SmartHawk

1.6

低危

1 个模型检测该样本为恶意！

重新分析

下载样本

3b0d74878fae800ca830d5c71f7d28da9e77360a95c432bf0125fcedaba0a9a9

c3a2ca3abd463d90b88017e2a0374191.exe

分析耗时

15s

查杀引擎	查杀时间	查杀版本
Alibaba	20190527	0.3.0.5
Baidu	20190318	1.0.0.2
Kingsoft	20191122	2013.8.14.323
McAfee	20191121	6.0.6.653
Tencent	20191122	1.0.0.1
Avast	20191122	18.4.3895.0
CrowdStrike	20190702	1.0

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-10-24 03:52:40

Imports

Library fwpkclnt.sys:

• 0x40d038 FwpmTransactionCommit0

• 0x40d03c FwpmTransactionAbort0

• 0x40d040 FwpmProviderAdd0

• 0x40d044 FwpmProviderContextDeleteByKey0

• 0x40d048 FwpmSubLayerAdd0

• 0x40d04c FwpmSubLayerDeleteByKey0

• 0x40d050 FwpmSubLayerCreateEnumHandle0

• 0x40d054 FwpmSubLayerEnum0

• 0x40d058 FwpmSubLayerDestroyEnumHandle0

• 0x40d05c FwpmCalloutAdd0

• 0x40d060 FwpmFilterAdd0

• 0x40d064 FwpsFlowAbort0

• 0x40d068 FwpsInjectionHandleCreate0

• 0x40d06c FwpsInjectionHandleDestroy0

• 0x40d070 FwpsAllocateNetBufferAndNetBufferList0

• 0x40d074 FwpsFreeNetBufferList0

• 0x40d078 FwpmTransactionBegin0

• 0x40d07c FwpsInjectNetworkSendAsync0

• 0x40d080 FwpsConstructIpHeaderForTransportPacket0

• 0x40d084 FwpsInjectTransportSendAsync0

• 0x40d088 FwpsInjectTransportReceiveAsync0

• 0x40d08c FwpsInjectNetworkReceiveAsync0

• 0x40d090 FwpsStreamInjectAsync0

• 0x40d094 FwpsCopyStreamDataToBuffer0

• 0x40d098 FwpmBfeStateGet0

• 0x40d09c FwpmBfeStateSubscribeChanges0

• 0x40d0a0 FwpmBfeStateUnsubscribeChanges0

• 0x40d0a4 FwpsFlowRemoveContext0

• 0x40d0a8 FwpsCompleteClassify0

• 0x40d0ac FwpsRedirectHandleDestroy0

• 0x40d0b0 FwpsCloneStreamData0

• 0x40d0b4 FwpsDiscardClonedStreamData0

• 0x40d0b8 FwpmEngineClose0

• 0x40d0bc FwpmEngineOpen0

• 0x40d0c0 FwpmFreeMemory0

• 0x40d0c4 FwpsRedirectHandleCreate0

• 0x40d0c8 FwpsQueryPacketInjectionState0

• 0x40d0cc FwpsApplyModifiedLayerData0

• 0x40d0d0 FwpsAcquireWritableLayerDataPointer0

• 0x40d0d4 FwpsReleaseClassifyHandle0

• 0x40d0d8 FwpsFlowAssociateContext0

• 0x40d0dc FwpsAcquireClassifyHandle0

• 0x40d0e0 FwpsCalloutUnregisterByKey0

• 0x40d0e4 FwpsPendClassify0

• 0x40d0e8 FwpsCalloutRegister1

• 0x40d0ec FwpsFreeCloneNetBufferList0

Library NDIS.SYS:

• 0x40d010 NdisAllocateNetBufferListPool

• 0x40d014 NdisWaitEvent

• 0x40d018 NdisInitializeEvent

• 0x40d01c NdisFreeGenericObject

• 0x40d020 NdisAllocateGenericObject

• 0x40d024 NdisGetDataBuffer

• 0x40d028 NdisAdvanceNetBufferDataStart

• 0x40d02c NdisRetreatNetBufferDataStart

• 0x40d030 NdisFreeNetBufferListPool

Library ntoskrnl.exe:

• 0x40d0f4 memset

• 0x40d0f8 RtlInitUnicodeString

• 0x40d0fc MmGetSystemRoutineAddress

• 0x40d100 RtlAppendUnicodeToString

• 0x40d104 RtlCreateSecurityDescriptor

• 0x40d108 RtlSetDaclSecurityDescriptor

• 0x40d10c KeInitializeEvent

• 0x40d110 KeSetEvent

• 0x40d114 KeWaitForSingleObject

• 0x40d118 KeInitializeSpinLock

• 0x40d11c ExFreePoolWithTag

• 0x40d120 InterlockedPopEntrySList

• 0x40d124 InterlockedPushEntrySList

• 0x40d128 ExInitializeNPagedLookasideList

• 0x40d12c ExDeleteNPagedLookasideList

• 0x40d130 MmBuildMdlForNonPagedPool

• 0x40d134 MmMapLockedPagesSpecifyCache

• 0x40d138 MmUnmapLockedPages

• 0x40d13c MmAllocatePagesForMdl

• 0x40d140 MmFreePagesFromMdl

• 0x40d144 PsCreateSystemThread

• 0x40d148 PsTerminateSystemThread

• 0x40d14c IoAllocateMdl

• 0x40d150 IofCompleteRequest

• 0x40d154 IoCreateDevice

• 0x40d158 IoCreateSymbolicLink

• 0x40d15c IoDeleteDevice

• 0x40d160 IoDeleteSymbolicLink

• 0x40d164 IoFreeMdl

• 0x40d168 IoReleaseCancelSpinLock

• 0x40d16c ObReferenceObjectByHandle

• 0x40d170 ObfDereferenceObject

• 0x40d174 ZwClose

• 0x40d178 ZwOpenKey

• 0x40d17c ZwQueryValueKey

• 0x40d180 PsGetCurrentProcessId

• 0x40d184 ZwSetInformationThread

• 0x40d188 RtlLengthSid

• 0x40d18c RtlCreateAcl

• 0x40d190 RtlAddAccessAllowedAce

• 0x40d194 PsLookupProcessByProcessId

• 0x40d198 ObOpenObjectByPointer

• 0x40d19c ZwSetSecurityObject

• 0x40d1a0 memcmp

• 0x40d1a4 SeExports

• 0x40d1a8 RtlGetVersion

• 0x40d1ac KeQuerySystemTime

• 0x40d1b0 _allmul

• 0x40d1b4 _aulldiv

• 0x40d1b8 _aullrem

• 0x40d1bc RtlUnwind

• 0x40d1c0 memcpy

• 0x40d1c4 swprintf_s

• 0x40d1c8 ExAllocatePoolWithTag

• 0x40d1cc ExUuidCreate

Library HAL.dll:

• 0x40d000 KeReleaseInStackQueuedSpinLock

• 0x40d004 KeGetCurrentIrql

• 0x40d008 KeAcquireInStackQueuedSpinLock

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	60124	239.255.255.250	3702
192.168.56.101	63434	239.255.255.250	1900
192.168.56.101	53657	8.8.8.8	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.

host	151.139.128.14
host	172.217.24.14
host	52.218.96.60