SmartHawk

4.6

中危

3 个模型检测该样本为恶意！

重新分析

下载样本

b1b12b782636287a982db460f3dea1fdff44fe419289a63f8255095fc0cfa439

ca95d43ef327568426b5fb33df9b3fb4.exe

分析耗时

99s

最近分析

文件大小

7.8MB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
McAfee	20210414	6.0.6.653
Alibaba	20190527	0.3.0.5
Baidu	20190318	1.0.0.2
Avast	20210414	21.1.5827.0
Kingsoft	20210414	2017.9.26.565
Tencent	20210414	1.0.0.1
CrowdStrike	20210203	1.0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619906195.050271 IsDebuggerPresent		failed	0	0

This executable has a PDB path (1 个事件)

pdb_path

wextract.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

AVI

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:450050655&cup2hreq=43bbe7b76f27afde442ddc428cc9e4dcf8c6dbdbc179a59ffc91644b6992eb2c

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7ab356811ecb5ec8&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:450050655&cup2hreq=43bbe7b76f27afde442ddc428cc9e4dcf8c6dbdbc179a59ffc91644b6992eb2c

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:450050655&cup2hreq=43bbe7b76f27afde442ddc428cc9e4dcf8c6dbdbc179a59ffc91644b6992eb2c

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 个事件)

Cybereason	malicious.166521
Sophos	ML/PE-A
APEX	Malicious

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.998384892681948

section

{'size_of_data': '0x007b6e00', 'virtual_address': '0x0000f000', 'entropy': 7.998384892681948, 'name': '.rsrc', 'virtual_size': '0x007b7000'}

description

A section with a high entropy has been found

entropy

0.9948992443324937

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.27.142:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2014-10-31 13:12:41

Imports

Library ADVAPI32.dll:

• 0x14000d000 OpenProcessToken

• 0x14000d008 GetTokenInformation

• 0x14000d010 RegSetValueExA

• 0x14000d018 EqualSid

• 0x14000d020 RegQueryValueExA

• 0x14000d028 LookupPrivilegeValueA

• 0x14000d030 RegCreateKeyExA

• 0x14000d038 RegOpenKeyExA

• 0x14000d040 RegQueryInfoKeyA

• 0x14000d048 RegDeleteValueA

• 0x14000d050 AllocateAndInitializeSid

• 0x14000d058 FreeSid

• 0x14000d060 AdjustTokenPrivileges

• 0x14000d068 RegCloseKey

Library KERNEL32.dll:

• 0x14000d0c0 GetPrivateProfileIntA

• 0x14000d0c8 GetFileAttributesA

• 0x14000d0d0 IsDBCSLeadByte

• 0x14000d0d8 GetSystemDirectoryA

• 0x14000d0e0 GlobalUnlock

• 0x14000d0e8 GetShortPathNameA

• 0x14000d0f0 CreateDirectoryA

• 0x14000d0f8 FindFirstFileA

• 0x14000d100 GetLastError

• 0x14000d108 GetProcAddress

• 0x14000d110 RemoveDirectoryA

• 0x14000d118 SetFileAttributesA

• 0x14000d120 GlobalFree

• 0x14000d128 FindClose

• 0x14000d130 GetPrivateProfileStringA

• 0x14000d138 LoadLibraryA

• 0x14000d140 LocalAlloc

• 0x14000d148 WritePrivateProfileStringA

• 0x14000d150 GetModuleFileNameA

• 0x14000d158 FindNextFileA

• 0x14000d160 CompareStringA

• 0x14000d168 _lopen

• 0x14000d170 CloseHandle

• 0x14000d178 LocalFree

• 0x14000d180 DeleteFileA

• 0x14000d188 ExitProcess

• 0x14000d190 DosDateTimeToFileTime

• 0x14000d198 CreateFileA

• 0x14000d1a0 FindResourceA

• 0x14000d1a8 SetFilePointer

• 0x14000d1b0 GlobalAlloc

• 0x14000d1b8 ExpandEnvironmentStringsA

• 0x14000d1c0 WaitForSingleObject

• 0x14000d1c8 SetEvent

• 0x14000d1d0 GetModuleHandleW

• 0x14000d1d8 FormatMessageA

• 0x14000d1e0 SetFileTime

• 0x14000d1e8 WriteFile

• 0x14000d1f0 GetDriveTypeA

• 0x14000d1f8 GetVolumeInformationA

• 0x14000d200 TerminateThread

• 0x14000d208 SizeofResource

• 0x14000d210 CreateEventA

• 0x14000d218 GetExitCodeProcess

• 0x14000d220 CreateProcessA

• 0x14000d228 ReadFile

• 0x14000d230 SetCurrentDirectoryA

• 0x14000d238 _llseek

• 0x14000d240 ResetEvent

• 0x14000d248 LockResource

• 0x14000d250 GetSystemInfo

• 0x14000d258 LoadLibraryExA

• 0x14000d260 CreateMutexA

• 0x14000d268 GetCurrentDirectoryA

• 0x14000d270 GetVersionExA

• 0x14000d278 GetVersion

• 0x14000d280 GetTempPathA

• 0x14000d288 CreateThread

• 0x14000d290 LocalFileTimeToFileTime

• 0x14000d298 Sleep

• 0x14000d2a0 FreeResource

• 0x14000d2a8 GetWindowsDirectoryA

• 0x14000d2b0 lstrcmpA

• 0x14000d2b8 _lclose

• 0x14000d2c0 GlobalLock

• 0x14000d2c8 GetCurrentProcess

• 0x14000d2d0 LoadResource

• 0x14000d2d8 FreeLibrary

• 0x14000d2e0 GetStartupInfoW

• 0x14000d2e8 RtlCaptureContext

• 0x14000d2f0 RtlLookupFunctionEntry

• 0x14000d2f8 RtlVirtualUnwind

• 0x14000d300 UnhandledExceptionFilter

• 0x14000d308 SetUnhandledExceptionFilter

• 0x14000d310 TerminateProcess

• 0x14000d318 OutputDebugStringA

• 0x14000d320 QueryPerformanceCounter

• 0x14000d328 GetCurrentProcessId

• 0x14000d330 GetCurrentThreadId

• 0x14000d338 GetSystemTimeAsFileTime

• 0x14000d340 GetTickCount

• 0x14000d348 EnumResourceLanguagesA

• 0x14000d350 MulDiv

• 0x14000d358 GetDiskFreeSpaceA

• 0x14000d360 GetTempFileNameA

Library GDI32.dll:

• 0x14000d0b0 GetDeviceCaps

Library USER32.dll:

• 0x14000d370 SetForegroundWindow

• 0x14000d378 MsgWaitForMultipleObjects

• 0x14000d380 SendDlgItemMessageA

• 0x14000d388 GetWindowLongPtrA

• 0x14000d390 GetWindowRect

• 0x14000d398 GetDC

• 0x14000d3a0 MessageBoxA

• 0x14000d3a8 PeekMessageA

• 0x14000d3b0 ReleaseDC

• 0x14000d3b8 GetDlgItem

• 0x14000d3c0 SetWindowPos

• 0x14000d3c8 ShowWindow

• 0x14000d3d0 SetWindowLongPtrA

• 0x14000d3d8 DispatchMessageA

• 0x14000d3e0 SetWindowTextA

• 0x14000d3e8 EnableWindow

• 0x14000d3f0 CallWindowProcA

• 0x14000d3f8 DialogBoxIndirectParamA

• 0x14000d400 GetDlgItemTextA

• 0x14000d408 LoadStringA

• 0x14000d410 MessageBeep

• 0x14000d418 CharUpperA

• 0x14000d420 CharNextA

• 0x14000d428 ExitWindowsEx

• 0x14000d430 CharPrevA

• 0x14000d438 EndDialog

• 0x14000d440 GetDesktopWindow

• 0x14000d448 SetDlgItemTextA

• 0x14000d450 SendMessageA

• 0x14000d458 GetSystemMetrics

Library msvcrt.dll:

• 0x14000d488 ?terminate@@YAXXZ

• 0x14000d490 _fmode

• 0x14000d498 _acmdln

• 0x14000d4a0 __C_specific_handler

• 0x14000d4a8 _initterm

• 0x14000d4b0 __setusermatherr

• 0x14000d4b8 _ismbblead

• 0x14000d4c0 _cexit

• 0x14000d4c8 memset

• 0x14000d4d0 memcpy

• 0x14000d4d8 _exit

• 0x14000d4e0 exit

• 0x14000d4e8 __set_app_type

• 0x14000d4f0 __getmainargs

• 0x14000d4f8 _amsg_exit

• 0x14000d500 _XcptFilter

• 0x14000d508 _errno

• 0x14000d510 _vsnprintf

• 0x14000d518 _commode

Library COMCTL32.dll:

• 0x14000d078

Library Cabinet.dll:

• 0x14000d088

• 0x14000d090

• 0x14000d098

• 0x14000d0a0

Library VERSION.dll:

• 0x14000d468 GetFileVersionInfoA

• 0x14000d470 GetFileVersionInfoSizeA

• 0x14000d478 VerQueryValueA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
redirector.gvt1.com	A 203.208.41.65	203.208.41.33
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.41.98	203.208.41.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49180	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49181	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49179	203.208.41.65 redirector.gvt1.com	80
192.168.56.101	49178	203.208.41.98 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	58970	114.114.114.114	53
192.168.56.101	60088	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60221	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7ab356811ecb5ec8&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7ab356811ecb5ec8&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7ab356811ecb5ec8&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7ab356811ecb5ec8&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619907615&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.