SmartHawk

10.2

0-day

50 个模型检测该样本为恶意！

重新分析

下载样本

40cf3214cd412e73955af3a64b3e61691ec44f3ee6bd8031ea37e69dce07b393

cfe01269c178fea11b28130dd457c43e.exe

分析耗时

87s

最近分析

文件大小

598.5KB

静态报毒动态报毒 100% AGENTTESLA AI SCORE=85 ALI1000139 ARTEMIS ATTRIBUTE AUTO CLOUD CONFIDENCE ENRP FEMCA GDSDA GENKRYPTIK GRACEWIRE HIGHCONFIDENCE KRYPT KRYPTIK LM0@AIWH6OL MODERATE OQYK PASSWORDSTEALER PWSX R011C0WG820 RAZY SCORE STARTER STELEGA SUSPICIOUS PE TROJANPWS TSCOPE UNSAFE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!CFE01269C178	20200804	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Alibaba	Trojan:Win32/starter.ali1000139	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200804	18.4.3895.0
Tencent	Win32.Trojan.Inject.Auto	20200804	1.0.0.1
Kingsoft		20200804	2013.8.14.323

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619917274.870876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619917291.104876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619917294.495876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619917296.792876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619917297.151876 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1619917227.870249 IsDebuggerPresent		failed	0	0
1619917227.870249 IsDebuggerPresent		failed	0	0
1619917278.104876 IsDebuggerPresent		failed	0	0
1619917278.104876 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619917275.573876 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\SvmSwTQ"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619917227.885249 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619917296.635876 __exception__	stacktrace: 0x22be845 0x22bdd0b DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3599852 registers.edi: 3599880 registers.eax: 0 registers.ebp: 3599896 registers.edx: 8 registers.ebx: 0 registers.esi: 38088672 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 e3 c4 26 47 e9 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x22920df	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619917296.635876
__exception__

stacktrace:

0x22be845
0x22bdd0b
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3599852
registers.edi: 3599880
registers.eax: 0
registers.ebp: 3599896
registers.edx: 8
registers.ebx: 0
registers.esi: 38088672
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 e3 c4 26 47 e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x22920df

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 131 个事件)

Time & API	Arguments	Status
1619917227.542249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x004c0000	success
1619917227.542249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00540000	success
1619917227.698249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005c0000	success
1619917227.698249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1619917227.760249 NtProtectVirtualMemory	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619917227.870249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02070000	success
1619917227.870249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02200000	success
1619917227.870249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0052a000	success
1619917227.870249 NtProtectVirtualMemory	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619917227.870249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00522000	success
1619917228.089249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00532000	success
1619917228.167249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00595000	success
1619917228.167249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059b000	success
1619917228.167249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00597000	success
1619917228.245249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00533000	success
1619917228.292249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053c000	success
1619917228.354249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c0000	success
1619917228.714249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00586000	success
1619917228.714249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success
1619917228.714249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00587000	success
1619917228.745249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00534000	success
1619917228.760249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c1000	success
1619917228.932249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00535000	success
1619917262.885249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c2000	success
1619917262.901249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00536000	success
1619917262.901249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c3000	success
1619917262.917249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c4000	success
1619917262.964249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c5000	success
1619917263.260249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c9000	success
1619917263.354249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00537000	success
1619917263.385249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00538000	success
1619917263.385249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00539000	success
1619917263.401249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba0000	success
1619917263.401249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006ca000	success
1619917263.401249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02201000	success
1619917263.401249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02202000	success
1619917263.417249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02203000	success
1619917263.417249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02204000	success
1619917263.432249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba1000	success
1619917263.448249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006cb000	success
1619917263.448249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02205000	success
1619917263.448249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02206000	success
1619917263.448249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02207000	success
1619917263.448249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0220b000	success
1619917263.448249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0221c000	success
1619917263.479249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0221d000	success
1619917263.479249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006cc000	success
1619917263.526249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006cd000	success
1619917263.589249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053d000	success
1619917263.589249 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ba2000	success

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SvmSwTQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB70.tmp"
cmdline	schtasks.exe /Create /TN "Updates\SvmSwTQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB70.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619917274.620249 ShellExecuteExW	parameters: /Create /TN "Updates\SvmSwTQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB70.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.515740977881724

section

{'size_of_data': '0x00091200', 'virtual_address': '0x00002000', 'entropy': 7.515740977881724, 'name': '.text', 'virtual_size': '0x000911d4'}

description

A section with a high entropy has been found

entropy

0.9707357859531772

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619917290.104876 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SvmSwTQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB70.tmp"
cmdline	schtasks.exe /Create /TN "Updates\SvmSwTQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB70.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619917277.495249 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000374 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

RegSvcs.exe tried to sleep 2728178 seconds, actually delayed analysis time by 2728178 seconds

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;Ô_àX~v @ À@0vK H.textV X `.rsrcZ@@.reloc `@B process_handle: 0x00000374 base_address: 0x00400000	success	1
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: P8h $ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameRNTStDdMoyLBVzdvhXVsZMk.exe(LegalCopyright `OriginalFilenameRNTStDdMoyLBVzdvhXVsZMk.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00000374 base_address: 0x00448000	success	1
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: p6 process_handle: 0x00000374 base_address: 0x0044a000	success	1
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: @ process_handle: 0x00000374 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;Ô_àX~v @ À@0vK H.textV X `.rsrcZ@@.reloc `@B process_handle: 0x00000374 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2080 called NtSetContextThread to modify thread in remote process 2576
1619917277.495249 NtSetContextThread	thread_handle: 0x00000290 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486782 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2576	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2080 resumed a thread in remote process 2576
1619917277.682249 NtResumeThread	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2576	success	0	0

Executed a process and injected code into it, probably while unpacking (25 个事件)

Time & API	Arguments	Status	Return
1619917227.870249 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2080	success	0
1619917227.870249 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2080	success	0
1619917227.932249 NtResumeThread	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 2080	success	0
1619917274.120249 NtResumeThread	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2080	success	0
1619917274.620249 CreateProcessInternalW	thread_identifier: 2604 thread_handle: 0x0000035c process_identifier: 2960 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SvmSwTQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB70.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x0000039c inherit_handles: 0	success	1
1619917277.495249 CreateProcessInternalW	thread_identifier: 2652 thread_handle: 0x00000290 process_identifier: 2576 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000374 inherit_handles: 0	success	1
1619917277.495249 NtGetContextThread	thread_handle: 0x00000290	success	0
1619917277.495249 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000374 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL;Ô_àX~v @ À@0vK H.textV X `.rsrcZ@@.reloc `@B process_handle: 0x00000374 base_address: 0x00400000	success	1
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: process_handle: 0x00000374 base_address: 0x00402000	success	1
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: P8h $ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNameRNTStDdMoyLBVzdvhXVsZMk.exe(LegalCopyright `OriginalFilenameRNTStDdMoyLBVzdvhXVsZMk.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00000374 base_address: 0x00448000	success	1
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: p6 process_handle: 0x00000374 base_address: 0x0044a000	success	1
1619917277.495249 WriteProcessMemory	process_identifier: 2576 buffer: @ process_handle: 0x00000374 base_address: 0x7efde008	success	1
1619917277.495249 NtSetContextThread	thread_handle: 0x00000290 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486782 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2576	success	0
1619917277.682249 NtResumeThread	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2576	success	0
1619917277.698249 NtResumeThread	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2080	success	0
1619917277.698249 NtGetContextThread	thread_handle: 0x00000354	success	0
1619917277.698249 NtGetContextThread	thread_handle: 0x00000354	success	0
1619917277.698249 NtResumeThread	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2080	success	0
1619917278.104876 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2576	success	0
1619917278.120876 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2576	success	0
1619917278.182876 NtResumeThread	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2576	success	0
1619917294.135876 NtResumeThread	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 2576	success	0
1619917294.214876 NtResumeThread	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2576	success	0
1619917296.729876 NtResumeThread	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 2576	success	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

MicroWorld-eScan	Gen:Variant.Razy.712840
FireEye	Generic.mg.cfe01269c178fea1
CAT-QuickHeal	Trojanpws.Msil
Qihoo-360	Generic/Trojan.PSW.c9f
McAfee	Artemis!CFE01269C178
Cylance	Unsafe
Zillya	Trojan.GenKryptik.Win32.50684
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Trojan ( 0056a30e1 )
K7AntiVirus	Trojan ( 0056a30e1 )
Arcabit	Trojan.Razy.DAE088
TrendMicro	TROJ_GEN.R011C0WG820
Cyren	W32/Trojan.OQYK-9318
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Stelega.gen
BitDefender	Gen:Variant.Razy.712840
AegisLab	Trojan.MSIL.Stelega.i!c
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Trojan.Inject.Auto
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Kryptik.femca
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
Trapmine	malicious.moderate.ml.score
Emsisoft	Gen:Variant.Razy.712840 (B)
Ikarus	Trojan.MSIL.Krypt
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.femca
Microsoft	Trojan:MSIL/AgentTesla.VN!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stelega.gen
GData	Gen:Variant.Razy.712840
Cynet	Malicious (score: 85)
VBA32	TScope.Trojan.MSIL
ALYac	Gen:Variant.Razy.712840
MAX	malware (ai score=85)
Ad-Aware	Gen:Variant.Razy.712840
Malwarebytes	Spyware.PasswordStealer
ESET-NOD32	a variant of MSIL/Kryptik.WVE
TrendMicro-HouseCall	TROJ_GEN.R011C0WG820
Rising	Dropper.GraceWire!8.11325 (CLOUD)
SentinelOne	DFI - Suspicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/GenKryptik.ENRP!tr
BitDefenderTheta	Gen:NN.ZemsilF.34144.Lm0@aiwH6ol
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.ca5f0b
Panda	Trj/GdSda.A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2077-12-27 18:49:43

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.