SmartHawk

7.4

高危

50 个模型检测该样本为恶意！

重新分析

下载样本

238bdecceff568c7d9d8e80e466cb9ba2df600bd47e24e4c69b75cbe7104bf18

e26e602e61a75c0e38fdf5bff1b109d0.exe

分析耗时

79s

最近分析

文件大小

584.5KB

静态报毒动态报毒 AGENTTESLA AI SCORE=80 AIHY AVSETECER BUBCVG CONFIDENCE ELDORADO FAREIT HIGH CONFIDENCE HPYXLT KRYPTIK MALWARE@#26UE40LMN0I4T MASSLOGGER PWSX QAEJ R002C0DLB20 R346301 RAZY RNKBEND RZLRS SCORE SIGGEN2 TSCOPE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:MSIL/AgentTesla.0abb1fa2	20190527	0.3.0.5
Kingsoft		20201226	2017.9.26.565
McAfee	Fareit-FXU!E26E602E61A7	20201226	6.0.6.653
Tencent	Msil.Trojan.Crypt.Aihy	20201226	1.0.0.1
CrowdStrike	win/malicious_confidence_70% (W)	20190702	1.0

Checks if process is being debugged by a debugger (3 个事件)

Time & API	Arguments	Status	Return	Repeated
1619965005.895125 IsDebuggerPresent		failed	0	0
1619965005.895125 IsDebuggerPresent		failed	0	0
1619965049.457125 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619965005.910125 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 97 个事件)

Time & API	Arguments	Status	Return
1619965005.238125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00310000	success	0
1619965005.238125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00330000	success	0
1619965005.723125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00880000	success	0
1619965005.723125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00930000	success	0
1619965005.770125 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b91000	success	0
1619965005.895125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x020f0000	success	0
1619965005.895125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021b0000	success	0
1619965005.895125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043a000	success	0
1619965005.895125 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b92000	success	0
1619965005.895125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00432000	success	0
1619965006.191125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00442000	success	0
1619965006.238125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00465000	success	0
1619965006.254125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046b000	success	0
1619965006.254125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00467000	success	0
1619965006.410125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00443000	success	0
1619965006.410125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00444000	success	0
1619965006.457125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044c000	success	0
1619965006.535125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00800000	success	0
1619965006.676125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021b1000	success	0
1619965006.676125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021b2000	success	0
1619965006.738125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00445000	success	0
1619965006.754125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00456000	success	0
1619965006.770125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00801000	success	0
1619965006.770125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021b3000	success	0
1619965006.770125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021b4000	success	0
1619965006.848125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021b5000	success	0
1619965006.848125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00802000	success	0
1619965006.848125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0045a000	success	0
1619965006.848125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00457000	success	0
1619965007.020125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00446000	success	0
1619965007.035125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00447000	success	0
1619965007.488125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00448000	success	0
1619965007.816125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00449000	success	0
1619965008.160125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00803000	success	0
1619965008.176125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02140000	success	0
1619965008.191125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00804000	success	0
1619965047.098125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043c000	success	0
1619965047.098125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00807000	success	0
1619965047.191125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02141000	success	0
1619965047.191125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044d000	success	0
1619965047.191125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02142000	success	0
1619965047.223125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00808000	success	0
1619965047.410125 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 306688 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05400400	failed	3221225550
1619965049.082125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00809000	success	0
1619965049.098125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080a000	success	0
1619965049.098125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080b000	success	0
1619965049.129125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080c000	success	0
1619965049.129125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080d000	success	0
1619965049.301125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02143000	success	0
1619965049.301125 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0080e000	success	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.700226345044754

section

{'size_of_data': '0x00091600', 'virtual_address': '0x00002000', 'entropy': 7.700226345044754, 'name': '.text', 'virtual_size': '0x0009152c'}

description

A section with a high entropy has been found

entropy

0.9957191780821918

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619965047.395125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (10 个事件)

Time & API	Arguments	Status
1619965049.738125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2840 process_handle: 0x000056ac	failed
1619965049.738125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2840 process_handle: 0x000056ac	success
1619965049.785125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1416 process_handle: 0x000049b4	failed
1619965049.785125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1416 process_handle: 0x000049b4	success
1619965049.816125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2956 process_handle: 0x0000e064	failed
1619965049.816125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2956 process_handle: 0x0000e064	success
1619965049.848125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1316 process_handle: 0x00010a2c	failed
1619965049.848125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1316 process_handle: 0x00010a2c	success
1619965049.895125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2056 process_handle: 0x0000c2cc	failed
1619965049.895125 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2056 process_handle: 0x0000c2cc	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (5 个事件)

Time & API	Arguments	Status	Return
1619965049.629125 NtAllocateVirtualMemory	process_identifier: 2840 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000318c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619965049.754125 NtAllocateVirtualMemory	process_identifier: 1416 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002f1c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619965049.801125 NtAllocateVirtualMemory	process_identifier: 2956 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000fbf4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619965049.832125 NtAllocateVirtualMemory	process_identifier: 1316 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000094a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619965049.863125 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000dad8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Manipulates memory of a non-child process indicative of process injection (10 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1880 manipulating memory of non-child process 2840
Process injection	Process 1880 manipulating memory of non-child process 1416
Process injection	Process 1880 manipulating memory of non-child process 2956
Process injection	Process 1880 manipulating memory of non-child process 1316
Process injection	Process 1880 manipulating memory of non-child process 2056
1619965049.629125 NtAllocateVirtualMemory	process_identifier: 2840 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000318c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619965049.754125 NtAllocateVirtualMemory	process_identifier: 1416 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002f1c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619965049.801125 NtAllocateVirtualMemory	process_identifier: 2956 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000fbf4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619965049.832125 NtAllocateVirtualMemory	process_identifier: 1316 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000094a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619965049.863125 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000dad8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Executed a process and injected code into it, probably while unpacking (20 个事件)

Time & API	Arguments	Status	Return
1619965005.895125 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 1880	success	0
1619965005.895125 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 1880	success	0
1619965005.910125 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 1880	success	0
1619965049.410125 NtResumeThread	thread_handle: 0x0000b27c suspend_count: 1 process_identifier: 1880	success	0
1619965049.410125 NtResumeThread	thread_handle: 0x000051b0 suspend_count: 1 process_identifier: 1880	success	0
1619965049.629125 CreateProcessInternalW	thread_identifier: 1344 thread_handle: 0x00010d7c process_identifier: 2840 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000318c inherit_handles: 0	success	1
1619965049.629125 NtGetContextThread	thread_handle: 0x00010d7c	success	0
1619965049.629125 NtAllocateVirtualMemory	process_identifier: 2840 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000318c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619965049.754125 CreateProcessInternalW	thread_identifier: 2796 thread_handle: 0x000056ac process_identifier: 1416 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00002f1c inherit_handles: 0	success	1
1619965049.754125 NtGetContextThread	thread_handle: 0x000056ac	success	0
1619965049.754125 NtAllocateVirtualMemory	process_identifier: 1416 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00002f1c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619965049.801125 CreateProcessInternalW	thread_identifier: 708 thread_handle: 0x000049b4 process_identifier: 2956 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000fbf4 inherit_handles: 0	success	1
1619965049.801125 NtGetContextThread	thread_handle: 0x000049b4	success	0
1619965049.801125 NtAllocateVirtualMemory	process_identifier: 2956 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000fbf4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619965049.832125 CreateProcessInternalW	thread_identifier: 2712 thread_handle: 0x0000e064 process_identifier: 1316 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000094a4 inherit_handles: 0	success	1
1619965049.832125 NtGetContextThread	thread_handle: 0x0000e064	success	0
1619965049.832125 NtAllocateVirtualMemory	process_identifier: 1316 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000094a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619965049.863125 CreateProcessInternalW	thread_identifier: 1404 thread_handle: 0x00010a2c process_identifier: 2056 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e26e602e61a75c0e38fdf5bff1b109d0.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000dad8 inherit_handles: 0	success	1
1619965049.863125 NtGetContextThread	thread_handle: 0x00010a2c	success	0
1619965049.863125 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000dad8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.726510
FireEye	Generic.mg.e26e602e61a75c0e
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Gen:Variant.Razy.726510
Malwarebytes	Spyware.MassLogger
Zillya	Trojan.Crypt.Win32.64300
K7AntiVirus	Trojan ( 0056b6591 )
Alibaba	Trojan:MSIL/AgentTesla.0abb1fa2
K7GW	Trojan ( 0056b6591 )
Cybereason	malicious.e61a75
Arcabit	Trojan.Razy.DB15EE
Cyren	W32/MSIL_Kryptik.BGI.gen!Eldorado
Symantec	Trojan.Gen.MBT
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Gen:Variant.Razy.726510
NANO-Antivirus	Trojan.Win32.Crypt.hpyxlt
Ad-Aware	Gen:Variant.Razy.726510
Emsisoft	Gen:Variant.Razy.726510 (B)
Comodo	Malware@#26ue40lmn0i4t
F-Secure	Trojan.TR/Kryptik.rzlrs
DrWeb	Trojan.PWS.Siggen2.53534
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DLB20
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Sophos	Mal/Generic-S
Jiangmin	Trojan.MSIL.qaej
Avira	TR/Kryptik.rzlrs
Antiy-AVL	Trojan/MSIL.Crypt
Gridinsoft	Trojan.Win32.Kryptik.oa!s1
Microsoft	Trojan:MSIL/AgentTesla.GK!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
GData	Gen:Variant.Razy.726510
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.R346301
McAfee	Fareit-FXU!E26E602E61A7
MAX	malware (ai score=80)
VBA32	TScope.Trojan.MSIL
ESET-NOD32	a variant of MSIL/Kryptik.XCS
TrendMicro-HouseCall	TROJ_GEN.R002C0DLB20
Tencent	Msil.Trojan.Crypt.Aihy
Yandex	Trojan.AvsEtecer.bUbcVg
Ikarus	Trojan.MSIL.Crypt
Fortinet	MSIL/Agent.BMW!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/RnkBend.A
CrowdStrike	win/malicious_confidence_70% (W)
Qihoo-360	Win32/Trojan.PWS.d75

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-29 12:47:28

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702
192.168.56.101	55369	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.