12.6
0-day

da47deb2c07bda305c590b26d66a4a4f09087b05171acf72092628a22dea20f1

bb74fdc8f6004354ded3f33689091acf.exe

Analysis time

114s

Latest analysis

File size

548.5KB
Static detection, dynamic detection: 100% A + TROJ AGENTTESLA AI SCORE=83 AUTO BUFMWQ CONFIDENCE DYSHPF ELDORADO FAREIT FORMBOOK GENERICKD GTTJKZ HIGH CONFIDENCE HRMCNQ IGENT IM0@AGDWP2F KRYPTIK KTSE MALICIOUS PE MALWARE@#140ZG4LI149SS MASSLOGGER NEGASTEAL PACKEDNET PAPYI RATX REMCOS SCORE STATIC AI SUSGEN TSCOPE TSKU UNSAFE YAKBEEXMSIL ZEMSILF
Hawkeye engine
Not detected: no Hawkeye engine results yet
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Fareit-FXH!BB74FDC8F600 20210204 6.0.6.653
Alibaba Trojan:MSIL/AgentTesla.34e450bc 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:RATX-gen [Trj] 20210204 21.1.5827.0
Tencent Win32.Backdoor.Remcos.Auto 20210204 1.0.0.1
Kingsoft 20210204 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619897511.646876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 196 events)
Time & API Arguments Status Return Repeated
1619897440.943374
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619897517.084876
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\ATdTdpXmXT"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619897492.396374
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3347734914&cup2hreq=3b12871a21fd405fbe353e8118caff81ad9b2b3b92d2da89157a2a386ca985d7
Performs some HTTP requests (5 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a96285a65fd7cc2a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a96285a65fd7cc2a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:3347734914&cup2hreq=3b12871a21fd405fbe353e8118caff81ad9b2b3b92d2da89157a2a386ca985d7
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:3347734914&cup2hreq=3b12871a21fd405fbe353e8118caff81ad9b2b3b92d2da89157a2a386ca985d7
Allocates read-write-execute memory (usually to unpack itself) (50 out of 87 events)
Time & API Arguments Status Return Repeated
1619897440.006374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x009f0000
success 0 0
1619897440.006374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00af0000
success 0 0
1619897440.881374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619897440.943374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ba000
success 0 0
1619897440.959374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c52000
success 0 0
1619897440.959374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b2000
success 0 0
1619897441.256374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c2000
success 0 0
1619897441.318374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c3000
success 0 0
1619897441.349374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002fb000
success 0 0
1619897441.349374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f7000
success 0 0
1619897441.365374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002cc000
success 0 0
1619897442.490374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00640000
success 0 0
1619897446.818374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ca000
success 0 0
1619897446.912374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ea000
success 0 0
1619897447.006374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002e2000
success 0 0
1619897447.131374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c4000
success 0 0
1619897447.177374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f5000
success 0 0
1619897448.302374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c5000
success 0 0
1619897448.412374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002da000
success 0 0
1619897448.412374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002d7000
success 0 0
1619897448.412374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002bb000
success 0 0
1619897448.802374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002d6000
success 0 0
1619897448.912374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00641000
success 0 0
1619897449.771374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b30000
success 0 0
1619897449.849374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c7000
success 0 0
1619897449.943374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00644000
success 0 0
1619897491.021374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00af1000
success 0 0
1619897491.162374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00645000
success 0 0
1619897491.162374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00646000
success 0 0
1619897491.256374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ec000
success 0 0
1619897491.349374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00647000
success 0 0
1619897491.443374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c8000
success 0 0
1619897491.474374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00648000
success 0 0
1619897491.631374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 142336
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a30400
failed 3221225550 0
1619897493.068374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00649000
success 0 0
1619897493.068374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c9000
success 0 0
1619897493.068374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064a000
success 0 0
1619897493.146374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064b000
success 0 0
1619897493.193374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064c000
success 0 0
1619897493.193374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064d000
success 0 0
1619897493.271374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064e000
success 0 0
1619897493.318374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00460000
success 0 0
1619897493.318374
NtAllocateVirtualMemory
process_identifier: 648
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00461000
success 0 0
1619897493.318374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a30178
failed 3221225550 0
1619897493.318374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a301a0
failed 3221225550 0
1619897493.318374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a301c8
failed 3221225550 0
1619897493.318374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a301f0
failed 3221225550 0
1619897493.318374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a30218
failed 3221225550 0
1619897493.318374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a5392e
failed 3221225550 0
1619897493.318374
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04a53922
failed 3221225550 0
A process attempted to delay the analysis task. (1 event)
description bb74fdc8f6004354ded3f33689091acf.exe tried to sleep 245 seconds, actually delayed analysis time by 245 seconds
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ATdTdpXmXT" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8B2F.tmp"
cmdline schtasks.exe /Create /TN "Updates\ATdTdpXmXT" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8B2F.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619897511.334374
ShellExecuteExW
parameters: /Create /TN "Updates\ATdTdpXmXT" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8B2F.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.338216650890045 section {'size_of_data': '0x0005e600', 'virtual_address': '0x00002000', 'entropy': 7.338216650890045, 'name': '.text', 'virtual_size': '0x0005e424'} description A section with a high entropy has been found
entropy 0.6888686131386861 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619897446.865374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ATdTdpXmXT" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8B2F.tmp"
cmdline schtasks.exe /Create /TN "Updates\ATdTdpXmXT" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8B2F.tmp"
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 555b5cbcb1589a83b0ad93f3d595d37897beae51
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 185.165.153.199
host 203.208.40.98
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619897519.209374
NtAllocateVirtualMemory
process_identifier: 2252
region_size: 94208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000365c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619897519.209374
WriteProcessMemory
process_identifier: 2252
buffer: @
process_handle: 0x0000365c
base_address: 0x7efde008
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 648 called NtSetContextThread to modify thread in remote process 2252
Time & API Arguments Status Return Repeated
1619897519.209374
NtSetContextThread
thread_handle: 0x000108bc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4259208
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2252
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 648 resumed a thread in remote process 2252
Time & API Arguments Status Return Repeated
1619897519.240374
NtResumeThread
thread_handle: 0x000108bc
suspend_count: 1
process_identifier: 2252
success 0 0
Executed a process and injected code into it, probably while unpacking (19 events)
Time & API Arguments Status Return Repeated
1619897440.943374
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 648
success 0 0
1619897441.006374
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 648
success 0 0
1619897447.646374
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 648
success 0 0
1619897447.818374
NtResumeThread
thread_handle: 0x00000240
suspend_count: 1
process_identifier: 648
success 0 0
1619897493.334374
NtResumeThread
thread_handle: 0x0000c540
suspend_count: 1
process_identifier: 648
success 0 0
1619897493.443374
NtResumeThread
thread_handle: 0x00001fec
suspend_count: 1
process_identifier: 648
success 0 0
1619897511.334374
CreateProcessInternalW
thread_identifier: 2344
thread_handle: 0x000113a0
process_identifier: 3004
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ATdTdpXmXT" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8B2F.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000037f0
inherit_handles: 0
success 1 0
1619897519.209374
CreateProcessInternalW
thread_identifier: 2880
thread_handle: 0x000108bc
process_identifier: 2252
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bb74fdc8f6004354ded3f33689091acf.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bb74fdc8f6004354ded3f33689091acf.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000365c
inherit_handles: 0
success 1 0
1619897519.209374
NtGetContextThread
thread_handle: 0x000108bc
success 0 0
1619897519.209374
NtAllocateVirtualMemory
process_identifier: 2252
region_size: 94208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000365c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619897519.209374
WriteProcessMemory
process_identifier: 2252
buffer:
process_handle: 0x0000365c
base_address: 0x00400000
success 1 0
1619897519.209374
WriteProcessMemory
process_identifier: 2252
buffer:
process_handle: 0x0000365c
base_address: 0x00401000
success 1 0
1619897519.209374
WriteProcessMemory
process_identifier: 2252
buffer:
process_handle: 0x0000365c
base_address: 0x00410000
success 1 0
1619897519.209374
WriteProcessMemory
process_identifier: 2252
buffer:
process_handle: 0x0000365c
base_address: 0x00415000
success 1 0
1619897519.209374
WriteProcessMemory
process_identifier: 2252
buffer:
process_handle: 0x0000365c
base_address: 0x00416000
success 1 0
1619897519.209374
WriteProcessMemory
process_identifier: 2252
buffer: @
process_handle: 0x0000365c
base_address: 0x7efde008
success 1 0
1619897519.209374
NtSetContextThread
thread_handle: 0x000108bc
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4259208
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2252
success 0 0
1619897519.240374
NtResumeThread
thread_handle: 0x000108bc
suspend_count: 1
process_identifier: 2252
success 0 0
1619897519.240374
NtResumeThread
thread_handle: 0x000113d0
suspend_count: 1
process_identifier: 648
success 0 0
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43635694
FireEye Generic.mg.bb74fdc8f6004354
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FXH!BB74FDC8F600
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056c2781 )
Alibaba Trojan:MSIL/AgentTesla.34e450bc
K7GW Trojan ( 0056c2781 )
Cybereason malicious.8f6004
Arcabit Trojan.Generic.D299D3EE
Cyren W32/MSIL_Kryptik.BJK.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:RATX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKD.43635694
NANO-Antivirus Trojan.Win32.Crypt.hrmcnq
Paloalto generic.ml
AegisLab Trojan.MSIL.Crypt.4!c
Tencent Win32.Backdoor.Remcos.Auto
Ad-Aware Trojan.GenericKD.43635694
Sophos ML/PE-A + Troj/Remcos-TF
Comodo Malware@#140zg4li149ss
F-Secure Trojan.TR/Kryptik.papyi
DrWeb Trojan.PackedNET.405
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.MSIL.NEGASTEAL.DYSHPF
McAfee-GW-Edition Fareit-FXH!BB74FDC8F600
Emsisoft Trojan.GenericKD.43635694 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.MSIL.tsku
eGambit Unsafe.AI_Score_99%
Avira TR/Kryptik.papyi
Antiy-AVL Trojan/MSIL.Kryptik
Gridinsoft Trojan.Win32.Packed.oa
Microsoft Trojan:MSIL/AgentTesla.VN!MTB
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
GData Win32.Backdoor.Remcos.GTTJKZ
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_Formbook.C4178861
BitDefenderTheta Gen:NN.ZemsilF.34804.Im0@aGDwp2f
ALYac Trojan.GenericKD.43635694
MAX malware (ai score=83)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.Crypt.MSIL.Generic
Zoner Trojan.Win32.100386
ESET-NOD32 Win32/Agent.RXL
TrendMicro-HouseCall TrojanSpy.MSIL.NEGASTEAL.DYSHPF
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)
dead_host 172.217.27.142:443
dead_host 172.217.24.14:443
dead_host 192.168.56.101:49199
dead_host 172.217.160.78:443
dead_host 185.165.153.199:27835
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2020-08-10 15:49:42

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49192 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49193 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49191 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49188 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53500 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a96285a65fd7cc2a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a96285a65fd7cc2a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-7687
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a96285a65fd7cc2a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a96285a65fd7cc2a&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619868501&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.