SmartHawk

10.8

0-day

43 个模型检测该样本为恶意！

重新分析

下载样本

4b2b31e1ba770d309096fa591bac54daf1a7abec5af7e77ebb31fc5d20ca1d45

d9165752ef20e5a0c88e4fb3e3b191ce.exe

分析耗时

129s

最近分析

文件大小

468.5KB

静态报毒动态报毒 AGENSLA AI SCORE=89 ATTRIBUTE AVSARHER BSIDR7 CCKDM CONFIDENCE DM0@AM75DGO ELDORADO EQGF FAREIT FORMBOOK GDSDA GENERICKDZ GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HRZRWB KRYPTIK MALWARE@#2IWHRR9NPYW3Z QQPASS QQROB SIGGEN10 TROJANPSW TROJANX UNSAFE WQCS YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FYE!D9165752EF20	20201023	6.0.6.653
Alibaba	TrojanPSW:MSIL/Formbook.4f1dee4f	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20201023	18.4.3895.0
Tencent	Msil.Trojan-qqpass.Qqrob.Wqcs	20201023	1.0.0.1
Kingsoft		20201023	2013.8.14.323
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Checks if process is being debugged by a debugger (6 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948417.469408 IsDebuggerPresent		failed	0	0
1619948417.469408 IsDebuggerPresent		failed	0	0
1619948466.548408 IsDebuggerPresent		failed	0	0
1619948467.094408 IsDebuggerPresent		failed	0	0
1619974678.301374 IsDebuggerPresent		failed	0	0
1619974678.316374 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948417.501408 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:1468833457&cup2hreq=51fcc4278d8f769a333cdc5f7e80e0f7abcaa15c913f578ca8f69761f6667f17

Performs some HTTP requests (5 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619945772&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=9d24d41700eb6ba3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945772&mv=m
request	GET http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=9d24d41700eb6ba3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945772&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:1468833457&cup2hreq=51fcc4278d8f769a333cdc5f7e80e0f7abcaa15c913f578ca8f69761f6667f17

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:1468833457&cup2hreq=51fcc4278d8f769a333cdc5f7e80e0f7abcaa15c913f578ca8f69761f6667f17

Allocates read-write-execute memory (usually to unpack itself) (50 out of 123 个事件)

Time & API	Arguments	Status	Return
1619948416.516408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00400000	success	0
1619948416.516408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00410000	success	0
1619948416.938408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005e0000	success	0
1619948416.938408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006f0000	success	0
1619948417.282408 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619948417.469408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01fc0000	success	0
1619948417.469408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02110000	success	0
1619948417.469408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005aa000	success	0
1619948417.469408 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619948417.469408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a2000	success	0
1619948417.735408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b2000	success	0
1619948417.813408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e5000	success	0
1619948417.813408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005eb000	success	0
1619948417.813408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e7000	success	0
1619948417.891408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b3000	success	0
1619948417.923408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005bc000	success	0
1619948418.298408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b4000	success	0
1619948418.313408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b6000	success	0
1619948418.423408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success	0
1619948418.516408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ca000	success	0
1619948418.516408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c7000	success	0
1619948418.657408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00981000	success	0
1619948418.876408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c6000	success	0
1619948418.891408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ba000	success	0
1619948418.891408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b7000	success	0
1619948418.891408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00982000	success	0
1619948419.063408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b8000	success	0
1619948419.126408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005b9000	success	0
1619948419.126408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02030000	success	0
1619948419.141408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00983000	success	0
1619948460.141408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00984000	success	0
1619948460.173408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006f1000	success	0
1619948460.251408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00985000	success	0
1619948460.376408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ac000	success	0
1619948460.454408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00986000	success	0
1619948460.501408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02031000	success	0
1619948460.516408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00987000	success	0
1619948460.610408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00988000	success	0
1619948460.610408 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 286208 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04f90400	failed	3221225550
1619948465.798408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02032000	success	0
1619948465.798408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00989000	success	0
1619948465.813408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0098a000	success	0
1619948465.813408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0098b000	success	0
1619948465.891408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0098c000	success	0
1619948465.923408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0098d000	success	0
1619948466.360408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04d20000	success	0
1619948466.360408 NtAllocateVirtualMemory	process_identifier: 428 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04d21000	success	0
1619948466.376408 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04f90178	failed	3221225550
1619948466.376408 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04f901a0	failed	3221225550
1619948466.376408 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x04f901c8	failed	3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.7617585060244565

section

{'size_of_data': '0x00074800', 'virtual_address': '0x00002000', 'entropy': 7.7617585060244565, 'name': '.text', 'virtual_size': '0x000747c0'}

description

A section with a high entropy has been found

entropy

0.9957264957264957

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948460.594408 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619974690.347374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.41.66

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948466.798408 NtAllocateVirtualMemory	process_identifier: 1812 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000ecc4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿5_à$^B `@ @BO` H.textd" $ `.rsrc`&@@.reloc*@B process_handle: 0x0000ecc4 base_address: 0x00400000	success	1
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: 0HX`¤¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h#InternalNameHzPCteYRIvpcfHzgnJVHmnwXONylhJ.exe(LegalCopyright p#OriginalFilenameHzPCteYRIvpcfHzgnJVHmnwXONylhJ.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000ecc4 base_address: 0x00456000	success	1
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: @`2 process_handle: 0x0000ecc4 base_address: 0x00458000	success	1
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: @ process_handle: 0x0000ecc4 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿5_à$^B `@ @BO` H.textd" $ `.rsrc`&@@.reloc*@B process_handle: 0x0000ecc4 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 428 called NtSetContextThread to modify thread in remote process 1812
1619948466.813408 NtSetContextThread	thread_handle: 0x000065f4 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4538974 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1812	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 428 resumed a thread in remote process 1812
1619948467.094408 NtResumeThread	thread_handle: 0x000065f4 suspend_count: 1 process_identifier: 1812	success	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.160.110:443

Executed a process and injected code into it, probably while unpacking (18 个事件)

Time & API	Arguments	Status	Return
1619948417.469408 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 428	success	0
1619948417.485408 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 428	success	0
1619948417.563408 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 428	success	0
1619948466.516408 NtResumeThread	thread_handle: 0x0000cb60 suspend_count: 1 process_identifier: 428	success	0
1619948466.532408 NtResumeThread	thread_handle: 0x0000c870 suspend_count: 1 process_identifier: 428	success	0
1619948466.798408 CreateProcessInternalW	thread_identifier: 2228 thread_handle: 0x000065f4 process_identifier: 1812 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d9165752ef20e5a0c88e4fb3e3b191ce.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d9165752ef20e5a0c88e4fb3e3b191ce.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000ecc4 inherit_handles: 0	success	1
1619948466.798408 NtGetContextThread	thread_handle: 0x000065f4	success	0
1619948466.798408 NtAllocateVirtualMemory	process_identifier: 1812 region_size: 368640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000ecc4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿5_à$^B `@ @BO` H.textd" $ `.rsrc`&@@.reloc*@B process_handle: 0x0000ecc4 base_address: 0x00400000	success	1
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: process_handle: 0x0000ecc4 base_address: 0x00402000	success	1
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: 0HX`¤¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h#InternalNameHzPCteYRIvpcfHzgnJVHmnwXONylhJ.exe(LegalCopyright p#OriginalFilenameHzPCteYRIvpcfHzgnJVHmnwXONylhJ.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x0000ecc4 base_address: 0x00456000	success	1
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: @`2 process_handle: 0x0000ecc4 base_address: 0x00458000	success	1
1619948466.813408 WriteProcessMemory	process_identifier: 1812 buffer: @ process_handle: 0x0000ecc4 base_address: 0x7efde008	success	1
1619948466.813408 NtSetContextThread	thread_handle: 0x000065f4 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4538974 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1812	success	0
1619948467.094408 NtResumeThread	thread_handle: 0x000065f4 suspend_count: 1 process_identifier: 1812	success	0
1619974678.316374 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1812	success	0
1619974678.332374 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 1812	success	0
1619974678.379374 NtResumeThread	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 1812	success	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69447
FireEye	Generic.mg.d9165752ef20e5a0
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FYE!D9165752EF20
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 0056d57d1 )
Alibaba	TrojanPSW:MSIL/Formbook.4f1dee4f
K7GW	Trojan ( 0056d57d1 )
Arcabit	Trojan.Generic.D10F47
BitDefenderTheta	Gen:NN.ZemsilF.34570.Dm0@am75dGo
Cyren	W32/MSIL_Kryptik.BKN.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKDZ.69447
NANO-Antivirus	Trojan.Win32.Agensla.hrzrwb
Paloalto	generic.ml
Tencent	Msil.Trojan-qqpass.Qqrob.Wqcs
Ad-Aware	Trojan.GenericKDZ.69447
Sophos	Mal/Generic-S
Comodo	Malware@#2iwhrr9npyw3z
DrWeb	Trojan.Siggen10.4036
VIPRE	Trojan.Win32.Generic!BT
Invincea	Mal/Generic-S
McAfee-GW-Edition	Fareit-FYE!D9165752EF20
Emsisoft	Trojan.GenericKDZ.69447 (B)
Ikarus	Trojan.MSIL.Inject
Avira	TR/Kryptik.cckdm
Microsoft	Trojan:MSIL/Formbook.VN!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKDZ.69447
AhnLab-V3	Trojan/Win32.Fareit.C4181405
MAX	malware (ai score=89)
ESET-NOD32	a variant of MSIL/Kryptik.XIP
Yandex	Trojan.AvsArher.bSIdr7
Fortinet	MSIL/GenKryptik.EQGF!tr
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Generic/Trojan.PSW.374

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2051-03-04 00:36:22

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
r4---sn-j5o76n7l.gvt1.com	A 58.63.233.69 CNAME r4.sn-j5o76n7l.gvt1.com	58.63.233.69
redirector.gvt1.com	A 203.208.41.33	203.208.41.33
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.110
r1---sn-j5o76n7e.gvt1.com	CNAME r1.sn-j5o76n7e.gvt1.com A 113.108.239.130	113.108.239.130
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.40.34	203.208.40.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49192	113.108.239.130 r1---sn-j5o76n7e.gvt1.com	80
192.168.56.101	49189	203.208.40.34 update.googleapis.com	443
192.168.56.101	49191	203.208.41.33 redirector.gvt1.com	80
192.168.56.101	49193	58.63.233.69 r4---sn-j5o76n7l.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=9d24d41700eb6ba3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945772&mv=m	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=9d24d41700eb6ba3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945772&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=0-6955 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r4---sn-j5o76n7l.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=9d24d41700eb6ba3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945772&mv=m	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=9d24d41700eb6ba3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945772&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=6956-17586 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r4---sn-j5o76n7l.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=9d24d41700eb6ba3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945772&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=9d24d41700eb6ba3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945772&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r4---sn-j5o76n7l.gvt1.com
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619945772&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619945772&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o76n7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.