12.4
0-day
54 个模型检测该样本为恶意!
重新分析
更多

80da89b47f8a9fbc575d7d018fa7888bab2eabf55097d9d91ef2d7885379f450

bff4cd6b5bbf350b720a87be4e3f21f3.exe

分析耗时

97s

最近分析

文件大小

515.0KB
静态报毒 动态报毒 100% AGENSLA AGENTTESLA AI SCORE=81 ATTRIBUTE AUTO CONFIDENCE ELDORADO FAREIT GDSDA GENERICKD GGAQZGK1L88 GU0@ASNMD1E HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HOSGOO KRYPTIK MALICIOUS PE MALWARE@#17TK8PZVGWBM4 PWSX R03BC0DJT20 R339940 SCORE STATIC AI SUSGEN SVGLO TROJANPSW UNSAFE YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanPSW:MSIL/Agensla.0325716a 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Tencent Win32.Trojan.Inject.Auto 20201211 1.0.0.1
Kingsoft 20201211 2017.9.26.565
McAfee Fareit-FUP!BFF4CD6B5BBF 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619881605.401375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 87 个事件)
Time & API Arguments Status Return Repeated
1619881563.354625
IsDebuggerPresent
failed 0 0
1619881570.057625
IsDebuggerPresent
failed 0 0
1619881570.557625
IsDebuggerPresent
failed 0 0
1619881571.057625
IsDebuggerPresent
failed 0 0
1619881571.557625
IsDebuggerPresent
failed 0 0
1619881572.057625
IsDebuggerPresent
failed 0 0
1619881572.557625
IsDebuggerPresent
failed 0 0
1619881573.057625
IsDebuggerPresent
failed 0 0
1619881573.557625
IsDebuggerPresent
failed 0 0
1619881574.057625
IsDebuggerPresent
failed 0 0
1619881574.557625
IsDebuggerPresent
failed 0 0
1619881575.057625
IsDebuggerPresent
failed 0 0
1619881575.557625
IsDebuggerPresent
failed 0 0
1619881576.057625
IsDebuggerPresent
failed 0 0
1619881576.557625
IsDebuggerPresent
failed 0 0
1619881577.057625
IsDebuggerPresent
failed 0 0
1619881577.557625
IsDebuggerPresent
failed 0 0
1619881578.057625
IsDebuggerPresent
failed 0 0
1619881578.557625
IsDebuggerPresent
failed 0 0
1619881579.057625
IsDebuggerPresent
failed 0 0
1619881579.557625
IsDebuggerPresent
failed 0 0
1619881580.057625
IsDebuggerPresent
failed 0 0
1619881580.557625
IsDebuggerPresent
failed 0 0
1619881581.057625
IsDebuggerPresent
failed 0 0
1619881581.557625
IsDebuggerPresent
failed 0 0
1619881582.057625
IsDebuggerPresent
failed 0 0
1619881582.557625
IsDebuggerPresent
failed 0 0
1619881583.057625
IsDebuggerPresent
failed 0 0
1619881583.557625
IsDebuggerPresent
failed 0 0
1619881584.057625
IsDebuggerPresent
failed 0 0
1619881584.557625
IsDebuggerPresent
failed 0 0
1619881585.057625
IsDebuggerPresent
failed 0 0
1619881585.557625
IsDebuggerPresent
failed 0 0
1619881586.057625
IsDebuggerPresent
failed 0 0
1619881586.557625
IsDebuggerPresent
failed 0 0
1619881587.057625
IsDebuggerPresent
failed 0 0
1619881587.557625
IsDebuggerPresent
failed 0 0
1619881588.057625
IsDebuggerPresent
failed 0 0
1619881588.557625
IsDebuggerPresent
failed 0 0
1619881589.057625
IsDebuggerPresent
failed 0 0
1619881589.557625
IsDebuggerPresent
failed 0 0
1619881590.057625
IsDebuggerPresent
failed 0 0
1619881590.557625
IsDebuggerPresent
failed 0 0
1619881591.057625
IsDebuggerPresent
failed 0 0
1619881591.557625
IsDebuggerPresent
failed 0 0
1619881592.057625
IsDebuggerPresent
failed 0 0
1619881592.557625
IsDebuggerPresent
failed 0 0
1619881593.057625
IsDebuggerPresent
failed 0 0
1619881593.557625
IsDebuggerPresent
failed 0 0
1619881594.057625
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619881611.213375
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\qpzQTtX"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619881565.260625
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)
section 5 2&\x7fr\x14_
section
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 127 个事件)
Time & API Arguments Status Return Repeated
1619881562.042625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00510000
success 0 0
1619881562.042625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00540000
success 0 0
1619881563.307625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c51000
success 0 0
1619881563.354625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005aa000
success 0 0
1619881563.354625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c52000
success 0 0
1619881563.354625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a2000
success 0 0
1619881563.635625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b2000
success 0 0
1619881563.760625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b3000
success 0 0
1619881563.760625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078b000
success 0 0
1619881563.760625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00787000
success 0 0
1619881563.792625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005bc000
success 0 0
1619881563.854625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab0000
success 0 0
1619881564.057625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b4000
success 0 0
1619881564.057625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab1000
success 0 0
1619881564.073625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ba000
success 0 0
1619881564.135625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 434176
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00c42000
success 0 0
1619881569.338625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab2000
success 0 0
1619881569.370625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab3000
success 0 0
1619881569.370625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab4000
success 0 0
1619881569.401625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab5000
success 0 0
1619881569.588625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b5000
success 0 0
1619881569.604625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab6000
success 0 0
1619881569.620625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab7000
success 0 0
1619881569.620625
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab9000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00c40000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00c40000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00c40000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00c40000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00c40000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
1619881569.620625
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00cac000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description bff4cd6b5bbf350b720a87be4e3f21f3.exe tried to sleep 127 seconds, actually delayed analysis time by 127 seconds
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\qpzQTtX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2735.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qpzQTtX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2735.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619881605.151625
ShellExecuteExW
parameters: /Create /TN "Updates\qpzQTtX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2735.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.9995889011726184 section {'size_of_data': '0x00069e00', 'virtual_address': '0x00002000', 'entropy': 7.9995889011726184, 'name': '5\r2&\\x7fr\\x14_', 'virtual_size': '0x00069d9c'} description A section with a high entropy has been found
entropy 0.8239299610894941 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619881564.120625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619881625.057375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619881627.995375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2344
process_handle: 0x0000021c
failed 0 0
1619881627.995375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2344
process_handle: 0x0000021c
failed 3221225738 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\qpzQTtX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2735.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qpzQTtX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2735.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619881612.385625
NtAllocateVirtualMemory
process_identifier: 2188
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000e6c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2735.tmp
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619881612.385625
WriteProcessMemory
process_identifier: 2188
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèrÝ^à dþ  @ à@…¬O À  H.textb d `.rsrc f@@.reloc Àj@B
process_handle: 0x0000e6c0
base_address: 0x00400000
success 1 0
1619881612.401625
WriteProcessMemory
process_identifier: 2188
buffer: €0€HX ¬¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0,FileDescription 0FileVersion0.0.0.0l&InternalNameAPQLJtxYwHkdAoRvEhZDtkstOnYfxJPJb.exe(LegalCopyright t&OriginalFilenameAPQLJtxYwHkdAoRvEhZDtkstOnYfxJPJb.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x0000e6c0
base_address: 0x0044a000
success 1 0
1619881612.401625
WriteProcessMemory
process_identifier: 2188
buffer: € 2
process_handle: 0x0000e6c0
base_address: 0x0044c000
success 1 0
1619881612.401625
WriteProcessMemory
process_identifier: 2188
buffer: @
process_handle: 0x0000e6c0
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619881612.385625
WriteProcessMemory
process_identifier: 2188
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèrÝ^à dþ  @ à@…¬O À  H.textb d `.rsrc f@@.reloc Àj@B
process_handle: 0x0000e6c0
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2344 called NtSetContextThread to modify thread in remote process 2188
Time & API Arguments Status Return Repeated
1619881612.401625
NtSetContextThread
thread_handle: 0x00010540
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4489726
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2188
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2344 resumed a thread in remote process 2188
Time & API Arguments Status Return Repeated
1619881612.463625
NtResumeThread
thread_handle: 0x00010540
suspend_count: 1
process_identifier: 2188
success 0 0
Executed a process and injected code into it, probably while unpacking (17 个事件)
Time & API Arguments Status Return Repeated
1619881563.354625
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2344
success 0 0
1619881563.417625
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2344
success 0 0
1619881570.026625
NtResumeThread
thread_handle: 0x00001ef0
suspend_count: 1
process_identifier: 2344
success 0 0
1619881570.042625
NtResumeThread
thread_handle: 0x0000d76c
suspend_count: 1
process_identifier: 2344
success 0 0
1619881605.151625
CreateProcessInternalW
thread_identifier: 284
thread_handle: 0x00008a14
process_identifier: 192
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qpzQTtX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp2735.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00003b5c
inherit_handles: 0
success 1 0
1619881612.323625
CreateProcessInternalW
thread_identifier: 1564
thread_handle: 0x00010540
process_identifier: 2188
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bff4cd6b5bbf350b720a87be4e3f21f3.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\bff4cd6b5bbf350b720a87be4e3f21f3.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000e6c0
inherit_handles: 0
success 1 0
1619881612.385625
NtGetContextThread
thread_handle: 0x00010540
success 0 0
1619881612.385625
NtAllocateVirtualMemory
process_identifier: 2188
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000e6c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619881612.385625
WriteProcessMemory
process_identifier: 2188
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèrÝ^à dþ  @ à@…¬O À  H.textb d `.rsrc f@@.reloc Àj@B
process_handle: 0x0000e6c0
base_address: 0x00400000
success 1 0
1619881612.385625
WriteProcessMemory
process_identifier: 2188
buffer:
process_handle: 0x0000e6c0
base_address: 0x00402000
success 1 0
1619881612.401625
WriteProcessMemory
process_identifier: 2188
buffer: €0€HX ¬¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0,FileDescription 0FileVersion0.0.0.0l&InternalNameAPQLJtxYwHkdAoRvEhZDtkstOnYfxJPJb.exe(LegalCopyright t&OriginalFilenameAPQLJtxYwHkdAoRvEhZDtkstOnYfxJPJb.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x0000e6c0
base_address: 0x0044a000
success 1 0
1619881612.401625
WriteProcessMemory
process_identifier: 2188
buffer: € 2
process_handle: 0x0000e6c0
base_address: 0x0044c000
success 1 0
1619881612.401625
WriteProcessMemory
process_identifier: 2188
buffer: @
process_handle: 0x0000e6c0
base_address: 0x7efde008
success 1 0
1619881612.401625
NtSetContextThread
thread_handle: 0x00010540
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4489726
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2188
success 0 0
1619881612.463625
NtResumeThread
thread_handle: 0x00010540
suspend_count: 1
process_identifier: 2188
success 0 0
1619881612.635375
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2188
success 0 0
1619881612.635375
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2188
success 0 0
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34002055
FireEye Generic.mg.bff4cd6b5bbf350b
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Trojan.GenericKD.34002055
Cylance Unsafe
K7AntiVirus Trojan ( 0056a6951 )
Alibaba TrojanPSW:MSIL/Agensla.0325716a
K7GW Trojan ( 0056a6951 )
Cybereason malicious.2d2ebf
Arcabit Trojan.Generic.D206D487
Cyren W32/MSIL_Kryptik.AWJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.34002055
NANO-Antivirus Trojan.Win32.Agensla.hosgoo
Paloalto generic.ml
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKD.34002055
Sophos Mal/Generic-S
Comodo Malware@#17tk8pzvgwbm4
F-Secure Trojan.TR/Kryptik.svglo
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0DJT20
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Emsisoft Trojan.GenericKD.34002055 (B)
SentinelOne Static AI - Malicious PE
Avira TR/Kryptik.svglo
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Gridinsoft Trojan.Heur!.03013281
Microsoft Trojan:MSIL/AgentTesla.E!MTB
AegisLab Trojan.MSIL.Agensla.i!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.34002055
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R339940
Acronis suspicious
McAfee Fareit-FUP!BFF4CD6B5BBF
MAX malware (ai score=81)
VBA32 CIL.HeapOverride.Heur
Malwarebytes Trojan.Crypt
ESET-NOD32 a variant of MSIL/Kryptik.WFL
TrendMicro-HouseCall TROJ_GEN.R03BC0DJT20
Yandex Trojan.Kryptik!gGAqZgK1l88
Ikarus Trojan.MSIL.Inject
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.WFL!tr
BitDefenderTheta Gen:NN.ZemsilF.34670.Gu0@aSnmd1e
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-06-10 06:15:17

Imports

Library mscoree.dll:
0x486000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 55369 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.