Score: 9.4 (Critical)

Hash (SHA-256): f46ea866a034694bb34ddd4207ae960a5e43390ca9f9ad58daf4d14c42dbbc79

File name: d638058854e4c346a0d7479951e2dbd3.exe

Analysis duration: 35s

Latest analysis:

File size: 406.0KB
Static detection: flagged as malicious | Dynamic detection: flagged as malicious
Tags: 100% AGENTTESLA AI SCORE=83 BTOYYD CONFIDENCE CRYPTERX CYJA ELDORADO FSJJ GDSDA HIGH CONFIDENCE IGENT JQERK KRYPT KRYPTIK MALICIOUS PE MALWARE@#1XCVJBHXJ2DVH MSILPERSEUS NANOBOT QVM03 R06EC0DIA20 R337637 REMCOS SCORE SIGGEN SIGGEN2 SOKO STATIC AI SUSGEN SWOTTER UNSAFE WPSY YAKBEEXMSIL
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee Trojan-FSJJ!D638058854E4 20201211 6.0.6.653
Alibaba TrojanSpy:MSIL/AgentTesla.e1e1db44 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:CrypterX-gen [Trj] 20201210 21.1.5827.0
Tencent Msil.Backdoor.Nanobot.Wpsy 20201211 1.0.0.1
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619921782.002502
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619921778.861
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619921782.986502
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\gZcaalA"。
console_handle: 0x00000007
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (47 events)
Time & API Arguments Status Return Repeated
1619921778.345
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00330000
success 0 0
1619921778.345
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00340000
success 0 0
1619921778.736
NtProtectVirtualMemory
process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619921778.861
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619921778.861
NtProtectVirtualMemory
process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619921778.861
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00422000
success 0 0
1619921779.064
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b2000
success 0 0
1619921779.158
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b3000
success 0 0
1619921779.174
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004eb000
success 0 0
1619921779.174
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e7000
success 0 0
1619921779.205
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004bc000
success 0 0
1619921779.564
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b4000
success 0 0
1619921779.58
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b5000
success 0 0
1619921779.611
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b6000
success 0 0
1619921779.627
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e0000
success 0 0
1619921779.72
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ca000
success 0 0
1619921779.72
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c7000
success 0 0
1619921779.736
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004da000
success 0 0
1619921779.767
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042b000
success 0 0
1619921779.83
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c6000
success 0 0
1619921779.892
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e1000
success 0 0
1619921780.252
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d2000
success 0 0
1619921780.314
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e5000
success 0 0
1619921780.564
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00341000
success 0 0
1619921780.674
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e4000
success 0 0
1619921780.674
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b7000
success 0 0
1619921780.689
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04bd0000
success 0 0
1619921780.689
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c80000
success 0 0
1619921780.689
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c81000
success 0 0
1619921780.72
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c82000
success 0 0
1619921780.736
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c83000
success 0 0
1619921780.736
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c84000
success 0 0
1619921780.736
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c85000
success 0 0
1619921780.736
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c88000
success 0 0
1619921780.736
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c8a000
success 0 0
1619921780.736
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c8d000
success 0 0
1619921780.736
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04c91000
success 0 0
1619921780.767
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b8000
success 0 0
1619921780.783
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e5000
success 0 0
1619921780.799
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04ca2000
success 0 0
1619921780.814
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e6000
success 0 0
1619921780.861
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d90000
success 0 0
1619921781.142
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d91000
success 0 0
1619921781.174
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ba000
success 0 0
1619921785.377
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e7000
success 0 0
1619921785.97
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00423000
success 0 0
1619921786.1745
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00910000
success 0 0
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\gZcaalA" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61D2.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZcaalA" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61D2.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619921781.689
ShellExecuteExW
parameters: /Create /TN "Updates\gZcaalA" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61D2.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.912505550986884 section {'size_of_data': '0x00064c00', 'virtual_address': '0x00002000', 'entropy': 7.912505550986884, 'name': '.text', 'virtual_size': '0x00064aa8'} description A section with a high entropy has been found
entropy 0.9938347718865598 description Overall entropy of this PE file is high
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\gZcaalA" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61D2.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZcaalA" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61D2.tmp"
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619921785.58
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 184320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000039c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61D2.tmp
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619921785.58
WriteProcessMemory
process_identifier: 2712
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂðW¢ì£W¢ì£W¢ì£8ÔG£¢ì£8Ôr£T¢ì£8Ôq£V¢ì£RichW¢ì£PEL·“Là  º°âÐ@Ð@.textT¸º `
process_handle: 0x0000039c
base_address: 0x00400000
success 1 0
1619921785.595
WriteProcessMemory
process_identifier: 2712
buffer: @
process_handle: 0x0000039c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619921785.58
WriteProcessMemory
process_identifier: 2712
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂðW¢ì£W¢ì£W¢ì£8ÔG£¢ì£8Ôr£T¢ì£8Ôq£V¢ì£RichW¢ì£PEL·“Là  º°âÐ@Ð@.textT¸º `
process_handle: 0x0000039c
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 3044 called NtSetContextThread to modify thread in remote process 2712
Time & API Arguments Status Return Repeated
1619921785.595
NtSetContextThread
thread_handle: 0x00000340
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4317872
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2712
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 3044 resumed a thread in remote process 2712
Time & API Arguments Status Return Repeated
1619921785.892
NtResumeThread
thread_handle: 0x00000340
suspend_count: 1
process_identifier: 2712
success 0 0
Executed a process and injected code into it, probably while unpacking (12 events)
Time & API Arguments Status Return Repeated
1619921778.861
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 3044
success 0 0
1619921778.908
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 3044
success 0 0
1619921781.064
NtResumeThread
thread_handle: 0x0000026c
suspend_count: 1
process_identifier: 3044
success 0 0
1619921781.689
CreateProcessInternalW
thread_identifier: 152
thread_handle: 0x0000034c
process_identifier: 2228
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZcaalA" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61D2.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000384
inherit_handles: 0
success 1 0
1619921785.533
CreateProcessInternalW
thread_identifier: 784
thread_handle: 0x00000340
process_identifier: 2712
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d638058854e4c346a0d7479951e2dbd3.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d638058854e4c346a0d7479951e2dbd3.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000039c
inherit_handles: 0
success 1 0
1619921785.58
NtGetContextThread
thread_handle: 0x00000340
success 0 0
1619921785.58
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 184320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000039c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619921785.58
WriteProcessMemory
process_identifier: 2712
buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÈº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂðW¢ì£W¢ì£W¢ì£8ÔG£¢ì£8Ôr£T¢ì£8Ôq£V¢ì£RichW¢ì£PEL·“Là  º°âÐ@Ð@.textT¸º `
process_handle: 0x0000039c
base_address: 0x00400000
success 1 0
1619921785.58
WriteProcessMemory
process_identifier: 2712
buffer:
process_handle: 0x0000039c
base_address: 0x00401000
success 1 0
1619921785.595
WriteProcessMemory
process_identifier: 2712
buffer: @
process_handle: 0x0000039c
base_address: 0x7efde008
success 1 0
1619921785.595
NtSetContextThread
thread_handle: 0x00000340
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4317872
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2712
success 0 0
1619921785.892
NtResumeThread
thread_handle: 0x00000340
suspend_count: 1
process_identifier: 2712
success 0 0
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)
Elastic malicious (high confidence)
MicroWorld-eScan Generic.Soko.1.B19C6F2C
FireEye Generic.mg.d638058854e4c346
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Trojan-FSJJ!D638058854E4
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005672541 )
Alibaba TrojanSpy:MSIL/AgentTesla.e1e1db44
K7GW Trojan ( 005672541 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.Soko.1.B19C6F2C
Cyren W32/MSIL_Kryptik.ASY.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:CrypterX-gen [Trj]
ClamAV Win.Packed.Msilperseus-7890616-0
Kaspersky HEUR:Backdoor.MSIL.NanoBot.gen
BitDefender Generic.Soko.1.B19C6F2C
Paloalto generic.ml
Ad-Aware Generic.Soko.1.B19C6F2C
Sophos Mal/Generic-S
Comodo Malware@#1xcvjbhxj2dvh
F-Secure Trojan.TR/AD.Swotter.jqerk
DrWeb Trojan.PWS.Siggen2.49161
TrendMicro TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Emsisoft Generic.Soko.1.B19C6F2C (B)
SentinelOne Static AI - Malicious PE
Jiangmin Backdoor.MSIL.cyja
Webroot W32.Trojan.Gen
Avira TR/AD.Swotter.jqerk
MAX malware (ai score=83)
Antiy-AVL Trojan[Backdoor]/MSIL.NanoBot
Microsoft TrojanSpy:MSIL/AgentTesla.SA!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Backdoor.MSIL.NanoBot.gen
GData Generic.Soko.1.B19C6F2C
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R337637
ALYac Generic.Soko.1.B19C6F2C
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.VZW
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Tencent Msil.Backdoor.Nanobot.Wpsy
Yandex Trojan.Igent.bTOyyd.1
Ikarus Trojan.MSIL.Krypt
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Siggen.9161!tr
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample was running

PE Compile Time

2020-05-21 09:38:07

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.