SmartHawk

10.6

0-day

54 个模型检测该样本为恶意！

重新分析

下载样本

91cfa121b109ceaceb8ca6dcef72ac69691291facec3569755f13c4a87f6da75

f07b1aaf7ea6097c52f7408a53fa5d03.exe

分析耗时

111s

最近分析

文件大小

931.5KB

静态报毒动态报毒 0NA103HJ20 100% 6Q0@AEKOO8J AI SCORE=81 ALI1000139 BASIC CLOUD CONFIDENCE EAWP ELDORADO EQMV FAREIT FORMBOOK GDSDA HGIASOGA HIGH CONFIDENCE HSNZUL KRYPTIK M7QV MALWARE@#1C1G9XX1I02PE MRUZN MXRESICN PWSX QISC SCORE SPYBOTNET STARTER STATIC AI SUSPICIOUS PE TASKUN TSCOPE UNSAFE WOREFLINT YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FVT!F07B1AAF7EA6	20210301	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0
Baidu		20190318	1.0.0.2
Alibaba	Trojan:Win32/starter.ali1000139	20190527	0.3.0.5
Kingsoft		20210301	2017.9.26.565
Tencent	Msil.Trojan.Taskun.Eawp	20210301	1.0.0.1
Avast	Win32:PWSX-gen [Trj]	20210301	21.1.5827.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620002014.407126 GetComputerNameW	computer_name: OSKAR-PC	success	1	0
1620002048.000876 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1620001957.234626 IsDebuggerPresent		failed	0	0
1620001957.250626 IsDebuggerPresent		failed	0	0
1620002020.671876 IsDebuggerPresent		failed	0	0
1620002020.671876 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620002015.297126 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\akxurUFArc"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620001957.281626 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.sdata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 121 个事件)

Time & API	Arguments	Status
1620001956.781626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00470000	success
1620001956.781626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00480000	success
1620001957.031626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01f10000	success
1620001957.031626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f60000	success
1620001957.109626 NtProtectVirtualMemory	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1620001957.234626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02070000	success
1620001957.234626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02260000	success
1620001957.250626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0051a000	success
1620001957.250626 NtProtectVirtualMemory	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1620001957.250626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00512000	success
1620001957.515626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00522000	success
1620001957.625626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00545000	success
1620001957.625626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0054b000	success
1620001957.625626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00547000	success
1620001957.734626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00523000	success
1620001957.843626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00524000	success
1620001957.843626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00525000	success
1620001957.875626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0052c000	success
1620001958.296626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00526000	success
1620001958.328626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00528000	success
1620001958.406626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success
1620001958.656626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053a000	success
1620001958.656626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00537000	success
1620001958.750626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00529000	success
1620001958.750626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02040000	success
1620001958.875626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad1000	success
1620001958.890626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00536000	success
1620001958.953626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02041000	success
1620001959.015626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02042000	success
1620001959.046626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x7ef40000	success
1620001959.046626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef40000	success
1620001959.046626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef40000	success
1620001959.046626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef48000	success
1620001959.046626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x7ef30000	success
1620001959.046626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x7ef30000	success
1620001959.062626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad2000	success
1620001959.281626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01f61000	success
1620001959.421626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02043000	success
1620001959.609626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02044000	success
1620001959.609626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0052d000	success
1620001959.625626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad3000	success
1620001959.703626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad4000	success
1620001959.765626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02045000	success
1620001959.765626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0051c000	success
1620001959.765626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00513000	success
1620001959.781626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad5000	success
1620001959.781626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad9000	success
1620001959.859626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ada000	success
1620001959.890626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02046000	success
1620001959.890626 NtAllocateVirtualMemory	process_identifier: 2288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00adb000	success

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\akxurUFArc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp32AE.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\akxurUFArc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp32AE.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620002014.031626 ShellExecuteExW	parameters: /Create /TN "Updates\akxurUFArc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp32AE.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.837429362209135

section

{'size_of_data': '0x000b7000', 'virtual_address': '0x00002000', 'entropy': 7.837429362209135, 'name': '.text', 'virtual_size': '0x000b6f34'}

description

A section with a high entropy has been found

entropy

0.7866738312735089

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620002019.218626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1620002033.234876 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (4 个事件)

Time & API	Arguments	Status	Return
1620002019.609626 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1208 process_handle: 0x0000038c	failed	0
1620002019.609626 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1208 process_handle: 0x0000038c	success	0
1620002046.687876 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2288 process_handle: 0x0000022c	failed	0
1620002046.687876 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2288 process_handle: 0x0000022c	failed	3221225738

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\akxurUFArc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp32AE.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\akxurUFArc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp32AE.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620002019.187626 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000384 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1620002019.796626 NtAllocateVirtualMemory	process_identifier: 2040 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Manipulates memory of a non-child process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2288 manipulating memory of non-child process 1208
1620002019.187626 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000384 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1620002019.796626 WriteProcessMemory	process_identifier: 2040 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#;_àô. @ `@ÔW P@ H.text4ó ô `.rsrcP ö@@.reloc@ü@B process_handle: 0x00000388 base_address: 0x00400000	success	1
1620002019.828626 WriteProcessMemory	process_identifier: 2040 buffer: P8h Äd#êÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x,InternalNametAKBFdUfYgdZbWOJFhVHqOEecNeLCRAUEOoBQcj.exe(LegalCopyright ,OriginalFilenametAKBFdUfYgdZbWOJFhVHqOEecNeLCRAUEOoBQcj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00000388 base_address: 0x00462000	success	1
1620002019.828626 WriteProcessMemory	process_identifier: 2040 buffer: 03 process_handle: 0x00000388 base_address: 0x00464000	success	1
1620002019.828626 WriteProcessMemory	process_identifier: 2040 buffer: @ process_handle: 0x00000388 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620002019.796626 WriteProcessMemory	process_identifier: 2040 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#;_àô. @ `@ÔW P@ H.text4ó ô `.rsrcP ö@@.reloc@ü@B process_handle: 0x00000388 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2288 called NtSetContextThread to modify thread in remote process 2040
1620002019.843626 NtSetContextThread	thread_handle: 0x0000038c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4592430 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2040	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2288 resumed a thread in remote process 2040
1620002020.343626 NtResumeThread	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2040	success	0	0

Executed a process and injected code into it, probably while unpacking (21 个事件)

Time & API	Arguments	Status	Return
1620001957.250626 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2288	success	0
1620001957.250626 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2288	success	0
1620001957.343626 NtResumeThread	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2288	success	0
1620002014.031626 CreateProcessInternalW	thread_identifier: 1160 thread_handle: 0x0000033c process_identifier: 2944 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\akxurUFArc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp32AE.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000374 inherit_handles: 0	success	1
1620002019.171626 CreateProcessInternalW	thread_identifier: 368 thread_handle: 0x00000330 process_identifier: 1208 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f07b1aaf7ea6097c52f7408a53fa5d03.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f07b1aaf7ea6097c52f7408a53fa5d03.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000384 inherit_handles: 0	success	1
1620002019.187626 NtGetContextThread	thread_handle: 0x00000330	success	0
1620002019.187626 NtAllocateVirtualMemory	process_identifier: 1208 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000384 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1620002019.796626 CreateProcessInternalW	thread_identifier: 912 thread_handle: 0x0000038c process_identifier: 2040 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f07b1aaf7ea6097c52f7408a53fa5d03.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f07b1aaf7ea6097c52f7408a53fa5d03.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000388 inherit_handles: 0	success	1
1620002019.796626 NtGetContextThread	thread_handle: 0x0000038c	success	0
1620002019.796626 NtAllocateVirtualMemory	process_identifier: 2040 region_size: 417792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1620002019.796626 WriteProcessMemory	process_identifier: 2040 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#;_àô. @ `@ÔW P@ H.text4ó ô `.rsrcP ö@@.reloc@ü@B process_handle: 0x00000388 base_address: 0x00400000	success	1
1620002019.796626 WriteProcessMemory	process_identifier: 2040 buffer: process_handle: 0x00000388 base_address: 0x00402000	success	1
1620002019.828626 WriteProcessMemory	process_identifier: 2040 buffer: P8h Äd#êÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x,InternalNametAKBFdUfYgdZbWOJFhVHqOEecNeLCRAUEOoBQcj.exe(LegalCopyright ,OriginalFilenametAKBFdUfYgdZbWOJFhVHqOEecNeLCRAUEOoBQcj.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x00000388 base_address: 0x00462000	success	1
1620002019.828626 WriteProcessMemory	process_identifier: 2040 buffer: 03 process_handle: 0x00000388 base_address: 0x00464000	success	1
1620002019.828626 WriteProcessMemory	process_identifier: 2040 buffer: @ process_handle: 0x00000388 base_address: 0x7efde008	success	1
1620002019.843626 NtSetContextThread	thread_handle: 0x0000038c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4592430 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2040	success	0
1620002020.343626 NtResumeThread	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2040	success	0
1620002020.671876 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2040	success	0
1620002020.687876 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2040	success	0
1620002020.718876 NtResumeThread	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2040	success	0
1620002052.468876 NtResumeThread	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2040	success	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.MSIL.Basic.6.Gen
FireEye	Generic.mg.f07b1aaf7ea6097c
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Fareit-FVT!F07B1AAF7EA6
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.MSIL.Formbook.MK
K7AntiVirus	Trojan ( 0056cbe11 )
BitDefender	Trojan.MSIL.Basic.6.Gen
K7GW	Trojan ( 0056cbe11 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/MSIL_Kryptik.BKX.gen!Eldorado
Symantec	Trojan.Gen.2
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
Alibaba	Trojan:Win32/starter.ali1000139
NANO-Antivirus	Trojan.Win32.Taskun.hsnzul
AegisLab	Trojan.Win32.Generic.m7QV
Rising	Trojan.Woreflint!8.F5EA (CLOUD)
Ad-Aware	Trojan.MSIL.Basic.6.Gen
Emsisoft	Trojan.MSIL.Basic.6.Gen (B)
Comodo	Malware@#1c1g9xx1i02pe
F-Secure	Trojan.TR/Dropper.MSIL.mruzn
DrWeb	BackDoor.SpyBotNET.25
Zillya	Trojan.Kryptik.Win32.2371193
TrendMicro	TROJ_FRS.0NA103HJ20
McAfee-GW-Edition	Fareit-FVT!F07B1AAF7EA6
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
GData	Trojan.MSIL.Basic.6.Gen
Jiangmin	Trojan.MSIL.qisc
MaxSecure	Win.MxResIcn.Heur.Gen
Avira	TR/Dropper.MSIL.mruzn
MAX	malware (ai score=81)
Arcabit	Trojan.MSIL.Basic.6.Gen
ZoneAlarm	HEUR:Trojan.MSIL.Taskun.gen
Microsoft	Trojan:MSIL/Formbook.MK!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Agent.C4182621
BitDefenderTheta	Gen:NN.ZemsilF.34590.6q0@aeKOO8j
ALYac	Trojan.MSIL.Basic.6.Gen
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack
Panda	Trj/GdSda.A
ESET-NOD32	a variant of MSIL/Kryptik.XJL
TrendMicro-HouseCall	TROJ_FRS.0NA103HJ20
Tencent	Msil.Trojan.Taskun.Eawp
SentinelOne	Static AI - Suspicious PE

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-18 07:32:26

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.