SmartHawk

11.4

0-day

55 个模型检测该样本为恶意！

重新分析

下载样本

a8da87f13cd07c47d1bf98a838edd704f01c2ba86a58b76a0982b6686c15626b

b409ac3b40d3d2203663c0f5f2c58ccf.exe

分析耗时

133s

最近分析

文件大小

942.0KB

静态报毒动态报毒 100% AGENTTESLA AI SCORE=87 BUSYMA CLOUD CONFIDENCE ELDORADO FAREIT GENERICKDZ HGIASOKA HIGH CONFIDENCE HXATEF IGENT INJECT3 KCLOUD KRYPTIK MALICIOUS PE MALWARE@#16CBNOTM9NSSS PBYN PWSX QNWY R + TROJ R351135 SAVE SCORE STATIC AI TASKUN TSCOPE UNSAFE WSLUE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FZV!B409AC3B40D3	20210301	6.0.6.653
Alibaba	Trojan:MSIL/AgentTesla.445f25f1	20190527	0.3.0.5
Avast	Win32:PWSX-gen [Trj]	20210301	21.1.5827.0
Baidu		20190318	1.0.0.2
Kingsoft	Win32.Troj.Undef.(kcloud)	20210301	2017.9.26.565
Tencent	Msil.Trojan.Taskun.Pbyn	20210301	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621009070.352601 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (37 个事件)

Time & API	Arguments	Status	Return	Repeated
1621008987.918876 IsDebuggerPresent		failed	0	0
1621008987.918876 IsDebuggerPresent		failed	0	0
1621009064.012876 IsDebuggerPresent		failed	0	0
1621009064.528876 IsDebuggerPresent		failed	0	0
1621009065.075876 IsDebuggerPresent		failed	0	0
1621009065.528876 IsDebuggerPresent		failed	0	0
1621009066.075876 IsDebuggerPresent		failed	0	0
1621009066.528876 IsDebuggerPresent		failed	0	0
1621009067.075876 IsDebuggerPresent		failed	0	0
1621009067.559876 IsDebuggerPresent		failed	0	0
1621009068.090876 IsDebuggerPresent		failed	0	0
1621009068.606876 IsDebuggerPresent		failed	0	0
1621009069.090876 IsDebuggerPresent		failed	0	0
1621009069.637876 IsDebuggerPresent		failed	0	0
1621009070.090876 IsDebuggerPresent		failed	0	0
1621009070.637876 IsDebuggerPresent		failed	0	0
1621009071.106876 IsDebuggerPresent		failed	0	0
1621009071.684876 IsDebuggerPresent		failed	0	0
1621009072.106876 IsDebuggerPresent		failed	0	0
1621009072.684876 IsDebuggerPresent		failed	0	0
1621009073.106876 IsDebuggerPresent		failed	0	0
1621009073.747876 IsDebuggerPresent		failed	0	0
1621009074.137876 IsDebuggerPresent		failed	0	0
1621009074.793876 IsDebuggerPresent		failed	0	0
1621009075.153876 IsDebuggerPresent		failed	0	0
1621009075.793876 IsDebuggerPresent		failed	0	0
1621009076.184876 IsDebuggerPresent		failed	0	0
1621009076.793876 IsDebuggerPresent		failed	0	0
1621009077.231876 IsDebuggerPresent		failed	0	0
1621009077.997876 IsDebuggerPresent		failed	0	0
1621009078.309876 IsDebuggerPresent		failed	0	0
1621009079.028876 IsDebuggerPresent		failed	0	0
1621009079.372876 IsDebuggerPresent		failed	0	0
1621009080.028876 IsDebuggerPresent		failed	0	0
1621009080.387876 IsDebuggerPresent		failed	0	0
1621009085.34169 IsDebuggerPresent		failed	0	0
1621009085.34169 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621009077.664601 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\VyWLBeZ"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621008988.012876 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 124 个事件)

Time & API	Arguments	Status	Return
1621008987.043876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x004b0000	success	0
1621008987.043876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d0000	success	0
1621008987.543876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00a40000	success	0
1621008987.543876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b90000	success	0
1621008987.700876 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1621008987.903876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02130000	success	0
1621008987.918876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022a0000	success	0
1621008987.934876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0057a000	success	0
1621008987.934876 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1621008987.934876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00572000	success	0
1621008988.450876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00582000	success	0
1621008988.637876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a5000	success	0
1621008988.653876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ab000	success	0
1621008988.653876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a7000	success	0
1621008988.840876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00583000	success	0
1621008988.934876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058c000	success	0
1621008990.106876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00584000	success	0
1621008990.137876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00586000	success	0
1621008990.403876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a0000	success	0
1621008990.731876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059a000	success	0
1621008990.731876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00597000	success	0
1621008992.075876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0057c000	success	0
1621008992.262876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00587000	success	0
1621008993.215876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success	0
1621008994.028876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a1000	success	0
1621009027.934876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00596000	success	0
1621009027.997876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059b000	success	0
1621009028.028876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00588000	success	0
1621009028.168876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00589000	success	0
1621009028.168876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023e0000	success	0
1621009028.215876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023e1000	success	0
1621009028.309876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a2000	success	0
1621009028.309876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00573000	success	0
1621009028.340876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023e2000	success	0
1621009028.465876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023e3000	success	0
1621009028.497876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a3000	success	0
1621009028.528876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a6000	success	0
1621009028.543876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a7000	success	0
1621009028.778876 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 419840 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05830400	failed	3221225550
1621009062.684876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a8000	success	0
1621009062.700876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058d000	success	0
1621009062.700876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a9000	success	0
1621009062.715876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006aa000	success	0
1621009063.137876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006ab000	success	0
1621009063.137876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006ac000	success	0
1621009063.293876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023e4000	success	0
1621009063.293876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006ad000	success	0
1621009063.434876 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006ae000	success	0
1621009063.434876 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05830178	failed	3221225550
1621009063.450876 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x058301a0	failed	3221225550

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\VyWLBeZ.exe

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyWLBeZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp985E.tmp"
cmdline	schtasks.exe /Create /TN "Updates\VyWLBeZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp985E.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621009066.340876 ShellExecuteExW	parameters: /Create /TN "Updates\VyWLBeZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp985E.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.93113368198435

section

{'size_of_data': '0x000eac00', 'virtual_address': '0x00002000', 'entropy': 7.93113368198435, 'name': '.text', 'virtual_size': '0x000eaba4'}

description

A section with a high entropy has been found

entropy

0.997344662772172

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621009028.747876 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyWLBeZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp985E.tmp"
cmdline	schtasks.exe /Create /TN "Updates\VyWLBeZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp985E.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621009079.637876 NtAllocateVirtualMemory	process_identifier: 1872 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d704 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp985E.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1621009079.653876 WriteProcessMemory	process_identifier: 1872 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄs,_àÞ/ @@ @/S@è` H.textä `.rsrcè@@@.reloc`@B process_handle: 0x0000d704 base_address: 0x00400000	success	1
1621009079.731876 WriteProcessMemory	process_identifier: 1872 buffer: 0HX@4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNameoeSgnXGrphXawDBwElKtedzF.exe(LegalCopyright dOriginalFilenameoeSgnXGrphXawDBwElKtedzF.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000d704 base_address: 0x00454000	success	1
1621009079.747876 WriteProcessMemory	process_identifier: 1872 buffer: à? process_handle: 0x0000d704 base_address: 0x00456000	success	1
1621009079.747876 WriteProcessMemory	process_identifier: 1872 buffer: @ process_handle: 0x0000d704 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621009079.653876 WriteProcessMemory	process_identifier: 1872 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄs,_àÞ/ @@ @/S@è` H.textä `.rsrcè@@@.reloc`@B process_handle: 0x0000d704 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2536 called NtSetContextThread to modify thread in remote process 1872
1621009079.762876 NtSetContextThread	thread_handle: 0x000078e0 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4534238 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1872	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2536 resumed a thread in remote process 1872
1621009080.715876 NtResumeThread	thread_handle: 0x000078e0 suspend_count: 1 process_identifier: 1872	success	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.27.142:443

Executed a process and injected code into it, probably while unpacking (20 个事件)

Time & API	Arguments	Status	Return
1621008987.918876 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2536	success	0
1621008987.950876 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2536	success	0
1621008988.075876 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2536	success	0
1621009063.840876 NtResumeThread	thread_handle: 0x00007124 suspend_count: 1 process_identifier: 2536	success	0
1621009063.934876 NtResumeThread	thread_handle: 0x00004f98 suspend_count: 1 process_identifier: 2536	success	0
1621009066.340876 CreateProcessInternalW	thread_identifier: 2136 thread_handle: 0x000011b8 process_identifier: 580 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VyWLBeZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp985E.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x0000dde8 inherit_handles: 0	success	1
1621009079.622876 CreateProcessInternalW	thread_identifier: 1032 thread_handle: 0x000078e0 process_identifier: 1872 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b409ac3b40d3d2203663c0f5f2c58ccf.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b409ac3b40d3d2203663c0f5f2c58ccf.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000d704 inherit_handles: 0	success	1
1621009079.637876 NtGetContextThread	thread_handle: 0x000078e0	success	0
1621009079.637876 NtAllocateVirtualMemory	process_identifier: 1872 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000d704 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1621009079.653876 WriteProcessMemory	process_identifier: 1872 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄs,_àÞ/ @@ @/S@è` H.textä `.rsrcè@@@.reloc`@B process_handle: 0x0000d704 base_address: 0x00400000	success	1
1621009079.653876 WriteProcessMemory	process_identifier: 1872 buffer: process_handle: 0x0000d704 base_address: 0x00402000	success	1
1621009079.731876 WriteProcessMemory	process_identifier: 1872 buffer: 0HX@4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNameoeSgnXGrphXawDBwElKtedzF.exe(LegalCopyright dOriginalFilenameoeSgnXGrphXawDBwElKtedzF.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000d704 base_address: 0x00454000	success	1
1621009079.747876 WriteProcessMemory	process_identifier: 1872 buffer: à? process_handle: 0x0000d704 base_address: 0x00456000	success	1
1621009079.747876 WriteProcessMemory	process_identifier: 1872 buffer: @ process_handle: 0x0000d704 base_address: 0x7efde008	success	1
1621009079.762876 NtSetContextThread	thread_handle: 0x000078e0 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4534238 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1872	success	0
1621009080.715876 NtResumeThread	thread_handle: 0x000078e0 suspend_count: 1 process_identifier: 1872	success	0
1621009080.715876 NtResumeThread	thread_handle: 0x0000e314 suspend_count: 1 process_identifier: 2536	success	0
1621009085.34169 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1872	success	0
1621009085.71669 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 1872	success	0
1621009085.95069 NtResumeThread	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 1872	success	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
DrWeb	Trojan.Inject3.63280
MicroWorld-eScan	Trojan.GenericKDZ.70060
FireEye	Generic.mg.b409ac3b40d3d220
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Qihoo-360	Win32/Trojan.Kryptik.HgIASOkA
McAfee	Fareit-FZV!B409AC3B40D3
Malwarebytes	Trojan.MalPack.PNG.Generic
Zillya	Trojan.Agent.Win32.1423780
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056e41f1 )
Alibaba	Trojan:MSIL/AgentTesla.445f25f1
K7GW	Trojan ( 0056e41f1 )
Cybereason	malicious.b40d3d
Cyren	W32/MSIL_Agent.BPL.gen!Eldorado
Symantec	Trojan.Gen.MBT
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Taskun-9787795-0
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
BitDefender	Trojan.GenericKDZ.70060
NANO-Antivirus	Trojan.Win32.Taskun.hxatef
Paloalto	generic.ml
Rising	Spyware.Agent!8.C6 (CLOUD)
Ad-Aware	Trojan.GenericKDZ.70060
Emsisoft	Trojan.GenericKDZ.70060 (B)
Comodo	Malware@#16cbnotm9nsss
F-Secure	Trojan.TR/Kryptik.wslue
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Sophos	Mal/Generic-R + Troj/Kryptik-KZ
Ikarus	Trojan.MSIL.Inject
Jiangmin	Trojan.MSIL.qnwy
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.wslue
MAX	malware (ai score=87)
Antiy-AVL	Trojan/MSIL.Taskun
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:MSIL/AgentTesla.PBY!MTB
Arcabit	Trojan.Generic.D111AC
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
GData	Trojan.GenericKDZ.70060
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Kryptik.R351135
VBA32	TScope.Trojan.MSIL
ALYac	Trojan.GenericKDZ.70060
Cylance	Unsafe
ESET-NOD32	MSIL/Spy.Agent.AES
Tencent	Msil.Trojan.Taskun.Pbyn
Yandex	Trojan.Igent.bUsymA.15

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-14 15:06:20

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.27.142
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50537	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.