9.0
极危
51 个模型检测该样本为恶意!
重新分析
更多

87257a8478febca687e205af4d5fe832c8de27f257c8201879e7556b61da9f92

d1a4fefe8b2d9a2b7634518154a4fb6c.exe

分析耗时

85s

最近分析

文件大小

687.5KB
静态报毒 动态报毒 100% AGENTTESLA AI SCORE=89 CLOUD CONFIDENCE DOWNLOADER34 ELDORADO FAREIT GDSDA GENERICKDZ HIGH CONFIDENCE HRBVUQ KRYPTIK MALICIOUS PE MASSLOGGER QM0@ASTUA R002C0PH820 R347247 SCORE SUSGEN TROJANX UNCLASSIFIEDMALWARE@0 UNSAFE URSU VIHCF WQMM ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FVT!D1A4FEFE8B2D 20200817 6.0.6.653
Alibaba Trojan:MSIL/AgentTesla.b463ef98 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20200817 18.4.3895.0
Tencent Win32.Trojan.Generic.Wqmm 20200817 1.0.0.1
Kingsoft 20200817 2013.8.14.323
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1619931663.753001
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619931663.753001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (5 个事件)
Time & API Arguments Status Return Repeated
1619910852.967008
IsDebuggerPresent
failed 0 0
1619910902.639008
IsDebuggerPresent
failed 0 0
1619910903.139008
IsDebuggerPresent
failed 0 0
1619931663.049501
IsDebuggerPresent
failed 0 0
1619931663.189501
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619910895.858008
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 95 个事件)
Time & API Arguments Status Return Repeated
1619910852.092008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005e0000
success 0 0
1619910852.092008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006f0000
success 0 0
1619910852.655008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619910852.983008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619910852.983008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619910852.983008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00422000
success 0 0
1619910853.249008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00542000
success 0 0
1619910853.327008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00543000
success 0 0
1619910853.342008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0057b000
success 0 0
1619910853.342008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00577000
success 0 0
1619910853.374008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054c000
success 0 0
1619910853.780008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00544000
success 0 0
1619910853.780008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00545000
success 0 0
1619910853.842008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00546000
success 0 0
1619910853.842008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b40000
success 0 0
1619910853.920008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055a000
success 0 0
1619910853.920008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619910853.936008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056a000
success 0 0
1619910853.952008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042b000
success 0 0
1619910854.280008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00556000
success 0 0
1619910854.280008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054a000
success 0 0
1619910854.436008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00562000
success 0 0
1619910854.483008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00575000
success 0 0
1619910854.561008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b41000
success 0 0
1619910854.608008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00547000
success 0 0
1619910895.702008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b42000
success 0 0
1619910895.733008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a20000
success 0 0
1619910895.733008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006f1000
success 0 0
1619910895.827008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b43000
success 0 0
1619910895.874008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056c000
success 0 0
1619910895.905008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b44000
success 0 0
1619910895.983008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00548000
success 0 0
1619910896.014008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b45000
success 0 0
1619910896.155008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 325632
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e10400
failed 3221225550 0
1619910901.936008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00549000
success 0 0
1619910901.936008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b47000
success 0 0
1619910901.952008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b48000
success 0 0
1619910901.967008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b49000
success 0 0
1619910902.045008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4a000
success 0 0
1619910902.420008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4b000
success 0 0
1619910902.452008
NtAllocateVirtualMemory
process_identifier: 580
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4c000
success 0 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e10178
failed 3221225550 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e101a0
failed 3221225550 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e101c8
failed 3221225550 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e101f0
failed 3221225550 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e10218
failed 3221225550 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e6051e
failed 3221225550 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e60512
failed 3221225550 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 72
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e5fc00
failed 3221225550 0
1619910902.452008
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04e6052c
failed 3221225550 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.930571981693214 section {'size_of_data': '0x00076a00', 'virtual_address': '0x00002000', 'entropy': 7.930571981693214, 'name': '.text', 'virtual_size': '0x00076958'} description A section with a high entropy has been found
entropy 0.6906841339155749 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619910896.139008
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619910903.170008
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2968
process_handle: 0x00011478
failed 0 0
1619910903.170008
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2968
process_handle: 0x00011478
success 0 0
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 58.63.233.69
Allocates execute permission to another process indicative of possible code injection (2 个事件)
Time & API Arguments Status Return Repeated
1619910902.905008
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000f514
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910903.295008
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000cc2c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Manipulates memory of a non-child process indicative of process injection (2 个事件)
Process injection Process 580 manipulating memory of non-child process 2968
Time & API Arguments Status Return Repeated
1619910902.905008
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000f514
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELw-_à  &ÎD `@  @…€DK`°€  H.textÔ$ & `.rsrc°`(@@.reloc €.@B
process_handle: 0x0000cc2c
base_address: 0x00400000
success 1 0
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer:  €P€8€€h€ `$Äcê$4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°„StringFileInfo`000004b0 CommentsHi(CompanyNameHi0FileDescriptionHi,FileVersion1.0.8XInternalNameQppjppSJpBsZtMayLBJUCc.exe,LegalCopyrightHi0LegalTrademarksHi`OriginalFilenameQppjppSJpBsZtMayLBJUCc.exe(ProductNameHi0ProductVersion1.0.88Assembly Version1.0.8.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000cc2c
base_address: 0x00456000
success 1 0
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer: @ Ð4
process_handle: 0x0000cc2c
base_address: 0x00458000
success 1 0
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer: @
process_handle: 0x0000cc2c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELw-_à  &ÎD `@  @…€DK`°€  H.textÔ$ & `.rsrc°`(@@.reloc €.@B
process_handle: 0x0000cc2c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 580 called NtSetContextThread to modify thread in remote process 2412
Time & API Arguments Status Return Repeated
1619910903.295008
NtSetContextThread
thread_handle: 0x00011478
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4539598
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2412
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 580 resumed a thread in remote process 2412
Time & API Arguments Status Return Repeated
1619910903.514008
NtResumeThread
thread_handle: 0x00011478
suspend_count: 1
process_identifier: 2412
success 0 0
Executed a process and injected code into it, probably while unpacking (21 个事件)
Time & API Arguments Status Return Repeated
1619910852.967008
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 580
success 0 0
1619910853.045008
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 580
success 0 0
1619910902.592008
NtResumeThread
thread_handle: 0x000108fc
suspend_count: 1
process_identifier: 580
success 0 0
1619910902.608008
NtResumeThread
thread_handle: 0x00009f9c
suspend_count: 1
process_identifier: 580
success 0 0
1619910902.905008
CreateProcessInternalW
thread_identifier: 2944
thread_handle: 0x00010904
process_identifier: 2968
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000f514
inherit_handles: 0
success 1 0
1619910902.905008
NtGetContextThread
thread_handle: 0x00010904
success 0 0
1619910902.905008
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000f514
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910903.295008
CreateProcessInternalW
thread_identifier: 2840
thread_handle: 0x00011478
process_identifier: 2412
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000cc2c
inherit_handles: 0
success 1 0
1619910903.295008
NtGetContextThread
thread_handle: 0x00011478
success 0 0
1619910903.295008
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000cc2c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELw-_à  &ÎD `@  @…€DK`°€  H.textÔ$ & `.rsrc°`(@@.reloc €.@B
process_handle: 0x0000cc2c
base_address: 0x00400000
success 1 0
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer:
process_handle: 0x0000cc2c
base_address: 0x00402000
success 1 0
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer:  €P€8€€h€ `$Äcê$4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°„StringFileInfo`000004b0 CommentsHi(CompanyNameHi0FileDescriptionHi,FileVersion1.0.8XInternalNameQppjppSJpBsZtMayLBJUCc.exe,LegalCopyrightHi0LegalTrademarksHi`OriginalFilenameQppjppSJpBsZtMayLBJUCc.exe(ProductNameHi0ProductVersion1.0.88Assembly Version1.0.8.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000cc2c
base_address: 0x00456000
success 1 0
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer: @ Ð4
process_handle: 0x0000cc2c
base_address: 0x00458000
success 1 0
1619910903.295008
WriteProcessMemory
process_identifier: 2412
buffer: @
process_handle: 0x0000cc2c
base_address: 0x7efde008
success 1 0
1619910903.295008
NtSetContextThread
thread_handle: 0x00011478
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4539598
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2412
success 0 0
1619910903.514008
NtResumeThread
thread_handle: 0x00011478
suspend_count: 1
process_identifier: 2412
success 0 0
1619931663.049501
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2412
success 0 0
1619931663.111501
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2412
success 0 0
1619931663.345501
CreateProcessInternalW
thread_identifier: 2292
thread_handle: 0x000001b0
process_identifier: 1300
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
track: 1
command_line: dw20.exe -x -s 404
filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe
stack_pivoted: 0
creation_flags: 0 ()
process_handle: 0x000001ac
inherit_handles: 1
success 1 0
1619931663.768001
NtResumeThread
thread_handle: 0x000000bc
suspend_count: 1
process_identifier: 1300
success 0 0
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69306
FireEye Generic.mg.d1a4fefe8b2d9a2b
McAfee Fareit-FVT!D1A4FEFE8B2D
Cylance Unsafe
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:MSIL/AgentTesla.b463ef98
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_100% (W)
Invincea heuristic
BitDefenderTheta Gen:NN.ZemsilF.34152.Qm0@aSTua!n
F-Prot W32/Ursu.DF.gen!Eldorado
Symantec Trojan Horse
APEX Malicious
GData Trojan.GenericKDZ.69306
BitDefender Trojan.GenericKDZ.69306
NANO-Antivirus Trojan.Win32.Kryptik.hrbvuq
ViRobot Trojan.Win32.Z.Ursu.704000.B
Avast Win32:TrojanX-gen [Trj]
Tencent Win32.Trojan.Generic.Wqmm
Ad-Aware Trojan.GenericKDZ.69306
Comodo .UnclassifiedMalware@0
F-Secure Trojan.TR/Kryptik.vihcf
DrWeb Trojan.DownLoader34.18893
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0PH820
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Cyren W32/Ursu.DF.gen!Eldorado
Avira TR/Kryptik.vihcf
Antiy-AVL Trojan/MSIL.Kryptik
Arcabit Trojan.Generic.D10EBA
AegisLab Trojan.Win32.Malicious.4!c
Microsoft Trojan:MSIL/AgentTesla.VN!MTB
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.MSIL.R347247
ALYac Trojan.GenericKDZ.69306
MAX malware (ai score=89)
Malwarebytes Backdoor.Agent.PDL
ESET-NOD32 a variant of MSIL/Kryptik.XHF
TrendMicro-HouseCall TROJ_GEN.R002C0PH820
Rising Trojan.Kryptik!8.8 (CLOUD)
Ikarus Trojan-Spy.MassLogger
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/Kryptik.4462!tr
MaxSecure Trojan.Malware.104688499.susgen
AVG Win32:TrojanX-gen [Trj]
Cybereason malicious.e8b2d9
Panda Trj/GdSda.A
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-08 02:52:01

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62196 239.255.255.250 1900
192.168.56.101 62198 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.