1.5
Low risk

029f4f8b9ce0f45b1432efbb7201b76deeefa07196306926f98aa8f65c619bac

029f4f8b9ce0f45b1432efbb7201b76deeefa07196306926f98aa8f65c619bac.exe

Analysis duration

76s

Last analysis

389 days ago

File size

35.4KB
Static detection  Dynamic detection  UNKNOWN
鹰眼引擎 (Eagle Eye engine)
DACN 0.14
FACILE 1.00
IMCLNet 0.68
MFGraph 0.00
Static verdict
Antivirus engines
Not detected: no antivirus engine results available
Static indicators
Queries the computer name (2 events)
Time & API Arguments Status Return Repeated
1727545283.516
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545283.875
GetComputerNameW
computer_name: TU-PC
success 1 0
Executable contains an unknown PE section name, which may indicate a packer (possible false positive) (1 event)
section DATA
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (typically used for self-unpacking) (20 events)
Time & API Arguments Status Return Repeated
1727545283.469
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00800000
region_size: 86016
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.469
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00400000
length: 86016
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.469
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01f00000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.469
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01f00000
region_size: 16384
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.469
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01f10000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.469
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01f20000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.469
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01f30000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.484
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00400000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.484
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00401000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.484
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00402000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 616
success 0 0
1727545283.844
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00820000
region_size: 86016
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.844
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00400000
length: 86016
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.844
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00840000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.844
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00840000
region_size: 16384
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.844
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00850000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.844
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00860000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.844
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00870000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.859
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00400000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.859
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00401000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
1727545283.859
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x00402000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1404
success 0 0
Creates an executable file on the file system (1 event)
file C:\Users\Administrator\AppData\Local\Temp\jezxr.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator\AppData\Local\Temp\jezxr.exe
Drops an executable into the user's AppData folder (1 event)
file C:\Users\Administrator\AppData\Local\Temp\jezxr.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1727545283.656
ShellExecuteExW
filepath: C:\Users\Administrator\AppData\Local\Temp\jezxr.exe
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\jezxr.exe
parameters:
show_type: 0
success 1 0
Runtime screenshots
No runtime screenshots: the sample did not generate any screenshots while running


PE Compile Time

2013-10-11 11:17:02

PE Imphash

b80b9adb041fd6c710660590b7c5f60c

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00008200 0x00000800 2.338179657765769
DATA 0x0000a000 0x00004a00 0x00001c00 4.7159842070158655
.rsrc 0x0000f000 0x000059f0 0x00005a00 3.8668638463372313

Resources

Name Offset Size Language Sub-language File type
RT_MENU 0x0000f1d2 0x00000137 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_MENU 0x0000f1d2 0x00000137 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_BITMAP 0x0000f309 0x00003044 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0001234d 0x000025a8 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_GROUP_ICON 0x000148f5 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL None

Imports

Library iprop.dll:
0x40a000 PropVariantCopy
Library msi.DLL:
0x40a008 MsiDatabaseExportW
0x40a018 MsiDatabaseMergeA
0x40a01c MsiDatabaseMergeW
0x40a030 MsiDeleteUserDataA
0x40a034 MsiDeleteUserDataW
0x40a044 MsiDoActionA
0x40a048 MsiDoActionW
0x40a04c MsiEnableLogA
0x40a050 MsiEnableLogW
0x40a054 MsiEnableUIPreview
0x40a058 MsiEnumClientsA
0x40a05c MsiEnumClientsW
0x40a068 MsiEnumComponentsA
0x40a06c MsiEnumComponentsW
0x40a070 MsiEnumFeaturesA
0x40a074 MsiEnumFeaturesW
0x40a078 MsiEnumPatchesA
0x40a07c MsiEnumPatchesExA
0x40a080 MsiEnumPatchesExW
Library kernel32.dll:
0x40a088 MapViewOfFileEx
0x40a08c GetACP
0x40a090 GetSystemDirectoryA
0x40a094 LocalFree
0x40a098 SetConsoleTitleW
0x40a09c EnumCalendarInfoW
0x40a0a0 GetFileSize
0x40a0a4 ReadFile
0x40a0a8 _lopen
Library MSDTCPRX.dll:
0x40a0b0 DTC_XaOpen
0x40a0b4 DTC_XaPrepare
0x40a0b8 DTC_XaRollback
Library adsldpc.dll:
0x40a0c0 ADSIFreeColumn
0x40a0c4 ADSIGetColumn
0x40a0c8 ADSIGetFirstRow
0x40a0d0 ADSIGetNextRow
0x40a0d8 ADSIGetPreviousRow
0x40a0dc ADSIModifyRdn
Library msrating.dll:
0x40a0e4 RatingCustomInit
Library MTXCLU.DLL:
Library SAMLIB.dll:
0x40a0f4 SamAddMemberToAlias

Strings

!This program cannot be run in DOS mode.
Rich
PropVariantCopy
iprop.dll
MsiDatabaseExportW
MsiDatabaseGetPrimaryKeysA
MsiDatabaseGetPrimaryKeysW
MsiDatabaseIsTablePersistentW
MsiDatabaseMergeA
MsiDatabaseMergeW
MsiDatabaseOpenViewA
MsiDatabaseOpenViewW
MsiDecomposeDescriptorA
MsiDecomposeDescriptorW
MsiDeleteUserDataA
MsiDeleteUserDataW
MsiDetermineApplicablePatchesA
MsiDeterminePatchSequenceA
MsiDeterminePatchSequenceW
MsiDoActionA
MsiDoActionW
MsiEnableLogA
MsiEnableLogW
MsiEnableUIPreview
MsiEnumClientsA
MsiEnumClientsW
MsiEnumComponentCostsA
MsiEnumComponentCostsW
MsiEnumComponentsA
MsiEnumComponentsW
MsiEnumFeaturesA
MsiEnumFeaturesW
MsiEnumPatchesA
MsiEnumPatchesExA
MsiEnumPatchesExW
msi.DLL
MapViewOfFileEx
GetACP
GetSystemDirectoryA
LocalFree
SetConsoleTitleW
EnumCalendarInfoW
GetFileSize
ReadFile
_lopen
kernel32.dll
DTC_XaOpen
DTC_XaPrepare
DTC_XaRollback
MSDTCPRX.dll
ADSIFreeColumn
ADSIGetColumn
ADSIGetFirstRow
ADSIGetNextColumnName
ADSIGetNextRow
ADSIGetObjectAttributes
ADSIGetPreviousRow
ADSIModifyRdn
adsldpc.dll
RatingCustomInit
msrating.dll
MtxCluIsClusterPresent
MTXCLU.DLL
SamAddMemberToAlias
SAMLIB.dll
C:\Users\a\Documents\invoice_447589545\invoice_447589545.exe
C:\1354c603d402bb5e4ed841909db479200db9266060417ddb1d058fe5511e9748
C:\e9611f1b791d0b2e26d9bf06545604a7082c9320d79097a30ea9bcb6ab6118f9
C:\DMaDrii8.exe
C:\_2mTVBI9.exe
C:\XfbIzaz4.exe
C:\riZNuKoE.exe
C:\sHmaP9nI.exe
C:\hNV9E_DW.exe
C:\G2EmDi8q.exe
C:\5QjVbtsS.exe
C:\3rp0kNVb.exe
C:\pu7nM1sc.exe
C:\5qndbSKc.exe
C:\W5FgKpTU.exe
C:\pOE8pbAM.exe
C:\VMVLCu2L.exe
C:\kb3RSjS1.exe
C:\cu2iUyae.exe
C:\myS6cxBk.exe
C:\151cc13baad8712d704cd20219f7acd4a216198f090a13a71ad67bab08d593a2
C:\83W45JiB.exe
C:\_WeGbh9Z.exe
C:\M2RfZyH9.exe
C:\oQ5H9UA0.exe
C:\gXWsNBop.exe
C:\yIlKHxdW.exe
C:\usBwhb7v.exe
C:\2BAXowdH.exe
C:\IpvFpoZy.exe
C:\iBPgUrgm.exe
C:\78b2b96c683ef6e1eb19bd7caedecdb14e3a5ab2a801d99da4f86fa7f0374a60
C:\nnQPCXx5.exe
C:\488416c3c1ea1a67c0fad8697d41d20ba048db9ae8c1401b502e805fd1f3b3ed
C:\g0mAgoyf.exe
C:\kLehFuP2.exe
C:\k3A_o16s.exe
C:\_n5FhH2V.exe
C:\mFPhAyKP.exe
C:\iRPcma9s.exe
C:\sz2Cejvv.exe
C:\ea3a31960358d270a087bc67673899a24182e614ba980419f355f7dd2743c3ed
C:\w1oX7Nm_.exe
C:\xkA2VyYR.exe
C:\84bZBfMh.exe
C:\Users\Administrator\AppData\Local\Temp\cuckoo-b5aec8a425ad5e6ff81ae2ae867d92efeb783efd873bd9554a71c46d9090a4f4.exe
C:\lxa6Ti3X.exe
C:\b01vY3u7.exe
C:\ecbe3d5e1359ad1a3d383e7d85a61efd22aa67e13c8b43796fa9de22409d97d5
C:\7ed8654481c32669889313f9f4c754e9d127f946a3ccd7ab2cfcd2256894dc31
C:\Users\Petra\AppData\Local\Temp\jezxr.pe32
C:\7dd6b0ddab02dd90d9768f1e04ecde689e7cba1cc1448a7a6db7170e25dfc61b

Process Tree


029f4f8b9ce0f45b1432efbb7201b76deeefa07196306926f98aa8f65c619bac.exe, PID: 616, Parent PID: 2224


jezxr.exe, PID: 1404, Parent PID: 616


DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 61714 8.8.8.8 53
192.168.56.101 56933 8.8.8.8 53
192.168.56.101 138 192.168.56.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 3d2e3bcd53ad219e_jezxr.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\jezxr.exe
Size 35.6KB
Processes 616 (029f4f8b9ce0f45b1432efbb7201b76deeefa07196306926f98aa8f65c619bac.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 69ac574631a71b7d3a8d43eaa1972fc7
SHA1 715e03c73079a065b1c5c94559405e30e2907bff
SHA256 3d2e3bcd53ad219e40e2aa20ce2c4444bd6876c7204aabd04b765736c11817e2
CRC32 6E655326
ssdeep None
Yara None matched
No dropped buffers.