SmartHawk

6.0

高危

51 个模型检测该样本为恶意！

重新分析

下载样本

4cd23a989a8f196b1f49e5e66c6ecfa0cebf63f04950ae4d64127aaedda9e89c

e6a286544172058f451ad9df54ad1292.exe

分析耗时

140s

最近分析

文件大小

4.0KB

静态报毒动态报毒 100% 1GTL90ILBIS3XJ1FZH6OFG 9NHC AI SCORE=89 AIDETECTVM ALIG ARTEMIS ASHIFY ATTRIBUTE AUW@AY CONFIDENCE ERCHP EXECUTION GDSDA GENERIC@ML GENERICKD HIGHCONFIDENCE JWPRE KILLMBR MALICIOUS PE MALWARE1 MBRLOCK QVM20 R + TROJ R06EC0DI220 RDMK SCORE STATIC AI SUSGEN TROJANX UNSAFE WACATAC XVF8FJ1CEAG ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!E6A286544172	20201228	6.0.6.653
Alibaba	Trojan:Win32/Ashify.b6a2b55d	20190527	0.3.0.5
Avast	Win32:TrojanX-gen [Trj]	20201228	21.1.5827.0
Tencent	Win32.Trojan.Generic.Alig	20201228	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20201228	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619976433.378499 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619976434.081499 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	.code
section	.upx

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619976433.378499 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00405000	success
1619976433.378499 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00405000	success
1619976433.409499 NtProtectVirtualMemory	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00405000	success

Creates a suspicious process (2 个事件)

cmdline	cmd.exe /c shutdown -r -t 1 -f
cmdline	"C:\Windows\System32\cmd.exe" /c shutdown -r -t 1 -f

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619976434.503499 ShellExecuteExW	parameters: /c shutdown -r -t 1 -f filepath: cmd.exe filepath_r: cmd.exe show_type: 0	success	1	0

Uses Windows utilities for basic Windows functionality (3 个事件)

cmdline	shutdown -r -t 1 -f
cmdline	cmd.exe /c shutdown -r -t 1 -f
cmdline	"C:\Windows\System32\cmd.exe" /c shutdown -r -t 1 -f

Communicates with host for which no DNS query was performed (3 个事件)

host	172.217.24.14
host	203.208.40.34
host	203.208.41.65

Likely installs a bootkit via raw harddisk modifications (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619976433.409499 NtCreateFile	create_disposition: 1 (FILE_OPEN) file_handle: 0x000000b0 filepath: \??\PhysicalDrive0 desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 2 (FILE_SHARE_WRITE)	success	0	0
1619976433.409499 NtWriteFile	file_handle: 0x000000b0 filepath: \Device\Harddisk0\DR0 buffer: ú¸ÀØÐ¼\|û¸Í¸½&\|º¹»Íëþ~SentinelOne Labs Ransomware~ Your system was unprotected, so we locked down access to Windows. You need to buy SentinelOne antivirus in order to restore your computer. My name is Vitali Kremez. Contacts are below. Phone: +1 203-690-6543 E-Mail 1: vitalik@sentinelone.com E-Mail 2: vkremez@hotmail.com After you buy my antivirus I will send you unlock code. Enter Unlock code:Uª offset: 0	success	0	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)

Bkav	W32.AIDetectVM.malware1
MicroWorld-eScan	Trojan.GenericKD.33658001
FireEye	Generic.mg.e6a286544172058f
McAfee	Artemis!E6A286544172
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Ashify.b6a2b55d
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.441720
Arcabit	Trojan.Generic.D2019491
BitDefenderTheta	Gen:NN.ZexaF.34700.auW@ay!9nhc
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.33658001
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Generic.Alig
Ad-Aware	Trojan.GenericKD.33658001
Sophos	Mal/Generic-R + Troj/KillMBR-V
F-Secure	Trojan.TR/Ransom.MBRlock.jwpre
DrWeb	Trojan.KillMBR.24847
TrendMicro	TROJ_GEN.R06EC0DI220
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.33658001 (B)
Ikarus	Trojan.Win32.MBRlock
Jiangmin	Trojan.Generic.erchp
Webroot	W32.Trojan.Gen
Avira	TR/Ransom.MBRlock.jwpre
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win32.Wacatac
Microsoft	Trojan:Win32/Execution!rfn
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKD.33658001
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.MBRlock.C4061673
Malwarebytes	Trojan.MBRLock
ESET-NOD32	a variant of Win32/MBRlock.BF
TrendMicro-HouseCall	TROJ_GEN.R06EC0DI220
Rising	Trojan.Generic@ML.95 (RDMK:1Gtl90iLBiS3xj1FzH6OFg)
Yandex	Trojan.MBRlock!xVF8fJ1CEag
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/MBRlock.BF!tr.ransom
MaxSecure	Trojan.Malware.7164915.susgen
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-12 23:18:36

Imports

Library KERNEL32.DLL:

• 0x403088 CloseHandle

• 0x40308c CopyFileW

• 0x403090 CreateFileW

• 0x403094 ExitProcess

• 0x403098 GetModuleFileNameW

• 0x40309c IsDebuggerPresent

• 0x4030a0 VirtualAlloc

• 0x4030a4 VirtualFree

• 0x4030a8 VirtualProtect

• 0x4030ac WriteFile

• 0x4030b0 lstrcatW

Library SHELL32.DLL:

• 0x40316c SHGetSpecialFolderPathW

• 0x403170 ShellExecuteW

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.