11.0
0-day
该样本未表现出任何异常!
重新分析
更多

2fc3c25b29d03e4e3167f874a453eb44212071490864e0134ca406ecf14d74a6

cf87be1e4acccb349ad95b81ce49f190.exe

分析耗时

129s

最近分析

文件大小

478.0KB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619940718.450626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (12 个事件)
Time & API Arguments Status Return Repeated
1619910855.364748
IsDebuggerPresent
failed 0 0
1619910855.364748
IsDebuggerPresent
failed 0 0
1619910901.926748
IsDebuggerPresent
failed 0 0
1619910902.426748
IsDebuggerPresent
failed 0 0
1619910902.942748
IsDebuggerPresent
failed 0 0
1619910903.426748
IsDebuggerPresent
failed 0 0
1619910903.942748
IsDebuggerPresent
failed 0 0
1619910904.426748
IsDebuggerPresent
failed 0 0
1619910904.942748
IsDebuggerPresent
failed 0 0
1619910905.426748
IsDebuggerPresent
failed 0 0
1619940721.590249
IsDebuggerPresent
failed 0 0
1619940721.590249
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619940719.106626
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\gwZvuQjTekCVJy"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619910855.442748
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1914076139&cup2hreq=de13ddd68d24286ada1e19b6986b5e334a0f240e789a09cc90ede1210cd96e15
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619911786&mv=u&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=e7ae14c91c6dc5b7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619911693&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:1914076139&cup2hreq=de13ddd68d24286ada1e19b6986b5e334a0f240e789a09cc90ede1210cd96e15
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:1914076139&cup2hreq=de13ddd68d24286ada1e19b6986b5e334a0f240e789a09cc90ede1210cd96e15
Allocates read-write-execute memory (usually to unpack itself) (50 out of 123 个事件)
Time & API Arguments Status Return Repeated
1619910854.411748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x007e0000
success 0 0
1619910854.411748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c0000
success 0 0
1619910854.880748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a00000
success 0 0
1619910854.880748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae0000
success 0 0
1619910855.114748
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619910855.364748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a00000
success 0 0
1619910855.364748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a80000
success 0 0
1619910855.364748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052a000
success 0 0
1619910855.380748
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619910855.380748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00522000
success 0 0
1619910855.786748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00532000
success 0 0
1619910855.942748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00565000
success 0 0
1619910855.942748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056b000
success 0 0
1619910855.942748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00567000
success 0 0
1619910856.036748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00533000
success 0 0
1619910856.067748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053c000
success 0 0
1619910856.489748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00534000
success 0 0
1619910856.505748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00536000
success 0 0
1619910856.630748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a40000
success 0 0
1619910856.739748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055a000
success 0 0
1619910856.739748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619910856.864748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00556000
success 0 0
1619910856.942748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a41000
success 0 0
1619910857.255748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00537000
success 0 0
1619910857.270748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053a000
success 0 0
1619910857.489748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00538000
success 0 0
1619910857.567748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00539000
success 0 0
1619910857.645748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c40000
success 0 0
1619910857.661748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a42000
success 0 0
1619910857.692748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c41000
success 0 0
1619910857.708748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a43000
success 0 0
1619910895.755748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ae1000
success 0 0
1619910895.942748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052c000
success 0 0
1619910895.942748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a46000
success 0 0
1619910896.005748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c42000
success 0 0
1619910896.020748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a47000
success 0 0
1619910896.098748
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 314880
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05280400
failed 3221225550 0
1619910901.223748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a48000
success 0 0
1619910901.239748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053d000
success 0 0
1619910901.239748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c43000
success 0 0
1619910901.239748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a49000
success 0 0
1619910901.317748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a4a000
success 0 0
1619910901.489748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a4b000
success 0 0
1619910901.505748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a4c000
success 0 0
1619910901.645748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a4d000
success 0 0
1619910901.692748
NtAllocateVirtualMemory
process_identifier: 376
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a4e000
success 0 0
1619910901.708748
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05280178
failed 3221225550 0
1619910901.708748
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x052801a0
failed 3221225550 0
1619910901.708748
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x052801c8
failed 3221225550 0
1619910901.708748
NtProtectVirtualMemory
process_identifier: 376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x052801f0
failed 3221225550 0
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gwZvuQjTekCVJy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD35.tmp"
cmdline schtasks.exe /Create /TN "Updates\gwZvuQjTekCVJy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD35.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619910902.630748
ShellExecuteExW
parameters: /Create /TN "Updates\gwZvuQjTekCVJy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD35.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.851867808884633 section {'size_of_data': '0x00076c00', 'virtual_address': '0x00002000', 'entropy': 7.851867808884633, 'name': '.text', 'virtual_size': '0x00076b3c'} description A section with a high entropy has been found
entropy 0.9947643979057592 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619910896.098748
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619940733.715249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gwZvuQjTekCVJy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD35.tmp"
cmdline schtasks.exe /Create /TN "Updates\gwZvuQjTekCVJy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD35.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619910905.301748
NtAllocateVirtualMemory
process_identifier: 952
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00006384
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD35.tmp
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619910905.301748
WriteProcessMemory
process_identifier: 952
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELdŽ_à N¾m €@ À@…pmK€à   H.textÄM N `.rsrcà€P@@.reloc  T@B
process_handle: 0x00006384
base_address: 0x00400000
success 1 0
1619910905.317748
WriteProcessMemory
process_identifier: 952
buffer: €0€HX€„„4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameRMJClIuaRNPakjfzrvWLtn.exe(LegalCopyright `OriginalFilenameRMJClIuaRNPakjfzrvWLtn.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00006384
base_address: 0x00448000
success 1 0
1619910905.317748
WriteProcessMemory
process_identifier: 952
buffer: ` À=
process_handle: 0x00006384
base_address: 0x0044a000
success 1 0
1619910905.317748
WriteProcessMemory
process_identifier: 952
buffer: @
process_handle: 0x00006384
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619910905.301748
WriteProcessMemory
process_identifier: 952
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELdŽ_à N¾m €@ À@…pmK€à   H.textÄM N `.rsrcà€P@@.reloc  T@B
process_handle: 0x00006384
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 376 called NtSetContextThread to modify thread in remote process 952
Time & API Arguments Status Return Repeated
1619910905.317748
NtSetContextThread
thread_handle: 0x0000b0d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4484542
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 952
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 376 resumed a thread in remote process 952
Time & API Arguments Status Return Repeated
1619910905.583748
NtResumeThread
thread_handle: 0x0000b0d8
suspend_count: 1
process_identifier: 952
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.27.142:443
Executed a process and injected code into it, probably while unpacking (20 个事件)
Time & API Arguments Status Return Repeated
1619910855.364748
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 376
success 0 0
1619910855.395748
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 376
success 0 0
1619910855.473748
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 376
success 0 0
1619910901.895748
NtResumeThread
thread_handle: 0x00003b00
suspend_count: 1
process_identifier: 376
success 0 0
1619910901.911748
NtResumeThread
thread_handle: 0x0000cf04
suspend_count: 1
process_identifier: 376
success 0 0
1619910902.630748
CreateProcessInternalW
thread_identifier: 2960
thread_handle: 0x00006c84
process_identifier: 2948
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gwZvuQjTekCVJy" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD35.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000081c8
inherit_handles: 0
success 1 0
1619910905.301748
CreateProcessInternalW
thread_identifier: 1244
thread_handle: 0x0000b0d8
process_identifier: 952
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cf87be1e4acccb349ad95b81ce49f190.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\cf87be1e4acccb349ad95b81ce49f190.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00006384
inherit_handles: 0
success 1 0
1619910905.301748
NtGetContextThread
thread_handle: 0x0000b0d8
success 0 0
1619910905.301748
NtAllocateVirtualMemory
process_identifier: 952
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00006384
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619910905.301748
WriteProcessMemory
process_identifier: 952
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELdŽ_à N¾m €@ À@…pmK€à   H.textÄM N `.rsrcà€P@@.reloc  T@B
process_handle: 0x00006384
base_address: 0x00400000
success 1 0
1619910905.317748
WriteProcessMemory
process_identifier: 952
buffer:
process_handle: 0x00006384
base_address: 0x00402000
success 1 0
1619910905.317748
WriteProcessMemory
process_identifier: 952
buffer: €0€HX€„„4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameRMJClIuaRNPakjfzrvWLtn.exe(LegalCopyright `OriginalFilenameRMJClIuaRNPakjfzrvWLtn.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00006384
base_address: 0x00448000
success 1 0
1619910905.317748
WriteProcessMemory
process_identifier: 952
buffer: ` À=
process_handle: 0x00006384
base_address: 0x0044a000
success 1 0
1619910905.317748
WriteProcessMemory
process_identifier: 952
buffer: @
process_handle: 0x00006384
base_address: 0x7efde008
success 1 0
1619910905.317748
NtSetContextThread
thread_handle: 0x0000b0d8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4484542
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 952
success 0 0
1619910905.583748
NtResumeThread
thread_handle: 0x0000b0d8
suspend_count: 1
process_identifier: 952
success 0 0
1619910905.583748
NtResumeThread
thread_handle: 0x0001001c
suspend_count: 1
process_identifier: 376
success 0 0
1619940721.590249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 952
success 0 0
1619940721.590249
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 952
success 0 0
1619940721.637249
NtResumeThread
thread_handle: 0x00000168
suspend_count: 1
process_identifier: 952
success 0 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-26 22:10:18

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49193 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49189 203.208.40.34 update.googleapis.com 443
192.168.56.101 49192 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49195 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619911786&mv=u&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619911786&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=e7ae14c91c6dc5b7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619911693&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=e7ae14c91c6dc5b7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619911693&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.