10.8
0-day
55 个模型检测该样本为恶意!
重新分析
更多

0444729289d8a3c480eb3f29e936f29d048f69c71a691b20489e50890fa22983

cf0c599dca5b3adb02a92b94f6927f5b.exe

分析耗时

89s

最近分析

文件大小

926.0KB
静态报毒 动态报毒 100% 5M0@AAAJDPE AGEN AGENTTESLA AI SCORE=80 ATTRIBUTE AVSARHER BUBVUR CONFIDENCE ELDORADO FAREIT FORMBOOK GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HTERXK INJECT3 KRYPTIK MALICIOUS PE MALWARE@#2YTTH7VQTYMFY PWSX R03FC0WH520 R346819 S + TROJ SCORE STATIC AI SZBO UNSAFE WACATAC YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FXO!CF0C599DCA5B 20201211 6.0.6.653
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Alibaba Trojan:MSIL/AgentTesla.927a2a6f 20190527 0.3.0.5
Kingsoft 20201211 2017.9.26.565
Tencent Msil.Trojan.Crypt.Szbo 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619929687.112125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619929708.79875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 115 个事件)
Time & API Arguments Status Return Repeated
1619910851.456081
IsDebuggerPresent
failed 0 0
1619910851.456081
IsDebuggerPresent
failed 0 0
1619910852.596081
IsDebuggerPresent
failed 0 0
1619910853.112081
IsDebuggerPresent
failed 0 0
1619910853.612081
IsDebuggerPresent
failed 0 0
1619910854.112081
IsDebuggerPresent
failed 0 0
1619910854.612081
IsDebuggerPresent
failed 0 0
1619910855.112081
IsDebuggerPresent
failed 0 0
1619910855.612081
IsDebuggerPresent
failed 0 0
1619910856.112081
IsDebuggerPresent
failed 0 0
1619910856.612081
IsDebuggerPresent
failed 0 0
1619910857.112081
IsDebuggerPresent
failed 0 0
1619910857.612081
IsDebuggerPresent
failed 0 0
1619910858.112081
IsDebuggerPresent
failed 0 0
1619910858.612081
IsDebuggerPresent
failed 0 0
1619910859.112081
IsDebuggerPresent
failed 0 0
1619910859.612081
IsDebuggerPresent
failed 0 0
1619910860.112081
IsDebuggerPresent
failed 0 0
1619910860.612081
IsDebuggerPresent
failed 0 0
1619910861.112081
IsDebuggerPresent
failed 0 0
1619910861.612081
IsDebuggerPresent
failed 0 0
1619910862.112081
IsDebuggerPresent
failed 0 0
1619910862.612081
IsDebuggerPresent
failed 0 0
1619910863.112081
IsDebuggerPresent
failed 0 0
1619910863.612081
IsDebuggerPresent
failed 0 0
1619910864.112081
IsDebuggerPresent
failed 0 0
1619910864.612081
IsDebuggerPresent
failed 0 0
1619910865.112081
IsDebuggerPresent
failed 0 0
1619910865.612081
IsDebuggerPresent
failed 0 0
1619910866.112081
IsDebuggerPresent
failed 0 0
1619910866.612081
IsDebuggerPresent
failed 0 0
1619910867.112081
IsDebuggerPresent
failed 0 0
1619910867.612081
IsDebuggerPresent
failed 0 0
1619910868.112081
IsDebuggerPresent
failed 0 0
1619910868.612081
IsDebuggerPresent
failed 0 0
1619910869.112081
IsDebuggerPresent
failed 0 0
1619910869.612081
IsDebuggerPresent
failed 0 0
1619910870.112081
IsDebuggerPresent
failed 0 0
1619910870.612081
IsDebuggerPresent
failed 0 0
1619910871.112081
IsDebuggerPresent
failed 0 0
1619910871.612081
IsDebuggerPresent
failed 0 0
1619910872.112081
IsDebuggerPresent
failed 0 0
1619910872.612081
IsDebuggerPresent
failed 0 0
1619910873.112081
IsDebuggerPresent
failed 0 0
1619910873.612081
IsDebuggerPresent
failed 0 0
1619910874.112081
IsDebuggerPresent
failed 0 0
1619910874.612081
IsDebuggerPresent
failed 0 0
1619910875.112081
IsDebuggerPresent
failed 0 0
1619910875.612081
IsDebuggerPresent
failed 0 0
1619910876.112081
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619929687.706125
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\pDJzCcZ"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619910851.471081
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 146 个事件)
Time & API Arguments Status Return Repeated
1619910850.690081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00b20000
success 0 0
1619910850.690081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00cd0000
success 0 0
1619910851.049081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00450000
success 0 0
1619910851.049081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00470000
success 0 0
1619910851.237081
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619910851.456081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00600000
success 0 0
1619910851.456081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00660000
success 0 0
1619910851.471081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032a000
success 0 0
1619910851.471081
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619910851.471081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00322000
success 0 0
1619910851.690081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00332000
success 0 0
1619910851.799081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00465000
success 0 0
1619910851.815081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0046b000
success 0 0
1619910851.815081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00467000
success 0 0
1619910851.893081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00333000
success 0 0
1619910851.940081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033c000
success 0 0
1619910852.002081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f0000
success 0 0
1619910852.002081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00334000
success 0 0
1619910852.018081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f1000
success 0 0
1619910852.018081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f2000
success 0 0
1619910852.018081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f3000
success 0 0
1619910852.049081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f4000
success 0 0
1619910852.049081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f5000
success 0 0
1619910852.221081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00335000
success 0 0
1619910852.377081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f6000
success 0 0
1619910852.784081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00336000
success 0 0
1619910852.831081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00338000
success 0 0
1619910852.862081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f7000
success 0 0
1619910852.893081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00323000
success 0 0
1619910852.893081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032c000
success 0 0
1619910852.893081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f8000
success 0 0
1619910852.940081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00339000
success 0 0
1619910852.956081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00800000
success 0 0
1619910853.018081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00801000
success 0 0
1619910853.049081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00456000
success 0 0
1619910853.096081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f9000
success 0 0
1619910853.096081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0045a000
success 0 0
1619910853.096081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00457000
success 0 0
1619910853.112081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00802000
success 0 0
1619910853.143081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033d000
success 0 0
1619910853.159081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007fa000
success 0 0
1619910853.174081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007fd000
success 0 0
1619910853.174081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00803000
success 0 0
1619910894.174081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007fe000
success 0 0
1619910894.377081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007ff000
success 0 0
1619910894.581081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04de0000
success 0 0
1619910894.581081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00804000
success 0 0
1619910894.581081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04de1000
success 0 0
1619910894.659081
NtProtectVirtualMemory
process_identifier: 2504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 313856
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05130400
failed 3221225550 0
1619910899.862081
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04de2000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description cf0c599dca5b3adb02a92b94f6927f5b.exe tried to sleep 149 seconds, actually delayed analysis time by 149 seconds
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pDJzCcZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp12F1.tmp"
cmdline schtasks.exe /Create /TN "Updates\pDJzCcZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp12F1.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619910901.268081
ShellExecuteExW
parameters: /Create /TN "Updates\pDJzCcZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp12F1.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.502196091871766 section {'size_of_data': '0x000e6e00', 'virtual_address': '0x00002000', 'entropy': 7.502196091871766, 'name': '.text', 'virtual_size': '0x000e6d44'} description A section with a high entropy has been found
entropy 0.9978390059427337 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619910852.362081
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619929691.04875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619929707.93975
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2504
process_handle: 0x00000234
failed 0 0
1619929707.93975
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2504
process_handle: 0x00000234
success 0 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pDJzCcZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp12F1.tmp"
cmdline schtasks.exe /Create /TN "Updates\pDJzCcZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp12F1.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619910903.831081
NtAllocateVirtualMemory
process_identifier: 1344
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000248
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp12F1.tmp
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619910903.831081
WriteProcessMemory
process_identifier: 1344
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELß9Æ^à  ª.É à@  @…ØÈSà  H.text4© ª `.rsrcà¬@@.reloc ²@B
process_handle: 0x00000248
base_address: 0x00400000
success 1 0
1619910903.846081
WriteProcessMemory
process_identifier: 1344
buffer:  €P€8€€h€ à„$ãê„4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameyxGXJhwnmjYzxFxbFKVdblW.exe(LegalCopyright `OriginalFilenameyxGXJhwnmjYzxFxbFKVdblW.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000248
base_address: 0x0044e000
success 1 0
1619910903.846081
WriteProcessMemory
process_identifier: 1344
buffer: À 09
process_handle: 0x00000248
base_address: 0x00450000
success 1 0
1619910903.846081
WriteProcessMemory
process_identifier: 1344
buffer: @
process_handle: 0x00000248
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619910903.831081
WriteProcessMemory
process_identifier: 1344
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELß9Æ^à  ª.É à@  @…ØÈSà  H.text4© ª `.rsrcà¬@@.reloc ²@B
process_handle: 0x00000248
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2504 called NtSetContextThread to modify thread in remote process 1344
Time & API Arguments Status Return Repeated
1619910903.846081
NtSetContextThread
thread_handle: 0x00009054
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4507950
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1344
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2504 resumed a thread in remote process 1344
Time & API Arguments Status Return Repeated
1619910904.112081
NtResumeThread
thread_handle: 0x00009054
suspend_count: 1
process_identifier: 1344
success 0 0
Executed a process and injected code into it, probably while unpacking (22 个事件)
Time & API Arguments Status Return Repeated
1619910851.456081
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2504
success 0 0
1619910851.471081
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2504
success 0 0
1619910851.518081
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2504
success 0 0
1619910852.549081
NtResumeThread
thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2504
success 0 0
1619910852.581081
NtResumeThread
thread_handle: 0x00000224
suspend_count: 1
process_identifier: 2504
success 0 0
1619910900.393081
NtResumeThread
thread_handle: 0x0000aa3c
suspend_count: 1
process_identifier: 2504
success 0 0
1619910900.409081
NtResumeThread
thread_handle: 0x00009774
suspend_count: 1
process_identifier: 2504
success 0 0
1619910901.268081
CreateProcessInternalW
thread_identifier: 2960
thread_handle: 0x00005768
process_identifier: 2948
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pDJzCcZ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp12F1.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000e214
inherit_handles: 0
success 1 0
1619910903.831081
CreateProcessInternalW
thread_identifier: 2576
thread_handle: 0x00009054
process_identifier: 1344
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cf0c599dca5b3adb02a92b94f6927f5b.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cf0c599dca5b3adb02a92b94f6927f5b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000248
inherit_handles: 0
success 1 0
1619910903.831081
NtGetContextThread
thread_handle: 0x00009054
success 0 0
1619910903.831081
NtAllocateVirtualMemory
process_identifier: 1344
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000248
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619910903.831081
WriteProcessMemory
process_identifier: 1344
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELß9Æ^à  ª.É à@  @…ØÈSà  H.text4© ª `.rsrcà¬@@.reloc ²@B
process_handle: 0x00000248
base_address: 0x00400000
success 1 0
1619910903.831081
WriteProcessMemory
process_identifier: 1344
buffer:
process_handle: 0x00000248
base_address: 0x00402000
success 1 0
1619910903.846081
WriteProcessMemory
process_identifier: 1344
buffer:  €P€8€€h€ à„$ãê„4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameyxGXJhwnmjYzxFxbFKVdblW.exe(LegalCopyright `OriginalFilenameyxGXJhwnmjYzxFxbFKVdblW.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000248
base_address: 0x0044e000
success 1 0
1619910903.846081
WriteProcessMemory
process_identifier: 1344
buffer: À 09
process_handle: 0x00000248
base_address: 0x00450000
success 1 0
1619910903.846081
WriteProcessMemory
process_identifier: 1344
buffer: @
process_handle: 0x00000248
base_address: 0x7efde008
success 1 0
1619910903.846081
NtSetContextThread
thread_handle: 0x00009054
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4507950
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1344
success 0 0
1619910904.112081
NtResumeThread
thread_handle: 0x00009054
suspend_count: 1
process_identifier: 1344
success 0 0
1619910904.127081
NtResumeThread
thread_handle: 0x00008e24
suspend_count: 1
process_identifier: 2504
success 0 0
1619929689.92375
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1344
success 0 0
1619929689.93975
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 1344
success 0 0
1619929690.11175
NtResumeThread
thread_handle: 0x000001a8
suspend_count: 1
process_identifier: 1344
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43593419
FireEye Trojan.GenericKD.43593419
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Qihoo-360 Generic/Trojan.21a
McAfee Fareit-FXO!CF0C599DCA5B
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2334981
Sangfor Malware
K7AntiVirus Trojan ( 0056bec11 )
BitDefender Trojan.GenericKD.43593419
K7GW Trojan ( 0056bec11 )
Cybereason malicious.8c8f41
Cyren W32/MSIL_Kryptik.BHF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packed.Formbook-9228643-0
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
Alibaba Trojan:MSIL/AgentTesla.927a2a6f
NANO-Antivirus Trojan.Win32.Crypt.hterxk
AegisLab Trojan.Win32.Malicious.4!c
Ad-Aware Trojan.GenericKD.43593419
Emsisoft Trojan.GenericKD.43593419 (B)
Comodo Malware@#2ytth7vqtymfy
F-Secure Heuristic.HEUR/AGEN.1137997
DrWeb Trojan.Inject3.51285
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03FC0WH520
McAfee-GW-Edition Fareit-FXO!CF0C599DCA5B
Sophos Mal/Generic-S + Troj/MSIL-PRB
SentinelOne Static AI - Malicious PE
GData Trojan.GenericKD.43593419
Avira HEUR/AGEN.1137997
Antiy-AVL Trojan/MSIL.Kryptik
Gridinsoft Ransom.Win32.Wacatac.oa
Arcabit Trojan.Generic.D2992ECB
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
Microsoft Trojan:MSIL/AgentTesla.N!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R346819
BitDefenderTheta Gen:NN.ZemsilF.34670.5m0@aaaJdpe
ALYac Trojan.GenericKD.43593419
MAX malware (ai score=80)
Malwarebytes Trojan.MalPack
Panda Trj/GdSda.A
ESET-NOD32 a variant of MSIL/Kryptik.XFB
TrendMicro-HouseCall TROJ_GEN.R03FC0WH520
Tencent Msil.Trojan.Crypt.Szbo
Yandex Trojan.AvsArher.bUbVUr
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-04 10:50:35

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.