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

MicroWorld-eScan	Trojan.GenericKD.33829169
FireEye	Generic.mg.b27275080ad2ec90
CAT-QuickHeal	Trojanpws.Msil
McAfee	GenericRXKN-OZ!B27275080AD2
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 005636691 )
Alibaba	TrojanPSW:MSIL/NanoCore.f61d0d33
K7GW	Trojan ( 005636691 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.Generic.D2043131
TrendMicro	Trojan.MSIL.WACATAC.THEACBO
F-Prot	W32/MSIL_Agent.BIW.gen!Eldorado
Symantec	Trojan.Gen.2
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.33829169
Avast	Win32:PWSX-gen [Trj]
Rising	Trojan.Kryptik!8.8 (CLOUD)
Ad-Aware	Trojan.GenericKD.33829169
Sophos	Mal/Generic-S
Comodo	Malware@#1pygiwfkv12bt
F-Secure	Trojan.TR/Kryptik.oimmj
DrWeb	Trojan.Inject3.39896
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Trapmine	suspicious.low.ml.score
Emsisoft	Trojan.GenericKD.33829169 (B)
SentinelOne	DFI - Malicious PE
Cyren	W32/MSIL_Agent.BIW.gen!Eldorado
Jiangmin	Trojan.PSW.MSIL.yud
Avira	TR/Kryptik.oimmj
Antiy-AVL	Trojan[PSW]/MSIL.Agensla
Microsoft	Trojan:MSIL/NanoCore.VN!MTB
Endgame	malicious (high confidence)
AegisLab	Trojan.MSIL.Agensla.i!c
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.33829169
AhnLab-V3	Trojan/Win32.MSILKrypt.R336218
ALYac	Trojan.GenericKD.33829169
MAX	malware (ai score=85)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Spyware.PasswordStealer
ESET-NOD32	a variant of MSIL/Kryptik.VFR
TrendMicro-HouseCall	Trojan.MSIL.WACATAC.THEACBO
Tencent	Msil.Trojan-qqpass.Qqrob.Pdvm
Ikarus	Trojan-Spy.Agent
MaxSecure	Trojan.Malware.74499699.susgen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-12 10:19:30

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.