16.2
0-day
53 个模型检测该样本为恶意!
重新分析
更多

2bc8ab981b57a028207d7c3541c80dd72f2c84e36483c62b547c32d43b28ef28

b5b3d64fca9a3604c0a2b0271e9f0735.exe

分析耗时

129s

最近分析

文件大小

821.0KB
静态报毒 动态报毒 100% AGENTTESLA AI SCORE=81 AUTO AVSARHER BUBVT6 CLOUD CONFIDENCE ELDORADO FAREIT GDSDA GENERICKDZ HIGH CONFIDENCE HPVVEI HWMARXSA KCLOUD KRYPT KRYPTIK MALICIOUS PE MALWARE@#2PVHDZLP040GO MALWAREX NANCRAT PACKEDNET REMCOS SAVE STATIC AI SUSGEN TSCOPE UNSAFE ZEMSILF ZM0@AAF92AM 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Alibaba Trojan:MSIL/AgentTesla.92a89733 20190527 0.3.0.5
Kingsoft Win32.Troj.Generic_a.a.(kcloud) 20210309 2017.9.26.565
McAfee Fareit-FXU!B5B3D64FCA9A 20210309 6.0.6.653
Tencent Win32.Trojan.Inject.Auto 20210309 1.0.0.1
Avast Win32:MalwareX-gen [Trj] 20210309 21.1.5827.0
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619878089.995875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619878111.292625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 72 个事件)
Time & API Arguments Status Return Repeated
1619861118.181671
IsDebuggerPresent
failed 0 0
1619861166.900671
IsDebuggerPresent
failed 0 0
1619861167.400671
IsDebuggerPresent
failed 0 0
1619861167.900671
IsDebuggerPresent
failed 0 0
1619861168.400671
IsDebuggerPresent
failed 0 0
1619861168.900671
IsDebuggerPresent
failed 0 0
1619861169.400671
IsDebuggerPresent
failed 0 0
1619861169.900671
IsDebuggerPresent
failed 0 0
1619861170.400671
IsDebuggerPresent
failed 0 0
1619861170.900671
IsDebuggerPresent
failed 0 0
1619861171.400671
IsDebuggerPresent
failed 0 0
1619861171.900671
IsDebuggerPresent
failed 0 0
1619861172.400671
IsDebuggerPresent
failed 0 0
1619861172.900671
IsDebuggerPresent
failed 0 0
1619861173.400671
IsDebuggerPresent
failed 0 0
1619861173.900671
IsDebuggerPresent
failed 0 0
1619861174.400671
IsDebuggerPresent
failed 0 0
1619861174.900671
IsDebuggerPresent
failed 0 0
1619861175.400671
IsDebuggerPresent
failed 0 0
1619861175.900671
IsDebuggerPresent
failed 0 0
1619861176.400671
IsDebuggerPresent
failed 0 0
1619861176.900671
IsDebuggerPresent
failed 0 0
1619861177.400671
IsDebuggerPresent
failed 0 0
1619861177.900671
IsDebuggerPresent
failed 0 0
1619861178.400671
IsDebuggerPresent
failed 0 0
1619861178.900671
IsDebuggerPresent
failed 0 0
1619861179.400671
IsDebuggerPresent
failed 0 0
1619861179.900671
IsDebuggerPresent
failed 0 0
1619861180.400671
IsDebuggerPresent
failed 0 0
1619861180.900671
IsDebuggerPresent
failed 0 0
1619861181.400671
IsDebuggerPresent
failed 0 0
1619861181.900671
IsDebuggerPresent
failed 0 0
1619861182.400671
IsDebuggerPresent
failed 0 0
1619861182.900671
IsDebuggerPresent
failed 0 0
1619861183.400671
IsDebuggerPresent
failed 0 0
1619861183.900671
IsDebuggerPresent
failed 0 0
1619861184.400671
IsDebuggerPresent
failed 0 0
1619861184.900671
IsDebuggerPresent
failed 0 0
1619861185.400671
IsDebuggerPresent
failed 0 0
1619861185.900671
IsDebuggerPresent
failed 0 0
1619861186.400671
IsDebuggerPresent
failed 0 0
1619861186.900671
IsDebuggerPresent
failed 0 0
1619861187.400671
IsDebuggerPresent
failed 0 0
1619861187.900671
IsDebuggerPresent
failed 0 0
1619861188.415671
IsDebuggerPresent
failed 0 0
1619861188.900671
IsDebuggerPresent
failed 0 0
1619861189.415671
IsDebuggerPresent
failed 0 0
1619861189.900671
IsDebuggerPresent
failed 0 0
1619861190.415671
IsDebuggerPresent
failed 0 0
1619861190.900671
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 个事件)
Time & API Arguments Status Return Repeated
1619878090.042875
WriteConsoleW
buffer: 错误:
console_handle: 0x0000000b
success 1 0
1619878090.042875
WriteConsoleW
buffer: 任务 XML 格式错误。
console_handle: 0x0000000b
success 1 0
1619878090.042875
WriteConsoleW
buffer: (44,80):Command:
console_handle: 0x0000000b
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619861162.712671
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain dora21.duckdns.org
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619849061&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=38a6c91ee20e7f0d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619849061&mv=m
request GET http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=38a6c91ee20e7f0d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619849061&mv=m
Allocates read-write-execute memory (usually to unpack itself) (50 out of 169 个事件)
Time & API Arguments Status Return Repeated
1619861117.337671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00490000
success 0 0
1619861117.337671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f0000
success 0 0
1619861118.087671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619861118.181671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004aa000
success 0 0
1619861118.181671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619861118.181671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a2000
success 0 0
1619861118.353671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b2000
success 0 0
1619861118.415671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b3000
success 0 0
1619861118.431671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004eb000
success 0 0
1619861118.431671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e7000
success 0 0
1619861118.462671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004bc000
success 0 0
1619861118.806671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b4000
success 0 0
1619861118.806671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b5000
success 0 0
1619861118.853671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b6000
success 0 0
1619861118.853671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00690000
success 0 0
1619861118.946671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b7000
success 0 0
1619861118.962671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ca000
success 0 0
1619861118.962671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c7000
success 0 0
1619861118.978671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004da000
success 0 0
1619861118.993671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ab000
success 0 0
1619861119.353671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c6000
success 0 0
1619861119.368671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ba000
success 0 0
1619861119.446671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd0000
success 0 0
1619861119.665671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d2000
success 0 0
1619861119.712671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e5000
success 0 0
1619861119.868671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b8000
success 0 0
1619861119.884671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00691000
success 0 0
1619861160.900671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f1000
success 0 0
1619861160.978671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00692000
success 0 0
1619861161.087671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004dc000
success 0 0
1619861161.150671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00693000
success 0 0
1619861161.181671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b9000
success 0 0
1619861161.212671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00694000
success 0 0
1619861161.306671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd1000
success 0 0
1619861161.306671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 292864
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04ba0400
failed 3221225550 0
1619861166.321671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00695000
success 0 0
1619861166.384671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a80000
success 0 0
1619861166.415671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00696000
success 0 0
1619861166.478671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00697000
success 0 0
1619861166.587671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00698000
success 0 0
1619861166.634671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00699000
success 0 0
1619861166.728671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069a000
success 0 0
1619861166.759671
NtAllocateVirtualMemory
process_identifier: 428
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069b000
success 0 0
1619861166.759671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04ba0178
failed 3221225550 0
1619861166.759671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04ba01a0
failed 3221225550 0
1619861166.759671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04ba01c8
failed 3221225550 0
1619861166.759671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04ba01f0
failed 3221225550 0
1619861166.759671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04ba0218
failed 3221225550 0
1619861166.759671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04be84ae
failed 3221225550 0
1619861166.759671
NtProtectVirtualMemory
process_identifier: 428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04be84a2
failed 3221225550 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6160.tmp"
cmdline schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6160.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619861187.446671
ShellExecuteExW
parameters: /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6160.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.841546153250011 section {'size_of_data': '0x00071800', 'virtual_address': '0x00002000', 'entropy': 7.841546153250011, 'name': '.text', 'virtual_size': '0x000717c8'} description A section with a high entropy has been found
entropy 0.5533211456429007 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619861161.306671
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619878111.058625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6160.tmp"
cmdline schtasks.exe /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6160.tmp"
网络通信
One or more of the buffers contains an embedded PE file (2 个事件)
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619861199.368671
NtAllocateVirtualMemory
process_identifier: 1936
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000663c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619878111.558625
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description b5b3d64fca9a3604c0a2b0271e9f0735.exe tried to sleep 5456548 seconds, actually delayed analysis time by 5456548 seconds
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6160.tmp
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1619861199.368671
WriteProcessMemory
process_identifier: 1936
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x0000663c
base_address: 0x00400000
success 1 0
1619861199.384671
WriteProcessMemory
process_identifier: 1936
buffer: à ”7
process_handle: 0x0000663c
base_address: 0x00420000
success 1 0
1619861199.384671
WriteProcessMemory
process_identifier: 1936
buffer: @
process_handle: 0x0000663c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619861199.368671
WriteProcessMemory
process_identifier: 1936
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x0000663c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 428 called NtSetContextThread to modify thread in remote process 1936
Time & API Arguments Status Return Repeated
1619861199.384671
NtSetContextThread
thread_handle: 0x000058c8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1936
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b5b3d64fca9a3604c0a2b0271e9f0735.exe:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 428 resumed a thread in remote process 1936
Time & API Arguments Status Return Repeated
1619861201.446671
NtResumeThread
thread_handle: 0x000058c8
suspend_count: 1
process_identifier: 1936
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (25 个事件)
Time & API Arguments Status Return Repeated
1619861118.181671
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 428
success 0 0
1619861118.212671
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 428
success 0 0
1619861166.868671
NtResumeThread
thread_handle: 0x0000025c
suspend_count: 1
process_identifier: 428
success 0 0
1619861166.884671
NtResumeThread
thread_handle: 0x00000e70
suspend_count: 1
process_identifier: 428
success 0 0
1619861187.446671
CreateProcessInternalW
thread_identifier: 3060
thread_handle: 0x000084bc
process_identifier: 648
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6160.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00008b5c
inherit_handles: 0
success 1 0
1619861199.368671
CreateProcessInternalW
thread_identifier: 1900
thread_handle: 0x000058c8
process_identifier: 1936
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b5b3d64fca9a3604c0a2b0271e9f0735.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b5b3d64fca9a3604c0a2b0271e9f0735.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000663c
inherit_handles: 0
success 1 0
1619861199.368671
NtGetContextThread
thread_handle: 0x000058c8
success 0 0
1619861199.368671
NtAllocateVirtualMemory
process_identifier: 1936
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000663c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619861199.368671
WriteProcessMemory
process_identifier: 1936
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà È`’ç @ €8çW ˜]  H.text˜Ç È `.reloc Ê@B.rsrc˜] ^Ì@@
process_handle: 0x0000663c
base_address: 0x00400000
success 1 0
1619861199.368671
WriteProcessMemory
process_identifier: 1936
buffer:
process_handle: 0x0000663c
base_address: 0x00402000
success 1 0
1619861199.384671
WriteProcessMemory
process_identifier: 1936
buffer: à ”7
process_handle: 0x0000663c
base_address: 0x00420000
success 1 0
1619861199.384671
WriteProcessMemory
process_identifier: 1936
buffer:
process_handle: 0x0000663c
base_address: 0x00422000
success 1 0
1619861199.384671
WriteProcessMemory
process_identifier: 1936
buffer: @
process_handle: 0x0000663c
base_address: 0x7efde008
success 1 0
1619861199.384671
NtSetContextThread
thread_handle: 0x000058c8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1936
success 0 0
1619861201.446671
NtResumeThread
thread_handle: 0x000058c8
suspend_count: 1
process_identifier: 1936
success 0 0
1619878104.355625
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1936
success 0 0
1619878104.495625
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 1936
success 0 0
1619878110.870625
NtResumeThread
thread_handle: 0x00000200
suspend_count: 1
process_identifier: 1936
success 0 0
1619878111.011625
NtResumeThread
thread_handle: 0x00000258
suspend_count: 1
process_identifier: 1936
success 0 0
1619878111.042625
NtResumeThread
thread_handle: 0x0000027c
suspend_count: 1
process_identifier: 1936
success 0 0
1619878111.667625
NtResumeThread
thread_handle: 0x00000338
suspend_count: 1
process_identifier: 1936
success 0 0
1619878112.058625
NtResumeThread
thread_handle: 0x0000034c
suspend_count: 1
process_identifier: 1936
success 0 0
1619878113.777625
NtResumeThread
thread_handle: 0x00000364
suspend_count: 1
process_identifier: 1936
success 0 0
1619878119.058625
NtResumeThread
thread_handle: 0x00000390
suspend_count: 1
process_identifier: 1936
success 0 0
1619878129.824625
NtResumeThread
thread_handle: 0x000003a4
suspend_count: 1
process_identifier: 1936
success 0 0
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69156
FireEye Generic.mg.b5b3d64fca9a3604
ALYac Trojan.GenericKDZ.69156
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056ba881 )
BitDefender Trojan.GenericKDZ.69156
K7GW Trojan ( 0056ba881 )
Cybereason malicious.fca9a3
Arcabit Trojan.Generic.D10E24
BitDefenderTheta Gen:NN.ZemsilF.34608.Zm0@aaF92am
Cyren W32/MSIL_Kryptik.BGQ.gen!Eldorado
Symantec Trojan.Nancrat
ESET-NOD32 a variant of MSIL/Kryptik.XDP
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.MSIL.Agent.gen
Alibaba Trojan:MSIL/AgentTesla.92a89733
NANO-Antivirus Trojan.Win32.Kryptik.hpvvei
Rising Trojan.Kryptik!8.8 (CLOUD)
Ad-Aware Trojan.GenericKDZ.69156
Emsisoft Trojan.GenericKDZ.69156 (B)
Comodo Malware@#2pvhdzlp040go
F-Secure Trojan.TR/Dropper.MSIL.N
DrWeb Trojan.PackedNET.402
TrendMicro Backdoor.MSIL.REMCOS.SM
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Krypt
Avira TR/Dropper.MSIL.N
MAX malware (ai score=81)
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Trojan:MSIL/AgentTesla.VN!MTB
AhnLab-V3 Malware/Win32.RL_Generic.C4173783
ZoneAlarm HEUR:Trojan.MSIL.Agent.gen
GData Trojan.GenericKDZ.69156
McAfee Fareit-FXU!B5B3D64FCA9A
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
Panda Trj/GdSda.A
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Tencent Win32.Trojan.Inject.Auto
Yandex Trojan.AvsArher.bUbVT6
SentinelOne Static AI - Malicious PE
Fortinet MSIL/Kryptik.XFP!tr
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:MalwareX-gen [Trj]
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)
dead_host 172.217.160.110:443
dead_host 192.168.56.101:49192
dead_host 192.168.56.101:49198
dead_host 185.165.153.110:54777
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-31 09:43:38

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49188 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49187 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 49184 203.208.41.98 update.googleapis.com 443
192.168.56.101 49189 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619849061&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619849061&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=38a6c91ee20e7f0d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619849061&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=38a6c91ee20e7f0d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619849061&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-7433
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=38a6c91ee20e7f0d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619849061&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=38a6c91ee20e7f0d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619849061&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=38a6c91ee20e7f0d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619849061&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=38a6c91ee20e7f0d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619849061&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=7434-18045
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.