13.2
0-day

423c8c0b4eb6fc15b614326190cbd2b932f5480fdc1791ca9c03dc696ef61b31

d9bacd363a8e4a4235b38fd59afd02e6.exe

Analysis duration

128s

Latest analysis

File size

515.5KB
Static detection / Dynamic detection: AGENT@0 AGENTTESLA AI SCORE=82 ATTRIBUTE BUHECA CONFIDENCE ELDORADO EQGF FAREIT FORMBOOK GDSDA GENERICKD GENKRYPTIK GENOME GM0@A4A3KHN HIGH CONFIDENCE HIGHCONFIDENCE HTFSXF IGENERIC IGENT INJECT3 KRYPTIK MALICIOUS PE NOON R002C0WHH20 RATX SCORE SUSGEN UNSAFE WTXI YIKNY ZEMSILF
鹰眼引擎 (Eagle Eye engine)
Not detected: no 鹰眼引擎 detection results yet
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Fareit-FYE!D9BACD363A8E 20200914 6.0.6.653
Alibaba TrojanSpy:MSIL/Kryptik.f0fd0332 20190527 0.3.0.5
Avast Win32:RATX-gen [Trj] 20200914 18.4.3895.0
Tencent Msil.Trojan-spy.Noon.Wtxi 20200915 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200915 2013.8.14.323
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619974393.993499
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (14 events)
Time & API Arguments Status Return Repeated
1619948417.312886
IsDebuggerPresent
failed 0 0
1619948417.312886
IsDebuggerPresent
failed 0 0
1619948468.656886
IsDebuggerPresent
failed 0 0
1619948469.140886
IsDebuggerPresent
failed 0 0
1619948469.656886
IsDebuggerPresent
failed 0 0
1619948470.140886
IsDebuggerPresent
failed 0 0
1619948470.656886
IsDebuggerPresent
failed 0 0
1619948471.140886
IsDebuggerPresent
failed 0 0
1619948471.656886
IsDebuggerPresent
failed 0 0
1619948472.140886
IsDebuggerPresent
failed 0 0
1619948472.656886
IsDebuggerPresent
failed 0 0
1619948473.140886
IsDebuggerPresent
failed 0 0
1619974398.212001
IsDebuggerPresent
failed 0 0
1619974398.212001
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619974395.025499
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\eZhOHjo"。
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619948417.343886
GlobalMemoryStatusEx
success 1 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:527790888&cup2hreq=13a229d9d6f473fb36a66d14836a89699868188d621d7e2ea105448965a8e341
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619945293&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b95fa58d4db6c1c3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945533&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:527790888&cup2hreq=13a229d9d6f473fb36a66d14836a89699868188d621d7e2ea105448965a8e341
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:527790888&cup2hreq=13a229d9d6f473fb36a66d14836a89699868188d621d7e2ea105448965a8e341
Allocates read-write-execute memory (usually to unpack itself) (50 out of 119 events)
Time & API Arguments Status Return Repeated
1619948416.781886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00860000
success 0 0
1619948416.781886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a10000
success 0 0
1619948417.125886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01fa0000
success 0 0
1619948417.125886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020f0000
success 0 0
1619948417.187886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619948417.312886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02130000
success 0 0
1619948417.312886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022d0000
success 0 0
1619948417.328886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005aa000
success 0 0
1619948417.328886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619948417.328886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a2000
success 0 0
1619948417.515886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b2000
success 0 0
1619948417.609886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d5000
success 0 0
1619948417.609886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005db000
success 0 0
1619948417.609886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d7000
success 0 0
1619948417.687886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b3000
success 0 0
1619948417.718886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005bc000
success 0 0
1619948418.093886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b4000
success 0 0
1619948418.093886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b6000
success 0 0
1619948418.203886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f20000
success 0 0
1619948418.297886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ca000
success 0 0
1619948418.297886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c7000
success 0 0
1619948418.593886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c6000
success 0 0
1619948418.593886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ba000
success 0 0
1619948418.656886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f21000
success 0 0
1619948418.828886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b7000
success 0 0
1619948418.828886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b8000
success 0 0
1619948418.875886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b9000
success 0 0
1619948460.422886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f22000
success 0 0
1619948460.437886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020f1000
success 0 0
1619948460.531886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f23000
success 0 0
1619948460.672886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ac000
success 0 0
1619948460.734886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f24000
success 0 0
1619948460.781886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04450000
success 0 0
1619948460.797886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f25000
success 0 0
1619948460.890886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04451000
success 0 0
1619948460.906886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 370688
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05600400
failed 3221225550 0
1619948468.187886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f26000
success 0 0
1619948468.187886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f27000
success 0 0
1619948468.281886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f28000
success 0 0
1619948468.297886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f29000
success 0 0
1619948468.312886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f2a000
success 0 0
1619948468.375886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04452000
success 0 0
1619948468.390886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f2b000
success 0 0
1619948468.422886
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f2c000
success 0 0
1619948468.422886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05600178
failed 3221225550 0
1619948468.422886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x056001a0
failed 3221225550 0
1619948468.422886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x056001c8
failed 3221225550 0
1619948468.422886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x056001f0
failed 3221225550 0
1619948468.422886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05600218
failed 3221225550 0
1619948468.422886
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0565b49e
failed 3221225550 0
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eZhOHjo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1D04.tmp"
cmdline schtasks.exe /Create /TN "Updates\eZhOHjo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1D04.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619948469.468886
ShellExecuteExW
parameters: /Create /TN "Updates\eZhOHjo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1D04.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.917086429723138 section {'size_of_data': '0x00080400', 'virtual_address': '0x00002000', 'entropy': 7.917086429723138, 'name': '.text', 'virtual_size': '0x000802c0'} description A section with a high entropy has been found
entropy 0.996116504854369 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619948460.890886
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619974410.447001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 events)
Time & API Arguments Status Return Repeated
1619948472.781886
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2436
process_handle: 0x000026e4
failed 0 0
1619948472.781886
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2436
process_handle: 0x000026e4
success 0 0
1619948473.125886
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1416
process_handle: 0x0000ccc8
failed 0 0
1619948473.125886
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1416
process_handle: 0x0000ccc8
success 0 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eZhOHjo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1D04.tmp"
cmdline schtasks.exe /Create /TN "Updates\eZhOHjo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1D04.tmp"
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process, indicative of possible code injection (3 events)
Time & API Arguments Status Return Repeated
1619948472.453886
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000089b0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948472.922886
NtAllocateVirtualMemory
process_identifier: 1416
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000d5bc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948473.234886
NtAllocateVirtualMemory
process_identifier: 1056
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000da04
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1D04.tmp
Manipulates memory of a non-child process, indicative of process injection (4 events)
Process injection Process 912 manipulating memory of non-child process 2436
Process injection Process 912 manipulating memory of non-child process 1416
Time & API Arguments Status Return Repeated
1619948472.453886
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000089b0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948472.922886
NtAllocateVirtualMemory
process_identifier: 1416
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000d5bc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619948473.234886
WriteProcessMemory
process_identifier: 1056
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL&§9_à  öî @ `@…˜S H@  H.textôõ ö `.rsrcH ø@@.reloc @þ@B
process_handle: 0x0000da04
base_address: 0x00400000
success 1 0
1619948473.250886
WriteProcessMemory
process_identifier: 1056
buffer:  €P€8€€h€  ¼\#ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameaskhPfppDdROyBNgbKOeAqmeZnIfIsRKLoWj.exe(LegalCopyright |)OriginalFilenameaskhPfppDdROyBNgbKOeAqmeZnIfIsRKLoWj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000da04
base_address: 0x00462000
success 1 0
1619948473.250886
WriteProcessMemory
process_identifier: 1056
buffer:  ð5
process_handle: 0x0000da04
base_address: 0x00464000
success 1 0
1619948473.250886
WriteProcessMemory
process_identifier: 1056
buffer: @
process_handle: 0x0000da04
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619948473.234886
WriteProcessMemory
process_identifier: 1056
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL&§9_à  öî @ `@…˜S H@  H.textôõ ö `.rsrcH ø@@.reloc @þ@B
process_handle: 0x0000da04
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 912 called NtSetContextThread to modify thread in remote process 1056
Time & API Arguments Status Return Repeated
1619948473.250886
NtSetContextThread
thread_handle: 0x0000ccc8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4593134
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1056
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 912 resumed a thread in remote process 1056
Time & API Arguments Status Return Repeated
1619948473.453886
NtResumeThread
thread_handle: 0x0000ccc8
suspend_count: 1
process_identifier: 1056
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.160.78:443
Executed a process and injected code into it, probably while unpacking (25 events)
Time & API Arguments Status Return Repeated
1619948417.312886
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 912
success 0 0
1619948417.328886
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 912
success 0 0
1619948417.359886
NtResumeThread
thread_handle: 0x00000164
suspend_count: 1
process_identifier: 912
success 0 0
1619948468.593886
NtResumeThread
thread_handle: 0x00003d68
suspend_count: 1
process_identifier: 912
success 0 0
1619948468.640886
NtResumeThread
thread_handle: 0x0000886c
suspend_count: 1
process_identifier: 912
success 0 0
1619948469.468886
CreateProcessInternalW
thread_identifier: 2960
thread_handle: 0x0000a030
process_identifier: 2948
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eZhOHjo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp1D04.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000ff9c
inherit_handles: 0
success 1 0
1619948472.453886
CreateProcessInternalW
thread_identifier: 1376
thread_handle: 0x00006b70
process_identifier: 2436
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d9bacd363a8e4a4235b38fd59afd02e6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d9bacd363a8e4a4235b38fd59afd02e6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000089b0
inherit_handles: 0
success 1 0
1619948472.453886
NtGetContextThread
thread_handle: 0x00006b70
success 0 0
1619948472.453886
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000089b0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948472.906886
CreateProcessInternalW
thread_identifier: 2264
thread_handle: 0x000026e4
process_identifier: 1416
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d9bacd363a8e4a4235b38fd59afd02e6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d9bacd363a8e4a4235b38fd59afd02e6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000d5bc
inherit_handles: 0
success 1 0
1619948472.922886
NtGetContextThread
thread_handle: 0x000026e4
success 0 0
1619948472.922886
NtAllocateVirtualMemory
process_identifier: 1416
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000d5bc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948473.218886
CreateProcessInternalW
thread_identifier: 1932
thread_handle: 0x0000ccc8
process_identifier: 1056
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d9bacd363a8e4a4235b38fd59afd02e6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d9bacd363a8e4a4235b38fd59afd02e6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000da04
inherit_handles: 0
success 1 0
1619948473.234886
NtGetContextThread
thread_handle: 0x0000ccc8
success 0 0
1619948473.234886
NtAllocateVirtualMemory
process_identifier: 1056
region_size: 417792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000da04
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619948473.234886
WriteProcessMemory
process_identifier: 1056
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL&§9_à  öî @ `@…˜S H@  H.textôõ ö `.rsrcH ø@@.reloc @þ@B
process_handle: 0x0000da04
base_address: 0x00400000
success 1 0
1619948473.234886
WriteProcessMemory
process_identifier: 1056
buffer:
process_handle: 0x0000da04
base_address: 0x00402000
success 1 0
1619948473.250886
WriteProcessMemory
process_identifier: 1056
buffer:  €P€8€€h€  ¼\#ê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t)InternalNameaskhPfppDdROyBNgbKOeAqmeZnIfIsRKLoWj.exe(LegalCopyright |)OriginalFilenameaskhPfppDdROyBNgbKOeAqmeZnIfIsRKLoWj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000da04
base_address: 0x00462000
success 1 0
1619948473.250886
WriteProcessMemory
process_identifier: 1056
buffer:  ð5
process_handle: 0x0000da04
base_address: 0x00464000
success 1 0
1619948473.250886
WriteProcessMemory
process_identifier: 1056
buffer: @
process_handle: 0x0000da04
base_address: 0x7efde008
success 1 0
1619948473.250886
NtSetContextThread
thread_handle: 0x0000ccc8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4593134
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1056
success 0 0
1619948473.453886
NtResumeThread
thread_handle: 0x0000ccc8
suspend_count: 1
process_identifier: 1056
success 0 0
1619974398.212001
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1056
success 0 0
1619974398.243001
NtResumeThread
thread_handle: 0x0000012c
suspend_count: 1
process_identifier: 1056
success 0 0
1619974398.259001
NtResumeThread
thread_handle: 0x00000174
suspend_count: 1
process_identifier: 1056
success 0 0
File has been identified by 52 antivirus engines on VirusTotal as malicious (50 out of 52 events)
Elastic malicious (high confidence)
DrWeb Trojan.Inject3.51227
MicroWorld-eScan Trojan.GenericKD.43680713
FireEye Generic.mg.d9bacd363a8e4a42
CAT-QuickHeal Trojan.IGENERIC
McAfee Fareit-FYE!D9BACD363A8E
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2366317
Sangfor Malware
K7AntiVirus Trojan ( 0056c9be1 )
Alibaba TrojanSpy:MSIL/Kryptik.f0fd0332
K7GW Trojan ( 0056c9be1 )
Cybereason malicious.dbf8bf
Arcabit Trojan.Generic.D29A83C9
Invincea Mal/Generic-S
BitDefenderTheta Gen:NN.ZemsilF.34242.Gm0@a4a3kHn
Cyren W32/MSIL_Kryptik.BIB.gen!Eldorado
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall TROJ_GEN.R002C0WHH20
Avast Win32:RATX-gen [Trj]
Cynet Malicious (score: 90)
Kaspersky HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender Trojan.GenericKD.43680713
NANO-Antivirus Trojan.Win32.Noon.htfsxf
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Tencent Msil.Trojan-spy.Noon.Wtxi
Ad-Aware Trojan.GenericKD.43680713
Comodo TrojWare.Win32.Genome.agent@0
F-Secure Trojan.TR/Kryptik.yikny
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0WHH20
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Inject
Avira TR/Kryptik.yikny
MAX malware (ai score=82)
Microsoft Trojan:MSIL/Formbook!rfn
ZoneAlarm HEUR:Trojan-Spy.MSIL.Noon.gen
GData Trojan.GenericKD.43680713
AhnLab-V3 Malware/Win32.RL_Generic.C4182378
ALYac Trojan.GenericKD.43680713
Malwarebytes Spyware.AgentTesla
APEX Malicious
ESET-NOD32 a variant of MSIL/Kryptik.XJA
Yandex Trojan.Igent.bUhECA.22
SentinelOne DFI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/GenKryptik.EQGF!tr
AVG Win32:RATX-gen [Trj]
Panda Trj/GdSda.A
Visual Analysis
Binary Image
No binary image: this sample did not generate a binary visualization image
Runtime Screenshots
No runtime screenshots: no screenshots were generated while the sample was running


PE Compile Time

2020-08-17 06:19:41

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source  Source Port  Destination IP  Destination Host  Destination Port
192.168.56.101 49201 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49200 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 49199 203.208.41.66 update.googleapis.com 443
192.168.56.101 49202 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source  Source Port  Destination  Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b95fa58d4db6c1c3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945533&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b95fa58d4db6c1c3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619945533&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619945293&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619945293&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.