11.4
0-day
53 个模型检测该样本为恶意!
重新分析
更多

329b10943314d1e2013f44dcb3ad15ae390bc5d15cec294592c465075e77a5b7

bce47c24976cb8e8db5a88902f2e33d7.exe

分析耗时

91s

最近分析

文件大小

449.0KB
静态报毒 动态报毒 100% AGENSLA AGENTTESLA AI SCORE=81 CONFIDENCE CU0@AI ELDORADO GDSDA GENERICKD GENERICRXKK HIGH CONFIDENCE HIHDG KRYPTIK MALICIOUS PE MALREP MALWARE@#1YOYL5H7TOKKO MXRESICN NANOCORE PWSX QVM03 R335505 SCORE SIGGEN2 THEOIBO TROJANPSW UNSAFE WSBE ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXKK-WU!BCE47C24976C 20200515 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba TrojanPSW:MSIL/AgentTesla.8c576302 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20200515 18.4.3895.0
Kingsoft 20200515 2013.8.14.323
Tencent 20200515 1.0.0.1
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1619887020.37675
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619887022.67375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619887024.86075
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619887026.14275
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1619861623.10975
IsDebuggerPresent
failed 0 0
1619861623.10975
IsDebuggerPresent
failed 0 0
1619886996.07975
IsDebuggerPresent
failed 0 0
1619886996.07975
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619861623.12575
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)
section DB1\x17wZ\C
section
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619887024.82975
__exception__
stacktrace: 
0x44dfcee
0x44dec46
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2813776
registers.edi: 2813804
registers.eax: 0
registers.ebp: 2813820
registers.edx: 8
registers.ebx: 0
registers.esi: 37781288
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 5a 7e 20 42 e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x234370c
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 145 个事件)
Time & API Arguments Status Return Repeated
1619861622.42175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00440000
success 0 0
1619861622.42175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00470000
success 0 0
1619861622.95375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02000000
success 0 0
1619861622.95375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02130000
success 0 0
1619861623.00075
NtProtectVirtualMemory
process_identifier: 2984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619861623.10975
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006c0000
success 0 0
1619861623.10975
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006d0000
success 0 0
1619861623.10975
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005da000
success 0 0
1619861623.10975
NtProtectVirtualMemory
process_identifier: 2984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619861623.10975
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d2000
success 0 0
1619861623.31275
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e2000
success 0 0
1619861623.46875
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00615000
success 0 0
1619861623.46875
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0061b000
success 0 0
1619861623.46875
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00617000
success 0 0
1619861623.60975
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e3000
success 0 0
1619861623.64075
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ec000
success 0 0
1619861623.70375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00780000
success 0 0
1619861624.09375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e4000
success 0 0
1619861624.14075
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00781000
success 0 0
1619861624.21875
NtProtectVirtualMemory
process_identifier: 2984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 69632
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x002d2000
success 0 0
1619861624.50075
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00782000
success 0 0
1619861624.53175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e5000
success 0 0
1619861624.53175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00783000
success 0 0
1619861624.53175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00784000
success 0 0
1619861624.59375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00785000
success 0 0
1619861624.60975
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00786000
success 0 0
1619861624.82875
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e6000
success 0 0
1619861625.00075
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e8000
success 0 0
1619861625.03175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0060a000
success 0 0
1619861625.03175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00607000
success 0 0
1619861625.20375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00606000
success 0 0
1619861625.21875
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00787000
success 0 0
1619861625.51575
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00789000
success 0 0
1619861625.79675
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078a000
success 0 0
1619861625.79675
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078d000
success 0 0
1619861626.12575
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078e000
success 0 0
1619861627.76575
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e9000
success 0 0
1619861627.76575
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c0000
success 0 0
1619861633.31275
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02131000
success 0 0
1619861633.95375
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c1000
success 0 0
1619861633.98475
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c2000
success 0 0
1619861634.00075
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078f000
success 0 0
1619861634.01575
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c3000
success 0 0
1619861634.03175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04700000
success 0 0
1619861634.03175
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04701000
success 0 0
1619861634.04675
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04703000
success 0 0
1619861634.04675
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ed000
success 0 0
1619861634.06275
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006d1000
success 0 0
1619861634.07875
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006d2000
success 0 0
1619861634.07875
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006d3000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.997567367675499 section {'size_of_data': '0x00010a00', 'virtual_address': '0x00002000', 'entropy': 7.997567367675499, 'name': 'DB1\\x17wZ\\C', 'virtual_size': '0x000108e8'} description A section with a high entropy has been found
entropy 7.958319833782033 section {'size_of_data': '0x0005ec00', 'virtual_address': '0x00014000', 'entropy': 7.958319833782033, 'name': '.text', 'virtual_size': '0x0005ea08'} description A section with a high entropy has been found
entropy 0.9944196428571429 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619861624.18775
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619886996.59575
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 个事件)
Time & API Arguments Status Return Repeated
1619861634.70375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 580
process_handle: 0x00010a90
failed 0 0
1619861634.70375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 580
process_handle: 0x00010a90
success 0 0
1619887018.43875
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2984
process_handle: 0x00000230
failed 0 0
1619887018.43875
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2984
process_handle: 0x00000230
failed 3221225738 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (2 个事件)
Time & API Arguments Status Return Repeated
1619861634.53175
NtAllocateVirtualMemory
process_identifier: 580
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010a8c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861634.73475
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000077d0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description bce47c24976cb8e8db5a88902f2e33d7.exe tried to sleep 2728183 seconds, actually delayed analysis time by 2728183 seconds
Manipulates memory of a non-child process indicative of process injection (2 个事件)
Process injection Process 2984 manipulating memory of non-child process 580
Time & API Arguments Status Return Repeated
1619861634.53175
NtAllocateVirtualMemory
process_identifier: 580
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010a8c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL†Ý¨^à  ˜.· À@ @…ضSÀHà  H.text4— ˜ `.rsrcHÀš@@.reloc à @B
process_handle: 0x000077d0
base_address: 0x00400000
success 1 0
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer:  €P€8€€h€ À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameuctzWEFOeByAjJqnPjRYWSmgsXwlzwuxUMwj.exe(LegalCopyright |)OriginalFilenameuctzWEFOeByAjJqnPjRYWSmgsXwlzwuxUMwj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x000077d0
base_address: 0x0044c000
success 1 0
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer: ° 07
process_handle: 0x000077d0
base_address: 0x0044e000
success 1 0
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer: @
process_handle: 0x000077d0
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL†Ý¨^à  ˜.· À@ @…ضSÀHà  H.text4— ˜ `.rsrcHÀš@@.reloc à @B
process_handle: 0x000077d0
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2984 called NtSetContextThread to modify thread in remote process 2956
Time & API Arguments Status Return Repeated
1619861634.73475
NtSetContextThread
thread_handle: 0x00010a90
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4503342
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2956
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2984 resumed a thread in remote process 2956
Time & API Arguments Status Return Repeated
1619861634.78175
NtResumeThread
thread_handle: 0x00010a90
suspend_count: 1
process_identifier: 2956
success 0 0
Executed a process and injected code into it, probably while unpacking (24 个事件)
Time & API Arguments Status Return Repeated
1619861623.10975
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2984
success 0 0
1619861623.10975
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2984
success 0 0
1619861623.12575
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2984
success 0 0
1619861634.53175
CreateProcessInternalW
thread_identifier: 1752
thread_handle: 0x0000e5b8
process_identifier: 580
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bce47c24976cb8e8db5a88902f2e33d7.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bce47c24976cb8e8db5a88902f2e33d7.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00010a8c
inherit_handles: 0
success 1 0
1619861634.53175
NtGetContextThread
thread_handle: 0x0000e5b8
success 0 0
1619861634.53175
NtAllocateVirtualMemory
process_identifier: 580
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010a8c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861634.73475
CreateProcessInternalW
thread_identifier: 2952
thread_handle: 0x00010a90
process_identifier: 2956
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bce47c24976cb8e8db5a88902f2e33d7.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bce47c24976cb8e8db5a88902f2e33d7.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000077d0
inherit_handles: 0
success 1 0
1619861634.73475
NtGetContextThread
thread_handle: 0x00010a90
success 0 0
1619861634.73475
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000077d0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL†Ý¨^à  ˜.· À@ @…ضSÀHà  H.text4— ˜ `.rsrcHÀš@@.reloc à @B
process_handle: 0x000077d0
base_address: 0x00400000
success 1 0
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer:
process_handle: 0x000077d0
base_address: 0x00402000
success 1 0
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer:  €P€8€€h€ À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameuctzWEFOeByAjJqnPjRYWSmgsXwlzwuxUMwj.exe(LegalCopyright |)OriginalFilenameuctzWEFOeByAjJqnPjRYWSmgsXwlzwuxUMwj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x000077d0
base_address: 0x0044c000
success 1 0
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer: ° 07
process_handle: 0x000077d0
base_address: 0x0044e000
success 1 0
1619861634.73475
WriteProcessMemory
process_identifier: 2956
buffer: @
process_handle: 0x000077d0
base_address: 0x7efde008
success 1 0
1619861634.73475
NtSetContextThread
thread_handle: 0x00010a90
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4503342
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2956
success 0 0
1619861634.78175
NtResumeThread
thread_handle: 0x00010a90
suspend_count: 1
process_identifier: 2956
success 0 0
1619861634.78175
NtResumeThread
thread_handle: 0x000077d8
suspend_count: 1
process_identifier: 2984
success 0 0
1619886996.07975
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2956
success 0 0
1619886996.07975
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2956
success 0 0
1619886996.09575
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2956
success 0 0
1619887022.54875
NtResumeThread
thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 2956
success 0 0
1619887022.56375
NtResumeThread
thread_handle: 0x00000310
suspend_count: 1
process_identifier: 2956
success 0 0
1619887024.84575
NtResumeThread
thread_handle: 0x00000368
suspend_count: 1
process_identifier: 2956
success 0 0
1619887032.14275
NtResumeThread
thread_handle: 0x000003b4
suspend_count: 1
process_identifier: 2956
success 0 0
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)
MicroWorld-eScan Trojan.GenericKD.33789016
FireEye Generic.mg.bce47c24976cb8e8
McAfee GenericRXKK-WU!BCE47C24976C
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2014774
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:MSIL/AgentTesla.8c576302
K7GW Trojan ( 005662311 )
K7AntiVirus Trojan ( 005662311 )
Invincea heuristic
F-Prot W32/MSIL_Agent.BIC.gen!Eldorado
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33789016
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Endgame malicious (high confidence)
Emsisoft Trojan.GenericKD.33789016 (B)
Comodo Malware@#1yoyl5h7tokko
DrWeb Trojan.PWS.Siggen2.48783
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.MSIL.MALREP.THEOIBO
McAfee-GW-Edition BehavesLike.Win32.Packed.gc
MaxSecure Win.MxResIcn.Heur.Gen
Trapmine suspicious.low.ml.score
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Cyren W32/MSIL_Agent.BIC.gen!Eldorado
Webroot W32.Trojan.Gen
Avira TR/Kryptik.hihdg
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:MSIL/AgentTesla.SG!MTB
Arcabit Trojan.Generic.D2039458
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33789016
AhnLab-V3 Trojan/Win32.NanoCore.R335505
Acronis suspicious
ALYac Trojan.GenericKD.33789016
MAX malware (ai score=81)
Ad-Aware Trojan.GenericKD.33789016
Malwarebytes Spyware.Agent
ESET-NOD32 a variant of MSIL/Kryptik.VTN
TrendMicro-HouseCall Trojan.MSIL.MALREP.THEOIBO
Ikarus Trojan.MSIL.Crypt
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/Kryptik.VTN!tr
BitDefenderTheta Gen:NN.ZemsilF.34110.Cu0@ai!WSBe
AVG Win32:PWSX-gen [Trj]
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-06 08:50:27

Imports

Library mscoree.dll:
0x478000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.