10.8
0-day

360329cebd5620f3feeca76393713ac16d0c3f80d9832de6a2c9045218450f31

beaa3d073435f8cddfafde503655236d.exe

Analysis duration

108s

Latest analysis

File size

447.0KB
鹰眼引擎 (Hawkeye engine)
Not detected: no Hawkeye engine results are available yet
Static verdict
Antivirus engines

Engine | Result | Scan date | Engine version
Baidu | (no result) | 20190318 | 1.0.0.2
Avast | Win32:RATX-gen [Trj] | 20201228 | 21.1.5827.0
Alibaba | Backdoor:MSIL/Kryptik.457dee04 | 20190527 | 0.3.0.5
Tencent | Win32.Trojan.Inject.Auto | 20201228 | 1.0.0.1
Kingsoft | Win32.Hack.Undef.(kcloud) | 20201228 | 2017.9.26.565
McAfee | Trojan-FSEI!BEAA3D073435 | 20201228 | 6.0.6.653
CrowdStrike | win/malicious_confidence_90% (W) | 20190702 | 1.0
Static indicators
Queries for the computername (5 events)
Time  API  Arguments  => Status (return, repeated)
1619884013.450249  GetComputerNameW  computer_name: OSKAR-PC  => success (return 1, repeated 0)
1619884049.903876  GetComputerNameW  computer_name: OSKAR-PC  => success (return 1, repeated 0)
1619884051.903876  GetComputerNameW  computer_name: OSKAR-PC  => success (return 1, repeated 0)
1619884054.106876  GetComputerNameW  computer_name: OSKAR-PC  => success (return 1, repeated 0)
1619884054.293876  GetComputerNameW  computer_name: OSKAR-PC  => success (return 1, repeated 0)
Checks if process is being debugged by a debugger (4 events)
Time  API  Arguments  => Status (return, repeated)
1619883976.434249  IsDebuggerPresent  (no arguments)  => failed (return 0, repeated 0)
1619883976.434249  IsDebuggerPresent  (no arguments)  => failed (return 0, repeated 0)
1619884049.590876  IsDebuggerPresent  (no arguments)  => failed (return 0, repeated 0)
1619884049.590876  IsDebuggerPresent  (no arguments)  => failed (return 0, repeated 0)
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time  API  Arguments  => Status (return, repeated)
1619883976.465249  GlobalMemoryStatusEx  (no arguments)  => success (return 1, repeated 0)
One or more processes crashed (1 event)
Time  API  Arguments  => Status (return, repeated)
1619884054.090876  __exception__  (arguments listed below)  => success (return 0, repeated 0)

Arguments of the exception event:
stacktrace:
0xb800a5
0x114f1f8
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3599264
registers.edi: 386430771
registers.eax: 0
registers.ebp: 3599312
registers.edx: 8
registers.ebx: 0
registers.esi: 48584436
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 d8 b8 26 63 bd 6a e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb8382a
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 176 events)
Time  API  Arguments  => Status (return, repeated)
1619883975.715249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 1310720; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 8192 (MEM_RESERVE); base_address: 0x00830000  => success (return 0, repeated 0)
1619883975.715249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00930000  => success (return 0, repeated 0)
1619883976.231249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 1310720; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 8192 (MEM_RESERVE); base_address: 0x00c90000  => success (return 0, repeated 0)
1619883976.231249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00d90000  => success (return 0, repeated 0)
1619883976.371249  NtProtectVirtualMemory  process_identifier: 1916; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; base_address: 0x73b91000  => success (return 0, repeated 0)
1619883976.434249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 917504; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 8192 (MEM_RESERVE); base_address: 0x00560000  => success (return 0, repeated 0)
1619883976.434249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00600000  => success (return 0, repeated 0)
1619883976.434249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0039a000  => success (return 0, repeated 0)
1619883976.434249  NtProtectVirtualMemory  process_identifier: 1916; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 8192; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; base_address: 0x73b92000  => success (return 0, repeated 0)
1619883976.434249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00392000  => success (return 0, repeated 0)
1619883976.668249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003c2000  => success (return 0, repeated 0)
1619883976.762249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003e5000  => success (return 0, repeated 0)
1619883976.778249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003eb000  => success (return 0, repeated 0)
1619883976.778249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003e7000  => success (return 0, repeated 0)
1619883976.918249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003c3000  => success (return 0, repeated 0)
1619883976.918249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003c4000  => success (return 0, repeated 0)
1619883976.918249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003c5000  => success (return 0, repeated 0)
1619883976.965249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003cc000  => success (return 0, repeated 0)
1619883977.450249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003c6000  => success (return 0, repeated 0)
1619883977.731249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 8192; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003c7000  => success (return 0, repeated 0)
1619883977.825249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00660000  => success (return 0, repeated 0)
1619883978.668249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003c9000  => success (return 0, repeated 0)
1619883978.731249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00880000  => success (return 0, repeated 0)
1619883979.012249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003d6000  => success (return 0, repeated 0)
1619883979.059249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003da000  => success (return 0, repeated 0)
1619883979.059249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x003d7000  => success (return 0, repeated 0)
1619883979.090249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00661000  => success (return 0, repeated 0)
1619883979.934249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00881000  => success (return 0, repeated 0)
1619883980.246249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00882000  => success (return 0, repeated 0)
1619883980.309249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00883000  => success (return 0, repeated 0)
1619883980.325249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00884000  => success (return 0, repeated 0)
1619883980.871249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00393000  => success (return 0, repeated 0)
1619883980.871249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00885000  => success (return 0, repeated 0)
1619883980.903249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00886000  => success (return 0, repeated 0)
1619883981.012249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00887000  => success (return 0, repeated 0)
1619883981.012249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00888000  => success (return 0, repeated 0)
1619883981.028249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00889000  => success (return 0, repeated 0)
1619883981.028249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0088a000  => success (return 0, repeated 0)
1619883981.028249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0088b000  => success (return 0, repeated 0)
1619883981.028249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0088c000  => success (return 0, repeated 0)
1619884011.043249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00662000  => success (return 0, repeated 0)
1619884011.340249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0088d000  => success (return 0, repeated 0)
1619884011.481249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0088e000  => success (return 0, repeated 0)
1619884011.496249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00663000  => success (return 0, repeated 0)
1619884012.559249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0088f000  => success (return 0, repeated 0)
1619884012.559249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x04fe0000  => success (return 0, repeated 0)
1619884012.559249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x04fe1000  => success (return 0, repeated 0)
1619884012.559249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x04fe2000  => success (return 0, repeated 0)
1619884012.715249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x00664000  => success (return 0, repeated 0)
1619884012.715249  NtAllocateVirtualMemory  process_identifier: 1916; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x04fe3000  => success (return 0, repeated 0)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.871322503670209, section .text (virtual_address 0x00002000, virtual_size 0x00064de4, size_of_data 0x00064e00): a section with a high entropy has been found
entropy 0.9036954087346024: overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time  API  Arguments  => Status (return, repeated)
1619883979.168249  LookupPrivilegeValueW  system_name: (empty); privilege_name: SeDebugPrivilege  => success (return 1, repeated 0)
1619884049.731876  LookupPrivilegeValueW  system_name: (empty); privilege_name: SeDebugPrivilege  => success (return 1, repeated 0)
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer: buffer with sha1 78358c1a7ad79c41e5e575d26c3a8e7be9977718
Communicates with host for which no DNS query was performed (1 event)
host: 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time  API  Arguments  => Status (return, repeated)
1619884047.840249  NtAllocateVirtualMemory  process_identifier: 3164; region_size: 335872; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0x00000398; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); base_address: 0x00400000  => success (return 0, repeated 0)
Attempts to identify installed AV products by installation directory (2 events)
file: C:\Program Files\AVAST Software
file: C:\Program Files (x86)\AVAST Software
Potential code injection by writing to the memory of another process (4 events)
Time  API  Arguments  => Status (return, repeated)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELø@§^à ¬~Ê à@  @…,ÊOàð  H.text„ª ¬ `.rsrcðà®@@.reloc ²@B; process_handle: 0x00000398; base_address: 0x00400000  => success (return 1, repeated 0)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: €0€HXà””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameJqZjMqqPTxnaHxRrlgJSyGQoBT.exe(LegalCopyright hOriginalFilenameJqZjMqqPTxnaHxRrlgJSyGQoBT.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0; process_handle: 0x00000398; base_address: 0x0044e000  => success (return 1, repeated 0)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: À €:; process_handle: 0x00000398; base_address: 0x00450000  => success (return 1, repeated 0)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: @; process_handle: 0x00000398; base_address: 0x7efde008  => success (return 1, repeated 0)
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time  API  Arguments  => Status (return, repeated)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELø@§^à ¬~Ê à@  @…,ÊOàð  H.text„ª ¬ `.rsrcðà®@@.reloc ²@B; process_handle: 0x00000398; base_address: 0x00400000  => success (return 1, repeated 0)
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection: process 1916 called NtSetContextThread to modify a thread in remote process 3164
Time  API  Arguments  => Status (return, repeated)
1619884047.840249  NtSetContextThread  thread_handle: 0x00000378; registers.eip: 0; registers.esp: 0; registers.edi: 0; registers.eax: 4508286; registers.ebp: 0; registers.edx: 0; registers.ebx: 2130567168; registers.esi: 0; registers.ecx: 0; process_identifier: 3164  => success (return 0, repeated 0)
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection: process 1916 resumed a thread in remote process 3164
Time  API  Arguments  => Status (return, repeated)
1619884048.981249  NtResumeThread  thread_handle: 0x00000378; suspend_count: 1; process_identifier: 3164  => success (return 0, repeated 0)
Executed a process and injected code into it, probably while unpacking (21 events)
Time  API  Arguments  => Status (return, repeated)
1619883976.434249  NtResumeThread  thread_handle: 0x000000d8; suspend_count: 1; process_identifier: 1916  => success (return 0, repeated 0)
1619883976.434249  NtResumeThread  thread_handle: 0x00000128; suspend_count: 1; process_identifier: 1916  => success (return 0, repeated 0)
1619883976.465249  NtResumeThread  thread_handle: 0x0000016c; suspend_count: 1; process_identifier: 1916  => success (return 0, repeated 0)
1619884013.012249  NtResumeThread  thread_handle: 0x000002f4; suspend_count: 1; process_identifier: 1916  => success (return 0, repeated 0)
1619884013.231249  NtResumeThread  thread_handle: 0x0000035c; suspend_count: 1; process_identifier: 1916  => success (return 0, repeated 0)
1619884047.840249  CreateProcessInternalW  thread_identifier: 3168; thread_handle: 0x00000378; process_identifier: 3164; current_directory: (empty); filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; track: 1; command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"; filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; stack_pivoted: 0; creation_flags: 4 (CREATE_SUSPENDED); process_handle: 0x00000398; inherit_handles: 0  => success (return 1, repeated 0)
1619884047.840249  NtGetContextThread  thread_handle: 0x00000378  => success (return 0, repeated 0)
1619884047.840249  NtAllocateVirtualMemory  process_identifier: 3164; region_size: 335872; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0x00000398; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); base_address: 0x00400000  => success (return 0, repeated 0)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELø@§^à ¬~Ê à@  @…,ÊOàð  H.text„ª ¬ `.rsrcðà®@@.reloc ²@B; process_handle: 0x00000398; base_address: 0x00400000  => success (return 1, repeated 0)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: (empty); process_handle: 0x00000398; base_address: 0x00402000  => success (return 1, repeated 0)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: €0€HXà””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0`InternalNameJqZjMqqPTxnaHxRrlgJSyGQoBT.exe(LegalCopyright hOriginalFilenameJqZjMqqPTxnaHxRrlgJSyGQoBT.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0; process_handle: 0x00000398; base_address: 0x0044e000  => success (return 1, repeated 0)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: À €:; process_handle: 0x00000398; base_address: 0x00450000  => success (return 1, repeated 0)
1619884047.840249  WriteProcessMemory  process_identifier: 3164; buffer: @; process_handle: 0x00000398; base_address: 0x7efde008  => success (return 1, repeated 0)
1619884047.840249  NtSetContextThread  thread_handle: 0x00000378; registers.eip: 0; registers.esp: 0; registers.edi: 0; registers.eax: 4508286; registers.ebp: 0; registers.edx: 0; registers.ebx: 2130567168; registers.esi: 0; registers.ecx: 0; process_identifier: 3164  => success (return 0, repeated 0)
1619884048.981249  NtResumeThread  thread_handle: 0x00000378; suspend_count: 1; process_identifier: 3164  => success (return 0, repeated 0)
1619884049.590876  NtResumeThread  thread_handle: 0x0000016c; suspend_count: 1; process_identifier: 3164  => success (return 0, repeated 0)
1619884049.590876  NtResumeThread  thread_handle: 0x000001b4; suspend_count: 1; process_identifier: 3164  => success (return 0, repeated 0)
1619884049.606876  NtResumeThread  thread_handle: 0x00000204; suspend_count: 1; process_identifier: 3164  => success (return 0, repeated 0)
1619884051.840876  NtResumeThread  thread_handle: 0x0000032c; suspend_count: 1; process_identifier: 3164  => success (return 0, repeated 0)
1619884051.871876  NtResumeThread  thread_handle: 0x00000360; suspend_count: 1; process_identifier: 3164  => success (return 0, repeated 0)
1619884054.106876  NtResumeThread  thread_handle: 0x000003b8; suspend_count: 1; process_identifier: 3164  => success (return 0, repeated 0)
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Engine | Verdict
Elastic | malicious (high confidence)
MicroWorld-eScan | Trojan.MSIL.Basic.3.Gen
FireEye | Generic.mg.beaa3d073435f8cd
CAT-QuickHeal | Trojan.YakbeexMSIL.ZZ4
Qihoo-360 | Generic/Backdoor.23a
ALYac | Trojan.MSIL.Basic.3.Gen
Malwarebytes | Trojan.PCrypt.MSIL.Generic
VIPRE | Trojan.Win32.Generic!BT
K7AntiVirus | Trojan ( 005660ce1 )
BitDefender | Trojan.MSIL.Basic.3.Gen
K7GW | Trojan ( 005660ce1 )
Cybereason | malicious.73435f
BitDefenderTheta | Gen:NN.ZemsilF.34700.Bm0@aGbrZWh
Cyren | W32/MSIL_Agent.BHY.gen!Eldorado
Symantec | ML.Attribute.HighConfidence
APEX | Malicious
Avast | Win32:RATX-gen [Trj]
Kaspersky | HEUR:Backdoor.MSIL.Remcos.gen
Alibaba | Backdoor:MSIL/Kryptik.457dee04
Tencent | Win32.Trojan.Inject.Auto
Ad-Aware | Trojan.MSIL.Basic.3.Gen
Sophos | Mal/Generic-S
Comodo | Malware@#g8nbmcv4hsbt
F-Secure | Heuristic.HEUR/AGEN.1134219
DrWeb | Trojan.DownLoader33.39004
TrendMicro | TROJ_GEN.R066C0PIK20
McAfee-GW-Edition | BehavesLike.Win32.Generic.gc
Emsisoft | Trojan.MSIL.Basic.3.Gen (B)
Ikarus | Trojan.MSIL.Inject
Jiangmin | Backdoor.MSIL.dhsi
Webroot | W32.Trojan.Gen
Avira | HEUR/AGEN.1134219
Antiy-AVL | Trojan[Backdoor]/MSIL.Remcos
Kingsoft | Win32.Hack.Undef.(kcloud)
Microsoft | Trojan:Win32/Ashify.J!ibt
Arcabit | Trojan.MSIL.Basic.3.Gen
ZoneAlarm | HEUR:Backdoor.MSIL.Remcos.gen
GData | Trojan.MSIL.Basic.3.Gen
Cynet | Malicious (score: 100)
McAfee | Trojan-FSEI!BEAA3D073435
MAX | malware (ai score=82)
Cylance | Unsafe
Panda | Trj/GdSda.A
ESET-NOD32 | a variant of MSIL/Kryptik.VSQ
TrendMicro-HouseCall | TROJ_GEN.R066C0PIK20
Yandex | Trojan.Kryptik!8pv4EaWC+6c
SentinelOne | Static AI - Malicious PE
Fortinet | MSIL/Kryptik.VSQ!tr
AVG | Win32:RATX-gen [Trj]
Paloalto | generic.ml
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host: 172.217.24.14:443
dead_host: 172.217.160.78:443
Visual analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-05-04 20:38:58

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 51808 | 114.114.114.114 | 53
192.168.56.101 | 51963 | 114.114.114.114 | 53
192.168.56.101 | 55368 | 114.114.114.114 | 53
192.168.56.101 | 60384 | 114.114.114.114 | 53
192.168.56.101 | 63429 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 123 | 20.189.79.72 (time.windows.com) | 123
192.168.56.101 | 49713 | 224.0.0.252 | 5355
192.168.56.101 | 51378 | 224.0.0.252 | 5355
192.168.56.101 | 53237 | 224.0.0.252 | 5355
192.168.56.101 | 53380 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 58367 | 224.0.0.252 | 5355
192.168.56.101 | 60123 | 224.0.0.252 | 5355
192.168.56.101 | 61680 | 224.0.0.252 | 5355
192.168.56.101 | 62191 | 224.0.0.252 | 5355
192.168.56.101 | 62318 | 224.0.0.252 | 5355
192.168.56.101 | 65004 | 224.0.0.252 | 5355
192.168.56.101 | 1900 | 239.255.255.250 | 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.