14.2
0-day

00eefa6efa1815770b9bcd826b985d67668194c98329e0c339060b9d22e6483d

d102d5c8bf9fa5a0034fcfdc759d5f01.exe

Analysis duration

73s

Last analysis

File size

325.0KB
Static detections  Dynamic detections 100% A VARIANT OF GENERIK AGENTTESLA AI SCORE=100 AQNE ARTEMIS ATTRIBUTE AVEMARIA BASIC BXBLI CLOUD CONFIDENCE GDSDA GJUIYTJ HIGH CONFIDENCE HIGHCONFIDENCE KCLOUD MALWARE@#1UKMZAZK22XC9 MORTYSTEALER QVM03 SCORE SIGGEN2 SUSGEN TSCOPE UM0@AWWQDO UNSAFE ZEMSILF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results yet
Static verdict
Anti-virus engines
Engine Result Time Version
McAfee Artemis!D102D5C8BF9F 20210226 6.0.6.653
Alibaba TrojanSpy:MSIL/AveMaria.a29b6526 20190527 0.3.0.5
Avast Win32:Malware-gen 20210226 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft Win32.Troj.Generic_a.a.(kcloud) 20210226 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Static indicators
Queries for the computer name (4 events)
Time & API Arguments Status Return Repeated
1619910859.268241
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619910861.690241
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619910861.690241
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619910862.034241
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619910850.799241
IsDebuggerPresent
failed 0 0
1619910850.799241
IsDebuggerPresent
failed 0 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619910850.846241
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated
1619923028.93152
__exception__
stacktrace:
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69
0xffffffffe77a7c69

registers.r14: 0
registers.r9: 0
registers.rcx: 2332
registers.rsi: 1
registers.r10: 0
registers.rbx: 3
registers.rdi: 73575104
registers.r11: 73573056
registers.r8: 0
registers.rdx: 0
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 73572872
registers.rax: 73574480
registers.r13: 2332
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xffffffffe77a7c69
success 0 0
1619923458.287
__exception__
stacktrace:
d102d5c8bf9fa5a0034fcfdc759d5f01+0x3584 @ 0x403584
d102d5c8bf9fa5a0034fcfdc759d5f01+0x10ee2 @ 0x410ee2
d102d5c8bf9fa5a0034fcfdc759d5f01+0x13895 @ 0x413895
d102d5c8bf9fa5a0034fcfdc759d5f01+0x5b92 @ 0x405b92
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3994632
registers.edi: 3994744
registers.eax: 3994656
registers.ebp: 3994672
registers.edx: 47448064
registers.ebx: 3994864
registers.esi: 3994880
registers.ecx: 0
exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x76373118
success 0 0
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 115 events)
Time & API Arguments Status Return Repeated
1619910849.815241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619910849.815241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f0000
success 0 0
1619910850.268241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x007f0000
success 0 0
1619910850.268241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a0000
success 0 0
1619910850.440241
NtProtectVirtualMemory
process_identifier: 1632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619910850.799241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x021f0000
success 0 0
1619910850.799241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02310000
success 0 0
1619910850.815241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ba000
success 0 0
1619910850.815241
NtProtectVirtualMemory
process_identifier: 1632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619910850.815241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b2000
success 0 0
1619910851.002241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c2000
success 0 0
1619910851.096241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e5000
success 0 0
1619910851.096241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003eb000
success 0 0
1619910851.096241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e7000
success 0 0
1619910851.174241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c3000
success 0 0
1619910851.206241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003cc000
success 0 0
1619910851.268241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619910851.612241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c4000
success 0 0
1619910851.612241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c6000
success 0 0
1619910851.706241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c7000
success 0 0
1619910851.862241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d6000
success 0 0
1619910851.940241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003da000
success 0 0
1619910851.940241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d7000
success 0 0
1619910852.440241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00581000
success 0 0
1619910852.456241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c8000
success 0 0
1619910852.534241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ca000
success 0 0
1619910852.549241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c9000
success 0 0
1619910852.596241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00680000
success 0 0
1619910852.596241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006bf000
success 0 0
1619910852.596241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006b0000
success 0 0
1619910852.737241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00681000
success 0 0
1619910852.752241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b3000
success 0 0
1619910852.752241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00682000
success 0 0
1619910852.799241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003bc000
success 0 0
1619910852.846241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003db000
success 0 0
1619910853.002241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00683000
success 0 0
1619910853.049241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00684000
success 0 0
1619910853.065241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00685000
success 0 0
1619910853.159241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00686000
success 0 0
1619910853.159241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00687000
success 0 0
1619910853.174241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00582000
success 0 0
1619910853.206241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00688000
success 0 0
1619910853.268241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003cd000
success 0 0
1619910853.284241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef40000
success 0 0
1619910853.284241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619910853.284241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619910853.284241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef48000
success 0 0
1619910853.284241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef30000
success 0 0
1619910853.284241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
1619910853.565241
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a1000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$wz$ck.lnk
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$wz$ck.lnk
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.914198791406173 section {'size_of_data': '0x00046600', 'virtual_address': '0x00002000', 'entropy': 7.914198791406173, 'name': '.text', 'virtual_size': '0x00046434'} description A section with a high entropy has been found
entropy 0.8674884437596302 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619910858.643241
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (50 out of 130 events)
Time & API Arguments Status Return Repeated
1619923458.334
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000001ec
process_identifier: 2240
failed 0 0
1619923458.334
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000001ec
process_identifier: 2240
failed 0 0
1619923459.365
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000001ec
process_identifier: 2240
failed 0 0
1619923459.396
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000001ec
process_identifier: 648
failed 0 0
1619923459.396
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000001ec
process_identifier: 648
failed 0 0
1619923460.506
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923460.521
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923461.553
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923461.553
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923461.584
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923462.646
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923462.693
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923462.725
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923463.756
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923463.771
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923463.787
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923464.803
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923464.818
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923464.818
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923465.881
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923465.896
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923465.896
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923467.021
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923467.037
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923467.053
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923468.1
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923468.115
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923468.131
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923469.162
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923469.178
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923469.193
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923470.225
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923470.24
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923470.256
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923471.271
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923471.287
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923471.303
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923472.318
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923472.35
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923472.365
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923473.381
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923473.396
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923473.412
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923474.428
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923474.443
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923474.443
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923475.459
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923475.475
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923475.49
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
1619923476.537
Process32NextW
process_name: explorer.exe
snapshot_handle: 0x000001f4
process_identifier: 920
failed 0 0
Terminates another process (1 event)
Time & API Arguments Status Return Repeated
1619910874.487241
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1632
process_handle: 0x00000338
failed 0 0
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: 412f8f4af128c5936d9de1bcdcd7c251b3f10095
buffer Buffer with sha1: 991ed24bd2007fd182683a5fb11de7ece000f55b
Communicates with a host for which no DNS query was performed (2 events)
host 149.28.115.223
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619910862.190241
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 1417216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002dc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Attempts to identify installed AV products by installation directory (2 events)
file C:\Program Files\AVAST Software
file C:\Program Files (x86)\AVAST Software
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$wz$ck.lnk
Potential code injection by writing to the memory of another process (3 events)
Time & API Arguments Status Return Repeated
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞX‰œš9çϚ9çϚ9çÏY6¸Ï›9çϓAcϛ9çϓAtφ9çϚ9æÏx9çÏY6ºÏ™9çϽÿŠÏ›9çϽÿ‰Ï™9çϟ5èϛ9çϓAdϙ9çÏ PîÎè9çÏ Pϛ9çÏ PåΛ9çÏRichš9çÏPELDáh^à 2[P@ @…L‚@p,p(ЀPP.textþ12 `.rdatadDPF6@@.datax’ H|@À.rsrcp,@.Ä@@.reloc(pò@B.bss@@
process_handle: 0x000002dc
base_address: 0x00400000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer: 2¡~c÷¢×°ü‰{g¦=œbŏÑÓwö© ya Â*ì Ó¡Á»~Dh ´¤¿jŽ_=AqTÙ$ „¼°Eܚρ«‚}£†«M“¢ãVb)ó_§†jB›§¶R,4V{®ÉL/:gqü¿i‹/ü|CëOñCöԃʼn%£ª
process_handle: 0x000002dc
base_address: 0x00559000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer: @
process_handle: 0x000002dc
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞX‰œš9çϚ9çϚ9çÏY6¸Ï›9çϓAcϛ9çϓAtφ9çϚ9æÏx9çÏY6ºÏ™9çϽÿŠÏ›9çϽÿ‰Ï™9çϟ5èϛ9çϓAdϙ9çÏ PîÎè9çÏ Pϛ9çÏ PåΛ9çÏRichš9çÏPELDáh^à 2[P@ @…L‚@p,p(ЀPP.textþ12 `.rdatadDPF6@@.datax’ H|@À.rsrcp,@.Ä@@.reloc(pò@B.bss@@
process_handle: 0x000002dc
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection: process 1632 called NtSetContextThread to modify a thread in remote process 1320
Time & API Arguments Status Return Repeated
1619910862.190241
NtSetContextThread
thread_handle: 0x000004a0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217619
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1320
success 0 0
Expresses interest in specific running processes (1 event)
process: potential process injection target explorer.exe
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\:Zone.Identifier
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection: process 1632 resumed a thread in remote process 1320
Time & API Arguments Status Return Repeated
1619910862.596241
NtResumeThread
thread_handle: 0x000004a0
suspend_count: 1
process_identifier: 1320
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 149.28.115.223:3404
Executed a process and injected code into it, probably while unpacking (19 events)
Time & API Arguments Status Return Repeated
1619910850.799241
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1632
success 0 0
1619910850.831241
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1632
success 0 0
1619910850.877241
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 1632
success 0 0
1619910859.018241
NtResumeThread
thread_handle: 0x00000264
suspend_count: 1
process_identifier: 1632
success 0 0
1619910859.159241
NtResumeThread
thread_handle: 0x000002dc
suspend_count: 1
process_identifier: 1632
success 0 0
1619910862.002241
NtResumeThread
thread_handle: 0x00000498
suspend_count: 1
process_identifier: 1632
success 0 0
1619910862.174241
CreateProcessInternalW
thread_identifier: 624
thread_handle: 0x000004a0
process_identifier: 1320
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d102d5c8bf9fa5a0034fcfdc759d5f01.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d102d5c8bf9fa5a0034fcfdc759d5f01.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d102d5c8bf9fa5a0034fcfdc759d5f01.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000002dc
inherit_handles: 0
success 1 0
1619910862.190241
NtGetContextThread
thread_handle: 0x000004a0
success 0 0
1619910862.190241
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 1417216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002dc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞX‰œš9çϚ9çϚ9çÏY6¸Ï›9çϓAcϛ9çϓAtφ9çϚ9æÏx9çÏY6ºÏ™9çϽÿŠÏ›9çϽÿ‰Ï™9çϟ5èϛ9çϓAdϙ9çÏ PîÎè9çÏ Pϛ9çÏ PåΛ9çÏRichš9çÏPELDáh^à 2[P@ @…L‚@p,p(ЀPP.textþ12 `.rdatadDPF6@@.datax’ H|@À.rsrcp,@.Ä@@.reloc(pò@B.bss@@
process_handle: 0x000002dc
base_address: 0x00400000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer:
process_handle: 0x000002dc
base_address: 0x00401000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer:
process_handle: 0x000002dc
base_address: 0x00415000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer:
process_handle: 0x000002dc
base_address: 0x0041a000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer:
process_handle: 0x000002dc
base_address: 0x00554000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer:
process_handle: 0x000002dc
base_address: 0x00557000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer: 2¡~c÷¢×°ü‰{g¦=œbŏÑÓwö© ya Â*ì Ó¡Á»~Dh ´¤¿jŽ_=AqTÙ$ „¼°Eܚρ«‚}£†«M“¢ãVb)ó_§†jB›§¶R,4V{®ÉL/:gqü¿i‹/ü|CëOñCöԃʼn%£ª
process_handle: 0x000002dc
base_address: 0x00559000
success 1 0
1619910862.190241
WriteProcessMemory
process_identifier: 1320
buffer: @
process_handle: 0x000002dc
base_address: 0x7efde008
success 1 0
1619910862.190241
NtSetContextThread
thread_handle: 0x000004a0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217619
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1320
success 0 0
1619910862.596241
NtResumeThread
thread_handle: 0x000004a0
suspend_count: 1
process_identifier: 1320
success 0 0
File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Siggen2.49342
MicroWorld-eScan Trojan.MSIL.Basic.7.Gen
FireEye Generic.mg.d102d5c8bf9fa5a0
McAfee Artemis!D102D5C8BF9F
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.MSIL.AveMaria.gen
Alibaba TrojanSpy:MSIL/AveMaria.a29b6526
Cybereason malicious.8bf9fa
Arcabit Trojan.MSIL.Basic.7.Gen
BitDefenderTheta Gen:NN.ZemsilF.34590.um0@aWWQDo
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Generik.GJUIYTJ
APEX Malicious
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan-Spy.MSIL.AveMaria.gen
BitDefender Trojan.MSIL.Basic.7.Gen
Paloalto generic.ml
Ad-Aware Trojan.MSIL.Basic.7.Gen
Sophos Mal/Generic-S
Comodo Malware@#1ukmzazk22xc9
F-Secure Trojan.TR/AD.MortyStealer.bxbli
Zillya Trojan.AveMaria.Win32.538
McAfee-GW-Edition Artemis!Trojan
Emsisoft Trojan.MSIL.Basic.7.Gen (B)
Jiangmin TrojanSpy.MSIL.aqne
MaxSecure Trojan.Malware.74161614.susgen
Avira TR/AD.MortyStealer.bxbli
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Gen.ba
Microsoft Trojan:Win32/AgentTesla!ml
ZoneAlarm HEUR:Trojan-Spy.MSIL.AveMaria.gen
GData Trojan.MSIL.Basic.7.Gen
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Stealer.C4109116
VBA32 TScope.Trojan.MSIL
ALYac Trojan.MSIL.Basic.7.Gen
MAX malware (ai score=100)
Malwarebytes Backdoor.AveMaria
Rising Spyware.AveMaria!8.108C2 (CLOUD)
Ikarus Trojan.MortyStealer
Fortinet MSIL/AveMaria.GJUIYTJ!tr
Webroot W32.Trojan.Gen
AVG Win32:Malware-gen
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Generic/HEUR/QVM03.0.7622.Malware.Gen
Visual Analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2020-05-24 05:04:09

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.