4.6
中危
该样本未表现出任何异常!
重新分析
更多

fd3892a1b6b98137c3aad1de223c125cea178fd6b82ebaf8c0b0d435c905e680

d65bedc2c496e1fecbd9430355eedfea.exe

分析耗时

33s

最近分析

文件大小

534.0KB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1620985530.603979
__exception__
stacktrace: 
d65bedc2c496e1fecbd9430355eedfea+0x5543a @ 0x45543a
d65bedc2c496e1fecbd9430355eedfea+0x3bb7 @ 0x403bb7
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637896
registers.edi: 4543596
registers.eax: 0
registers.ebp: 1638208
registers.edx: 2130566132
registers.ebx: 21
registers.esi: 1638204
registers.ecx: 2005871740
exception.instruction_r: f7 f0 90 90 3d f7 98 00 00 90 74 05 90 90 89 45
exception.symbol: d65bedc2c496e1fecbd9430355eedfea+0x5539c
exception.instruction: div eax
exception.module: d65bedc2c496e1fecbd9430355eedfea.exe
exception.exception_code: 0xc0000094
exception.offset: 349084
exception.address: 0x45539c
success 0 0
1621012952.612626
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
d65bedc2c496e1fecbd9430355eedfea+0x643f8 @ 0x4643f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdd114ad
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (27 个事件)
Time & API Arguments Status Return Repeated
1620985518.103979
NtAllocateVirtualMemory
process_identifier: 1564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1620985530.603979
NtAllocateVirtualMemory
process_identifier: 1564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004f0000
success 0 0
1621012952.049626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1621012952.112626
NtAllocateVirtualMemory
process_identifier: 1060
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a30000
success 0 0
1621012952.112626
NtAllocateVirtualMemory
process_identifier: 1060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a70000
success 0 0
1621012952.112626
NtAllocateVirtualMemory
process_identifier: 1060
region_size: 376832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00880000
success 0 0
1621012952.112626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 348160
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00882000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.565626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1621012952.580626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.580626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1621012952.580626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.580626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1621012952.580626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.580626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1621012952.580626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x007b2000
success 0 0
1621012952.580626
NtProtectVirtualMemory
process_identifier: 1060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.8468047142106965 section {'size_of_data': '0x00083c00', 'virtual_address': '0x00045000', 'entropy': 7.8468047142106965, 'name': 'UPX1', 'virtual_size': '0x00084000'} description A section with a high entropy has been found
entropy 0.9887429643527205 description Overall entropy of this PE file is high
The executable is compressed using UPX (2 个事件)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 117.18.232.200
host 13.227.250.142
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 1564 called NtSetContextThread to modify thread in remote process 1060
Time & API Arguments Status Return Repeated
1620985531.321979
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4992128
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1060
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 1564 resumed a thread in remote process 1060
Time & API Arguments Status Return Repeated
1620985531.759979
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 1060
success 0 0
Executed a process and injected code into it, probably while unpacking (7 个事件)
Time & API Arguments Status Return Repeated
1620985531.212979
CreateProcessInternalW
thread_identifier: 732
thread_handle: 0x000000f8
process_identifier: 1060
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d65bedc2c496e1fecbd9430355eedfea.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620985531.212979
NtGetContextThread
thread_handle: 0x000000f8
success 0 0
1620985531.212979
NtUnmapViewOfSection
process_identifier: 1060
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620985531.212979
NtMapViewOfSection
section_handle: 0x00000104
process_identifier: 1060
commit_size: 802816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 802816
base_address: 0x00400000
success 0 0
1620985531.306979
NtMapViewOfSection
section_handle: 0x00000100
process_identifier: 1060
commit_size: 4096
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 4096
base_address: 0x001e0000
success 0 0
1620985531.321979
NtSetContextThread
thread_handle: 0x000000f8
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4992128
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1060
success 0 0
1620985531.759979
NtResumeThread
thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 1060
success 0 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-05-26 02:16:10

Imports

Library KERNEL32.DLL:
0x4ca688 LoadLibraryA
0x4ca68c GetProcAddress
0x4ca690 VirtualProtect
0x4ca694 VirtualAlloc
0x4ca698 VirtualFree
0x4ca69c ExitProcess
Library advapi32.dll:
0x4ca6a4 RegCloseKey
Library comctl32.dll:
0x4ca6ac ImageList_Add
Library comdlg32.dll:
0x4ca6b4 GetOpenFileNameA
Library gdi32.dll:
0x4ca6bc SaveDC
Library oleaut32.dll:
0x4ca6c4 VariantCopy
Library user32.dll:
0x4ca6cc GetDC
Library version.dll:
0x4ca6d4 VerQueryValueA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
117.18.232.200 80 192.168.56.101 49179

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62196 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.