Score: 8.6 (Critical)

SHA-256: 9c0d802afcd907fdf41624eecad59b190ae1e8c7d9202868a2815ad28ea3cc9d

File name: ed38b4ef24f3c5ced5870ac6dc4a81fb.exe

Analysis duration: 81s

Last analysis:

File size: 1.2MB

Static scan: malicious. Dynamic analysis: malicious. Tags: 100% AGENTTESLA AI SCORE=88 ALI1000139 ALIM ATTRIBUTE AVSARHER BUBVUR CONFIDENCE DAPATO ELDORADO FAREIT GDSDA GENERICKD HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HQQNMH KCLOUD KRYPTIK MALICIOUS PE MALWARE@#H5D9SUXCVE33 NEGASTEAL NN0@AMOQADG R347026 RATX SCORE SHRNR STARTER STATIC AI SUSGEN THJOHBO UNSAFE YAKBEEXMSIL ZEMSILF
Hawkeye engine (鹰眼引擎)
Not scanned: no Hawkeye engine result is available for this sample
Static verdict
Antivirus engines
Engine       Result                             Scan date  Engine version
Baidu        (none)                             20190318   1.0.0.2
Avast        Win32:RATX-gen [Trj]               20201210   21.1.5827.0
Alibaba      Trojan:Win32/starter.ali1000139    20190527   0.3.0.5
Kingsoft     Win32.Troj.Undef.(kcloud)          20201211   2017.9.26.565
McAfee       Fareit-FXY!ED38B4EF24F3            20201211   6.0.6.653
Tencent      Msil.Trojan.Kryptik.Alim           20201211   1.0.0.1
CrowdStrike  win/malicious_confidence_100% (W)  20190702   1.0
Static indicators
Queries for the computername (1 event). Note the timestamp: 1620010576 is roughly three hours after the 1619999xxx events in the dynamic section, so this event (and the WriteConsoleW event below) was recorded in a separate run of the sample.
Time & API Arguments Status Return Repeated
1620010576.890501
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 of 107 events shown). The sandbox marks each call "failed" only because its return value is 0; for IsDebuggerPresent a 0 return means no debugger was detected. The calls recur every 0.5 s, i.e. the sample polls for a debugger in a timed loop rather than checking once at start-up.
Time              API                Status  Return  Repeated
1619999683.75711  IsDebuggerPresent  failed  0       0
1619999684.77211  IsDebuggerPresent  failed  0       0
1619999685.27211  IsDebuggerPresent  failed  0       0
1619999685.77211  IsDebuggerPresent  failed  0       0
1619999686.27211  IsDebuggerPresent  failed  0       0
1619999686.77211  IsDebuggerPresent  failed  0       0
1619999687.27211  IsDebuggerPresent  failed  0       0
1619999687.77211  IsDebuggerPresent  failed  0       0
1619999688.27211  IsDebuggerPresent  failed  0       0
1619999688.77211  IsDebuggerPresent  failed  0       0
1619999689.27211  IsDebuggerPresent  failed  0       0
1619999689.77211  IsDebuggerPresent  failed  0       0
1619999690.27211  IsDebuggerPresent  failed  0       0
1619999690.77211  IsDebuggerPresent  failed  0       0
1619999691.27211  IsDebuggerPresent  failed  0       0
1619999691.77211  IsDebuggerPresent  failed  0       0
1619999692.27211  IsDebuggerPresent  failed  0       0
1619999692.77211  IsDebuggerPresent  failed  0       0
1619999693.27211  IsDebuggerPresent  failed  0       0
1619999693.77211  IsDebuggerPresent  failed  0       0
1619999694.27211  IsDebuggerPresent  failed  0       0
1619999694.77211  IsDebuggerPresent  failed  0       0
1619999695.27211  IsDebuggerPresent  failed  0       0
1619999695.77211  IsDebuggerPresent  failed  0       0
1619999696.27211  IsDebuggerPresent  failed  0       0
1619999696.77211  IsDebuggerPresent  failed  0       0
1619999697.27211  IsDebuggerPresent  failed  0       0
1619999697.77211  IsDebuggerPresent  failed  0       0
1619999698.27211  IsDebuggerPresent  failed  0       0
1619999698.77211  IsDebuggerPresent  failed  0       0
1619999699.27211  IsDebuggerPresent  failed  0       0
1619999699.77211  IsDebuggerPresent  failed  0       0
1619999700.27211  IsDebuggerPresent  failed  0       0
1619999700.77211  IsDebuggerPresent  failed  0       0
1619999701.27211  IsDebuggerPresent  failed  0       0
1619999701.77211  IsDebuggerPresent  failed  0       0
1619999702.27211  IsDebuggerPresent  failed  0       0
1619999702.77211  IsDebuggerPresent  failed  0       0
1619999703.27211  IsDebuggerPresent  failed  0       0
1619999703.77211  IsDebuggerPresent  failed  0       0
1619999704.27211  IsDebuggerPresent  failed  0       0
1619999704.77211  IsDebuggerPresent  failed  0       0
1619999705.27211  IsDebuggerPresent  failed  0       0
1619999705.77211  IsDebuggerPresent  failed  0       0
1619999706.27211  IsDebuggerPresent  failed  0       0
1619999706.77211  IsDebuggerPresent  failed  0       0
1619999707.27211  IsDebuggerPresent  failed  0       0
1619999707.77211  IsDebuggerPresent  failed  0       0
1619999708.27211  IsDebuggerPresent  failed  0       0
1619999708.77211  IsDebuggerPresent  failed  0       0
Command line console output was observed (1 event). This is the output of the schtasks.exe /Create command shown in the dynamic section, printed by a Chinese-locale Windows.
Time & API Arguments Status Return Repeated
1620010577.843501
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\UYqrivl"。 (English-locale equivalent: SUCCESS: The scheduled task "Updates\UYqrivl" has successfully been created.)
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619999684.17911
GlobalMemoryStatusEx
success 1 0
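The IsDebuggerPresent events above are easy to misread one at a time (the sandbox labels every 0 return "failed"); what matters is the cadence. The following script is an added example written for this page, not code from the sandbox or from the sample: it takes a list of (time, api) events, groups them per API and flags any API that is called on a fixed timer. The IsDebuggerPresent timestamps are reconstructed from the report (first call, a second call about one second later, then 48 calls exactly 0.5 s apart); the single GlobalMemoryStatusEx event is included as a control. The thresholds (10 calls, 5% jitter, 80% regular) are assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed from the report's cadence: 1619999683.75711, 1619999684.77211,
# then 0.5 s steps up to 1619999708.77211 (50 IsDebuggerPresent calls).
ISDEBUGGER_CALLS: List[float] = (
    [1619999683.75711, 1619999684.77211]
    + [round(1619999684.77211 + 0.5 * k, 5) for k in range(1, 49)]
)

# Constructed API trace: (timestamp, api). The GlobalMemoryStatusEx time is
# the one printed in the report.
SAMPLE_TRACE: List[Tuple[float, str]] = (
    [(t, "IsDebuggerPresent") for t in ISDEBUGGER_CALLS]
    + [(1619999684.17911, "GlobalMemoryStatusEx")]
)


def detect_polling(timestamps: List[float], api: str, min_calls: int = 10,
                   jitter: float = 0.05, min_regular: float = 0.8) -> Optional[Dict]:
    """Return a summary if `api` is called on a steady timer, else None.

    The dominant period is the median inter-call gap; the loop is "regular"
    when at least `min_regular` of the gaps sit within `jitter` of it.
    """
    if len(timestamps) < min_calls:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    period = statistics.median(gaps)
    if period <= 0:
        return None
    regular = sum(1 for g in gaps if abs(g - period) <= jitter * period)
    fraction = regular / len(gaps)
    if fraction < min_regular:
        return None
    return {
        "api": api,
        "calls": len(ts),
        "period_s": round(period, 3),
        "regular_fraction": round(fraction, 3),
        "span_s": round(ts[-1] - ts[0], 3),
    }


def polling_apis(trace: List[Tuple[float, str]]) -> Dict[str, Dict]:
    """Group a (time, api) trace per API and report the ones that poll."""
    by_api: Dict[str, List[float]] = defaultdict(list)
    for t, api in trace:
        by_api[api].append(t)
    found = {}
    for api, times in by_api.items():
        hit = detect_polling(times, api)
        if hit:
            found[api] = hit
    return found


if __name__ == "__main__":
    for api, info in polling_apis(SAMPLE_TRACE).items():
        print(f"{api}: {info['calls']} calls, every {info['period_s']} s "
              f"over {info['span_s']} s ({info['regular_fraction']:.0%} regular)")
```

On the reconstructed trace only IsDebuggerPresent is reported (50 calls, period 0.5 s, about 25 s covered); the one-off GlobalMemoryStatusEx call never reaches the minimum count. The same grouping works on any sandbox export that gives you a timestamp and an API name per call.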
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 of 74 events shown). Caveat: this sample is a .NET executable (its only import is mscoree.dll!_CorExeMain), and the CLR commits its JIT code heaps as PAGE_EXECUTE_READWRITE, so many of the 4 KiB RWX commits in the sample's own process are likely the runtime's own allocations; on its own this signature is weak evidence for managed binaries. Common values for all 50 rows: process_handle 0xffffffff (the calling process), stack_dep_bypass 0, stack_pivoted 0, protection 64 (PAGE_EXECUTE_READWRITE).
Time              API                      PID   Base address  Size     Allocation type                     heap_dep_bypass  Status   Return  Repeated
1619999682.89711  NtAllocateVirtualMemory  2308  0x00540000    524288   8192 (MEM_RESERVE)                  0                success  0       0
1619999682.89711  NtAllocateVirtualMemory  2308  0x00580000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999683.67911  NtProtectVirtualMemory   2308  0x73f31000    4096     n/a                                 0                success  0       0
1619999683.75711  NtAllocateVirtualMemory  2308  0x0042a000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999683.75711  NtProtectVirtualMemory   2308  0x73f32000    8192     n/a                                 0                success  0       0
1619999683.75711  NtAllocateVirtualMemory  2308  0x00422000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999683.92911  NtAllocateVirtualMemory  2308  0x00432000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.02211  NtAllocateVirtualMemory  2308  0x00433000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.03811  NtAllocateVirtualMemory  2308  0x0056b000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.03811  NtAllocateVirtualMemory  2308  0x00567000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.05411  NtAllocateVirtualMemory  2308  0x0043c000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.11611  NtAllocateVirtualMemory  2308  0x00690000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.16311  NtAllocateVirtualMemory  2308  0x00691000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.16311  NtAllocateVirtualMemory  2308  0x00434000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.17911  NtAllocateVirtualMemory  2308  0x00692000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.17911  NtAllocateVirtualMemory  2308  0x00693000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.19411  NtAllocateVirtualMemory  2308  0x00694000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.36611  NtAllocateVirtualMemory  2308  0x00695000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.38211  NtAllocateVirtualMemory  2308  0x00696000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.41311  NtAllocateVirtualMemory  2308  0x0043a000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.49111  NtAllocateVirtualMemory  2308  0x0055a000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.53811  NtAllocateVirtualMemory  2308  0x00552000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.58511  NtAllocateVirtualMemory  2308  0x00435000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.60111  NtAllocateVirtualMemory  2308  0x00565000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999684.99111  NtAllocateVirtualMemory  2308  0x00436000    8192     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.06911  NtAllocateVirtualMemory  2308  0x0042b000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.08511  NtAllocateVirtualMemory  2308  0x0054a000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.08511  NtAllocateVirtualMemory  2308  0x00547000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.16311  NtAllocateVirtualMemory  2308  0x0055c000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.19411  NtAllocateVirtualMemory  2308  0x00438000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.19411  NtAllocateVirtualMemory  2308  0x00697000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.21011  NtAllocateVirtualMemory  2308  0x7ef40000    327680   1056768 (MEM_RESERVE|MEM_TOP_DOWN)  0                success  0       0
1619999685.21011  NtAllocateVirtualMemory  2308  0x7ef40000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.21011  NtAllocateVirtualMemory  2308  0x7ef40000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.21011  NtAllocateVirtualMemory  2308  0x7ef30000    65536    1056768 (MEM_RESERVE|MEM_TOP_DOWN)  0                success  0       0
1619999685.21011  NtAllocateVirtualMemory  2308  0x7ef30000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.25711  NtAllocateVirtualMemory  2308  0x00546000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.27211  NtAllocateVirtualMemory  2308  0x00698000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.30411  NtAllocateVirtualMemory  2308  0x00699000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999685.33511  NtAllocateVirtualMemory  2308  0x00439000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999732.28811  NtAllocateVirtualMemory  2308  0x054f0000    2228224  8192 (MEM_RESERVE)                  0                success  0       0
1619999732.28811  NtAllocateVirtualMemory  2308  0x056d0000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999732.28811  NtAllocateVirtualMemory  2308  0x056d1000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999732.31911  NtAllocateVirtualMemory  2308  0x056d2000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999732.31911  NtAllocateVirtualMemory  2308  0x056d3000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999732.31911  NtAllocateVirtualMemory  2308  0x056d4000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999732.31911  NtAllocateVirtualMemory  2308  0x056d5000    16384    4096 (MEM_COMMIT)                   1                success  0       0
1619999732.31911  NtAllocateVirtualMemory  2308  0x056d9000    69632    4096 (MEM_COMMIT)                   1                success  0       0
1619999732.31911  NtAllocateVirtualMemory  2308  0x056ea000    4096     4096 (MEM_COMMIT)                   1                success  0       0
1619999732.33511  NtAllocateVirtualMemory  2308  0x056eb000    4096     4096 (MEM_COMMIT)                   1                success  0       0
A process attempted to delay the analysis task (1 event)
description: ed38b4ef24f3c5ced5870ac6dc4a81fb.exe tried to sleep 151 seconds, actually delayed analysis time by 151 seconds
Creates a suspicious process (2 events). The task definition is passed as an XML file in the user's Temp directory; the file is deleted again after registration (see "Deletes executed files from disk" below).
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UYqrivl" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp"
cmdline schtasks.exe /Create /TN "Updates\UYqrivl" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619999733.39711
ShellExecuteExW
parameters: /Create /TN "Updates\UYqrivl" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0 (SW_HIDE, so the schtasks console window never appears)
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
Section .text: virtual_address 0x00002000, virtual_size 0x00132994, size_of_data 0x00132a00, entropy 7.590 bits per byte (maximum is 8). Description: a section with a high entropy has been found. A .NET assembly whose single .text section holds about 1.2 MB at this entropy is carrying an encrypted or compressed payload, which matches the Kryptik/Dapato/MalPack dropper names in the engine list.
Overall value 0.986. Description: overall entropy of this PE file is high. Caveat: in the Cuckoo-derived packer_entropy signature this figure is not a Shannon entropy but the share of section data that sits in sections above the per-section threshold; here 98.6% of the file's section data is in the high-entropy .text section.
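To see how the two figures above relate, here is an added example (written for this page, not the sandbox's own code) that computes per-section Shannon entropy and then reproduces the Cuckoo-style packer signature: flag sections above a threshold and report the fraction of section bytes that fall into flagged sections. The sample sections are constructed (a pseudo-random filler standing in for the encrypted .text, a repetitive .rsrc and an all-zero .reloc); the thresholds 6.8 bits per byte and 0.2 for the ratio are what I recall as the open-source signature's defaults and should be treated as assumptions.

```python
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections: List[Tuple[str, bytes]],
                      section_threshold: float = 6.8,
                      ratio_threshold: float = 0.2):
    """Cuckoo-style packer check over (name, raw_bytes) sections.

    Returns (flagged, ratio, overall_hit). `flagged` lists high-entropy
    sections as (name, entropy, size); `ratio` is the share of all raw
    section bytes that live in flagged sections, which is the number a
    Cuckoo-derived report prints as "overall entropy".
    """
    total = 0
    in_high = 0
    flagged = []
    for name, raw in sections:
        total += len(raw)
        ent = shannon_entropy(raw)
        if ent > section_threshold:
            flagged.append((name, round(ent, 3), len(raw)))
            in_high += len(raw)
    ratio = in_high / total if total else 0.0
    return flagged, ratio, ratio > ratio_threshold


def _lcg_bytes(n: int, seed: int = 0x1234) -> bytes:
    """Deterministic pseudo-random filler (ANSI C rand constants)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed stand-ins: an 8 KiB "encrypted" .text, a repetitive .rsrc and
# an empty .reloc. Sizes are arbitrary.
SAMPLE_SECTIONS: List[Tuple[str, bytes]] = [
    (".text", _lcg_bytes(8192)),
    (".rsrc", (b"MZ\x90\x00" + b"\x00" * 60) * 8),
    (".reloc", b"\x00" * 512),
]


if __name__ == "__main__":
    flagged, ratio, hit = packer_indicators(SAMPLE_SECTIONS)
    for name, ent, size in flagged:
        print(f"{name}: entropy {ent} over {size} bytes")
    print(f"share of data in high-entropy sections: {ratio:.4f} (hit={hit})")
```

On the constructed input only .text is flagged and the ratio is 8192/9216 (about 0.889); on the real sample the same computation yields the report's 0.986 because almost everything is in .text. When comparing sandboxes, check which definition of "overall entropy" each one uses before putting the numbers side by side.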
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619999684.46011
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (10 events). Each of the five suspended children created in the injection sequence below is terminated; every termination is logged twice on the same handle, first as failed and then as success.
Time              API                 status_code  PID   process_handle  Status   Return  Repeated
1619999736.56911  NtTerminateProcess  0xffffffff   2960  0x000003d4      failed   0       0
1619999736.56911  NtTerminateProcess  0xffffffff   2960  0x000003d4      success  0       0
1619999736.86611  NtTerminateProcess  0xffffffff   2448  0x000003dc      failed   0       0
1619999736.86611  NtTerminateProcess  0xffffffff   2448  0x000003dc      success  0       0
1619999737.16311  NtTerminateProcess  0xffffffff   2412  0x000003e4      failed   0       0
1619999737.16311  NtTerminateProcess  0xffffffff   2412  0x000003e4      success  0       0
1619999737.46011  NtTerminateProcess  0xffffffff   2956  0x000003ec      failed   0       0
1619999737.46011  NtTerminateProcess  0xffffffff   2956  0x000003ec      success  0       0
1619999737.80411  NtTerminateProcess  0xffffffff   3000  0x000003f4      failed   0       0
1619999737.80411  NtTerminateProcess  0xffffffff   3000  0x000003f4      success  0       0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UYqrivl" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp"
cmdline schtasks.exe /Create /TN "Updates\UYqrivl" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp"
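The persistence chain above (write a task XML to %TEMP%\tmpXXXX.tmp, run schtasks.exe /Create with a hidden window, delete the XML) is what a process-creation detection should key on, not the task name alone. The script below is an added example written for this page, not the sandbox's or the sample's code: it scores Sysmon/4688-style process-creation records for this pattern. The two schtasks command lines and the parent path are copied from the report; the third record is a constructed benign control; the field names (Image, ParentImage, CommandLine) follow Sysmon event 1 and the "two or more indicators" cut-off is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records. Records 0 and 1 carry the command
# lines and parent path seen in the report; record 2 is a benign control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UYqrivl" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Updates\UYqrivl" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Create /TN "\Microsoft\Windows\Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
TMP_FILE = re.compile(r"\\tmp[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def _arg(cmd: str, switch: str) -> Optional[str]:
    """Value following a schtasks switch, quoted or bare."""
    m = re.search(re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def schtasks_persistence_indicators(event: Dict[str, str]) -> List[str]:
    """Reasons why a schtasks.exe process-creation record looks like
    malware registering its own persistence; empty for benign use."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if image != "schtasks.exe" or not re.search(r"\s/create\b", cmd, re.IGNORECASE):
        return []
    reasons = []
    xml = _arg(cmd, "/XML")
    if xml and USER_TEMP.search(xml):
        reasons.append("task XML read from the user's Temp directory")
    if xml and TMP_FILE.search(xml):
        reasons.append("task XML has an auto-generated tmpXXXX.tmp name")
    if USER_TEMP.search(event.get("ParentImage", "")):
        reasons.append("parent process runs from the user's Temp directory")
    task = _arg(cmd, "/TN")
    if task and not task.lower().startswith("\\microsoft\\"):
        reasons.append(f"task '{task}' registered outside \\Microsoft\\")
    return reasons


def is_suspicious(event: Dict[str, str], min_indicators: int = 2) -> bool:
    return len(schtasks_persistence_indicators(event)) >= min_indicators


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Indexes and reasons for every suspicious record in a batch."""
    return [(i, schtasks_persistence_indicators(e))
            for i, e in enumerate(events) if is_suspicious(e)]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for r in reasons:
            print("   -", r)
```

Both report records trip all four indicators; the control record trips none, because its XML lives under ProgramData, its parent is cmd.exe and the task sits under \Microsoft\. If your telemetry also records file deletions, correlating the later removal of the same tmp file (the "Deletes executed files from disk" event below) adds a fifth, very specific indicator.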
Network communication
Communicates with host for which no DNS query was performed (2 events). Caveat: the Hosts, TCP and HTTP sections at the end of this report record no connections at all, so these two addresses are not corroborated by the captured traffic.
host 172.217.24.14
host 58.63.233.69
Allocates execute permission to another process indicative of possible code injection (5 events). All five allocations target the child's own image base 0x00400000 and fail with return 3221225496, which is NTSTATUS 0xC0000018 (STATUS_CONFLICTING_ADDRESSES): the original image is still mapped there. Common values for all rows: stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0, region_size 303104, protection 64 (PAGE_EXECUTE_READWRITE), allocation_type 12288 (MEM_COMMIT|MEM_RESERVE), base_address 0x00400000.
Time              API                      Target PID  process_handle  Status  Return                                            Repeated
1619999736.27211  NtAllocateVirtualMemory  2960        0x000003cc      failed  3221225496 (0xC0000018 STATUS_CONFLICTING_ADDRESSES)  0
1619999736.66311  NtAllocateVirtualMemory  2448        0x000003d0      failed  3221225496 (0xC0000018 STATUS_CONFLICTING_ADDRESSES)  0
1619999736.94411  NtAllocateVirtualMemory  2412        0x000003d8      failed  3221225496 (0xC0000018 STATUS_CONFLICTING_ADDRESSES)  0
1619999737.27211  NtAllocateVirtualMemory  2956        0x000003e0      failed  3221225496 (0xC0000018 STATUS_CONFLICTING_ADDRESSES)  0
1619999737.58511  NtAllocateVirtualMemory  3000        0x000003e8      failed  3221225496 (0xC0000018 STATUS_CONFLICTING_ADDRESSES)  0
Deletes executed files from disk (1 event). The deleted file is the task XML that was handed to schtasks.exe /XML above, removed once the task was registered.
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp
Manipulates memory of a non-child process indicative of process injection (10 events)
Process injection Process 2308 manipulating memory of non-child process 2960
Process injection Process 2308 manipulating memory of non-child process 2448
Process injection Process 2308 manipulating memory of non-child process 2412
Process injection Process 2308 manipulating memory of non-child process 2956
Process injection Process 2308 manipulating memory of non-child process 3000
(The five NtAllocateVirtualMemory events backing this signature are the same as those listed under "Allocates execute permission to another process" above.)
Executed a process and injected code into it, probably while unpacking (20 events). Reading the sequence: the first four NtResumeThread calls belong to the sample's own process 2308 (CLR start-up threads); the schtasks.exe launch is the persistence step; then five times in a row the sample starts a copy of itself with CREATE_SUSPENDED|CREATE_NO_WINDOW, reads the main thread's context with NtGetContextThread, and tries to allocate 303104 bytes of PAGE_EXECUTE_READWRITE at the child's image base 0x00400000. Every allocation fails with 3221225496 (0xC0000018, STATUS_CONFLICTING_ADDRESSES) because the original image still occupies that range; no NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread or NtResumeThread for the children appears in the log, and each child is terminated shortly afterwards (see "Terminates another process"). So this is a process-hollowing attempt that never got past the allocation step in this sandbox, and the unpacked payload was never written anywhere the sandbox could capture it.
Time & API Arguments Status Return Repeated
1619999683.75711
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2308
success 0 0
1619999683.80411
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2308
success 0 0
1619999684.71011
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2308
success 0 0
1619999684.75711
NtResumeThread
thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 2308
success 0 0
1619999733.39711
CreateProcessInternalW
thread_identifier: 2648
thread_handle: 0x00000384
process_identifier: 2668
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UYqrivl" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp17A5.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003bc
inherit_handles: 0
success 1 0
1619999736.27211
CreateProcessInternalW
thread_identifier: 2964
thread_handle: 0x00000378
process_identifier: 2960
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000003cc
inherit_handles: 0
success 1 0
1619999736.27211
NtGetContextThread
thread_handle: 0x00000378
success 0 0
1619999736.27211
NtAllocateVirtualMemory
process_identifier: 2960
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619999736.64711
CreateProcessInternalW
thread_identifier: 1752
thread_handle: 0x000003d4
process_identifier: 2448
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000003d0
inherit_handles: 0
success 1 0
1619999736.66311
NtGetContextThread
thread_handle: 0x000003d4
success 0 0
1619999736.66311
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003d0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619999736.94411
CreateProcessInternalW
thread_identifier: 2576
thread_handle: 0x000003dc
process_identifier: 2412
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000003d8
inherit_handles: 0
success 1 0
1619999736.94411
NtGetContextThread
thread_handle: 0x000003dc
success 0 0
1619999736.94411
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003d8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619999737.27211
CreateProcessInternalW
thread_identifier: 376
thread_handle: 0x000003e4
process_identifier: 2956
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000003e0
inherit_handles: 0
success 1 0
1619999737.27211
NtGetContextThread
thread_handle: 0x000003e4
success 0 0
1619999737.27211
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619999737.56911
CreateProcessInternalW
thread_identifier: 2080
thread_handle: 0x000003ec
process_identifier: 3000
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ed38b4ef24f3c5ced5870ac6dc4a81fb.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000003e8
inherit_handles: 0
success 1 0
1619999737.58511
NtGetContextThread
thread_handle: 0x000003ec
success 0 0
1619999737.58511
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 303104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
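To turn the interpretation above into something repeatable, here is an added example written for this page (not the sandbox's code and not the sample's): a small state machine that walks an API trace, follows each CREATE_SUSPENDED child through the hollowing steps, decodes the NTSTATUS of the remote allocation and reports how far the injection got. The trace is constructed from the report's events for child 2960 (creation flags, thread and process handles, allocation arguments and the 3221225496 return); the parent pid 2308 is taken from the "Process 2308 manipulating memory of non-child process 2960" line. The event dictionary layout and the NTSTATUS table are my own.

```python
from typing import Any, Dict, List

CREATE_SUSPENDED = 0x00000004
CREATE_NO_WINDOW = 0x08000000
PAGE_EXECUTE_READWRITE = 0x40
STATUS_CONFLICTING_ADDRESSES = 0xC0000018

NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000017: "STATUS_NO_MEMORY",
    0xC0000018: "STATUS_CONFLICTING_ADDRESSES",
    0xC0000022: "STATUS_ACCESS_DENIED",
}

# Hollowing steps that can be recognised purely from the API name.
STEP_BY_API = {
    "NtUnmapViewOfSection": "unmap",
    "NtWriteVirtualMemory": "write_payload",
    "WriteProcessMemory": "write_payload",
    "NtSetContextThread": "set_context",
    "NtResumeThread": "resume",
    "NtTerminateProcess": "terminate",
}


def ntstatus_name(code: int) -> str:
    code &= 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, "0x%08X" % code)


def decode_creation_flags(flags: int) -> set:
    names = {CREATE_SUSPENDED: "CREATE_SUSPENDED", CREATE_NO_WINDOW: "CREATE_NO_WINDOW"}
    return {n for bit, n in names.items() if flags & bit}


# Constructed trace for child 2960; values copied from the report.
TRACE: List[Dict[str, Any]] = [
    {"time": 1619999736.27211, "caller": 2308, "api": "CreateProcessInternalW",
     "args": {"process_identifier": 2960, "thread_handle": 0x378, "process_handle": 0x3cc,
              "creation_flags": 134217732}, "return": 1},
    {"time": 1619999736.27211, "caller": 2308, "api": "NtGetContextThread",
     "args": {"thread_handle": 0x378}, "return": 0},
    {"time": 1619999736.27211, "caller": 2308, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 2960, "base_address": 0x00400000, "region_size": 303104,
              "protection": 0x40, "allocation_type": 0x3000}, "return": 3221225496},
    {"time": 1619999736.56911, "caller": 2308, "api": "NtTerminateProcess",
     "args": {"process_identifier": 2960}, "return": 0},
]


def _verdict(st: Dict[str, Any]) -> str:
    steps = set(st["steps"])
    if {"create_suspended", "remote_rwx_alloc", "write_payload", "set_context", "resume"} <= steps:
        return "process hollowing completed"
    if "remote_rwx_alloc" in steps and st["alloc_status"] not in (None, 0):
        why = ntstatus_name(st["alloc_status"])
        if st["alloc_status"] == STATUS_CONFLICTING_ADDRESSES and "unmap" not in steps:
            why += " (image base still mapped; no NtUnmapViewOfSection before the allocation)"
        return "process hollowing attempted, remote allocation failed: " + why
    if "create_suspended" in steps and "get_context" in steps:
        return "suspended child with context read; no injection observed"
    return "no hollowing pattern"


def analyze_hollowing(trace: List[Dict[str, Any]]) -> Dict[int, Dict[str, Any]]:
    """Per child pid: parent, decoded creation flags, ordered steps, verdict."""
    children: Dict[int, Dict[str, Any]] = {}
    thread_to_pid: Dict[int, int] = {}
    for ev in trace:
        api, a = ev["api"], ev["args"]
        if api == "CreateProcessInternalW" and a["creation_flags"] & CREATE_SUSPENDED:
            pid = a["process_identifier"]
            children[pid] = {"parent": ev["caller"], "steps": ["create_suspended"],
                             "flags": decode_creation_flags(a["creation_flags"]),
                             "alloc_status": None}
            thread_to_pid[a["thread_handle"]] = pid
        elif api == "NtGetContextThread":
            pid = thread_to_pid.get(a.get("thread_handle"))
            if pid in children:
                children[pid]["steps"].append("get_context")
        elif api == "NtAllocateVirtualMemory":
            pid = a["process_identifier"]
            if pid in children and pid != ev["caller"] and a["protection"] == PAGE_EXECUTE_READWRITE:
                st = children[pid]
                st["steps"].append("remote_rwx_alloc")
                st["alloc_base"] = a["base_address"]
                st["alloc_status"] = ev["return"] & 0xFFFFFFFF
        else:
            step = STEP_BY_API.get(api)
            pid = a.get("process_identifier") or thread_to_pid.get(a.get("thread_handle"))
            if step and pid in children:
                children[pid]["steps"].append(step)
    for st in children.values():
        st["verdict"] = _verdict(st)
    return children


if __name__ == "__main__":
    for pid, st in analyze_hollowing(TRACE).items():
        print(pid, sorted(st["flags"]), "->".join(st["steps"]))
        print("   ", st["verdict"])
```

On the constructed trace the verdict for pid 2960 is "process hollowing attempted, remote allocation failed: STATUS_CONFLICTING_ADDRESSES (image base still mapped; no NtUnmapViewOfSection before the allocation)". Two caveats for real traces: a loader that unmaps first, or lets the kernel choose the base address, will get past the allocation and the detector then needs the write, set_context and resume steps to call it complete; and some sandboxes log NtGetContextThread without the thread handle, in which case the child must be attributed by ordering instead of by handle.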
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 of 53 shown)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34297580
FireEye Generic.mg.ed38b4ef24f3c5ce
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Trojan.GenericKD.34297580
Cylance Unsafe
Zillya Dropper.Dapato.Win32.78976
Sangfor Malware
K7AntiVirus Trojan ( 0056bf671 )
BitDefender Trojan.GenericKD.34297580
K7GW Trojan ( 0056bf671 )
BitDefenderTheta Gen:NN.ZemsilF.34670.nn0@amOqaDg
Cyren W32/MSIL_Kryptik.BHS.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.XFR
APEX Malicious
Avast Win32:RATX-gen [Trj]
Alibaba Trojan:Win32/starter.ali1000139
NANO-Antivirus Trojan.Win32.Dapato.hqqnmh
AegisLab Trojan.Multi.Generic.4!c
Ad-Aware Trojan.GenericKD.34297580
Sophos Mal/Generic-S
Comodo Malware@#h5d9suxcve33
F-Secure Trojan.TR/Kryptik.shrnr
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.MSIL.NEGASTEAL.THJOHBO
McAfee-GW-Edition Fareit-FXY!ED38B4EF24F3
Emsisoft Trojan.GenericKD.34297580 (B)
Ikarus Trojan.MSIL.Crypt
Avira TR/Kryptik.shrnr
MAX malware (ai score=88)
Antiy-AVL Trojan[Dropper]/MSIL.Dapato
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft TrojanSpy:MSIL/AgentTesla.AQ!MTB
Gridinsoft Trojan.Win32.Kryptik.oa
Arcabit Trojan.Generic.D20B56EC
AhnLab-V3 Trojan/Win32.Kryptik.R347026
ZoneAlarm HEUR:Trojan-Dropper.MSIL.Dapato.gen
GData Trojan.GenericKD.34297580
Cynet Malicious (score: 100)
McAfee Fareit-FXY!ED38B4EF24F3
VBA32 CIL.HeapOverride.Heur
Malwarebytes Trojan.MalPack
Panda Trj/GdSda.A
TrendMicro-HouseCall TrojanSpy.MSIL.NEGASTEAL.THJOHBO
Tencent Msil.Trojan.Kryptik.Alim
Yandex Trojan.AvsArher.bUbVUr
SentinelOne Static AI - Malicious PE
Fortinet MSIL/Kryptik.XFR!tr
MaxSecure Trojan.Malware.73693254.susgen
Visual analysis
Binary image: none (no binary visualization was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)


PE Compile Time

2020-08-05 20:35:26 (three entries in the static engine table carry 2019 dates, earlier than this timestamp; a PE timestamp is attacker-controlled, so neither figure should be trusted on its own)

Imports

Library mscoree.dll:
0x402000 _CorExeMain

A single import of _CorExeMain from mscoree.dll is the hallmark of a .NET (MSIL) executable: the native entry point just hands control to the CLR, and the real logic lives in managed code. This matches the MSIL-prefixed names in the engine list (Kryptik.XFR, NEGASTEAL, AgentTesla.AQ!MTB).

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination      Destination port
192.168.56.101  50534        114.114.114.114  53
192.168.56.101  51963        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  49235        224.0.0.252      5355
192.168.56.101  56804        224.0.0.252      5355
192.168.56.101  60123        224.0.0.252      5355
192.168.56.101  62191        224.0.0.252      5355
192.168.56.101  1900         239.255.255.250  1900
192.168.56.101  50535        239.255.255.250  3702
192.168.56.101  56540        239.255.255.250  3702
192.168.56.101  56807        239.255.255.250  1900
192.168.56.101  58707        239.255.255.250  3702

Reading the UDP table: DNS queries to 114.114.114.114, NetBIOS name service and datagram traffic to the subnet broadcast (137/138), LLMNR to 224.0.0.252:5355 and SSDP/WS-Discovery to 239.255.255.250 (1900/3702) are all normal Windows name-resolution and device-discovery chatter. No traffic attributable to the sample itself was captured, which is consistent with the injection attempts failing before any payload ran.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files: none.
Dropped buffers: none. With no dropped files and no successful injection, the sandbox never captured the unpacked second stage; the AgentTesla/NEGASTEAL names come from the engines' static and heuristic matches on this loader.