15.8
0-day

7e69a7faf816e90b60a9043118f59b3084def9f66bc69cb0c5ca8d59309acb82

d8cf7fecfdf7a96bd9038dd3e6e7d0a1.exe

Analysis duration

111s

Last analysis

File size

877.0KB
Static detections / Dynamic detections: 0NA103FD20 100% 2M0@AARIG@P AGENSLA AGENTTESLA AI SCORE=85 ATTRIBUTE AVSARHER BSIDR7 CNMM CONFIDENCE ELDORADO FAREIT GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HLCAWJ INJECTNET KRYPT KRYPTIK MALICIOUS PE MALWARE@#2A9BK6KJUDRTT PURWZ QQPASS QQROB S + TROJ SCORE STATIC AI TROJANPSW TROJANX TSCOPE UNSAFE WTXN YAKBEEXMSIL ZEMSILF
HawkEye engine (鹰眼引擎)
Not detected: no HawkEye engine result is available for this sample.
Static verdict
Anti-virus engines
Engine Result Scan date Engine version
McAfee Fareit-FUW!D8CF7FECFDF7 20201211 6.0.6.653
Baidu 20190318 1.0.0.2
Avast 20201210 21.1.5827.0
Alibaba TrojanPSW:MSIL/Agensla.f79bade3 20190527 0.3.0.5
Kingsoft 20201211 2017.9.26.565
Tencent Msil.Trojan-qqpass.Qqrob.Wtxn 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computer name (2 events)
Time & API Arguments Status Return Repeated
1619948456.751567
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619955237.715001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (50 out of 102 events)
Time & API Arguments Status Return Repeated
1619948411.282567
IsDebuggerPresent
failed 0 0
1619948411.282567
IsDebuggerPresent
failed 0 0
1619948412.267567
IsDebuggerPresent
failed 0 0
1619948412.751567
IsDebuggerPresent
failed 0 0
1619948413.282567
IsDebuggerPresent
failed 0 0
1619948413.751567
IsDebuggerPresent
failed 0 0
1619948414.282567
IsDebuggerPresent
failed 0 0
1619948414.751567
IsDebuggerPresent
failed 0 0
1619948415.282567
IsDebuggerPresent
failed 0 0
1619948415.751567
IsDebuggerPresent
failed 0 0
1619948416.282567
IsDebuggerPresent
failed 0 0
1619948416.751567
IsDebuggerPresent
failed 0 0
1619948417.282567
IsDebuggerPresent
failed 0 0
1619948417.751567
IsDebuggerPresent
failed 0 0
1619948418.282567
IsDebuggerPresent
failed 0 0
1619948418.751567
IsDebuggerPresent
failed 0 0
1619948419.282567
IsDebuggerPresent
failed 0 0
1619948419.751567
IsDebuggerPresent
failed 0 0
1619948420.282567
IsDebuggerPresent
failed 0 0
1619948420.751567
IsDebuggerPresent
failed 0 0
1619948421.282567
IsDebuggerPresent
failed 0 0
1619948421.751567
IsDebuggerPresent
failed 0 0
1619948422.282567
IsDebuggerPresent
failed 0 0
1619948422.751567
IsDebuggerPresent
failed 0 0
1619948423.282567
IsDebuggerPresent
failed 0 0
1619948423.751567
IsDebuggerPresent
failed 0 0
1619948424.282567
IsDebuggerPresent
failed 0 0
1619948424.751567
IsDebuggerPresent
failed 0 0
1619948425.282567
IsDebuggerPresent
failed 0 0
1619948425.751567
IsDebuggerPresent
failed 0 0
1619948426.282567
IsDebuggerPresent
failed 0 0
1619948426.751567
IsDebuggerPresent
failed 0 0
1619948427.282567
IsDebuggerPresent
failed 0 0
1619948427.751567
IsDebuggerPresent
failed 0 0
1619948428.282567
IsDebuggerPresent
failed 0 0
1619948428.751567
IsDebuggerPresent
failed 0 0
1619948429.282567
IsDebuggerPresent
failed 0 0
1619948429.751567
IsDebuggerPresent
failed 0 0
1619948430.282567
IsDebuggerPresent
failed 0 0
1619948430.751567
IsDebuggerPresent
failed 0 0
1619948431.282567
IsDebuggerPresent
failed 0 0
1619948431.751567
IsDebuggerPresent
failed 0 0
1619948432.282567
IsDebuggerPresent
failed 0 0
1619948432.751567
IsDebuggerPresent
failed 0 0
1619948433.282567
IsDebuggerPresent
failed 0 0
1619948433.751567
IsDebuggerPresent
failed 0 0
1619948434.282567
IsDebuggerPresent
failed 0 0
1619948434.751567
IsDebuggerPresent
failed 0 0
1619948435.282567
IsDebuggerPresent
failed 0 0
1619948435.751567
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619955238.512001
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\AOEwkQzimfZCfK"。
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (3 events)
Time & API Arguments Status Return Repeated
1619955241.809751
CryptExportKey
crypto_handle: 0x005fdb50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619955241.809751
CryptExportKey
crypto_handle: 0x005fdb50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619955241.840751
CryptExportKey
crypto_handle: 0x005fdc10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619948411.329567
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2067267929&cup2hreq=e6f1b64d20d14b48adcfd5eed852a799f49f0aeaa2201cd6e3a3f2603bbafb3e
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619926334&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ef6cde7380edfc09&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619926092&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:2067267929&cup2hreq=e6f1b64d20d14b48adcfd5eed852a799f49f0aeaa2201cd6e3a3f2603bbafb3e
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2067267929&cup2hreq=e6f1b64d20d14b48adcfd5eed852a799f49f0aeaa2201cd6e3a3f2603bbafb3e
Allocates read-write-execute memory (usually to unpack itself) (50 out of 400 events)
Time & API Arguments Status Return Repeated
1619948410.579567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x003e0000
success 0 0
1619948410.579567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00410000
success 0 0
1619948410.892567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005c0000
success 0 0
1619948410.892567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00600000
success 0 0
1619948411.048567
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619948411.282567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00b50000
success 0 0
1619948411.282567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d00000
success 0 0
1619948411.282567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ea000
success 0 0
1619948411.298567
NtProtectVirtualMemory
process_identifier: 2760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619948411.298567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e2000
success 0 0
1619948411.532567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f2000
success 0 0
1619948411.595567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00455000
success 0 0
1619948411.595567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0045b000
success 0 0
1619948411.595567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00457000
success 0 0
1619948411.688567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f3000
success 0 0
1619948411.704567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fc000
success 0 0
1619948411.767567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d0000
success 0 0
1619948411.892567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f4000
success 0 0
1619948412.235567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d1000
success 0 0
1619948412.251567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d4000
success 0 0
1619948412.282567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f5000
success 0 0
1619948412.282567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f6000
success 0 0
1619948412.298567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d5000
success 0 0
1619948412.407567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f7000
success 0 0
1619948412.438567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00406000
success 0 0
1619948412.454567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040a000
success 0 0
1619948412.454567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00407000
success 0 0
1619948412.470567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f8000
success 0 0
1619948412.501567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d6000
success 0 0
1619948412.532567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f9000
success 0 0
1619948412.548567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d7000
success 0 0
1619948445.813567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005da000
success 0 0
1619948446.063567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04d10000
success 0 0
1619948446.063567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d01000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d02000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d03000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d04000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d05000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d06000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d0a000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d1b000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d1d000
success 0 0
1619948446.079567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fd000
success 0 0
1619948446.095567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005db000
success 0 0
1619948446.110567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d20000
success 0 0
1619948446.126567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005dc000
success 0 0
1619948446.126567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d21000
success 0 0
1619948446.142567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04d11000
success 0 0
1619948446.204567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005dd000
success 0 0
1619948446.376567
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04d12000
success 0 0
A process attempted to delay the analysis task (1 event)
description d8cf7fecfdf7a96bd9038dd3e6e7d0a1.exe tried to sleep 139 seconds, actually delayed analysis time by 139 seconds
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AOEwkQzimfZCfK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8FF.tmp"
cmdline schtasks.exe /Create /TN "Updates\AOEwkQzimfZCfK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8FF.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619948457.782567
ShellExecuteExW
parameters: /Create /TN "Updates\AOEwkQzimfZCfK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8FF.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.967423340762669 section {'size_of_data': '0x000daa00', 'virtual_address': '0x00002000', 'entropy': 7.967423340762669, 'name': '.text', 'virtual_size': '0x000da864'} description A section with a high entropy has been found
entropy 0.9977181973759269 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619948412.017567
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619955241.325751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AOEwkQzimfZCfK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8FF.tmp"
cmdline schtasks.exe /Create /TN "Updates\AOEwkQzimfZCfK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8FF.tmp"
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619948460.438567
NtAllocateVirtualMemory
process_identifier: 2268
region_size: 729088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000418
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Checks the version of the BIOS, possibly for anti-virtualization (2 events)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Detects virtualization software with SCSI Disk Identifier trick(s) (1 event)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8FF.tmp
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619948460.438567
WriteProcessMemory
process_identifier: 2268
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL}ë ¦à 0¨ >Æ à @  @…ðÅ Kà 8  H.textD¦ ¨  `.rsrc8à ª @@.reloc ° @B
process_handle: 0x00000418
base_address: 0x00400000
success 1 0
1619948460.454567
WriteProcessMemory
process_identifier: 2268
buffer:  €8€P€h€€ à ¬äLã êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000418
base_address: 0x004ae000
success 1 0
1619948460.454567
WriteProcessMemory
process_identifier: 2268
buffer: À @6
process_handle: 0x00000418
base_address: 0x004b0000
success 1 0
1619948460.454567
WriteProcessMemory
process_identifier: 2268
buffer: @
process_handle: 0x00000418
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619948460.438567
WriteProcessMemory
process_identifier: 2268
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL}ë ¦à 0¨ >Æ à @  @…ðÅ Kà 8  H.textD¦ ¨  `.rsrc8à ª @@.reloc ° @B
process_handle: 0x00000418
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 2760 called NtSetContextThread to modify thread in remote process 2268
Time & API Arguments Status Return Repeated
1619948460.454567
NtSetContextThread
thread_handle: 0x0000031c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4900414
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2268
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2760 resumed a thread in remote process 2268
Time & API Arguments Status Return Repeated
1619948460.767567
NtResumeThread
thread_handle: 0x0000031c
suspend_count: 1
process_identifier: 2268
success 0 0
Detects VirtualBox through the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
Detects VMware through the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Detects the presence of the Wine emulator (1 event)
Time & API Arguments Status Return Repeated
1619948456.454567
LdrGetProcedureAddress
ordinal: 0
module: KERNEL32
module_address: 0x76340000
function_address: 0x0030d278
function_name: wine_get_unix_file_name
failed 3221225785 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.160.110:443
Executed a process and injected code into it, probably while unpacking (23 events)
Time & API Arguments Status Return Repeated
1619948411.282567
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2760
success 0 0
1619948411.313567
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2760
success 0 0
1619948411.376567
NtResumeThread
thread_handle: 0x0000012c
suspend_count: 1
process_identifier: 2760
success 0 0
1619948412.220567
NtResumeThread
thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2760
success 0 0
1619948412.251567
NtResumeThread
thread_handle: 0x00000210
suspend_count: 1
process_identifier: 2760
success 0 0
1619948457.282567
NtResumeThread
thread_handle: 0x00000318
suspend_count: 1
process_identifier: 2760
success 0 0
1619948457.767567
CreateProcessInternalW
thread_identifier: 2796
thread_handle: 0x000003fc
process_identifier: 1160
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AOEwkQzimfZCfK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp8FF.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000440
inherit_handles: 0
success 1 0
1619948460.438567
CreateProcessInternalW
thread_identifier: 2740
thread_handle: 0x0000031c
process_identifier: 2268
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d8cf7fecfdf7a96bd9038dd3e6e7d0a1.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d8cf7fecfdf7a96bd9038dd3e6e7d0a1.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000418
inherit_handles: 0
success 1 0
1619948460.438567
NtGetContextThread
thread_handle: 0x0000031c
success 0 0
1619948460.438567
NtAllocateVirtualMemory
process_identifier: 2268
region_size: 729088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000418
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619948460.438567
WriteProcessMemory
process_identifier: 2268
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL}ë ¦à 0¨ >Æ à @  @…ðÅ Kà 8  H.textD¦ ¨  `.rsrc8à ª @@.reloc ° @B
process_handle: 0x00000418
base_address: 0x00400000
success 1 0
1619948460.438567
WriteProcessMemory
process_identifier: 2268
buffer:
process_handle: 0x00000418
base_address: 0x00402000
success 1 0
1619948460.454567
WriteProcessMemory
process_identifier: 2268
buffer:  €8€P€h€€ à ¬äLã êä¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation° StringFileInfoè000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.0"InternalName&LegalCopyright*LegalTrademarks*OriginalFilename"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x00000418
base_address: 0x004ae000
success 1 0
1619948460.454567
WriteProcessMemory
process_identifier: 2268
buffer: À @6
process_handle: 0x00000418
base_address: 0x004b0000
success 1 0
1619948460.454567
WriteProcessMemory
process_identifier: 2268
buffer: @
process_handle: 0x00000418
base_address: 0x7efde008
success 1 0
1619948460.454567
NtSetContextThread
thread_handle: 0x0000031c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4900414
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2268
success 0 0
1619948460.767567
NtResumeThread
thread_handle: 0x0000031c
suspend_count: 1
process_identifier: 2268
success 0 0
1619948460.782567
NtResumeThread
thread_handle: 0x000003f4
suspend_count: 1
process_identifier: 2760
success 0 0
1619948460.798567
NtGetContextThread
thread_handle: 0x000003f4
success 0 0
1619948460.798567
NtResumeThread
thread_handle: 0x000003f4
suspend_count: 1
process_identifier: 2760
success 0 0
1619955240.762751
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2268
success 0 0
1619955240.778751
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2268
success 0 0
1619955240.871751
NtResumeThread
thread_handle: 0x00000198
suspend_count: 1
process_identifier: 2268
success 0 0
Visual analysis
Binary image
No binary image: the sample did not generate a binary visualization image.
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran.


PE Compile Time

2084-07-22 10:26:49

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination IP Destination Host Destination Port
192.168.56.101 49193 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49191 203.208.40.34 update.googleapis.com 443
192.168.56.101 49192 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 49194 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ef6cde7380edfc09&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619926092&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ef6cde7380edfc09&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619926092&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619926334&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619926334&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.