SmartHawk

7.8

高危

55 个模型检测该样本为恶意！

重新分析

下载样本

1e8315d8e46e1d98697dca99d93efd602cb81e57aa6a1271ddf057a68fb44aeb

d724f44df04d18690cf4997ff61c7e27.exe

分析耗时

75s

最近分析

文件大小

777.0KB

静态报毒动态报毒 100% AI SCORE=89 ATTRIBUTE CLOUD CONFIDENCE ELDORADO FAREIT HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HQZZTN KRYPTIK MALICIOUS PE MALWAREX MASSLOGGER MSILPERSEUS NANOCORE PACKEDNET QFQFN R06BC0WH720 R347092 SCORE SKEEYAH UNCLASSIFIEDMALWARE@0 UNSAFE URSU WM0@AQPAXGD ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Kryptik.0705eaf4	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:MalwareX-gen [Trj]	20200817	18.4.3895.0
Tencent		20200817	1.0.0.1
Kingsoft		20200817	2013.8.14.323
McAfee	Fareit-FXH!D724F44DF04D	20200817	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (6 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948418.564567 IsDebuggerPresent		failed	0	0
1619948418.579567 IsDebuggerPresent		failed	0	0
1619948467.548567 IsDebuggerPresent		failed	0	0
1619948468.064567 IsDebuggerPresent		failed	0	0
1619979052.869501 IsDebuggerPresent		failed	0	0
1619979052.885501 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948418.642567 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 131 个事件)

Time & API	Arguments	Status	Return
1619948417.657567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x007c0000	success	0
1619948417.657567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008c0000	success	0
1619948418.173567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02020000	success	0
1619948418.173567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x020d0000	success	0
1619948418.329567 NtProtectVirtualMemory	process_identifier: 1464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619948418.564567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02110000	success	0
1619948418.564567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02250000	success	0
1619948418.579567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005fa000	success	0
1619948418.595567 NtProtectVirtualMemory	process_identifier: 1464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619948418.595567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f2000	success	0
1619948418.985567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00602000	success	0
1619948419.095567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00665000	success	0
1619948419.095567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0066b000	success	0
1619948419.095567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00667000	success	0
1619948419.173567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00603000	success	0
1619948419.189567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060c000	success	0
1619948419.251567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00800000	success	0
1619948419.626567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00604000	success	0
1619948419.626567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00606000	success	0
1619948419.720567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00607000	success	0
1619948419.720567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00608000	success	0
1619948419.735567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00801000	success	0
1619948419.782567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0065a000	success	0
1619948419.782567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00657000	success	0
1619948419.892567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00656000	success	0
1619948419.939567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00802000	success	0
1619948420.157567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060a000	success	0
1619948420.235567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00609000	success	0
1619948420.282567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02030000	success	0
1619948420.314567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00807000	success	0
1619948420.329567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00808000	success	0
1619948420.517567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080a000	success	0
1619948420.595567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02031000	success	0
1619948420.657567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02032000	success	0
1619948420.689567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080b000	success	0
1619948420.735567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02033000	success	0
1619948420.751567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080c000	success	0
1619948420.767567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080f000	success	0
1619948420.767567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060d000	success	0
1619948461.782567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02034000	success	0
1619948461.782567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x049d0000	success	0
1619948461.798567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x020d1000	success	0
1619948461.876567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x049d1000	success	0
1619948461.892567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x049d2000	success	0
1619948461.985567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005fc000	success	0
1619948462.048567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x049d3000	success	0
1619948462.064567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02035000	success	0
1619948462.079567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x049d4000	success	0
1619948462.173567 NtProtectVirtualMemory	process_identifier: 1464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 271872 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04f70400	failed	3221225550
1619948466.767567 NtAllocateVirtualMemory	process_identifier: 1464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x049d5000	success	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.62351966555659

section

{'size_of_data': '0x0008ce00', 'virtual_address': '0x00002000', 'entropy': 7.62351966555659, 'name': '.text', 'virtual_size': '0x0008cc94'}

description

A section with a high entropy has been found

entropy

0.7256922086284611

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948462.157567 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948468.032567 NtAllocateVirtualMemory	process_identifier: 2120 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000f128 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619948468.032567 WriteProcessMemory	process_identifier: 2120 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL½´"_àVt @ À@DtWÀ H.text¤T V `.rsrcÀX@@.reloc ^@B process_handle: 0x0000f128 base_address: 0x00400000	success	1
1619948468.048567 WriteProcessMemory	process_identifier: 2120 buffer: P8h 4Ôê44VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfop000004b0 CommentsHi(CompanyNameHi0FileDescriptionHi,FileVersion1.4.8`InternalNamebZyhSGIBFekodKJBtyKjdSdpIg.exe,LegalCopyrightHi0LegalTrademarksHihOriginalFilenamebZyhSGIBFekodKJBtyKjdSdpIg.exe(ProductNameHi0ProductVersion1.4.88Assembly Version1.4.8.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x0000f128 base_address: 0x00448000	success	1
1619948468.048567 WriteProcessMemory	process_identifier: 2120 buffer: p 4 process_handle: 0x0000f128 base_address: 0x0044a000	success	1
1619948468.048567 WriteProcessMemory	process_identifier: 2120 buffer: @ process_handle: 0x0000f128 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948468.032567 WriteProcessMemory	process_identifier: 2120 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL½´"_àVt @ À@DtWÀ H.text¤T V `.rsrcÀX@@.reloc ^@B process_handle: 0x0000f128 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1464 called NtSetContextThread to modify thread in remote process 2120
1619948468.048567 NtSetContextThread	thread_handle: 0x0000b298 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486302 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2120	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1464 resumed a thread in remote process 2120
1619948468.298567 NtResumeThread	thread_handle: 0x0000b298 suspend_count: 1 process_identifier: 2120	success	0	0

Executed a process and injected code into it, probably while unpacking (18 个事件)

Time & API	Arguments	Status	Return
1619948418.579567 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1464	success	0
1619948418.610567 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 1464	success	0
1619948418.657567 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 1464	success	0
1619948467.517567 NtResumeThread	thread_handle: 0x00004ac0 suspend_count: 1 process_identifier: 1464	success	0
1619948467.532567 NtResumeThread	thread_handle: 0x0000d2d4 suspend_count: 1 process_identifier: 1464	success	0
1619948468.032567 CreateProcessInternalW	thread_identifier: 2956 thread_handle: 0x0000b298 process_identifier: 2120 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000f128 inherit_handles: 0	success	1
1619948468.032567 NtGetContextThread	thread_handle: 0x0000b298	success	0
1619948468.032567 NtAllocateVirtualMemory	process_identifier: 2120 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000f128 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619948468.032567 WriteProcessMemory	process_identifier: 2120 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL½´"_àVt @ À@DtWÀ H.text¤T V `.rsrcÀX@@.reloc ^@B process_handle: 0x0000f128 base_address: 0x00400000	success	1
1619948468.032567 WriteProcessMemory	process_identifier: 2120 buffer: process_handle: 0x0000f128 base_address: 0x00402000	success	1
1619948468.048567 WriteProcessMemory	process_identifier: 2120 buffer: P8h 4Ôê44VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfop000004b0 CommentsHi(CompanyNameHi0FileDescriptionHi,FileVersion1.4.8`InternalNamebZyhSGIBFekodKJBtyKjdSdpIg.exe,LegalCopyrightHi0LegalTrademarksHihOriginalFilenamebZyhSGIBFekodKJBtyKjdSdpIg.exe(ProductNameHi0ProductVersion1.4.88Assembly Version1.4.8.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x0000f128 base_address: 0x00448000	success	1
1619948468.048567 WriteProcessMemory	process_identifier: 2120 buffer: p 4 process_handle: 0x0000f128 base_address: 0x0044a000	success	1
1619948468.048567 WriteProcessMemory	process_identifier: 2120 buffer: @ process_handle: 0x0000f128 base_address: 0x7efde008	success	1
1619948468.048567 NtSetContextThread	thread_handle: 0x0000b298 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4486302 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2120	success	0
1619948468.298567 NtResumeThread	thread_handle: 0x0000b298 suspend_count: 1 process_identifier: 2120	success	0
1619979052.885501 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2120	success	0
1619979052.916501 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2120	success	0
1619979052.994501 NtResumeThread	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2120	success	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILPerseus.227705
FireEye	Generic.mg.d724f44df04d1869
CAT-QuickHeal	Trojan.MSIL
ALYac	Gen:Variant.MSILPerseus.227705
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2356065
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c20e1 )
Alibaba	Trojan:Win32/Kryptik.0705eaf4
K7GW	Trojan ( 0056c20e1 )
Cybereason	malicious.df04d1
F-Prot	W32/Ursu.DF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Dropper.Nanocore-9248945-0
GData	Gen:Variant.MSILPerseus.227705
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Gen:Variant.MSILPerseus.227705
NANO-Antivirus	Trojan.Win32.Crypt.hqzztn
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Ursu.795648
Ad-Aware	Gen:Variant.MSILPerseus.227705
Comodo	.UnclassifiedMalware@0
F-Secure	Trojan.TR/Kryptik.qfqfn
DrWeb	Trojan.PackedNET.405
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R06BC0WH720
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Cyren	W32/Ursu.DF.gen!Eldorado
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.qfqfn
Antiy-AVL	Trojan/Win32.Generic
Arcabit	Trojan.MSILPerseus.D37979
AegisLab	Trojan.MSIL.Crypt.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
Microsoft	Trojan:Win32/Skeeyah.A!rfn
AhnLab-V3	Trojan/Win32.MSIL.R347092
McAfee	Fareit-FXH!D724F44DF04D
MAX	malware (ai score=89)
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Backdoor.Agent.PDL
ESET-NOD32	a variant of MSIL/Kryptik.XGH
TrendMicro-HouseCall	TROJ_GEN.R06BC0WH720
Rising	Trojan.Crypt!8.2E3 (CLOUD)
Ikarus	Trojan-Spy.MassLogger
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/Kryptik.XFP!tr

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-06 11:50:37

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.