This is probably a virus!
Creates RWX memory
Forces a created process to be loaded as a child of another unrelated process
Loads a driver
driver service name: \Registry\Machine\System\CurrentControlSet\Services\PortTalk
Reads data from its own binary image
self_read: process: victoria4.47b.exe, pid: 2036, offset: 0x00000000, length: 0x0000df26
self_read: process: victoria4.47b.exe, pid: 2036, offset: 0x00000000, length: 0x00010000
self_read: process: victoria4.47b.exe, pid: 2036, offset: 0x00000000, length: 0x001000e1
self_read: process: victoria4.47b.exe, pid: 2036, offset: 0x0000cf89, length: 0x00176ad2
Drops a binary file and executes it
binary: C:\Users\test\AppData\Local\Temp\7ZipSfx.000\vcr447.exe
Unusual language found in the binary's resources: Russian
The binary likely contains encrypted or compressed data
section: name: UPX1, entropy: 7.90, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000b400, virtual_size: 0x0000c000
The executable is compressed with UPX
section: name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00011000
The file was detected as malicious by at least ten antivirus engines on VirusTotal
MicroWorld-eScan: Trojan.GenericKD.5013099
CAT-QuickHeal: Trojan.Blackv
McAfee: Artemis!7A89F29503B1
Cylance: Unsafe
K7GW: Trojan ( 004b933f1 )
K7AntiVirus: Trojan ( 004b933f1 )
Cyren: W32/Trojan.FBKJ-5812
Symantec: Trojan.Gen.2
ESET-NOD32: a variant of Win32/Packed.NoobyProtect.Q suspicious
TrendMicro-HouseCall: TROJ_GEN.R005C0OLA17
Paloalto: generic.ml
GData: Trojan.GenericKD.5013099
Kaspersky: HEUR:HackTool.Win32.Generic
BitDefender: Trojan.GenericKD.5013099
NANO-Antivirus: Trojan.Win32.Blackv.eoeecq
Avast: Win32:Malware-gen
Tencent: Win32.Hacktool.Generic.Ajlx
Ad-Aware: Trojan.GenericKD.5013099
Emsisoft: Trojan.GenericKD.5013099 (B)
F-Secure: Trojan.GenericKD.5013099
DrWeb: Trojan.MulDrop7.32001
VIPRE: Trojan.Win32.Generic!BT
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Dropper.tc
Avira: TR/PWS.Sinowal.Gen
Antiy-AVL: Trojan[Packed]/Win32.Blackv
Endgame: malicious (moderate confidence)
Arcabit: Trojan.Generic.D4C7E6B
AegisLab: Packer.W32.Blackv!c
ZoneAlarm: HEUR:HackTool.Win32.Generic
Sophos: Mal/Generic-S
AhnLab-V3: Malware/Win32.Generic.C1926070
ALYac: Trojan.GenericKD.5013099
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=85)
Yandex: Riskware.NoobyProtect!
Ikarus: BHO.Win32.Webalta
Fortinet: W32/Blackv
AVG: Win32:Malware-gen
Cybereason: malicious.1b8fb7
Panda: Trj/CI.A