SmartHawk

4.6

中危

29 个模型检测该样本为恶意！

重新分析

下载样本

b6ef9cfbedc301707801a0393c9a0e799c56bc132e5597ddb4372193d7c3349f

c2efe2bd2a2cc1d473a5b521edfa9b2a.exe

分析耗时

91s

最近分析

文件大小

441.1KB

静态报毒动态报毒 100% AGENERIC AI SCORE=86 ARTEMIS ATTRIBUTE CONFIDENCE GENERIC PUA PF GENERICRI GRAYWARE HIGH CONFIDENCE HIGHCONFIDENCE KILLFILES NSISMOD POTENTIALRISK S14805165 SCORE SUSPICIOUS PE UNSAFE URSU UWASSON 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba		20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast		20200902	18.4.3895.0
Kingsoft		20200903	2013.8.14.323
McAfee	Artemis!C2EFE2BD2A2C	20200902	6.0.6.653
Tencent		20200903	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1620985513.368829 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620985513.743829 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620985513.759829 GetComputerNameW	computer_name: OSKAR-PC	success	1

This executable is signed

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985510.790829 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985512.696829 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00424000	success	0	0
1620995401.138769 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004030000	success	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620995333.669769 GetDiskFreeSpaceExW	root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer free_bytes_available: 19564888064 total_number_of_free_bytes: 0 total_number_of_bytes: 0	success	1	0

Foreign language identified in PE resource (1 个事件)

name

RT_VERSION

language

LANG_CHINESE

offset

0x0004b738

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

size

0x000001cc

Creates executable files on the filesystem (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\小熊日历\卸载软件.lnk
file	C:\Program Files (x86)\xxrl\xxrl.exe
file	C:\Users\Administrator.Oskar-PC\Desktop\小熊日历.lnk
file	C:\Program Files (x86)\xxrl\uninst.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\小熊日历\小熊日历.lnk

Creates a shortcut to an executable file (3 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\小熊日历\卸载软件.lnk
file	C:\Users\Administrator.Oskar-PC\Desktop\小熊日历.lnk
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\小熊日历\小熊日历.lnk

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Ursu.836710
FireEye	Generic.mg.c2efe2bd2a2cc1d4
CAT-QuickHeal	Trojan.GenericRI.S14805165
Qihoo-360	Generic/Trojan.e0c
ALYac	Gen:Variant.Ursu.836710
Cylance	Unsafe
Sangfor	Malware
Arcabit	Trojan.Ursu.DCC466
Invincea	Generic PUA PF (PUA)
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
BitDefender	Gen:Variant.Ursu.836710
Ad-Aware	Gen:Variant.Ursu.836710
F-Secure	PotentialRisk.PUA/NsisMod.Gen
DrWeb	Trojan.KillFiles.62557
Sophos	Generic PUA PF (PUA)
SentinelOne	DFI - Suspicious PE
Webroot	W32.Adware.Gen
Avira	PUA/NsisMod.Gen
Antiy-AVL	GrayWare[AdWare]/Win32.AGeneric
Microsoft	Program:Win32/Uwasson.A!ml
GData	Gen:Variant.Ursu.836710
Cynet	Malicious (score: 100)
McAfee	Artemis!C2EFE2BD2A2C
MAX	malware (ai score=86)
Ikarus	Trojan-Dropper.Win32.Generic
eGambit	Unsafe.AI_Score_99%
CrowdStrike	win/malicious_confidence_100% (D)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2014-03-29 17:41:59

Imports

Library KERNEL32.dll:

• 0x40805c GlobalLock

• 0x408060 GlobalAlloc

• 0x408064 CloseHandle

• 0x408068 SetFileTime

• 0x40806c CompareFileTime

• 0x408070 SearchPathA

• 0x408074 GetShortPathNameA

• 0x408078 GetFullPathNameA

• 0x40807c MoveFileA

• 0x408080 SetCurrentDirectoryA

• 0x408084 GetFileAttributesA

• 0x408088 GetLastError

• 0x40808c CreateDirectoryA

• 0x408090 SetFileAttributesA

• 0x408094 Sleep

• 0x408098 GetTickCount

• 0x40809c GetFileSize

• 0x4080a0 GetModuleFileNameA

• 0x4080a4 GetCurrentProcess

• 0x4080a8 CopyFileA

• 0x4080ac ExitProcess

• 0x4080b0 GlobalUnlock

• 0x4080b4 GetTempPathA

• 0x4080b8 GetCommandLineA

• 0x4080bc SetErrorMode

• 0x4080c0 lstrcpyA

• 0x4080c4 lstrcpynA

• 0x4080c8 lstrcatA

• 0x4080cc LoadLibraryA

• 0x4080d0 lstrlenA

• 0x4080d4 WideCharToMultiByte

• 0x4080d8 VirtualAlloc

• 0x4080dc VirtualProtect

• 0x4080e0 GetDiskFreeSpaceA

• 0x4080e4 CreateThread

• 0x4080e8 CreateProcessA

• 0x4080ec RemoveDirectoryA

• 0x4080f0 CreateFileA

• 0x4080f4 GetTempFileNameA

• 0x4080f8 GetSystemDirectoryA

• 0x4080fc GetVersion

• 0x408100 lstrcmpiA

• 0x408104 lstrcmpA

• 0x408108 ExpandEnvironmentStringsA

• 0x40810c GlobalFree

• 0x408110 WaitForSingleObject

• 0x408114 GetExitCodeProcess

• 0x408118 GetModuleHandleA

• 0x40811c LoadLibraryExA

• 0x408120 GetProcAddress

• 0x408124 FreeLibrary

• 0x408128 MulDiv

• 0x40812c MultiByteToWideChar

• 0x408130 WritePrivateProfileStringA

• 0x408134 GetPrivateProfileStringA

• 0x408138 WriteFile

• 0x40813c ReadFile

• 0x408140 SetFilePointer

• 0x408144 FindClose

• 0x408148 FindNextFileA

• 0x40814c FindFirstFileA

• 0x408150 DeleteFileA

• 0x408154 GlobalSize

• 0x408158 GetWindowsDirectoryA

Library USER32.dll:

• 0x40817c SetClassLongA

• 0x408180 IsWindowEnabled

• 0x408184 GetSysColor

• 0x408188 GetWindowLongA

• 0x40818c SetCursor

• 0x408190 LoadCursorA

• 0x408194 CheckDlgButton

• 0x408198 GetMessagePos

• 0x40819c LoadBitmapA

• 0x4081a0 CallWindowProcA

• 0x4081a4 IsWindowVisible

• 0x4081a8 CloseClipboard

• 0x4081ac SetClipboardData

• 0x4081b0 EmptyClipboard

• 0x4081b4 OpenClipboard

• 0x4081b8 TrackPopupMenu

• 0x4081bc GetSystemMenu

• 0x4081c0 CreatePopupMenu

• 0x4081c4 GetSystemMetrics

• 0x4081c8 SetDlgItemTextA

• 0x4081cc GetDlgItemTextA

• 0x4081d0 MessageBoxIndirectA

• 0x4081d4 CharPrevA

• 0x4081d8 DispatchMessageA

• 0x4081dc PeekMessageA

• 0x4081e0 RegisterClassA

• 0x4081e4 DialogBoxParamA

• 0x4081e8 CharNextA

• 0x4081ec ExitWindowsEx

• 0x4081f0 DestroyWindow

• 0x4081f4 CreateDialogParamA

• 0x4081f8 SetTimer

• 0x4081fc SetWindowTextA

• 0x408200 EnableMenuItem

• 0x408204 GetWindowRect

• 0x408208 ScreenToClient

• 0x40820c SetWindowPos

• 0x408210 EndDialog

• 0x408214 AppendMenuA

• 0x408218 GetClassInfoA

• 0x40821c PostQuitMessage

• 0x408220 SetForegroundWindow

• 0x408224 ShowWindow

• 0x408228 wsprintfA

• 0x40822c FindWindowExA

• 0x408230 IsWindow

• 0x408234 GetDlgItem

• 0x408238 SetWindowLongA

• 0x40823c GetClientRect

• 0x408240 LoadImageA

• 0x408244 GetDC

• 0x408248 EnableWindow

• 0x40824c InvalidateRect

• 0x408250 SendMessageA

• 0x408254 SendMessageTimeoutA

Library GDI32.dll:

• 0x40803c SetBkMode

• 0x408040 SetBkColor

• 0x408044 CreateBrushIndirect

• 0x408048 DeleteObject

• 0x40804c GetDeviceCaps

• 0x408050 SetTextColor

• 0x408054 CreateFontIndirectA

Library SHELL32.dll:

• 0x408160 SHGetPathFromIDListA

• 0x408164 SHBrowseForFolderA

• 0x408168 SHGetFileInfoA

• 0x40816c ShellExecuteA

• 0x408170 SHFileOperationA

• 0x408174 SHGetSpecialFolderLocation

Library ADVAPI32.dll:

• 0x408000 RegSetValueExA

• 0x408004 RegCreateKeyExA

• 0x408008 RegQueryValueExA

• 0x40800c RegEnumKeyA

• 0x408010 RegOpenKeyExA

• 0x408014 RegDeleteKeyA

• 0x408018 RegDeleteValueA

• 0x40801c RegEnumValueA

• 0x408020 RegCloseKey

Library COMCTL32.dll:

• 0x408028 ImageList_AddMasked

• 0x40802c ImageList_Destroy

• 0x408030

• 0x408034 ImageList_Create

Library ole32.dll:

• 0x40826c CLSIDFromString

• 0x408270 OleInitialize

• 0x408274 OleUninitialize

• 0x408278 CoTaskMemFree

• 0x40827c StringFromGUID2

• 0x408280 CoCreateInstance

Library VERSION.dll:

• 0x40825c GetFileVersionInfoA

• 0x408260 VerQueryValueA

• 0x408264 GetFileVersionInfoSizeA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	51963	8.8.8.8	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.