3.4
中危
6 个模型检测该样本为恶意!
重新分析
更多

7680c3529fc5020e7c048fe5e973d1e94ff6c97b4847f3a4535edefc769bf6c9

ed8f4c210c141aca43bcc80151530a5b.exe

分析耗时

80s

最近分析

文件大小

4.2MB
静态报毒 动态报毒 56CCIPDB1LK GENERIC@ML KCLOUD POPCLICK PRESENOKER RDML SW+TV4SQX33KQFNZRNTVQA 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Alibaba 20190527 0.3.0.5
Avast 20210102 21.1.5827.0
Tencent 20210101 1.0.0.1
Kingsoft Win32.Malware.Generic.a.(kcloud) 20210101 2017.9.26.565
McAfee 20210102 6.0.6.653
CrowdStrike 20190702 1.0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (4 个事件)
Time & API Arguments Status Return Repeated
1620813146.322374
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620813146.322374
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 90112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1620813146.337374
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 356352
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00420000
success 0 0
1620813147.120249
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
Foreign language identified in PE resource (16 个事件)
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x0006c5ac filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_GROUP_ICON language LANG_CHINESE offset 0x00075b58 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000000bc
name RT_VERSION language LANG_CHINESE offset 0x00075c14 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000488
name RT_MANIFEST language LANG_CHINESE offset 0x0007609c filetype XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000462
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-BJGQ9.tmp\_isetup\_shfoldr.dll
Drops an executable to the user AppData folder (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-TU6K9.tmp\ed8f4c210c141aca43bcc80151530a5b.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-BJGQ9.tmp\_isetup\_shfoldr.dll
File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 个事件)
DrWeb Trojan.Popclick.47
Kingsoft Win32.Malware.Generic.a.(kcloud)
Microsoft PUA:Win32/Presenoker
VBA32 suspected of Trojan.Downloader.gen.h
Rising Trojan.Generic@ML.95 (RDML:sW+Tv4sqx33kqFnzrNTVQA)
Yandex Trojan.Popclick!56cCIPdb1Lk
Queries for potentially installed applications (2 个事件)
Time & API Arguments Status Return Repeated
1620813148.292249
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{762724C3-2029-42CA-8007-813EDB8282E6}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{762724C3-2029-42CA-8007-813EDB8282E6}_is1
options: 0
failed 2 0
1620813148.292249
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{762724C3-2029-42CA-8007-813EDB8282E6}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{762724C3-2029-42CA-8007-813EDB8282E6}_is1
options: 0
failed 2 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2011-03-19 02:01:05

Imports

Library oleaut32.dll:
0x41e350 SysFreeString
0x41e354 SysReAllocStringLen
0x41e358 SysAllocStringLen
Library advapi32.dll:
0x41e360 RegQueryValueExW
0x41e364 RegOpenKeyExW
0x41e368 RegCloseKey
Library user32.dll:
0x41e370 GetKeyboardType
0x41e374 LoadStringW
0x41e378 MessageBoxA
0x41e37c CharNextW
Library kernel32.dll:
0x41e384 GetACP
0x41e388 Sleep
0x41e38c VirtualFree
0x41e390 VirtualAlloc
0x41e394 GetSystemInfo
0x41e398 GetTickCount
0x41e3a0 GetVersion
0x41e3a4 GetCurrentThreadId
0x41e3a8 VirtualQuery
0x41e3ac WideCharToMultiByte
0x41e3b0 MultiByteToWideChar
0x41e3b4 lstrlenW
0x41e3b8 lstrcpynW
0x41e3bc LoadLibraryExW
0x41e3c0 GetThreadLocale
0x41e3c4 GetStartupInfoA
0x41e3c8 GetProcAddress
0x41e3cc GetModuleHandleW
0x41e3d0 GetModuleFileNameW
0x41e3d4 GetLocaleInfoW
0x41e3d8 GetCommandLineW
0x41e3dc FreeLibrary
0x41e3e0 FindFirstFileW
0x41e3e4 FindClose
0x41e3e8 ExitProcess
0x41e3ec WriteFile
0x41e3f4 RtlUnwind
0x41e3f8 RaiseException
0x41e3fc GetStdHandle
0x41e400 CloseHandle
Library kernel32.dll:
0x41e408 TlsSetValue
0x41e40c TlsGetValue
0x41e410 LocalAlloc
0x41e414 GetModuleHandleW
Library user32.dll:
0x41e41c CreateWindowExW
0x41e420 TranslateMessage
0x41e424 SetWindowLongW
0x41e428 PeekMessageW
0x41e430 MessageBoxW
0x41e434 LoadStringW
0x41e438 GetSystemMetrics
0x41e43c ExitWindowsEx
0x41e440 DispatchMessageW
0x41e444 DestroyWindow
0x41e448 CharUpperBuffW
0x41e44c CallWindowProcW
Library kernel32.dll:
0x41e454 WriteFile
0x41e458 WideCharToMultiByte
0x41e45c WaitForSingleObject
0x41e460 VirtualQuery
0x41e464 VirtualProtect
0x41e468 VirtualFree
0x41e46c VirtualAlloc
0x41e470 SizeofResource
0x41e474 SignalObjectAndWait
0x41e478 SetLastError
0x41e47c SetFilePointer
0x41e480 SetEvent
0x41e484 SetErrorMode
0x41e488 SetEndOfFile
0x41e48c ResetEvent
0x41e490 RemoveDirectoryW
0x41e494 ReadFile
0x41e498 MultiByteToWideChar
0x41e49c LockResource
0x41e4a0 LoadResource
0x41e4a4 LoadLibraryW
0x41e4b4 GetVersionExW
0x41e4bc GetThreadLocale
0x41e4c0 GetSystemInfo
0x41e4c4 GetStdHandle
0x41e4c8 GetProcAddress
0x41e4cc GetModuleHandleW
0x41e4d0 GetModuleFileNameW
0x41e4d4 GetLocaleInfoW
0x41e4d8 GetLocalTime
0x41e4dc GetLastError
0x41e4e0 GetFullPathNameW
0x41e4e4 GetFileSize
0x41e4e8 GetFileAttributesW
0x41e4ec GetExitCodeProcess
0x41e4f4 GetDiskFreeSpaceW
0x41e4f8 GetDateFormatW
0x41e4fc GetCurrentProcess
0x41e500 GetCommandLineW
0x41e504 GetCPInfo
0x41e508 InterlockedExchange
0x41e510 FreeLibrary
0x41e514 FormatMessageW
0x41e518 FindResourceW
0x41e51c EnumCalendarInfoW
0x41e524 DeleteFileW
0x41e52c CreateProcessW
0x41e530 CreateFileW
0x41e534 CreateEventW
0x41e538 CreateDirectoryW
0x41e53c CompareStringW
0x41e540 CloseHandle
Library advapi32.dll:
0x41e548 RegQueryValueExW
0x41e54c RegOpenKeyExW
0x41e550 RegCloseKey
0x41e554 OpenProcessToken
Library comctl32.dll:
0x41e560 InitCommonControls
Library kernel32.dll:
0x41e568 Sleep
Library advapi32.dll:
Library oleaut32.dll:
0x41e578 SafeArrayPtrOfIndex
0x41e57c SafeArrayGetUBound
0x41e580 SafeArrayGetLBound
0x41e584 SafeArrayCreate
0x41e588 VariantChangeType
0x41e58c VariantCopy
0x41e590 VariantClear
0x41e594 VariantInit

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.