SmartHawk

11.2

0-day

56 个模型检测该样本为恶意！

重新分析

下载样本

51837e07f216a7af44fbabf5a9e0b91dcbc2dfd3c3428badf554049a193938cf

de5d4464be06fa32db6a46ddd41880a1.exe

分析耗时

76s

最近分析

文件大小

573.5KB

静态报毒动态报毒 100% AGENSLA AGENTTESLA AI SCORE=81 ATTRIBUTE BTNOIY CLOUD CONFIDENCE ELDORADO GENERICKD HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HOSTS IGENT JM0@AIJUUGB KRYPTIK MALICIOUS MALICIOUS PE PWSX QQPASS QQROB R049C0WER20 STEALE SUSGEN TROJANPSW UJEWG UNSAFE WACATAC WTNP ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	RDN/Generic.dx	20200604	6.0.6.653
Alibaba	TrojanPSW:MSIL/Kryptik.76029847	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20200604	18.4.3895.0
Kingsoft		20200604	2013.8.14.323
Tencent	Msil.Trojan-qqpass.Qqrob.Wtnp	20200604	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619962968.578124 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619962985.592751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619962987.186751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619962989.092751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619962989.530751 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948413.507633 IsDebuggerPresent		failed	0	0
1619962972.561751 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619962969.953124 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\kfcsBXRXeQVK"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948414.335633 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619962988.967751 __exception__	stacktrace: 0x7100ae 0xb4f0b2 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 4125056 registers.edi: 4125088 registers.eax: 0 registers.ebp: 4125104 registers.edx: 158 registers.ebx: 0 registers.esi: 43051316 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 28 89 45 d8 b8 2a 52 44 d3 eb 86 8b exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7104c1	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619962988.967751
__exception__

stacktrace:

0x7100ae
0xb4f0b2
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4125056
registers.edi: 4125088
registers.eax: 0
registers.ebp: 4125104
registers.edx: 158
registers.ebx: 0
registers.esi: 43051316
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 d8 b8 2a 52 44 d3 eb 86 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7104c1

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 111 个事件)

Time & API	Arguments	Status
1619948412.663633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x005c0000	success
1619948412.663633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e0000	success
1619948413.382633 NtProtectVirtualMemory	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1619948413.522633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success
1619948413.522633 NtProtectVirtualMemory	process_identifier: 3056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1619948413.522633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00582000	success
1619948413.850633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00592000	success
1619948414.069633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00593000	success
1619948414.100633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005db000	success
1619948414.100633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d7000	success
1619948414.194633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059c000	success
1619948414.272633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c40000	success
1619948414.319633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c41000	success
1619948414.319633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c42000	success
1619948414.319633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c43000	success
1619948414.350633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c44000	success
1619948414.366633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00594000	success
1619948414.694633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00595000	success
1619948414.710633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00596000	success
1619948414.757633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00597000	success
1619948414.757633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c45000	success
1619948414.835633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005aa000	success
1619948414.835633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a7000	success
1619948414.850633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ca000	success
1619948414.866633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058b000	success
1619948414.882633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00598000	success
1619948414.882633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00599000	success
1619948414.882633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c46000	success
1619948414.897633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b90000	success
1619948414.897633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c47000	success
1619948414.913633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005a6000	success
1619948415.194633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c48000	success
1619948415.241633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c00000	success
1619948415.257633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b91000	success
1619948415.257633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059d000	success
1619948415.257633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c49000	success
1619948415.272633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b92000	success
1619948415.272633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c4a000	success
1619948415.288633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c4b000	success
1619948415.304633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c4c000	success
1619948415.304633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059a000	success
1619948415.304633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c4d000	success
1619948415.350633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e1000	success
1619948415.460633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c4e000	success
1619948415.475633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c4f000	success
1619948415.491633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c2000	success
1619948415.522633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d5000	success
1619948415.772633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x047c0000	success
1619948415.835633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b93000	success
1619948415.944633 NtAllocateVirtualMemory	process_identifier: 3056 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x05850000	success

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\kfcsBXRXeQVK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp879A.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kfcsBXRXeQVK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp879A.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948426.897633 ShellExecuteExW	parameters: /Create /TN "Updates\kfcsBXRXeQVK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp879A.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.749842025910762

section

{'size_of_data': '0x0007e200', 'virtual_address': '0x00002000', 'entropy': 7.749842025910762, 'name': '.text', 'virtual_size': '0x0007e194'}

description

A section with a high entropy has been found

entropy

0.8804537521815009

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948430.616633 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619962973.092751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619962984.967751 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3056 process_handle: 0x00000220	failed	0	0
1619962984.967751 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3056 process_handle: 0x00000220	success	0	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\kfcsBXRXeQVK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp879A.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kfcsBXRXeQVK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp879A.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948430.319633 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003b4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

de5d4464be06fa32db6a46ddd41880a1.exe tried to sleep 2728200 seconds, actually delayed analysis time by 2728200 seconds

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp879A.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619948430.319633 WriteProcessMemory	process_identifier: 1948 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¾mÌ^à¬NÊ à@ @üÉOà H.textTª ¬ `.rsrcà®@@.reloc²@B process_handle: 0x000003b4 base_address: 0x00400000	success	1
1619948430.335633 WriteProcessMemory	process_identifier: 1948 buffer: 0HXà¬¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoè000004b0,FileDescription 0FileVersion0.0.0.0l&InternalNameGbOjkZzVvIpqIBHJcEXhSkvbTxwhDDSWm.exe(LegalCopyright t&OriginalFilenameGbOjkZzVvIpqIBHJcEXhSkvbTxwhDDSWm.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000003b4 base_address: 0x0044e000	success	1
1619948430.335633 WriteProcessMemory	process_identifier: 1948 buffer: ÀP: process_handle: 0x000003b4 base_address: 0x00450000	success	1
1619948430.335633 WriteProcessMemory	process_identifier: 1948 buffer: @ process_handle: 0x000003b4 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948430.319633 WriteProcessMemory	process_identifier: 1948 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¾mÌ^à¬NÊ à@ @üÉOà H.textTª ¬ `.rsrcà®@@.reloc²@B process_handle: 0x000003b4 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3056 called NtSetContextThread to modify thread in remote process 1948
1619948430.335633 NtSetContextThread	thread_handle: 0x00000360 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4508238 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1948	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3056 resumed a thread in remote process 1948
1619948430.585633 NtResumeThread	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 1948	success	0	0

Executed a process and injected code into it, probably while unpacking (21 个事件)

Time & API	Arguments	Status	Return
1619948413.507633 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 3056	success	0
1619948413.538633 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 3056	success	0
1619948426.241633 NtResumeThread	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 3056	success	0
1619948426.882633 CreateProcessInternalW	thread_identifier: 2196 thread_handle: 0x0000036c process_identifier: 2120 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kfcsBXRXeQVK" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp879A.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000003a4 inherit_handles: 0	success	1
1619948430.319633 CreateProcessInternalW	thread_identifier: 1888 thread_handle: 0x00000360 process_identifier: 1948 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\de5d4464be06fa32db6a46ddd41880a1.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\de5d4464be06fa32db6a46ddd41880a1.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000003b4 inherit_handles: 0	success	1
1619948430.319633 NtGetContextThread	thread_handle: 0x00000360	success	0
1619948430.319633 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003b4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619948430.319633 WriteProcessMemory	process_identifier: 1948 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¾mÌ^à¬NÊ à@ @üÉOà H.textTª ¬ `.rsrcà®@@.reloc²@B process_handle: 0x000003b4 base_address: 0x00400000	success	1
1619948430.319633 WriteProcessMemory	process_identifier: 1948 buffer: process_handle: 0x000003b4 base_address: 0x00402000	success	1
1619948430.335633 WriteProcessMemory	process_identifier: 1948 buffer: 0HXà¬¬4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoè000004b0,FileDescription 0FileVersion0.0.0.0l&InternalNameGbOjkZzVvIpqIBHJcEXhSkvbTxwhDDSWm.exe(LegalCopyright t&OriginalFilenameGbOjkZzVvIpqIBHJcEXhSkvbTxwhDDSWm.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000003b4 base_address: 0x0044e000	success	1
1619948430.335633 WriteProcessMemory	process_identifier: 1948 buffer: ÀP: process_handle: 0x000003b4 base_address: 0x00450000	success	1
1619948430.335633 WriteProcessMemory	process_identifier: 1948 buffer: @ process_handle: 0x000003b4 base_address: 0x7efde008	success	1
1619948430.335633 NtSetContextThread	thread_handle: 0x00000360 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4508238 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1948	success	0
1619948430.585633 NtResumeThread	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 1948	success	0
1619948430.600633 NtResumeThread	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 3056	success	0
1619962972.561751 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1948	success	0
1619962972.608751 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1948	success	0
1619962986.999751 NtResumeThread	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 1948	success	0
1619962987.030751 NtResumeThread	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 1948	success	0
1619962988.999751 NtResumeThread	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 1948	success	0
1619962995.530751 NtResumeThread	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 1948	success	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

MicroWorld-eScan	Trojan.GenericKD.33907260
CAT-QuickHeal	Trojan.Multi
McAfee	RDN/Generic.dx
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 0056771d1 )
Alibaba	TrojanPSW:MSIL/Kryptik.76029847
K7GW	Trojan ( 0056771d1 )
TrendMicro	TROJ_GEN.R049C0WER20
BitDefenderTheta	Gen:NN.ZemsilF.34126.Jm0@aiJuUgb
F-Prot	W32/MSIL_Kryptik.ATF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
TrendMicro-HouseCall	TROJ_GEN.R049C0WER20
Avast	Win32:PWSX-gen [Trj]
GData	Trojan.GenericKD.33907260
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.33907260
Paloalto	generic.ml
ViRobot	Trojan.Win32.S.Infostealer.587264.A
Rising	Trojan.Kryptik!8.8 (CLOUD)
Ad-Aware	Trojan.GenericKD.33907260
Sophos	Troj/Steale-YG
F-Secure	Trojan.TR/AD.AgentTesla.ujewg
DrWeb	Trojan.Hosts.47624
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
McAfee-GW-Edition	RDN/Generic.dx
SentinelOne	DFI - Malicious PE
FireEye	Generic.mg.de5d4464be06fa32
Emsisoft	Trojan.GenericKD.33907260 (B)
APEX	Malicious
Cyren	W32/MSIL_Kryptik.ATF.gen!Eldorado
Webroot	W32.Adware.Gen
Avira	TR/AD.AgentTesla.ujewg
Antiy-AVL	Trojan/Win32.Wacatac
Endgame	malicious (high confidence)
Arcabit	Trojan.Generic.D205623C
AegisLab	Trojan.Multi.Generic.4!c
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
Microsoft	TrojanSpy:MSIL/AgentTesla!MTB
TACHYON	Trojan/W32.DN-Agensla.587264
AhnLab-V3	Malware/Win32.RL_Generic.C4109722
VBA32	CIL.HeapOverride.Heur
ALYac	Trojan.Agent.Wacatac
MAX	malware (ai score=81)
Malwarebytes	Spyware.AgentTesla
ESET-NOD32	a variant of MSIL/Kryptik.WBA
Tencent	Msil.Trojan-qqpass.Qqrob.Wtnp
Yandex	Trojan.Igent.bTNOIY.78
Ikarus	Trojan.Inject

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-26 10:11:23

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.