11.4
0-day

SHA256: 56839b17d875d76878a594fafa8e4ea0a8185391d43c6fcac8d500eb7baf6ebe
File name: c16164778ab8a0260ea9f79fd09e15b1.exe (a 32-hex-digit name; the same prefix appears in the MD5-based McAfee and FireEye detection names below)
Analysis duration: 95s
Latest analysis:
File size: 851.5KB
Detection-name tags (static and dynamic): 1M0@ACUMYAD A VARIANT OF GENERIK AGENTTESLA AI SCORE=80 AVSARHER BSK66A CONFIDENCE CRYPTERX ELIHZIY ERJA FAREIT GDSDA GENERICKDZ GENKRYPTIK HIDDENTEAR HIGH CONFIDENCE HJZZ HUYMQF MALWARE@#2LUB7ZQL23UT MSILKRYPT QHSSZ QVM03 R06BC0DI220 SCORE SIGGEN2 SWAJ TASKUN TSCOPE UNSAFE WACATAC ZEMSILF
鹰眼引擎 (Eagle Eye engine): not detected (no 鹰眼引擎 result is available for this sample)
Static verdict
Antivirus engines
Engine       Result                             Date      Engine version
McAfee       Fareit-FZD!C16164778AB8            20200925  6.0.6.653
Alibaba      Trojan:MSIL/AgentTesla.6e756370    20190527  0.3.0.5
Baidu        (no detection)                     20190318  1.0.0.2
Avast        Win32:CrypterX-gen [Trj]           20200925  18.4.3895.0
Kingsoft     (no detection)                     20200925  2013.8.14.323
Tencent      Msil.Trojan.Taskun.Swaj            20200925  1.0.0.1
CrowdStrike  win/malicious_confidence_70% (W)   20190702  1.0
Static indicators
In every event table that follows, the "Repeated" column of the original report was 0 for each event and is omitted.
Queries for the computername (1 event)
Time               API               Arguments                Status   Return
1619861654.152003  GetComputerNameW  computer_name: OSKAR-PC  success  1
Checks if process is being debugged by a debugger (21 events)
All 21 events are IsDebuggerPresent calls that returned 0. The status "failed" is simply how the API monitor records a FALSE return value, not an error: every check answered "no debugger". The 17 calls between 1619861638.434249 and 1619861646.434249 arrive at a steady interval of about 0.5 s, i.e. the sample polls for a debugger in a loop rather than checking once.
Time               API                Status  Return
1619861594.856249  IsDebuggerPresent  failed  0  (logged twice)
1619861638.434249  IsDebuggerPresent  failed  0
1619861638.950249  IsDebuggerPresent  failed  0
1619861639.434249  IsDebuggerPresent  failed  0
1619861639.950249  IsDebuggerPresent  failed  0
1619861640.434249  IsDebuggerPresent  failed  0
1619861640.950249  IsDebuggerPresent  failed  0
1619861641.434249  IsDebuggerPresent  failed  0
1619861641.950249  IsDebuggerPresent  failed  0
1619861642.434249  IsDebuggerPresent  failed  0
1619861642.950249  IsDebuggerPresent  failed  0
1619861643.434249  IsDebuggerPresent  failed  0
1619861643.950249  IsDebuggerPresent  failed  0
1619861644.434249  IsDebuggerPresent  failed  0
1619861644.950249  IsDebuggerPresent  failed  0
1619861645.434249  IsDebuggerPresent  failed  0
1619861645.950249  IsDebuggerPresent  failed  0
1619861646.434249  IsDebuggerPresent  failed  0
1619861664.793628  IsDebuggerPresent  failed  0  (logged twice)
Command line console output was observed (1 event)
1619861659.543003  WriteConsoleW  success 1
  buffer: 成功: 成功创建计划任务 "Updates\QtvZUgGOy"。 (schtasks.exe output in the sandbox's Chinese locale: SUCCESS: The scheduled task "Updates\QtvZUgGOy" has successfully been created.)
  console_handle: 0x00000007
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
1619861594.872249  GlobalMemoryStatusEx  success 1
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 123 events shown)
Every call below is made by PID 1940 on its own address space (process_handle 0xffffffff) with protection 64 (PAGE_EXECUTE_READWRITE); stack_dep_bypass and stack_pivoted are 0 throughout. The Size column is region_size for NtAllocateVirtualMemory and length for NtProtectVirtualMemory. Return 3221225550 is NTSTATUS 0xC000004E (STATUS_SECTION_PROTECTION): the target pages belong to a mapped section whose initial protection does not allow the requested one, so those four protection changes did not take effect. The long run of 4096-byte MEM_COMMIT calls flagged heap_dep_bypass 1 is consistent with a managed runtime committing pages for JIT-compiled code, which on a .NET sample (see the mscoree.dll import at the end of the report) is weak signal by itself. The three failed 8-byte changes at 0x061e0178, 0x061e01a0 and 0x061e01c8 are 0x28 (40) bytes apart, the size of an IMAGE_SECTION_HEADER, and three sections (.text, .rsrc, .reloc) is exactly what the image written into the child process later carries; that, together with the failed 586240-byte change at 0x061e0400, suggests the buffer at 0x061e0000 holds the decrypted payload PE being parsed in place before injection.
Time               API                      Size     Allocation type     heap_dep_bypass  Base address  Status   Return
1619861592.997249  NtAllocateVirtualMemory  1572864  8192 (MEM_RESERVE)  0                0x007d0000    success  0
1619861592.997249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00910000    success  0
1619861594.293249  NtAllocateVirtualMemory  1769472  8192 (MEM_RESERVE)  0                0x00c90000    success  0
1619861594.293249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00e00000    success  0
1619861594.325249  NtProtectVirtualMemory   4096     -                   0                0x73b91000    success  0
1619861594.856249  NtAllocateVirtualMemory  983040   8192 (MEM_RESERVE)  0                0x005e0000    success  0
1619861594.856249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00690000    success  0
1619861594.856249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003da000    success  0
1619861594.856249  NtProtectVirtualMemory   8192     -                   0                0x73b92000    success  0
1619861594.856249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003d2000    success  0
1619861595.106249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003e2000    success  0
1619861595.262249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00405000    success  0
1619861595.278249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x0040b000    success  0
1619861595.278249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00407000    success  0
1619861595.512249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003e3000    success  0
1619861595.528249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003ec000    success  0
1619861596.122249  NtAllocateVirtualMemory  8192     4096 (MEM_COMMIT)   1                0x003e4000    success  0
1619861596.137249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003e6000    success  0
1619861596.278249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003e7000    success  0
1619861596.309249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00620000    success  0
1619861596.481249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003fa000    success  0
1619861596.481249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003f7000    success  0
1619861596.622249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003f6000    success  0
1619861596.684249  NtAllocateVirtualMemory  12288    4096 (MEM_COMMIT)   1                0x00621000    success  0
1619861598.418249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00e01000    success  0
1619861632.965249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00624000    success  0
1619861633.184249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003dc000    success  0
1619861633.325249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003e8000    success  0
1619861633.418249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003e9000    success  0
1619861633.418249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x02390000    success  0
1619861633.418249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x02391000    success  0
1619861633.465249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x02392000    success  0
1619861633.465249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00625000    success  0
1619861633.481249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x02393000    success  0
1619861633.481249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x003ed000    success  0
1619861633.497249  NtAllocateVirtualMemory  12288    4096 (MEM_COMMIT)   1                0x00626000    success  0
1619861633.497249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x00629000    success  0
1619861633.731249  NtProtectVirtualMemory   586240   -                   0                0x061e0400    failed   3221225550
1619861637.981249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x0062a000    success  0
1619861637.981249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x0062b000    success  0
1619861638.012249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x0062c000    success  0
1619861638.012249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x0062d000    success  0
1619861638.059249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x0062e000    success  0
1619861638.278249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x02394000    success  0
1619861638.278249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x0062f000    success  0
1619861638.278249  NtAllocateVirtualMemory  4096     4096 (MEM_COMMIT)   1                0x04aa0000    success  0
1619861638.278249  NtAllocateVirtualMemory  8192     4096 (MEM_COMMIT)   1                0x04aa1000    success  0
1619861638.293249  NtProtectVirtualMemory   8        -                   0                0x061e0178    failed   3221225550
1619861638.293249  NtProtectVirtualMemory   8        -                   0                0x061e01a0    failed   3221225550
1619861638.293249  NtProtectVirtualMemory   8        -                   0                0x061e01c8    failed   3221225550
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\QtvZUgGOy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QtvZUgGOy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp"
A process created a hidden window (1 event)
1619861639.122249  ShellExecuteExW  success 1
  filepath: schtasks.exe (filepath_r: schtasks.exe)
  parameters: /Create /TN "Updates\QtvZUgGOy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp"
  show_type: 0 (SW_HIDE, so the console window of schtasks.exe is never shown to the user)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section .text: entropy 7.969233574171909 bits per byte (the maximum is 8.0), size_of_data 0x000bbc00 (769,024 bytes), virtual_address 0x00002000, virtual_size 0x000bbb84. A section with a high entropy has been found.
overall: 0.882491186839013. Overall entropy of this PE file is high. This second figure is not an entropy in bits: 769,024 / 0.882491 is 871,424 bytes, which is the 851.5 KB file minus a 512-byte header, so it is the fraction of the file's section data that sits in high-entropy sections. For a .NET executable (the only import is mscoree.dll!_CorExeMain) a .text section at 7.97 bits per byte means the managed code is almost entirely an encrypted or compressed blob that is decrypted at run time; the RWX allocations above and the process-hollowing sequence below are where that payload surfaces.
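The two figures above are easy to misread, so here is an added example (written for this page, not the sandbox's own signature code) that computes what they mean: per-section Shannon entropy in bits per byte, and the "overall" number as the fraction of section bytes that live in high-entropy sections. The 6.8 bits/byte and 0.2 thresholds are assumptions modelled on the Cuckoo community packer_entropy signature, and the 102,400-byte size of the non-.text sections is constructed, since the report only gives the .text size; the raw section blobs are constructed too.

```python
"""Per-section Shannon entropy and the 'overall' packer figure printed by the report."""
import math
import random
from collections import Counter

SECTION_THRESHOLD = 6.8   # assumed: per-section entropy (bits/byte) above which a section is flagged
OVERALL_THRESHOLD = 0.2   # assumed: fraction of section data that must be high-entropy to flag the file


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections):
    """sections: list of (name, size_of_data, entropy). Returns both figures the report prints."""
    total = sum(size for _, size, _ in sections)
    high = [(name, size, ent) for name, size, ent in sections if ent > SECTION_THRESHOLD]
    fraction = sum(size for _, size, _ in high) / total if total else 0.0
    return {"high_entropy_sections": [name for name, _, _ in high],
            "overall": fraction,                       # this is what the report calls "overall entropy"
            "packed": bool(high) and fraction > OVERALL_THRESHOLD}


def sections_from_bytes(named_blobs):
    """Build (name, size, entropy) triples from raw section data."""
    return [(name, len(blob), shannon_entropy(blob)) for name, blob in named_blobs]


# Reproducing the report's numbers: .text is 0x000bbc00 bytes at 7.969 bits/byte. The sizes of
# the remaining sections are not on the page; 102,400 bytes is a constructed value chosen so the
# section total is 871,424 (851.5 KB minus a 512-byte header), with a low constructed entropy.
REPORT_SECTIONS = [(".text", 0x000BBC00, 7.969233574171909),
                   (".rsrc+.reloc (constructed)", 102400, 3.5)]

# Constructed raw sections: a pseudo-random blob (what a crypter's payload looks like) next to a
# mostly-zero blob (what padding or uninitialised data looks like).
_rng = random.Random(1337)
CONSTRUCTED = [("packed", bytes(_rng.getrandbits(8) for _ in range(65536))),
               ("padding", b"\x00" * 60000 + bytes(range(256)) * 16)]


if __name__ == "__main__":
    print("report figures:", packer_indicators(REPORT_SECTIONS))
    for name, size, ent in sections_from_bytes(CONSTRUCTED):
        print("%-8s %6d bytes  %.3f bits/byte" % (name, size, ent))
    print("constructed:", packer_indicators(sections_from_bytes(CONSTRUCTED)))
```

With a real file, feed each section's name, SizeOfRawData and raw bytes into sections_from_bytes. A value above roughly 7.9 on a section that should hold managed IL, as here, means the assembly body is an opaque blob; the unpacked module then has to be recovered from memory, which is exactly what the WriteProcessMemory buffers later in this report contain.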
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
1619861633.715249  LookupPrivilegeValueW  success 1
  system_name: (empty, i.e. the local system)
  privilege_name: SeDebugPrivilege
  This call only resolves the privilege's LUID; the AdjustTokenPrivileges call that would actually enable it is not among the events shown.
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\QtvZUgGOy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QtvZUgGOy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp"
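The scheduled-task creation is the sample's persistence step. As an added example (mine, not code from the report or the sample), the following Python parses schtasks.exe command lines and flags the pattern seen here: a /Create that imports its definition from an /XML file in a Temp directory with a GetTempFileName-style tmpXXXX.tmp name, into a task folder outside Microsoft\. The benign third command line in the sample set is constructed for contrast, and the two-reason cut-off is my own choice.

```python
"""Triage schtasks.exe command lines for the import-from-temp-XML persistence pattern."""
import ntpath
import re

# Constructed sample set: the two command lines from the report, plus one benign
# invocation (not from the report) to show the scorer saying no.
SAMPLE_CMDLINES = [
    r'schtasks.exe /Create /TN "Updates\QtvZUgGOy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QtvZUgGOy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp"',
    r'schtasks.exe /Create /TN "Microsoft\Windows\Backup\Nightly" /SC DAILY /ST 02:00 /TR "C:\Program Files\Backup\backup.exe"',
]

TOKEN = re.compile(r'"[^"]*"|\S+')            # Windows-style split: quoted runs stay whole
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
TMPNAME = re.compile(r"^tmp[0-9a-f]{1,4}\.tmp$", re.I)   # what GetTempFileName("tmp") produces
VALUE_OPTS = ("/tn", "/xml", "/tr", "/sc")


def tokenize(cmdline):
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the options we care about, or None when the command is not schtasks.exe."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() != "schtasks.exe":
        return None
    args = {"exe": toks[0], "create": False, "tn": None, "xml": None, "tr": None, "sc": None}
    i = 1
    while i < len(toks):
        opt = toks[i].lower()
        if opt == "/create":
            args["create"] = True
        elif opt in VALUE_OPTS and i + 1 < len(toks):
            args[opt[1:]] = toks[i + 1]
            i += 1
        i += 1
    return args


def assess(cmdline):
    """Verdict plus the reasons behind it; two or more reasons make it suspicious (my cut-off)."""
    args = parse_schtasks(cmdline)
    if args is None or not args["create"]:
        return {"suspicious": False, "reasons": [], "args": args}
    reasons = []
    if args["xml"]:
        low = args["xml"].lower()
        if any(d in low for d in TEMP_DIRS):
            reasons.append("task definition imported from a Temp directory")
        if TMPNAME.match(ntpath.basename(args["xml"])):
            reasons.append("XML file carries a GetTempFileName-style name (tmpXXXX.tmp)")
    if args["tn"] and not args["tn"].lower().startswith("microsoft\\"):
        reasons.append("task registered outside the Microsoft\\ folder tree")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "args": args}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        verdict = assess(line)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["args"]["tn"], verdict["reasons"])
```

On a live host the imported XML is gone (the report's "Deletes executed files from disk" indicator covers tmp33F7.tmp), but the Task Scheduler keeps its own copy of the definition under %SystemRoot%\System32\Tasks\Updates\QtvZUgGOy and registers the task under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\QtvZUgGOy; with "Audit Other Object Access Events" enabled, Security event 4698 also records the full task XML at creation time.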
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 113.108.239.196
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
1619861646.122249  NtAllocateVirtualMemory  success 0
  process_identifier: 2812 (process_handle 0x000112a4), base_address 0x00400000, region_size 368640 (0x5a000), allocation_type 12288 (MEM_COMMIT|MEM_RESERVE), protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp
Potential code injection by writing to the memory of another process (4 events)
All four are WriteProcessMemory calls into PID 2812 through process_handle 0x000112a4, each returning success 1. The report renders only the printable bytes of each buffer.
1619861646.122249  base_address 0x00400000  buffer: PE image headers (starts "MZ", DOS stub "This program cannot be run in DOS mode", section table naming .text, .rsrc and .reloc)
1619861646.137249  base_address 0x00456000  buffer: resource data: VS_VERSION_INFO (FileVersion 0.0.0.0, InternalName and OriginalFilename hVpCmsRexvHssSVShoxQAFaDqCvtSeLkm.exe, ProductVersion 0.0.0.0, Assembly Version 0.0.0.0) followed by a stock application manifest (assemblyIdentity name="MyApplication.app" version="1.0.0.0", requestedExecutionLevel level="asInvoker" uiAccess="false")
1619861646.137249  base_address 0x00458000  buffer: rendered as "@  0" (by position, the .reloc section)
1619861646.137249  base_address 0x7efde008  buffer: 4 bytes rendered as "@" (0x40), i.e. the value 0x00400000 in little-endian order. 0x7efde008 is PEB+0x8, the ImageBaseAddress field of the new process's PEB on 32-bit Windows, and 0x7efde000 reappears as EBX in the NtSetContextThread call below.
Code injection by writing an executable or DLL to the memory of another process (1 event)
1619861646.122249  WriteProcessMemory into PID 2812 (process_handle 0x000112a4) at base_address 0x00400000, buffer: the PE image headers listed above  success 1
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection: Process 1940 called NtSetContextThread to modify thread in remote process 2812
1619861646.153249  NtSetContextThread  thread_handle 0x0000d72c  process_identifier 2812  success 0
  registers: eax 4538526 (0x0045409e), ebx 2130567168 (0x7efde000), eip 0, esp 0, ebp 0, edi 0, esi 0, ecx 0, edx 0
  On x86 the first thread of a process created suspended starts with EAX holding the image entry point and EBX holding the PEB address, so this call redirects execution to 0x0045409e, inside the 0x00400000-0x0045a000 region written above, while EBX keeps pointing at the PEB. EIP and ESP reading 0 is consistent with a context block that carries only the integer register set (CONTEXT_INTEGER), the usual pattern in .NET RunPE loaders.
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection: Process 1940 resumed a thread in remote process 2812
1619861646.278249  NtResumeThread  thread_handle 0x0000d72c  suspend_count 1  process_identifier 2812  success 0
Executed a process and injected code into it, probably while unpacking (23 events)
The sequence from 1619861646.122249 onward is the complete injection chain: the sample re-launches its own executable suspended, maps a fresh image over it, patches the PEB and the thread context, and resumes it.
1619861594.856249  NtResumeThread  thread_handle 0x000000d8  suspend_count 1  process_identifier 1940  success 0
1619861594.856249  NtResumeThread  thread_handle 0x0000012c  suspend_count 1  process_identifier 1940  success 0
1619861594.887249  NtResumeThread  thread_handle 0x00000170  suspend_count 1  process_identifier 1940  success 0
1619861637.997249  NtGetContextThread  thread_handle 0x0000012c  success 0
1619861637.997249  NtGetContextThread  thread_handle 0x0000012c  success 0
1619861637.997249  NtResumeThread  thread_handle 0x0000012c  suspend_count 1  process_identifier 1940  success 0
1619861638.418249  NtResumeThread  thread_handle 0x00002eac  suspend_count 1  process_identifier 1940  success 0
1619861638.418249  NtResumeThread  thread_handle 0x00008e64  suspend_count 1  process_identifier 1940  success 0
1619861639.122249  CreateProcessInternalW  success 1
  filepath: C:\Windows\System32\schtasks.exe (filepath_r identical), track 1
  command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QtvZUgGOy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp33F7.tmp"
  current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
  creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
  process_identifier 1244, process_handle 0x0000fcd8, thread_identifier 2516, thread_handle 0x00003378, inherit_handles 0, stack_pivoted 0
1619861646.122249  CreateProcessInternalW  success 1
  filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c16164778ab8a0260ea9f79fd09e15b1.exe (filepath_r identical), track 1
  command_line: "{path}" (the sample's own path: it re-launches itself)
  current_directory: (empty)
  creation_flags: 4 (CREATE_SUSPENDED)
  process_identifier 2812, process_handle 0x000112a4, thread_identifier 2840, thread_handle 0x0000d72c, inherit_handles 0, stack_pivoted 0
1619861646.122249  NtGetContextThread  thread_handle 0x0000d72c  success 0
1619861646.122249  NtAllocateVirtualMemory  process_identifier 2812 (process_handle 0x000112a4)  base_address 0x00400000  region_size 368640  allocation_type 12288 (MEM_COMMIT|MEM_RESERVE)  protection 64 (PAGE_EXECUTE_READWRITE)  stack_dep_bypass 0  stack_pivoted 0  heap_dep_bypass 0  success 0
1619861646.122249  WriteProcessMemory  process_identifier 2812  base_address 0x00400000  buffer: PE image headers ("MZ", DOS stub, section table .text/.rsrc/.reloc)  success 1
1619861646.122249  WriteProcessMemory  process_identifier 2812  base_address 0x00402000  buffer: no printable bytes rendered (by position, the .text section at RVA 0x2000)  success 1
1619861646.137249  WriteProcessMemory  process_identifier 2812  base_address 0x00456000  buffer: resource section (VS_VERSION_INFO with InternalName and OriginalFilename hVpCmsRexvHssSVShoxQAFaDqCvtSeLkm.exe, Assembly Version 0.0.0.0, and the stock MyApplication.app manifest with requestedExecutionLevel asInvoker)  success 1
1619861646.137249  WriteProcessMemory  process_identifier 2812  base_address 0x00458000  buffer: rendered "@  0" (by position, the .reloc section)  success 1
1619861646.137249  WriteProcessMemory  process_identifier 2812  base_address 0x7efde008  buffer: 4 bytes rendered "@" (the new ImageBaseAddress 0x00400000 written into the PEB at offset 0x8)  success 1
1619861646.153249  NtSetContextThread  thread_handle 0x0000d72c  process_identifier 2812  registers: eax 4538526 (0x0045409e, the new entry point), ebx 2130567168 (0x7efde000, the PEB), eip/esp/ebp/edi/esi/ecx/edx 0  success 0
1619861646.278249  NtResumeThread  thread_handle 0x0000d72c  suspend_count 1  process_identifier 2812  success 0
1619861646.278249  NtResumeThread  thread_handle 0x000027f4  suspend_count 1  process_identifier 1940  success 0
1619861664.793628  NtResumeThread  thread_handle 0x000000d8  suspend_count 1  process_identifier 2812  success 0
1619861664.793628  NtResumeThread  thread_handle 0x00000128  suspend_count 1  process_identifier 2812  success 0
1619861664.808628  NtResumeThread  thread_handle 0x0000014c  suspend_count 1  process_identifier 2812  success 0
The last three events carry low-numbered handles and mirror the three NtResumeThread calls the sample itself made at start-up (0x000000d8, 0x0000012c, 0x00000170); they are the hollowed process's own runtime start-up, not further injection. The resource written into it names an Assembly Version, so the injected payload is itself a .NET executable.
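Taken together, the events above are a textbook 32-bit process hollowing (RunPE) of the sample's own image: a suspended re-launch of itself, an RWX allocation at the payload's preferred base 0x00400000, section-by-section WriteProcessMemory calls, a 4-byte write of the new image base into PEB.ImageBaseAddress (PEB+0x8), NtSetContextThread with EAX set to the new entry point, and NtResumeThread. The following is an added example (mine, not the sandbox's signature code) that walks that chain as a per-target-PID state machine over a constructed event list carrying the page's handles, addresses and register values; the buffers are abbreviated stand-ins, because the report renders only printable bytes of what was written.

```python
"""Recognise a process-hollowing (RunPE) chain in sandbox-style API events."""

CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 0x8   # PEB.ImageBaseAddress on 32-bit Windows

# Constructed event list transcribed from the report's PID 1940 -> PID 2812 sequence.
# Handles, addresses, sizes and register values are the page's; the buffers are stand-ins.
EVENTS = [
    {"api": "CreateProcessInternalW", "pid": 2812, "thread": "0x0000d72c", "creation_flags": 4},
    {"api": "NtGetContextThread", "pid": 2812, "thread": "0x0000d72c"},
    {"api": "NtAllocateVirtualMemory", "pid": 2812, "base": 0x00400000, "size": 368640,
     "protection": PAGE_EXECUTE_READWRITE},
    {"api": "WriteProcessMemory", "pid": 2812, "base": 0x00400000,
     "buffer": b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$"},
    {"api": "WriteProcessMemory", "pid": 2812, "base": 0x00402000, "buffer": b"\x00" * 16},
    {"api": "WriteProcessMemory", "pid": 2812, "base": 0x00456000, "buffer": b"VS_VERSION_INFO"},
    {"api": "WriteProcessMemory", "pid": 2812, "base": 0x00458000, "buffer": b"\x00\x40\x00\x00"},
    # The page renders this 4-byte write as "@" (0x40): the image base 0x00400000, little-endian.
    {"api": "WriteProcessMemory", "pid": 2812, "base": 0x7EFDE008,
     "buffer": (0x00400000).to_bytes(4, "little")},
    {"api": "NtSetContextThread", "pid": 2812, "thread": "0x0000d72c",
     "regs": {"eip": 0, "eax": 4538526, "ebx": 2130567168}},
    {"api": "NtResumeThread", "pid": 2812, "thread": "0x0000d72c"},
]

CHAIN = ("suspended-create", "remote-rwx-alloc", "pe-header-write", "context-set", "resume")


def _new_finding():
    return {"stages": [], "rwx": None, "image_base": None, "image_size": 0, "writes": [],
            "entry_point": None, "peb": None, "peb_patched": False, "hollowed": False}


def analyze(events):
    """Group events by target PID and walk the RunPE state machine for each one."""
    findings = {}
    for ev in events:
        f = findings.setdefault(ev["pid"], _new_finding())
        api = ev["api"]
        if api == "CreateProcessInternalW" and ev.get("creation_flags", 0) & CREATE_SUSPENDED:
            f["stages"].append("suspended-create")
        elif api == "NtAllocateVirtualMemory" and ev.get("protection") == PAGE_EXECUTE_READWRITE:
            f["rwx"] = (ev["base"], ev["size"])
            f["stages"].append("remote-rwx-alloc")
        elif api == "WriteProcessMemory":
            buf = ev["buffer"]
            f["writes"].append((ev["base"], buf))
            # A PE image landing at the base of the fresh RWX region is the payload.
            if buf[:2] == b"MZ" and f["rwx"] and ev["base"] == f["rwx"][0]:
                f["image_base"], f["image_size"] = f["rwx"]
                f["stages"].append("pe-header-write")
        elif api == "NtSetContextThread":
            regs = ev["regs"]
            f["stages"].append("context-set")
            # x86 initial-thread convention: EBX = PEB, EAX = entry point (EIP may stay 0).
            f["peb"] = regs.get("ebx")
            base, size = f["image_base"], f["image_size"]
            if base is not None and base <= regs.get("eax", -1) < base + size:
                f["entry_point"] = regs["eax"]
            if f["peb"] is not None:
                f["peb_patched"] = any(
                    addr == f["peb"] + PEB_IMAGE_BASE_OFFSET and len(buf) == 4
                    and int.from_bytes(buf, "little") == base
                    for addr, buf in f["writes"])
        elif api == "NtResumeThread":
            f["stages"].append("resume")
            f["hollowed"] = all(stage in f["stages"] for stage in CHAIN)
    return findings


def describe(f):
    """One-line analyst summary of a finding."""
    if not f["hollowed"]:
        return "no hollowing chain"
    return ("hollowed: image 0x%08x (+0x%x), entry 0x%08x, PEB 0x%08x, ImageBaseAddress patched=%s"
            % (f["image_base"], f["image_size"], f["entry_point"] or 0, f["peb"], f["peb_patched"]))


if __name__ == "__main__":
    for pid, finding in analyze(EVENTS).items():
        print(pid, describe(finding))
```

Run against a full sandbox report, the same walk goes over each process's call list once the argument names are mapped onto the keys used here. The verdict fires only when all five stages land on the same target PID, which keeps ordinary suspended-create-then-resume launches (debuggers, installers, job-object wrappers) out of the alert, and the entry-point and PEB checks give the analyst the two addresses needed to dump the injected module from the child.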
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 of 55 events shown)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69827
FireEye Generic.mg.c16164778ab8a026
CAT-QuickHeal Trojan.MSIL
McAfee Fareit-FZD!C16164778AB8
Malwarebytes Ransom.HiddenTear
VIPRE Trojan.Win32.Generic!BT
SUPERAntiSpyware Trojan.Agent/Gen-Injector
Sangfor Malware
K7AntiVirus Trojan ( 0056d99d1 )
Alibaba Trojan:MSIL/AgentTesla.6e756370
K7GW Trojan ( 0056d99d1 )
Cybereason malicious.7732a3
Arcabit Trojan.Generic.D110C3
Invincea Mal/Generic-S
Cyren W32/Trojan.HJZZ-4717
Symantec Packed.Generic.570
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.MSIL.Taskun.gen
BitDefender Trojan.GenericKDZ.69827
NANO-Antivirus Trojan.Win32.Taskun.huymqf
ViRobot Trojan.Win32.Z.Wacatac.871936.A
Avast Win32:CrypterX-gen [Trj]
Ad-Aware Trojan.GenericKDZ.69827
Emsisoft Trojan.GenericKDZ.69827 (B)
Comodo Malware@#2lub7zql23ut
F-Secure Trojan.TR/PSW.Agent.qhssz
DrWeb Trojan.PWS.Siggen2.54143
Zillya Trojan.Taskun.Win32.451
TrendMicro TROJ_GEN.R06BC0DI220
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Sophos Mal/Generic-S
Avira TR/PSW.Agent.qhssz
Microsoft Trojan:MSIL/AgentTesla.PBM!MTB
AegisLab Trojan.MSIL.Taskun.4!c
ZoneAlarm HEUR:Trojan.MSIL.Taskun.gen
GData Trojan.GenericKDZ.69827
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MSILKrypt.C3337397
BitDefenderTheta Gen:NN.ZemsilF.34254.1m0@aCUmyad
ALYac Trojan.GenericKDZ.69827
MAX malware (ai score=80)
VBA32 TScope.Trojan.MSIL
Cylance Unsafe
ESET-NOD32 a variant of Generik.ELIHZIY
TrendMicro-HouseCall TROJ_GEN.R06BC0DI220
Tencent Msil.Trojan.Taskun.Swaj
Yandex Trojan.AvsArher.bSK66A
Ikarus Trojan.MSIL.Inject
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image: none (no binary visualization was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)

PE Compile Time

2020-08-31 05:33:48

Imports

Library mscoree.dll:
0x402000 _CorExeMain

A single import, mscoree.dll!_CorExeMain, is the import table of every .NET executable: the CLR resolves the real API surface at run time, so nothing about the sample's capabilities can be read from this table. The static picture would have to come from the IL, which here is hidden behind the 7.97-bit .text section noted above.

Hosts

No hosts contacted.

TCP

No TCP connections recorded. (The dead_host entries above mark TCP 443 endpoints that never answered, so no completed connection reached this table.)

UDP

Source          Src port  Destination                       Dst port
192.168.56.101  51378     114.114.114.114                   53
192.168.56.101  51963     114.114.114.114                   53
192.168.56.101  55368     114.114.114.114                   53
192.168.56.101  56539     114.114.114.114                   53
192.168.56.101  60384     114.114.114.114                   53
192.168.56.101  137       192.168.56.255                    137
192.168.56.101  138       192.168.56.255                    138
192.168.56.101  123       20.189.79.72 (time.windows.com)   123
192.168.56.101  49713     224.0.0.252                       5355
192.168.56.101  53237     224.0.0.252                       5355
192.168.56.101  53657     224.0.0.252                       5355
192.168.56.101  56804     224.0.0.252                       5355
192.168.56.101  58367     224.0.0.252                       5355
192.168.56.101  60123     224.0.0.252                       5355
192.168.56.101  62191     224.0.0.252                       5355
192.168.56.101  62318     224.0.0.252                       5355
192.168.56.101  65004     224.0.0.252                       5355
192.168.56.101  1900      239.255.255.250                   1900
192.168.56.101  53658     239.255.255.250                   3702
192.168.56.101  55371     239.255.255.250                   1900

Most of this UDP traffic is the guest's own background chatter: NetBIOS name service (137/138) and LLMNR (5355) name resolution, SSDP and WS-Discovery multicast (1900/3702), and NTP to time.windows.com. Only the five DNS queries to 114.114.114.114 could plausibly be the sample's, and the report does not list the names they resolved, so the two "no DNS query" hosts and the dead 443 endpoints above are the only network leads on this page.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

No dropped files.
No dropped buffers.