Score: 4.4
Risk level: Medium
SHA256: c9e32b3d0db969f40f55b1e5165a0ba4aa15037bf58e4443285b3ed760ee0c05
File name: bf6adb0115f66360371c9ed9b377c1a1.exe
Analysis duration: 84s
Last analyzed:
File size: 5.8MB
Static detection / Dynamic detection: ELDORADO
鹰眼 (Eagle Eye) engine: not detected (no 鹰眼 engine result available)

Static verdict
Antivirus engines
Engine  Result  Scan time  Engine version
McAfee 20200709 6.0.6.653
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast 20200708 18.4.3895.0
Kingsoft 20200709 2013.8.14.323
Tencent 20200709 1.0.0.1
CrowdStrike 20190702 1.0
Behavioral verdict
Dynamic indicators
Performs some HTTP requests (4 events)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
request GET http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
request GET http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDzHc2p4PYe%2BXbRnPTZ8TTX
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1621004329.083625
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)
Cyren W32/Trojan.DOC.gen!Eldorado
Jiangmin Trojan.Encoder.jm
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1621004332.395625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy 6.951015935769176, section .rsrc (size_of_data 0x0000c800, virtual_address 0x00087000, virtual_size 0x0000c708, entropy 6.951015935769176), description: A section with a high entropy has been found
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to create or modify system certificates (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 events)
Time & API Arguments Status Return Repeated
1621004334.926625
RegSetValueExA
key_handle: 0x000003b8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1621004334.926625
RegSetValueExA
key_handle: 0x000003b8
value: ð=ÓN»H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1621004334.926625
RegSetValueExA
key_handle: 0x000003b8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1621004334.926625
RegSetValueExW
key_handle: 0x000003b8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1621004334.926625
RegSetValueExA
key_handle: 0x000003d0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1621004334.926625
RegSetValueExA
key_handle: 0x000003d0
value: ð=ÓN»H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1621004334.926625
RegSetValueExA
key_handle: 0x000003d0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1621004334.973625
RegSetValueExW
key_handle: 0x000003b4
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1621004364.786625
RegSetValueExA
key_handle: 0x00000600
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1621004364.786625
RegSetValueExA
key_handle: 0x00000600
value: ]Ÿ`»H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1621004364.786625
RegSetValueExA
key_handle: 0x00000600
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1621004364.786625
RegSetValueExW
key_handle: 0x00000600
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1621004364.786625
RegSetValueExA
key_handle: 0x00000144
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1621004364.801625
RegSetValueExA
key_handle: 0x00000144
value: ]Ÿ`»H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1621004364.801625
RegSetValueExA
key_handle: 0x00000144
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2019-01-04 13:47:17

Imports

Library KERNEL32.dll:
0x4670b0 SetErrorMode
0x4670b4 MulDiv
0x4670c0 CopyFileW
0x4670c4 GetCurrentThreadId
0x4670c8 SetLastError
0x4670cc MoveFileW
0x4670d8 GetVersion
0x4670dc GetCurrentThread
0x4670e0 GlobalAlloc
0x4670e4 InterlockedExchange
0x4670e8 lstrlenA
0x4670ec WideCharToMultiByte
0x4670f0 CreateFileW
0x4670f4 GetFileSize
0x4670f8 ReadFile
0x4670fc SetFilePointer
0x467100 GetFileSizeEx
0x467104 WriteFile
0x467108 RtlUnwind
0x467110 GetStringTypeW
0x467114 GetStringTypeA
0x467118 IsValidLocale
0x46711c EnumSystemLocalesA
0x467120 GetLocaleInfoA
0x467124 GetUserDefaultLCID
0x467128 GetDateFormatA
0x46712c GetTimeFormatA
0x467130 GetModuleFileNameA
0x467134 GetStdHandle
0x467138 LCMapStringW
0x46713c IsValidCodePage
0x467140 GetOEMCP
0x467144 GetACP
0x467148 GetCPInfo
0x467154 HeapCreate
0x467158 ExitProcess
0x46715c TlsFree
0x467160 TlsSetValue
0x467164 TlsAlloc
0x467168 TlsGetValue
0x46716c IsDebuggerPresent
0x467178 TerminateProcess
0x46717c GetStartupInfoW
0x467184 CreateThread
0x467188 ExitThread
0x46718c VirtualAlloc
0x467190 VirtualFree
0x467198 LoadLibraryA
0x4671a0 GetProcessHeap
0x4671a4 HeapSize
0x4671a8 HeapReAlloc
0x4671ac HeapFree
0x4671b0 HeapAlloc
0x4671b4 HeapDestroy
0x4671b8 GetFileType
0x4671bc GetStartupInfoA
0x4671c0 GetCommandLineW
0x4671c8 GetCurrentProcessId
0x4671d0 CompareStringW
0x4671dc LCMapStringA
0x4671e0 GetConsoleCP
0x4671e4 GetConsoleMode
0x4671e8 GetLocaleInfoW
0x4671ec GetModuleHandleA
0x4671f0 SetStdHandle
0x4671f4 FlushFileBuffers
0x4671f8 WriteConsoleA
0x4671fc GetConsoleOutputCP
0x467200 WriteConsoleW
0x467204 CreateFileA
0x467208 CompareStringA
0x46720c LoadLibraryExW
0x467210 MultiByteToWideChar
0x467218 RaiseException
0x467220 lstrcmpiW
0x46722c GetTempFileNameW
0x467230 GetTempPathW
0x467234 RemoveDirectoryW
0x467238 FindClose
0x46723c SetFileAttributesW
0x467240 DeleteFileW
0x467244 FindNextFileW
0x467248 SetHandleCount
0x46724c FindFirstFileW
0x467250 GetExitCodeProcess
0x467254 CreateProcessW
0x467258 GetCurrentProcess
0x46725c GetProcAddress
0x467260 GetModuleHandleW
0x467264 GetFullPathNameW
0x467268 lstrcpyW
0x46726c GetLastError
0x467270 GetFileAttributesW
0x467274 GetModuleFileNameW
0x467278 GlobalFree
0x46727c CreateDirectoryW
0x467280 GetSystemDirectoryW
0x467284 FreeLibrary
0x467288 LoadLibraryW
0x46728c lstrlenW
0x467290 FindResourceExW
0x467294 FindResourceW
0x467298 LoadResource
0x46729c LockResource
0x4672a0 SizeofResource
0x4672a4 TerminateThread
0x4672a8 GetTickCount
0x4672ac Sleep
0x4672b0 CloseHandle
0x4672b4 GetExitCodeThread
0x4672bc WaitForSingleObject
Library USER32.dll:
0x4672f4 GetWindowTextW
0x4672fc GetFocus
0x467300 GetDlgItem
0x467304 IsWindowEnabled
0x467308 GetKeyState
0x46730c ReleaseCapture
0x467310 SetCapture
0x467314 TrackPopupMenuEx
0x467318 TrackMouseEvent
0x46731c UpdateWindow
0x467320 UnionRect
0x467324 SetWindowRgn
0x467328 SetTimer
0x46732c RegisterClassW
0x467330 GetPropW
0x467334 SetPropW
0x467338 ClientToScreen
0x46733c InflateRect
0x467340 InvalidateRect
0x467344 PtInRect
0x467348 SetRect
0x46734c GetWindowDC
0x467350 SetScrollInfo
0x467354 SetScrollRange
0x467358 ScreenToClient
0x46735c SetScrollPos
0x467360 EnableWindow
0x467364 IsWindowVisible
0x467368 EndPaint
0x46736c SubtractRect
0x467370 AdjustWindowRectEx
0x467374 BeginPaint
0x467378 DestroyWindow
0x46737c SetCursor
0x467380 SetRectEmpty
0x467384 DrawTextW
0x467388 GetSysColor
0x46738c ReleaseDC
0x467390 GetWindowPlacement
0x467394 GetDC
0x467398 IsRectEmpty
0x46739c IntersectRect
0x4673a4 SetFocus
0x4673a8 GetCursorPos
0x4673ac AppendMenuW
0x4673b0 CreatePopupMenu
0x4673b4 SendMessageTimeoutW
0x4673b8 ShowWindow
0x4673bc PostMessageW
0x4673c0 CreateWindowExW
0x4673c4 LoadCursorW
0x4673c8 GetClassInfoExW
0x4673cc RegisterClassExW
0x4673d0 MessageBoxW
0x4673d4 KillTimer
0x4673d8 GetSystemMenu
0x4673dc EnableMenuItem
0x4673e0 GetWindow
0x4673e4 MonitorFromWindow
0x4673e8 GetParent
0x4673ec GetClientRect
0x4673f0 MapWindowPoints
0x4673f4 SetWindowPos
0x4673f8 SetWindowTextW
0x4673fc LoadIconW
0x467400 PostQuitMessage
0x467404 CallWindowProcW
0x467408 DefWindowProcW
0x46740c GetWindowLongW
0x467410 SetWindowLongW
0x467418 GetMessageW
0x46741c LoadAcceleratorsW
0x467420 CharNextW
0x467424 MoveWindow
0x467428 EqualRect
0x46742c GetWindowRect
0x467430 OffsetRect
0x467434 MonitorFromPoint
0x467438 CopyRect
0x46743c GetSystemMetrics
0x467444 GetMonitorInfoW
0x467448 MonitorFromRect
0x46744c IsCharAlphaW
0x467450 SendMessageW
0x467454 FindWindowW
0x467458 IsWindow
0x46745c DispatchMessageW
0x467460 TranslateMessage
0x467464 PeekMessageW
0x467468 RemovePropW
0x46746c UnregisterClassA
Library GDI32.dll:
0x467044 MoveToEx
0x467048 LineTo
0x46704c CreateRectRgn
0x467050 ExtCreateRegion
0x467054 ExtTextOutW
0x467058 OffsetRgn
0x46705c CreateSolidBrush
0x467060 GetDeviceCaps
0x467064 SetBkColor
0x467068 ExcludeClipRect
0x46706c GetTextMetricsW
0x467070 SetBkMode
0x467074 GetStockObject
0x467078 SetWindowOrgEx
0x467080 SetTextColor
0x467084 CreateFontW
0x467088 BitBlt
0x46708c DeleteDC
0x467090 SelectObject
0x467094 CreateCompatibleDC
0x467098 CreateDIBSection
0x46709c CombineRgn
0x4670a0 DeleteObject
0x4670a4 GetObjectW
Library ADVAPI32.dll:
0x467000 EqualSid
0x467008 GetTokenInformation
0x46700c OpenProcessToken
0x467010 OpenThreadToken
0x467014 RegDeleteValueW
0x467018 RegCreateKeyExW
0x46701c RegSetValueExW
0x467020 RegEnumKeyExW
0x467024 RegQueryInfoKeyW
0x467028 RegDeleteKeyW
0x46702c RegEnumKeyW
0x467030 RegCloseKey
0x467034 RegQueryValueExW
0x467038 RegOpenKeyExW
0x46703c FreeSid
Library SHELL32.dll:
0x4672d0 SHAppBarMessage
0x4672d4 SHBrowseForFolderW
0x4672d8 ShellExecuteExW
0x4672dc SHGetFolderPathW
0x4672e0 ShellExecuteW
Library ole32.dll:
0x4674a8 CoInitialize
0x4674ac CoTaskMemAlloc
0x4674b0 CoTaskMemRealloc
0x4674b4 CoTaskMemFree
0x4674b8 CoCreateInstance
0x4674bc CoUninitialize
Library OLEAUT32.dll:
0x4672c4 VarUI4FromStr
Library SHLWAPI.dll:
0x4672e8 PathCanonicalizeW
0x4672ec PathIsDirectoryW
Library WININET.dll:
0x467474 InternetReadFile
0x46747c HttpQueryInfoW
0x467484 HttpOpenRequestA
0x467488 HttpSendRequestW
0x467490 InternetConnectA
0x467494 InternetSetOptionW
0x467498 InternetOpenW
0x46749c InternetCrackUrlA
0x4674a0 InternetCloseHandle

Hosts

No hosts contacted.

TCP

Source          Source port  Destination      Destination host                 Destination port
192.168.56.101  49177        124.225.105.97   www.download.windowsupdate.com   80
192.168.56.101  49178        151.139.128.14   ocsp.usertrust.com               80
192.168.56.101  49180        151.139.128.14   ocsp.usertrust.com               80
192.168.56.101  49182        151.139.128.14   ocsp.usertrust.com               80
192.168.56.101  49176        52.78.169.250    ver.bandi.so                     443

UDP

Source          Source port  Destination      Destination host                 Destination port
192.168.56.101  50002        114.114.114.114  -                                53
192.168.56.101  50568        114.114.114.114  -                                53
192.168.56.101  51378        114.114.114.114  -                                53
192.168.56.101  53237        114.114.114.114  -                                53
192.168.56.101  53500        114.114.114.114  -                                53
192.168.56.101  57236        114.114.114.114  -                                53
192.168.56.101  57874        114.114.114.114  -                                53
192.168.56.101  62144        114.114.114.114  -                                53
192.168.56.101  64877        114.114.114.114  -                                53
192.168.56.101  65004        114.114.114.114  -                                53
192.168.56.101  137          192.168.56.255   -                                137
192.168.56.101  138          192.168.56.255   -                                138
192.168.56.101  123          20.189.79.72     time.windows.com                 123
192.168.56.101  49235        224.0.0.252      -                                5355
192.168.56.101  49710        224.0.0.252      -                                5355
192.168.56.101  50849        224.0.0.252      -                                5355
192.168.56.101  51963        224.0.0.252      -                                5355
192.168.56.101  53210        224.0.0.252      -                                5355
192.168.56.101  53657        224.0.0.252      -                                5355
192.168.56.101  54178        224.0.0.252      -                                5355

HTTP & HTTPS Requests

URI  Request data
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDzHc2p4PYe%2BXbRnPTZ8TTX
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDzHc2p4PYe%2BXbRnPTZ8TTX HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.sectigo.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Apr 2021 20:17:25 GMT
If-None-Match: "80f8835935d71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.