10.0
0-day
54 个模型检测该样本为恶意!
重新分析
更多

59724a1404d2b346afa700641f38c7ec0fe10e38167aa955b2706e69fbdd83f8

e2d8063b3b71b9a0c63ff8006af36174.exe

分析耗时

97s

最近分析

文件大小

435.5KB
静态报毒 动态报毒 AGEN AGENSLA AGENTTESLA AI SCORE=89 AKYQ ATTRIBUTE BMW@A808NGJI BTL1DE CLOUD CONFIDENCE GDSDA GENERICKD GENERICRXKP HIGH CONFIDENCE HIGHCONFIDENCE HSNH IGENT KRYPTIK MALREP OCCAMY QQPASS QQROB RNDCRYPT SCORE SIGGEN9 SUSGEN THEBFBO TROJANPSW TROJANPWS TROJANX UNSAFE ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXKP-KN!E2D8063B3B71 20200614 6.0.6.653
Alibaba TrojanPSW:MSIL/Kryptik.3e4bf63e 20190527 0.3.0.5
Avast Win32:TrojanX-gen [Trj] 20200614 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20200614 2013.8.14.323
Tencent Msil.Trojan-qqpass.Qqrob.Akyq 20200614 1.0.0.1
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1619972892.340374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619972897.558374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619972902.418374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619972902.683374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1619972849.903124
IsDebuggerPresent
failed 0 0
1619972849.903124
IsDebuggerPresent
failed 0 0
1619972887.105374
IsDebuggerPresent
failed 0 0
1619972887.105374
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 个事件)
Time & API Arguments Status Return Repeated
1619972895.544249
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2d8063b3b71b9a0c63ff8006af36174.exe
console_handle: 0x00000007
success 1 0
1619972895.919249
WriteConsoleW
buffer: 另一个程序正在使用此文件,进程无法访问。
console_handle: 0x0000000b
success 1 0
1619972891.105626
WriteConsoleW
buffer: Y
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619972849.934124
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619972900.449374
__exception__
stacktrace: 
0x4a0f8e5
0x4a0eb76
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3403008
registers.edi: 44400364
registers.eax: 0
registers.ebp: 3403052
registers.edx: 8
registers.ebx: 0
registers.esi: 1391540935
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 b2 3c 5d b1
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x29b31ca
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 110 个事件)
Time & API Arguments Status Return Repeated
1619972847.137124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x003f0000
success 0 0
1619972847.137124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00460000
success 0 0
1619972849.716124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005c0000
success 0 0
1619972849.716124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00680000
success 0 0
1619972849.794124
NtProtectVirtualMemory
process_identifier: 1300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619972849.903124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00be0000
success 0 0
1619972849.903124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ca0000
success 0 0
1619972849.903124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0029a000
success 0 0
1619972849.903124
NtProtectVirtualMemory
process_identifier: 1300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619972849.903124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00292000
success 0 0
1619972853.137124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a2000
success 0 0
1619972853.184124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c5000
success 0 0
1619972853.184124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002cb000
success 0 0
1619972853.184124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c7000
success 0 0
1619972853.481124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a3000
success 0 0
1619972853.497124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ac000
success 0 0
1619972853.622124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00630000
success 0 0
1619972853.653124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b6000
success 0 0
1619972853.731124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ba000
success 0 0
1619972853.731124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b7000
success 0 0
1619972853.794124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a4000
success 0 0
1619972854.356124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a5000
success 0 0
1619972854.497124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00631000
success 0 0
1619972854.637124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00660000
success 0 0
1619972885.903124
NtAllocateVirtualMemory
process_identifier: 1300
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00c60000
success 0 0
1619972887.074374
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74521000
success 0 0
1619972887.074374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00950000
success 0 0
1619972887.074374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ad0000
success 0 0
1619972887.090374
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619972887.090374
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73ad1000
success 0 0
1619972887.090374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00460000
success 0 0
1619972887.090374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e0000
success 0 0
1619972887.105374
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619972887.105374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005c0000
success 0 0
1619972887.105374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00630000
success 0 0
1619972887.105374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049a000
success 0 0
1619972887.105374
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619972887.105374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00492000
success 0 0
1619972887.121374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a2000
success 0 0
1619972887.121374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c5000
success 0 0
1619972887.121374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004cb000
success 0 0
1619972887.121374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c7000
success 0 0
1619972887.121374
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74511000
success 0 0
1619972887.121374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a3000
success 0 0
1619972887.121374
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75061000
success 0 0
1619972887.136374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a4000
success 0 0
1619972887.136374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ac000
success 0 0
1619972887.152374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a00000
success 0 0
1619972887.152374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 53248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a01000
success 0 0
1619972887.168374
NtAllocateVirtualMemory
process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a7000
success 0 0
Creates a suspicious process (2 个事件)
cmdline cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2d8063b3b71b9a0c63ff8006af36174.exe"
cmdline "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2d8063b3b71b9a0c63ff8006af36174.exe"
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2d8063b3b71b9a0c63ff8006af36174.exe
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619972887.481124
ShellExecuteExW
parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2d8063b3b71b9a0c63ff8006af36174.exe"
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.134118413195624 section {'size_of_data': '0x0005c000', 'virtual_address': '0x00002000', 'entropy': 7.134118413195624, 'name': '.text', 'virtual_size': '0x0005bf84'} description A section with a high entropy has been found
entropy 0.8459770114942529 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619972889.011374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2d8063b3b71b9a0c63ff8006af36174.exe"
cmdline "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2d8063b3b71b9a0c63ff8006af36174.exe"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
A process attempted to delay the analysis task. (1 个事件)
description RegAsm.exe tried to sleep 2728173 seconds, actually delayed analysis time by 2728173 seconds
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e2d8063b3b71b9a0c63ff8006af36174.exe
Manipulates memory of a non-child process indicative of process injection (3 个事件)
Process injection Process 1300 manipulating memory of non-child process 2516
Time & API Arguments Status Return Repeated
1619972886.403124
NtAllocateVirtualMemory
process_identifier: 2516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000234
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619972886.403124
NtAllocateVirtualMemory
process_identifier: 2516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000234
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\None:Zone.Identifier
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
DrWeb Trojan.Siggen9.50693
MicroWorld-eScan Trojan.GenericKD.33879400
FireEye Generic.mg.e2d8063b3b71b9a0
CAT-QuickHeal Trojanpws.Msil
McAfee GenericRXKP-KN!E2D8063B3B71
Cylance Unsafe
K7AntiVirus Trojan ( 0056081c1 )
Alibaba TrojanPSW:MSIL/Kryptik.3e4bf63e
K7GW Trojan ( 0056081c1 )
Cybereason malicious.052281
Arcabit Trojan.Generic.D204F568
Invincea heuristic
BitDefenderTheta Gen:NN.ZemsilF.34128.BmW@a808Ngji
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33879400
AegisLab Trojan.MSIL.Agensla.i!c
Avast Win32:TrojanX-gen [Trj]
Rising Trojan.Kryptik!8.8 (CLOUD)
Endgame malicious (high confidence)
Emsisoft Trojan.GenericKD.33879400 (B)
F-Secure Heuristic.HEUR/AGEN.1116653
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.MSIL.MALREP.THEBFBO
McAfee-GW-Edition BehavesLike.Win32.Generic.gh
Sophos Mal/Generic-S
Cyren W32/Trojan.HSNH-3731
Jiangmin Trojan.PSW.MSIL.zdc
Avira HEUR/AGEN.1116653
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:Win32/Occamy.C59
ViRobot Trojan.Win32.Z.Kryptik.445952.CS
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33879400
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.C4106671
ALYac Spyware.AgentTesla
MAX malware (ai score=89)
Ad-Aware Trojan.GenericKD.33879400
Malwarebytes Trojan.RNDCrypt.MSIL.Generic
ESET-NOD32 a variant of MSIL/Kryptik.VZM
TrendMicro-HouseCall Trojan.MSIL.MALREP.THEBFBO
Tencent Msil.Trojan-qqpass.Qqrob.Akyq
Yandex Trojan.Igent.bTL1DE.4
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_76%
Fortinet MSIL/Kryptik.VCR!tr
MaxSecure Trojan.Malware.300983.susgen
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-21 06:40:43

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.