SmartHawk

Time & API	Arguments	Status	Return	Repeated
1620842945.504999 __exception__	stacktrace: RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x77d5e003 GlobalFree+0x27 GlobalAlloc-0x11f kernelbase+0x13e88 @ 0x778f3e88 kfufifvddx+0x10ccd @ 0x1380ccd kfufifvddx+0x7536e @ 0x13e536e kfufifvddx+0x7557a @ 0x13e557a kfufifvddx+0x3fa6 @ 0x1373fa6 kfufifvddx+0x8f8d @ 0x1378f8d kfufifvddx+0x96f5 @ 0x13796f5 kfufifvddx+0xa2f7 @ 0x137a2f7 kfufifvddx+0x962c @ 0x137962c kfufifvddx+0xa2f7 @ 0x137a2f7 kfufifvddx+0x962c @ 0x137962c kfufifvddx+0xa2f7 @ 0x137a2f7 kfufifvddx+0x962c @ 0x137962c kfufifvddx+0xa2f7 @ 0x137a2f7 kfufifvddx+0x962c @ 0x137962c kfufifvddx+0xd87e @ 0x137d87e kfufifvddx+0xd967 @ 0x137d967 kfufifvddx+0x1648e @ 0x138648e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 6613520 registers.edi: 17592992 registers.eax: 1114034794 registers.ebp: 6613572 registers.edx: 17593000 registers.ebx: 17593000 registers.esi: 26460856 registers.ecx: 6684672 exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e exception.instruction: mov eax, dword ptr [esi + 4] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 189342 exception.address: 0x77d5e39e	success	0	0

Time & API

Arguments

Status

Return

Repeated

1620842945.504999
__exception__

stacktrace:

RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x77d5e003
GlobalFree+0x27 GlobalAlloc-0x11f kernelbase+0x13e88 @ 0x778f3e88
kfufifvddx+0x10ccd @ 0x1380ccd
kfufifvddx+0x7536e @ 0x13e536e
kfufifvddx+0x7557a @ 0x13e557a
kfufifvddx+0x3fa6 @ 0x1373fa6
kfufifvddx+0x8f8d @ 0x1378f8d
kfufifvddx+0x96f5 @ 0x13796f5
kfufifvddx+0xa2f7 @ 0x137a2f7
kfufifvddx+0x962c @ 0x137962c
kfufifvddx+0xa2f7 @ 0x137a2f7
kfufifvddx+0x962c @ 0x137962c
kfufifvddx+0xa2f7 @ 0x137a2f7
kfufifvddx+0x962c @ 0x137962c
kfufifvddx+0xa2f7 @ 0x137a2f7
kfufifvddx+0x962c @ 0x137962c
kfufifvddx+0xd87e @ 0x137d87e
kfufifvddx+0xd967 @ 0x137d967
kfufifvddx+0x1648e @ 0x138648e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 6613520
registers.edi: 17592992
registers.eax: 1114034794
registers.ebp: 6613572
registers.edx: 17593000
registers.ebx: 17593000
registers.esi: 26460856
registers.ecx: 6684672
exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x77d5e39e

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Creates (office) documents on the filesystem (4 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\ptwh.pdf
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\xtvgxflad.pdf
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\arlrkesbnr.docx
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\oorx.pdf

Creates executable files on the filesystem (4 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\lcfvvcrhg.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\irplieb.cpl
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\kfufifvddx.pif
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\irdouwnx.vbs

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\kfufifvddx.pif

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\kfufifvddx.pif

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620842946.472999 Process32NextW	process_name: kfufifvddx.pif snapshot_handle: 0x000001b0 process_identifier: 3124	success	1	0
1620842946.472999 Process32NextW	process_name: RegSvcs.exe snapshot_handle: 0x000001b0 process_identifier: 3240	success	1	0

Expresses interest in specific running processes (1 个事件)

process

regsvcs.exe

One or more of the buffers contains an embedded PE file (2 个事件)

buffer	Buffer with sha1: e52591bf46170f08484fce6d0bd1c14991f77a9c
buffer	Buffer with sha1: c0452df27eac64a3597127c679a7af6bc078fc9e

Communicates with host for which no DNS query was performed (2 个事件)

host	154.16.93.174
host	172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620842945.566999 NtAllocateVirtualMemory	process_identifier: 3240 region_size: 5337088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001a8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00390000	success	0	0

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

reg_value

0\14478533\kfufifvddx.pif 0\14478533\wulgxxw.rhb

Potential code injection by writing to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620842949.519999 WriteProcessMemory	process_identifier: 3240 buffer: ÿÿÿÿ9ú~ú~(ý~mèÿÿ jHâý~± process_handle: 0x000001a8 base_address: 0x7efde000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3124 called NtSetContextThread to modify thread in remote process 3240
1620842949.519999 NtSetContextThread	thread_handle: 0x000001a4 registers.eip: 2010382788 registers.esp: 2948320 registers.edi: 0 registers.eax: 3746763 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3240	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3124 resumed a thread in remote process 3240
1620842950.550999 NtResumeThread	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 3240	success	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (9 个事件)

Time & API	Arguments	Status	Return
1620842934.630751 CreateProcessInternalW	thread_identifier: 3128 thread_handle: 0x00000264 process_identifier: 3124 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533 filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\kfufifvddx.pif track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\kfufifvddx.pif" wulgxxw.rhb filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\14478533\kfufifvddx.pif stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x0000027c inherit_handles: 0	success	1
1620842943.425999 NtResumeThread	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 3124	success	0
1620842945.504999 CreateProcessInternalW	thread_identifier: 3244 thread_handle: 0x000001a4 process_identifier: 3240 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RegSvcs.exe track: 1 command_line: filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000001a8 inherit_handles: 0	success	1
1620842945.519999 NtGetContextThread	thread_handle: 0x000001a4	success	0
1620842945.566999 NtAllocateVirtualMemory	process_identifier: 3240 region_size: 5337088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001a8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00390000	success	0
1620842949.082999 WriteProcessMemory	process_identifier: 3240 buffer: process_handle: 0x000001a8 base_address: 0x00390000	success	1
1620842949.519999 WriteProcessMemory	process_identifier: 3240 buffer: ÿÿÿÿ9ú~ú~(ý~mèÿÿ jHâý~± process_handle: 0x000001a8 base_address: 0x7efde000	success	1
1620842949.519999 NtSetContextThread	thread_handle: 0x000001a4 registers.eip: 2010382788 registers.esp: 2948320 registers.edi: 0 registers.eax: 3746763 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3240	success	0
1620842950.550999 NtResumeThread	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 3240	success	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	192.168.56.101:49181
dead_host	154.16.93.174:3383

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-04-28 04:03:27

Imports

Library KERNEL32.dll:

• 0x430000 GetLastError

• 0x430004 SetLastError

• 0x430008 GetCurrentProcess

• 0x43000c DeviceIoControl

• 0x430010 SetFileTime

• 0x430014 CloseHandle

• 0x430018 CreateDirectoryW

• 0x43001c RemoveDirectoryW

• 0x430020 CreateFileW

• 0x430024 DeleteFileW

• 0x430028 CreateHardLinkW

• 0x43002c GetShortPathNameW

• 0x430030 GetLongPathNameW

• 0x430034 MoveFileW

• 0x430038 GetFileType

• 0x43003c GetStdHandle

• 0x430040 WriteFile

• 0x430044 ReadFile

• 0x430048 FlushFileBuffers

• 0x43004c SetEndOfFile

• 0x430050 SetFilePointer

• 0x430054 SetFileAttributesW

• 0x430058 GetFileAttributesW

• 0x43005c FindClose

• 0x430060 FindFirstFileW

• 0x430064 FindNextFileW

• 0x430068 GetVersionExW

• 0x43006c GetCurrentDirectoryW

• 0x430070 GetFullPathNameW

• 0x430074 FoldStringW

• 0x430078 GetModuleFileNameW

• 0x43007c GetModuleHandleW

• 0x430080 FindResourceW

• 0x430084 FreeLibrary

• 0x430088 GetProcAddress

• 0x43008c GetCurrentProcessId

• 0x430090 ExitProcess

• 0x430094 SetThreadExecutionState

• 0x430098 Sleep

• 0x43009c LoadLibraryW

• 0x4300a0 GetSystemDirectoryW

• 0x4300a4 CompareStringW

• 0x4300a8 AllocConsole

• 0x4300ac FreeConsole

• 0x4300b0 AttachConsole

• 0x4300b4 WriteConsoleW

• 0x4300b8 GetProcessAffinityMask

• 0x4300bc CreateThread

• 0x4300c0 SetThreadPriority

• 0x4300c4 InitializeCriticalSection

• 0x4300c8 EnterCriticalSection

• 0x4300cc LeaveCriticalSection

• 0x4300d0 DeleteCriticalSection

• 0x4300d4 SetEvent

• 0x4300d8 ResetEvent

• 0x4300dc ReleaseSemaphore

• 0x4300e0 WaitForSingleObject

• 0x4300e4 CreateEventW

• 0x4300e8 CreateSemaphoreW

• 0x4300ec GetSystemTime

• 0x4300f0 SystemTimeToTzSpecificLocalTime

• 0x4300f4 TzSpecificLocalTimeToSystemTime

• 0x4300f8 SystemTimeToFileTime

• 0x4300fc FileTimeToLocalFileTime

• 0x430100 LocalFileTimeToFileTime

• 0x430104 FileTimeToSystemTime

• 0x430108 GetCPInfo

• 0x43010c IsDBCSLeadByte

• 0x430110 MultiByteToWideChar

• 0x430114 WideCharToMultiByte

• 0x430118 GlobalAlloc

• 0x43011c GetTickCount

• 0x430120 LockResource

• 0x430124 GlobalLock

• 0x430128 GlobalUnlock

• 0x43012c GlobalFree

• 0x430130 LoadResource

• 0x430134 SizeofResource

• 0x430138 SetCurrentDirectoryW

• 0x43013c GetExitCodeProcess

• 0x430140 GetLocalTime

• 0x430144 MapViewOfFile

• 0x430148 UnmapViewOfFile

• 0x43014c CreateFileMappingW

• 0x430150 OpenFileMappingW

• 0x430154 GetCommandLineW

• 0x430158 SetEnvironmentVariableW

• 0x43015c ExpandEnvironmentStringsW

• 0x430160 GetTempPathW

• 0x430164 MoveFileExW

• 0x430168 GetLocaleInfoW

• 0x43016c GetTimeFormatW

• 0x430170 GetDateFormatW

• 0x430174 GetNumberFormatW

• 0x430178 SetFilePointerEx

• 0x43017c GetConsoleMode

• 0x430180 GetConsoleCP

• 0x430184 HeapSize

• 0x430188 SetStdHandle

• 0x43018c GetProcessHeap

• 0x430190 RaiseException

• 0x430194 GetSystemInfo

• 0x430198 VirtualProtect

• 0x43019c VirtualQuery

• 0x4301a0 LoadLibraryExA

• 0x4301a4 IsProcessorFeaturePresent

• 0x4301a8 IsDebuggerPresent

• 0x4301ac UnhandledExceptionFilter

• 0x4301b0 SetUnhandledExceptionFilter

• 0x4301b4 GetStartupInfoW

• 0x4301b8 QueryPerformanceCounter

• 0x4301bc GetCurrentThreadId

• 0x4301c0 GetSystemTimeAsFileTime

• 0x4301c4 InitializeSListHead

• 0x4301c8 TerminateProcess

• 0x4301cc RtlUnwind

• 0x4301d0 EncodePointer

• 0x4301d4 InitializeCriticalSectionAndSpinCount

• 0x4301d8 TlsAlloc

• 0x4301dc TlsGetValue

• 0x4301e0 TlsSetValue

• 0x4301e4 TlsFree

• 0x4301e8 LoadLibraryExW

• 0x4301ec QueryPerformanceFrequency

• 0x4301f0 GetModuleHandleExW

• 0x4301f4 GetModuleFileNameA

• 0x4301f8 GetACP

• 0x4301fc HeapFree

• 0x430200 HeapAlloc

• 0x430204 HeapReAlloc

• 0x430208 GetStringTypeW

• 0x43020c LCMapStringW

• 0x430210 FindFirstFileExA

• 0x430214 FindNextFileA

• 0x430218 IsValidCodePage

• 0x43021c GetOEMCP

• 0x430220 GetCommandLineA

• 0x430224 GetEnvironmentStringsW

• 0x430228 FreeEnvironmentStringsW

• 0x43022c DecodePointer

Library gdiplus.dll:

• 0x430234 GdiplusShutdown

• 0x430238 GdiplusStartup

• 0x43023c GdipCreateHBITMAPFromBitmap

• 0x430240 GdipCreateBitmapFromStreamICM

• 0x430244 GdipCreateBitmapFromStream

• 0x430248 GdipDisposeImage

• 0x43024c GdipCloneImage

• 0x430250 GdipFree

• 0x430254 GdipAlloc

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50003	239.255.255.250	3702
192.168.56.101	58368	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.