8.0
高危
17 个模型检测该样本为恶意!
重新分析
更多

29b787503b14945269c9f26363df5ef94960508830ac83ebcd1946c5779bf20d

cbf66c2dc187804f5e89bd84f3b1d594.exe

分析耗时

129s

最近分析

文件大小

9.1MB
静态报毒 动态报毒 BUNDLELOADER ELDORADO FALCO FALCOBUNDLER FALCOWARE GRAYWARE INSTALLAD INSTALLCORE MBXA RELEVANTKNOWLEDGE UNSAFE VSOK 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20201103 6.0.6.653
Alibaba Downloader:Win32/BundleLoader.6b37c4c0 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:VSok-A [PUP] 20201104 20.10.5736.0
Tencent 20201104 1.0.0.1
Kingsoft 20201104 2013.8.14.323
CrowdStrike 20190702 1.0
静态指标
Queries for the computername (8 个事件)
Time & API Arguments Status Return Repeated
1620999856.185374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620999863.404374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620999864.420374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620999864.748374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620999865.732374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620999866.123374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620999866.560374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620999880.560501
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1620985513.608372
IsDebuggerPresent
failed 0 0
1620999874.998876
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620999875.357876
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)
section .itext
section .didata
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1620999818.060374
__exception__
stacktrace: 
itd_downloadfile-0x1da itdownload+0x2b072 @ 0x3abb072
itd_downloadfile-0xbc5 itdownload+0x2a687 @ 0x3aba687
itd_downloadfile+0x4e itd_downloadfiles-0x62 itdownload+0x2b29a @ 0x3abb29a
TMethodImplementationIntercept+0x12d726 dbkFCallWrapperAddr-0x88b46 cbf66c2dc187804f5e89bd84f3b1d594+0x1ceaf6 @ 0x5ceaf6
TMethodImplementationIntercept+0x12fa41 dbkFCallWrapperAddr-0x8682b cbf66c2dc187804f5e89bd84f3b1d594+0x1d0e11 @ 0x5d0e11
TMethodImplementationIntercept+0x1367af dbkFCallWrapperAddr-0x7fabd cbf66c2dc187804f5e89bd84f3b1d594+0x1d7b7f @ 0x5d7b7f
TMethodImplementationIntercept+0x1283fb dbkFCallWrapperAddr-0x8de71 cbf66c2dc187804f5e89bd84f3b1d594+0x1c97cb @ 0x5c97cb
TMethodImplementationIntercept+0x12716d dbkFCallWrapperAddr-0x8f0ff cbf66c2dc187804f5e89bd84f3b1d594+0x1c853d @ 0x5c853d
TMethodImplementationIntercept+0x18bc41 dbkFCallWrapperAddr-0x2a62b cbf66c2dc187804f5e89bd84f3b1d594+0x22d011 @ 0x62d011
TMethodImplementationIntercept+0x18bce4 dbkFCallWrapperAddr-0x2a588 cbf66c2dc187804f5e89bd84f3b1d594+0x22d0b4 @ 0x62d0b4
TMethodImplementationIntercept+0x19bfd7 dbkFCallWrapperAddr-0x1a295 cbf66c2dc187804f5e89bd84f3b1d594+0x23d3a7 @ 0x63d3a7
TMethodImplementationIntercept+0x1ac1f3 dbkFCallWrapperAddr-0xa079 cbf66c2dc187804f5e89bd84f3b1d594+0x24d5c3 @ 0x64d5c3
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1636816
registers.edi: 63942944
registers.eax: 1636816
registers.ebp: 1636896
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1620999844.545374
__exception__
stacktrace: 
itd_downloadfile-0x1da itdownload+0x2b072 @ 0x3abb072
itd_downloadfile-0xbc5 itdownload+0x2a687 @ 0x3aba687
itd_downloadfile+0x4e itd_downloadfiles-0x62 itdownload+0x2b29a @ 0x3abb29a
TMethodImplementationIntercept+0x12d726 dbkFCallWrapperAddr-0x88b46 cbf66c2dc187804f5e89bd84f3b1d594+0x1ceaf6 @ 0x5ceaf6
TMethodImplementationIntercept+0x12fa41 dbkFCallWrapperAddr-0x8682b cbf66c2dc187804f5e89bd84f3b1d594+0x1d0e11 @ 0x5d0e11
TMethodImplementationIntercept+0x1367af dbkFCallWrapperAddr-0x7fabd cbf66c2dc187804f5e89bd84f3b1d594+0x1d7b7f @ 0x5d7b7f
TMethodImplementationIntercept+0x1283fb dbkFCallWrapperAddr-0x8de71 cbf66c2dc187804f5e89bd84f3b1d594+0x1c97cb @ 0x5c97cb
TMethodImplementationIntercept+0x12716d dbkFCallWrapperAddr-0x8f0ff cbf66c2dc187804f5e89bd84f3b1d594+0x1c853d @ 0x5c853d
TMethodImplementationIntercept+0x18bc41 dbkFCallWrapperAddr-0x2a62b cbf66c2dc187804f5e89bd84f3b1d594+0x22d011 @ 0x62d011
TMethodImplementationIntercept+0x18bce4 dbkFCallWrapperAddr-0x2a588 cbf66c2dc187804f5e89bd84f3b1d594+0x22d0b4 @ 0x62d0b4
TMethodImplementationIntercept+0x19bfd7 dbkFCallWrapperAddr-0x1a295 cbf66c2dc187804f5e89bd84f3b1d594+0x23d3a7 @ 0x63d3a7
TMethodImplementationIntercept+0x1ac1f3 dbkFCallWrapperAddr-0xa079 cbf66c2dc187804f5e89bd84f3b1d594+0x24d5c3 @ 0x64d5c3
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1636816
registers.edi: 63942944
registers.eax: 1636816
registers.ebp: 1636896
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features HTTP version 1.0 used suspicious_request GET http://post.securestudies.com/packages/RI1034/ContentI3.exe
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1559848492&cup2hreq=e4c9ecbfa7a0b067cd805c9adf03199b9a26bbe78768f2700688dfcc44c45a9f
Performs some HTTP requests (5 个事件)
request GET http://post.securestudies.com/packages/RI1034/ContentI3.exe
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620970832&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d98bcd3530199f7c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620970832&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:1559848492&cup2hreq=e4c9ecbfa7a0b067cd805c9adf03199b9a26bbe78768f2700688dfcc44c45a9f
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:1559848492&cup2hreq=e4c9ecbfa7a0b067cd805c9adf03199b9a26bbe78768f2700688dfcc44c45a9f
Allocates read-write-execute memory (usually to unpack itself) (50 out of 81 个事件)
Time & API Arguments Status Return Repeated
1620985513.249372
NtProtectVirtualMemory
process_identifier: 1704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620985513.249372
NtProtectVirtualMemory
process_identifier: 1704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 688128
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1620985513.249372
NtProtectVirtualMemory
process_identifier: 1704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004b6000
success 0 0
1620985513.249372
NtProtectVirtualMemory
process_identifier: 1704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x004b8000
success 0 0
1620999786.967374
NtAllocateVirtualMemory
process_identifier: 1380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006d0000
success 0 0
1620999860.826501
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004050000
success 0 0
1620999873.201876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00000000008f0000
success 0 0
1620999873.217876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000a80000
success 0 0
1620999874.201876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef10d1000
success 0 0
1620999874.935876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134e000
success 0 0
1620999874.935876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134e000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134f000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134f000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134f000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134f000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134f000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134f000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134f000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134f000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1350000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1350000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1350000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1350000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1350000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1351000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1351000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1351000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1351000
success 0 0
1620999875.014876
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef134e000
success 0 0
1620999876.107876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00032000
success 0 0
1620999877.279876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff10000
success 0 0
1620999877.279876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff10000
success 0 0
1620999877.279876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff10000
success 0 0
1620999877.279876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff00000
success 0 0
1620999877.279876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1620999877.279876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000ea000
success 0 0
1620999877.279876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00022000
success 0 0
1620999877.529876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00033000
success 0 0
1620999877.592876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000fa000
success 0 0
1620999877.592876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00122000
success 0 0
1620999877.592876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000fd000
success 0 0
1620999877.764876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0003c000
success 0 0
1620999879.389876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00034000
success 0 0
1620999879.389876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00036000
success 0 0
1620999879.389876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00037000
success 0 0
1620999879.420876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00170000
success 0 0
1620999879.514876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0003a000
success 0 0
1620999879.514876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff0004f000
success 0 0
1620999879.607876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00084000
success 0 0
1620999879.607876
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00053000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 个事件)
Time & API Arguments Status Return Repeated
1620999848.842374
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\Funny Puzzle\
free_bytes_available: 7018869914861568
total_number_of_free_bytes: 0
total_number_of_bytes: 44763088
failed 0 0
1620999848.842374
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\
free_bytes_available: 19414540288
total_number_of_free_bytes: 0
total_number_of_bytes: 34252779520
success 1 0
1620999883.529501
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19345592320
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620999883.654501
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19344019456
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620999883.873501
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19342315520
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620999884.154501
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19338907648
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Creates executable files on the filesystem (8 个事件)
file C:\Users\Administrator.Oskar-PC\Desktop\FalcoGo WebGL Games!.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funny Puzzle\Uninstall Funny Puzzle.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\Falco Space - Online Game!.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-PREPR.tmp\itdownload.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funny Puzzle\Funny Puzzle on the Web.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\Free Games Downloads!.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funny Puzzle\Funny Puzzle.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\FalconLine Online Games Website.lnk
Creates a shortcut to an executable file (8 个事件)
file C:\Users\Administrator.Oskar-PC\Desktop\FalcoGo WebGL Games!.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funny Puzzle\Uninstall Funny Puzzle.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\Falco Space - Online Game!.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funny Puzzle\Funny Puzzle on the Web.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\Free Games Downloads!.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funny Puzzle\Funny Puzzle.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\FalconLine Online Games Website.lnk
file C:\Users\Public\Desktop\Google Chrome.lnk
Drops an executable to the user AppData folder (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-20G3F.tmp\cbf66c2dc187804f5e89bd84f3b1d594.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-PREPR.tmp\itdownload.dll
Queries for potentially installed applications (5 个事件)
Time & API Arguments Status Return Repeated
1620999787.717374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
options: 0
failed 2 0
1620999791.060374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
options: 0
failed 2 0
1620999869.748374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
options: 0
failed 2 0
1620999869.764374
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
options: 0
failed 2 0
1620999869.764374
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Funny Puzzle_is1
options: 0
failed 2 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 个事件)
Qihoo-360 Win32/Virus.Downloader.cb4
Cylance Unsafe
Alibaba Downloader:Win32/BundleLoader.6b37c4c0
Cyren W32/FalcoBundler.B.gen!Eldorado
Avast Win32:VSok-A [PUP]
Kaspersky not-a-virus:Downloader.Win32.Agent.mbxa
DrWeb Adware.Downware.19492
Emsisoft Application.InstallAd (A)
Antiy-AVL GrayWare[Adware]/Win32.Falco.a
Gridinsoft Adware.InstallCore.vl!c
ZoneAlarm not-a-virus:Downloader.Win32.Agent.mbxa
GData Win32.Application.Falco.A
VBA32 Downloader.Agent
Malwarebytes Adware.RelevantKnowledge
ESET-NOD32 a variant of MSIL/Falcoware.A potentially unwanted
Fortinet Riskware/Agent
AVG Win32:VSok-A [PUP]
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.27.142:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-10-12 19:15:57

Imports

Library kernel32.dll:
0x4b42e0 GetACP
0x4b42e4 GetExitCodeProcess
0x4b42e8 LocalFree
0x4b42ec CloseHandle
0x4b42f0 SizeofResource
0x4b42f4 VirtualProtect
0x4b42f8 VirtualFree
0x4b42fc GetFullPathNameW
0x4b4300 ExitProcess
0x4b4304 HeapAlloc
0x4b4308 GetCPInfoExW
0x4b430c RtlUnwind
0x4b4310 GetCPInfo
0x4b4314 GetStdHandle
0x4b4318 GetModuleHandleW
0x4b431c FreeLibrary
0x4b4320 HeapDestroy
0x4b4324 ReadFile
0x4b4328 CreateProcessW
0x4b432c GetLastError
0x4b4330 GetModuleFileNameW
0x4b4334 SetLastError
0x4b4338 FindResourceW
0x4b433c CreateThread
0x4b4340 CompareStringW
0x4b4344 LoadLibraryA
0x4b4348 ResetEvent
0x4b434c GetVersion
0x4b4350 RaiseException
0x4b4354 FormatMessageW
0x4b4358 SwitchToThread
0x4b435c GetExitCodeThread
0x4b4360 GetCurrentThread
0x4b4364 LoadLibraryExW
0x4b4368 LockResource
0x4b436c GetCurrentThreadId
0x4b4374 VirtualQuery
0x4b4378 VirtualQueryEx
0x4b437c Sleep
0x4b4384 SetFilePointer
0x4b4388 LoadResource
0x4b438c SuspendThread
0x4b4390 GetTickCount
0x4b4394 GetFileSize
0x4b4398 GetStartupInfoW
0x4b439c GetFileAttributesW
0x4b43a4 GetThreadPriority
0x4b43a8 SetThreadPriority
0x4b43ac GetCurrentProcess
0x4b43b0 VirtualAlloc
0x4b43b4 GetSystemInfo
0x4b43b8 GetCommandLineW
0x4b43c0 GetProcAddress
0x4b43c4 ResumeThread
0x4b43c8 GetVersionExW
0x4b43cc VerifyVersionInfoW
0x4b43d0 HeapCreate
0x4b43d8 VerSetConditionMask
0x4b43dc GetDiskFreeSpaceW
0x4b43e0 FindFirstFileW
0x4b43e8 lstrlenW
0x4b43f0 SetEndOfFile
0x4b43f4 HeapFree
0x4b43f8 WideCharToMultiByte
0x4b43fc FindClose
0x4b4400 MultiByteToWideChar
0x4b4404 LoadLibraryW
0x4b4408 SetEvent
0x4b440c CreateFileW
0x4b4410 GetLocaleInfoW
0x4b4414 GetSystemDirectoryW
0x4b4418 DeleteFileW
0x4b441c GetLocalTime
0x4b4424 WaitForSingleObject
0x4b4428 WriteFile
0x4b442c ExitThread
0x4b4434 TlsGetValue
0x4b4438 GetDateFormatW
0x4b443c SetErrorMode
0x4b4440 IsValidLocale
0x4b4444 TlsSetValue
0x4b4448 CreateDirectoryW
0x4b4450 EnumCalendarInfoW
0x4b4454 LocalAlloc
0x4b445c RemoveDirectoryW
0x4b4460 CreateEventW
0x4b4464 SetThreadLocale
0x4b4468 GetThreadLocale
Library comctl32.dll:
0x4b4470 InitCommonControls
Library version.dll:
0x4b447c VerQueryValueW
0x4b4480 GetFileVersionInfoW
Library user32.dll:
0x4b4488 CreateWindowExW
0x4b448c TranslateMessage
0x4b4490 CharLowerBuffW
0x4b4494 CallWindowProcW
0x4b4498 CharUpperW
0x4b449c PeekMessageW
0x4b44a0 GetSystemMetrics
0x4b44a4 SetWindowLongW
0x4b44a8 MessageBoxW
0x4b44ac DestroyWindow
0x4b44b0 CharNextW
0x4b44b8 LoadStringW
0x4b44bc ExitWindowsEx
0x4b44c0 DispatchMessageW
Library oleaut32.dll:
0x4b44c8 SysAllocStringLen
0x4b44cc SafeArrayPtrOfIndex
0x4b44d0 VariantCopy
0x4b44d4 SafeArrayGetLBound
0x4b44d8 SafeArrayGetUBound
0x4b44dc VariantInit
0x4b44e0 VariantClear
0x4b44e4 SysFreeString
0x4b44e8 SysReAllocStringLen
0x4b44ec VariantChangeType
0x4b44f0 SafeArrayCreate
Library netapi32.dll:
0x4b44f8 NetWkstaGetInfo
0x4b44fc NetApiBufferFree
Library advapi32.dll:
0x4b4504 RegQueryValueExW
0x4b4510 RegCloseKey
0x4b4514 OpenProcessToken
0x4b4518 RegOpenKeyExW

Exports

Ordinal Address Name
3 0x453ac0 TMethodImplementationIntercept
2 0x40d3dc __dbk_fcall_wrapper
1 0x4b063c dbkFCallWrapperAddr

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49222 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49223 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49178 165.193.78.234 post.securestudies.com 80
192.168.56.101 49182 165.193.78.234 post.securestudies.com 80
192.168.56.101 49213 203.208.40.34 update.googleapis.com 443
192.168.56.101 49221 203.208.41.65 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://post.securestudies.com/packages/RI1034/ContentI3.exe 
GET /packages/RI1034/ContentI3.exe HTTP/1.0
Host: post.securestudies.com
User-Agent: InnoTools_Downloader
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d98bcd3530199f7c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620970832&mv=m&mvi=3 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d98bcd3530199f7c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620970832&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620970832&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620970832&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.