3.6
中危
1 个模型检测该样本为恶意!
重新分析
更多

edb065d073ef7d2f2332be4a17e2f34bfed542f9f425c41f9992eda8fa8c943c

f436968845a8fe79ed8753ab30bc1312.exe

分析耗时

84s

最近分析

文件大小

64.9KB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast 20210122 21.1.5827.0
Tencent 20210122 1.0.0.1
Kingsoft 20210122 2017.9.26.565
McAfee 20210122 6.0.6.653
CrowdStrike 20190702 1.0
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1620827383.449375
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620827383.449375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1620827358.277375
IsDebuggerPresent
failed 0 0
1620827383.074375
IsDebuggerPresent
failed 0 0
This executable is signed
This executable has a PDB path (1 个事件)
pdb_path E:\Installer\Source\h2o-partner\h2o-partner\BundleConfig\UT008\obj\Release\UT008.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620827383.418375
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Performs some HTTP requests (1 个事件)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Allocates read-write-execute memory (usually to unpack itself) (13 个事件)
Time & API Arguments Status Return Repeated
1620827357.543375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00470000
success 0 0
1620827357.543375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00520000
success 0 0
1620827358.121375
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1620827358.293375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0047a000
success 0 0
1620827358.293375
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1620827358.293375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00472000
success 0 0
1620827358.730375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00482000
success 0 0
1620827382.824375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004bb000
success 0 0
1620827382.824375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b7000
success 0 0
1620827382.871375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00483000
success 0 0
1620827382.871375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048c000
success 0 0
1620827383.043375
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004aa000
success 0 0
1620827384.059375
NtAllocateVirtualMemory
process_identifier: 2868
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03160000
success 0 0
File has been identified by one AntiVirus engine on VirusTotal as malicious (1 个事件)
DrWeb Program.Unwanted.3148
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620827360.387375
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2040-01-29 06:21:00

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49177 124.225.105.97 www.download.windowsupdate.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 61522 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56743 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 57367 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Apr 2021 20:17:25 GMT
If-None-Match: "80f8835935d71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.