14.8
0-day
45 个模型检测该样本为恶意!
重新分析
更多

b012e1f25d3642b743bab2be52eea91dccda4b34709bde39ab802247c0212af7

b95db8c45b1cf702e06fce81d7fb8a58.exe

分析耗时

129s

最近分析

文件大小

457.0KB
静态报毒 动态报毒 100% AI SCORE=81 ATTRIBUTE AUTO AVEMARIA BASIC CONFIDENCE CQ0@AGZLSIM ELDORADO EQMV FAREIT FORMBOOK GDSDA HIGH CONFIDENCE HIGHCONFIDENCE HSMULS KRYPTIK M7QV MALWARE@#3L8JOYFR1KF57 OWSET PWSX RI6SJVEY8XM STARTER TASKUN TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FVT!B95DB8C45B1C 20201024 6.0.6.653
Alibaba Trojan:MSIL/Kryptik.6754847f 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201024 18.4.3895.0
Tencent Win32.Trojan.Inject.Auto 20201024 1.0.0.1
Kingsoft 20201024 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619875583.947876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619861118.439408
IsDebuggerPresent
failed 0 0
1619861118.439408
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619875584.604876
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\pAExkegPxQJyIq"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619861118.501408
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .sdata
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619875589.447249
__exception__
stacktrace: 
b95db8c45b1cf702e06fce81d7fb8a58+0x3556 @ 0x403556
b95db8c45b1cf702e06fce81d7fb8a58+0x111a0 @ 0x4111a0
b95db8c45b1cf702e06fce81d7fb8a58+0x13321 @ 0x413321
b95db8c45b1cf702e06fce81d7fb8a58+0x5abc @ 0x405abc
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3994248
registers.edi: 3994388
registers.eax: 3994272
registers.ebp: 3994288
registers.edx: 15073280
registers.ebx: 3994528
registers.esi: 3994544
registers.ecx: 0
exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x76373118
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1086623032&cup2hreq=dc3e4a7ab32a0bba81743ac98cb6a89e538f24609b65045b9bedc60f509b08c1
Performs some HTTP requests (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:1086623032&cup2hreq=dc3e4a7ab32a0bba81743ac98cb6a89e538f24609b65045b9bedc60f509b08c1
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:1086623032&cup2hreq=dc3e4a7ab32a0bba81743ac98cb6a89e538f24609b65045b9bedc60f509b08c1
Allocates read-write-execute memory (usually to unpack itself) (50 out of 76 个事件)
Time & API Arguments Status Return Repeated
1619861117.595408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008c0000
success 0 0
1619861117.595408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a30000
success 0 0
1619861118.033408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x023c0000
success 0 0
1619861118.033408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02570000
success 0 0
1619861118.173408
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619861118.439408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008c0000
success 0 0
1619861118.439408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f0000
success 0 0
1619861118.439408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003aa000
success 0 0
1619861118.455408
NtProtectVirtualMemory
process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619861118.455408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003a2000
success 0 0
1619861118.658408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b2000
success 0 0
1619861118.736408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d5000
success 0 0
1619861118.736408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003db000
success 0 0
1619861118.736408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d7000
success 0 0
1619861118.830408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b3000
success 0 0
1619861118.923408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b4000
success 0 0
1619861118.923408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b5000
success 0 0
1619861118.955408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003bc000
success 0 0
1619861119.298408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b6000
success 0 0
1619861119.298408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b8000
success 0 0
1619861119.376408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00730000
success 0 0
1619861119.580408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ca000
success 0 0
1619861119.580408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c7000
success 0 0
1619861119.689408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b9000
success 0 0
1619861119.689408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e0000
success 0 0
1619861119.783408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00731000
success 0 0
1619861119.783408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c6000
success 0 0
1619861119.845408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e1000
success 0 0
1619861119.892408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e2000
success 0 0
1619861119.923408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef40000
success 0 0
1619861119.923408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619861119.923408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619861119.923408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef48000
success 0 0
1619861119.923408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef30000
success 0 0
1619861119.923408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
1619861119.939408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00732000
success 0 0
1619861120.142408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02571000
success 0 0
1619861120.236408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e3000
success 0 0
1619861120.251408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003bd000
success 0 0
1619861120.392408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e4000
success 0 0
1619861120.408408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00733000
success 0 0
1619861120.439408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00734000
success 0 0
1619861120.470408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e5000
success 0 0
1619861120.470408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00735000
success 0 0
1619861120.470408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ac000
success 0 0
1619861120.470408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003a3000
success 0 0
1619861120.486408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00736000
success 0 0
1619861120.501408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00739000
success 0 0
1619861120.517408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e6000
success 0 0
1619861120.533408
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0073a000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\pAExkegPxQJyIq" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2BAA.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pAExkegPxQJyIq" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2BAA.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619861173.986408
ShellExecuteExW
parameters: /Create /TN "Updates\pAExkegPxQJyIq" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2BAA.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.677352046627701 section {'size_of_data': '0x00070e00', 'virtual_address': '0x00002000', 'entropy': 7.677352046627701, 'name': '.text', 'virtual_size': '0x00070d44'} description A section with a high entropy has been found
entropy 0.9901315789473685 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619861177.220408
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\pAExkegPxQJyIq" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2BAA.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pAExkegPxQJyIq" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2BAA.tmp"
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 58.63.233.69
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619861176.689408
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000038c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2BAA.tmp
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619861176.689408
WriteProcessMemory
process_identifier: 2956
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $3š $wûcwwûcwwûcw´ô<wvûcw~ƒçwvûcw´ô>wuûcwP=wvûcwP= wtûcwr÷lwvûcw~ƒàwsûcw~ƒðwhûcwwûbwûcwä’jvûcw䒜wvûcwä’avvûcwRichwûcwPELUžï^à ,Ú=Z@@@@…wðp, ˆ u@p.textƒ+, `.rdataÎI@J0@@.dataØPz@À.rsrcp,ð.€@@.relocˆ ®@B.bss0¾@@
process_handle: 0x0000038c
base_address: 0x00400000
success 1 0
1619861176.720408
WriteProcessMemory
process_identifier: 2956
buffer: Í@ï@þ@ @@+@:@\@k@€@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(P‘AP‘AU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃ,mAd
process_handle: 0x0000038c
base_address: 0x00419000
success 1 0
1619861176.720408
WriteProcessMemory
process_identifier: 2956
buffer: 2öԑõd·î÷a •ššs}f9ƒáJ!UÓW¯¶è ÊE÷pgå*È6…MýöÎÑìKŒZP‰4ªÎ b¨’Ô´ˆ–ÁÞùp“)â‡ýO%´ÊYɍé~ëÎᅔ F¥·rÉà51F–]9b2 ØB¾¬Øª¹o Jaєł%‰ÝTs3,Bö‚i
process_handle: 0x0000038c
base_address: 0x00553000
success 1 0
1619861176.720408
WriteProcessMemory
process_identifier: 2956
buffer: @
process_handle: 0x0000038c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619861176.689408
WriteProcessMemory
process_identifier: 2956
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $3š $wûcwwûcwwûcw´ô<wvûcw~ƒçwvûcw´ô>wuûcwP=wvûcwP= wtûcwr÷lwvûcw~ƒàwsûcw~ƒðwhûcwwûbwûcwä’jvûcw䒜wvûcwä’avvûcwRichwûcwPELUžï^à ,Ú=Z@@@@…wðp, ˆ u@p.textƒ+, `.rdataÎI@J0@@.dataØPz@À.rsrcp,ð.€@@.relocˆ ®@B.bss0¾@@
process_handle: 0x0000038c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2452 called NtSetContextThread to modify thread in remote process 2956
Time & API Arguments Status Return Repeated
1619861176.720408
NtSetContextThread
thread_handle: 0x00000338
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217405
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2956
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2452 resumed a thread in remote process 2956
Time & API Arguments Status Return Repeated
1619861177.142408
NtResumeThread
thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2956
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (18 个事件)
Time & API Arguments Status Return Repeated
1619861118.439408
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2452
success 0 0
1619861118.455408
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2452
success 0 0
1619861118.533408
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 2452
success 0 0
1619861173.986408
CreateProcessInternalW
thread_identifier: 2240
thread_handle: 0x00000344
process_identifier: 2796
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pAExkegPxQJyIq" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2BAA.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000037c
inherit_handles: 0
success 1 0
1619861176.689408
CreateProcessInternalW
thread_identifier: 2188
thread_handle: 0x00000338
process_identifier: 2956
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95db8c45b1cf702e06fce81d7fb8a58.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b95db8c45b1cf702e06fce81d7fb8a58.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x0000038c
inherit_handles: 0
success 1 0
1619861176.689408
NtGetContextThread
thread_handle: 0x00000338
success 0 0
1619861176.689408
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000038c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619861176.689408
WriteProcessMemory
process_identifier: 2956
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $3š $wûcwwûcwwûcw´ô<wvûcw~ƒçwvûcw´ô>wuûcwP=wvûcwP= wtûcwr÷lwvûcw~ƒàwsûcw~ƒðwhûcwwûbwûcwä’jvûcw䒜wvûcwä’avvûcwRichwûcwPELUžï^à ,Ú=Z@@@@…wðp, ˆ u@p.textƒ+, `.rdataÎI@J0@@.dataØPz@À.rsrcp,ð.€@@.relocˆ ®@B.bss0¾@@
process_handle: 0x0000038c
base_address: 0x00400000
success 1 0
1619861176.705408
WriteProcessMemory
process_identifier: 2956
buffer:
process_handle: 0x0000038c
base_address: 0x00401000
success 1 0
1619861176.705408
WriteProcessMemory
process_identifier: 2956
buffer:
process_handle: 0x0000038c
base_address: 0x00414000
success 1 0
1619861176.720408
WriteProcessMemory
process_identifier: 2956
buffer: Í@ï@þ@ @@+@:@\@k@€@™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(P‘AP‘AU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃ,mAd
process_handle: 0x0000038c
base_address: 0x00419000
success 1 0
1619861176.720408
WriteProcessMemory
process_identifier: 2956
buffer:
process_handle: 0x0000038c
base_address: 0x0054f000
success 1 0
1619861176.720408
WriteProcessMemory
process_identifier: 2956
buffer:
process_handle: 0x0000038c
base_address: 0x00552000
success 1 0
1619861176.720408
WriteProcessMemory
process_identifier: 2956
buffer: 2öԑõd·î÷a •ššs}f9ƒáJ!UÓW¯¶è ÊE÷pgå*È6…MýöÎÑìKŒZP‰4ªÎ b¨’Ô´ˆ–ÁÞùp“)â‡ýO%´ÊYɍé~ëÎᅔ F¥·rÉà51F–]9b2 ØB¾¬Øª¹o Jaєł%‰ÝTs3,Bö‚i
process_handle: 0x0000038c
base_address: 0x00553000
success 1 0
1619861176.720408
WriteProcessMemory
process_identifier: 2956
buffer: @
process_handle: 0x0000038c
base_address: 0x7efde008
success 1 0
1619861176.720408
NtSetContextThread
thread_handle: 0x00000338
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217405
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2956
success 0 0
1619861177.142408
NtResumeThread
thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2956
success 0 0
1619861177.158408
NtResumeThread
thread_handle: 0x000003a0
suspend_count: 1
process_identifier: 2452
success 0 0
File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.MSIL.Basic.6.Gen
FireEye Generic.mg.b95db8c45b1cf702
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FVT!B95DB8C45B1C
Cylance Unsafe
K7AntiVirus Trojan ( 0056cbe11 )
Alibaba Trojan:MSIL/Kryptik.6754847f
K7GW Trojan ( 0056cbe11 )
Cybereason malicious.4b23de
Arcabit Trojan.MSIL.Basic.6.Gen
Cyren W32/MSIL_Kryptik.BKX.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.MSIL.Taskun.gen
BitDefender Trojan.MSIL.Basic.6.Gen
NANO-Antivirus Trojan.Win32.Taskun.hsmuls
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.MSIL.Basic.6.Gen
Comodo Malware@#3l8joyfr1kf57
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition Fareit-FVT!B95DB8C45B1C
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Inject
Webroot W32.Malware.Gen
Avira TR/Kryptik.owset
Microsoft Trojan:MSIL/Formbook.MK!MTB
AegisLab Trojan.Win32.Generic.m7QV
ZoneAlarm HEUR:Trojan.MSIL.Taskun.gen
GData Trojan.MSIL.Basic.6.Gen
AhnLab-V3 Trojan/Win32.Starter.C4182768
BitDefenderTheta Gen:NN.ZemsilF.34590.Cq0@aGzLSIm
ALYac Trojan.PSW.AveMaria
MAX malware (ai score=81)
VBA32 TScope.Trojan.MSIL
ESET-NOD32 a variant of MSIL/Kryptik.XJL
Yandex Trojan.Kryptik!ri6sjveY8XM
Fortinet MSIL/Kryptik.EQMV!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Generic/Trojan.477
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.27.142:443
dead_host 85.114.136.161:1050
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-18 07:21:06

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49196 203.208.41.66 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.