Analysis Task

Analysis Type | VM Label | Start Time | End Time | Duration
File (Windows) | win7-sp1-x64-hpdapp01-1 | 2020-03-12 10:38:37 | 2020-03-12 10:41:45 | 188 seconds

Maldun Score

10.0

Filename virus

File Details

Filename trixware.zip ==> DLL注入器.exe
File size 13251444 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5d663b8c910c7a4fd574151c51273861
SHA1 d43fae27369ea6aed82d72dd54a9fcef81b437f6
SHA256 f70177275d9728fb51c3a64866e95215d0445d85b19436c91992f48733e69596
SHA512 348067984f865accfa08c0b5565d95c4ad39e09ee718a5fb0f514663716fa1c5cce6c13c150bde60f0014c4aefdb4a434b19b4461a0446855edd09a19c683114
CRC32 4D522B53
Ssdeep 393216:Vzuzpvn+N9PHLjCcAbI35N3pdED6HLNuGFhO:VWAn1AbIn3vED6rNuGrO


Hosts Contacted

No host records.

DNS Resolution

Domain | Security Rating | Response
www.securityxploded.com A 69.64.94.55
CNAME securityxploded.com
note.youdao.com A 59.111.179.138
A 59.111.179.137
A 59.111.179.136
A 123.58.182.252
A 59.111.179.135
A 123.58.182.251

Summary

No information to display.
No antivirus engine scan information!

Process Tree


cmd.exe, PID: 2760, parent PID: 2336
DLL注入器.exe, PID: 2884, parent PID: 2760
NVIDIA Corporation.exe, PID: 2980, parent PID: 2884
注入器.exe, PID: 3040, parent PID: 2884
svchoss.exe, PID: 708, parent PID: 2980
services.exe, PID: 428, parent PID: 332
svchost.exe, PID: 2848, parent PID: 428
svchost.exe, PID: 2764, parent PID: 2848
svchost.exe, PID: 2432, parent PID: 428
WerFault.exe, PID: 172, parent PID: 2432
wermgr.exe, PID: 2144, parent PID: 2432
mscorsvw.exe, PID: 3016, parent PID: 428
mscorsvw.exe, PID: 1624, parent PID: 428


TCP

Source Address | Source Port | Destination Address | Destination Port
192.168.122.201 49166 39.100.119.17 80
192.168.122.201 49172 39.100.119.17 8000
192.168.122.201 49167 59.111.179.136 note.youdao.com 80
192.168.122.201 49164 69.64.94.55 www.securityxploded.com 80
192.168.122.201 49165 69.64.94.55 www.securityxploded.com 443

UDP

Source Address | Source Port | Destination Address | Destination Port
192.168.122.201 49608 192.168.122.1 53
192.168.122.201 64912 192.168.122.1 53


HTTP Requests

URI | HTTP Data
http://www.securityxploded.com/product_versions.xml
GET /product_versions.xml HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Software Verion Checker
Host: www.securityxploded.com

http://39.100.119.17/rj.txt
GET /rj.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 39.100.119.17
Cache-Control: no-cache

http://note.youdao.com/yws/public/resource/aef3dea83bd0d0f7c1d1b0aaa18bffc7/xmlnote/9E782B06A29E4A5C80F8305FEEE92DAF/549
GET /yws/public/resource/aef3dea83bd0d0f7c1d1b0aaa18bffc7/xmlnote/9E782B06A29E4A5C80F8305FEEE92DAF/549 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: note.youdao.com
Connection: Keep-Alive

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2020-03-12 10:40:04.570216+0800 192.168.122.201 49166 39.100.119.17 80 TCP 2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0 Potential Corporate Privacy Violation
2020-03-12 10:40:04.490379+0800 59.111.179.136 80 192.168.122.201 49167 TCP 2020201 ET TROJAN Filename server.exe Download - Common Hostile Filename A Network Trojan was detected
2020-03-12 10:40:14.486950+0800 59.111.179.136 80 192.168.122.201 49167 TCP 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation

TLS

Timestamp Source IP Source Port Destination IP Destination Port Version Issuer Subject Fingerprint
2020-03-12 10:40:02.944328+0800 192.168.122.201 49165 69.64.94.55 443 TLSv1 C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=securityxploded.com f6:f2:7e:0b:3d:d8:bc:39:ec:bd:19:b7:6d:0f:c8:e9:88:41:6c:98

Suricata HTTP

No Suricata HTTP

No network-extracted files found.

Dropped Files

Filename DLL注入器.exe
Related files
C:\Users\test\AppData\Local\Temp\zip-tmp\DLL注入器.exe
File size 13251444 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5d663b8c910c7a4fd574151c51273861
SHA1 d43fae27369ea6aed82d72dd54a9fcef81b437f6
SHA256 f70177275d9728fb51c3a64866e95215d0445d85b19436c91992f48733e69596
CRC32 4D522B53
Ssdeep 393216:Vzuzpvn+N9PHLjCcAbI35N3pdED6HLNuGFhO:VWAn1AbIn3vED6rNuGrO

Similar Analyses

No similar analyses found.

Processing ( 34.204 seconds )

  • 16.487 Suricata
  • 7.292 BehaviorAnalysis
  • 3.639 TargetInfo
  • 3.289 VirusTotal
  • 2.656 NetworkAnalysis
  • 0.743 Dropped
  • 0.069 AnalysisInfo
  • 0.023 Strings
  • 0.003 Memory
  • 0.003 Static

Signatures ( 4.807 seconds )

  • 2.061 md_url_bl
  • 0.411 api_spamming
  • 0.317 stealth_timeout
  • 0.274 stealth_decoy_document
  • 0.258 injection_createremotethread
  • 0.166 injection_runpe
  • 0.151 antiav_detectreg
  • 0.09 injection_explorer
  • 0.074 process_interest
  • 0.062 stealth_file
  • 0.061 infostealer_ftp
  • 0.055 mimics_filetime
  • 0.05 reads_self
  • 0.048 vawtrak_behavior
  • 0.042 bootkit
  • 0.041 virus
  • 0.035 antivm_generic_disk
  • 0.034 infostealer_im
  • 0.031 process_needed
  • 0.031 antianalysis_detectreg
  • 0.026 antivm_generic_scsi
  • 0.026 md_domain_bl
  • 0.023 hancitor_behavior
  • 0.022 kovter_behavior
  • 0.02 antiav_detectfile
  • 0.019 infostealer_mail
  • 0.018 antiemu_wine_func
  • 0.018 antivm_generic_services
  • 0.017 infostealer_browser_password
  • 0.015 anormaly_invoke_kills
  • 0.014 infostealer_bitcoin
  • 0.013 shifu_behavior
  • 0.011 antivm_vbox_libs
  • 0.011 anomaly_persistence_autorun
  • 0.011 geodo_banking_trojan
  • 0.009 maldun_anomaly_massive_file_ops
  • 0.009 kibex_behavior
  • 0.008 sets_autoconfig_url
  • 0.008 antivm_vbox_files
  • 0.008 antivm_xen_keys
  • 0.008 ransomware_extensions
  • 0.008 ransomware_files
  • 0.007 betabot_behavior
  • 0.007 antivm_parallels_keys
  • 0.007 darkcomet_regkeys
  • 0.006 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.006 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.006 network_http
  • 0.005 antivm_generic_diskreg
  • 0.005 recon_fingerprint
  • 0.004 ransomware_dmalocker
  • 0.004 antiav_avast_libs
  • 0.004 ransomware_message
  • 0.004 antisandbox_sunbelt_libs
  • 0.004 exec_crash
  • 0.004 securityxploded_modules
  • 0.003 tinba_behavior
  • 0.003 hawkeye_behavior
  • 0.003 network_tor
  • 0.003 rat_nanocore
  • 0.003 anomaly_persistence_bootexecute
  • 0.003 antisandbox_sboxie_libs
  • 0.003 ipc_namedpipe
  • 0.003 antiav_bitdefender_libs
  • 0.003 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.003 antidbg_windows
  • 0.003 disables_wfp
  • 0.003 antidbg_devices
  • 0.003 antisandbox_productid
  • 0.003 disables_browser_warn
  • 0.003 network_torgateway
  • 0.002 banker_prinimalka
  • 0.002 disables_spdy
  • 0.002 rat_luminosity
  • 0.002 antivm_vmware_libs
  • 0.002 anomaly_reset_winsock
  • 0.002 antisandbox_sleep
  • 0.002 kelihos_behavior
  • 0.002 creates_largekey
  • 0.002 cerber_behavior
  • 0.002 pony_behavior
  • 0.002 bypass_firewall
  • 0.002 antivm_xen_keys
  • 0.002 antivm_hyperv_keys
  • 0.002 antivm_vbox_acpi
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_vpc_keys
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 maldun_anormaly_invoke_vb_vba
  • 0.002 md_bad_drop
  • 0.002 network_cnc_http
  • 0.002 packer_armadillo_regkey
  • 0.002 rat_pcclient
  • 0.001 office_dl_write_exe
  • 0.001 office_write_exe
  • 0.001 infostealer_browser
  • 0.001 dridex_behavior
  • 0.001 ursnif_behavior
  • 0.001 kazybot_behavior
  • 0.001 ransomeware_modifies_desktop_wallpaper
  • 0.001 h1n1_behavior
  • 0.001 sniffer_winpcap
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_vmware_files
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 codelux_behavior
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 malicous_targeted_flame
  • 0.001 maldun_network_blacklist
  • 0.001 rat_spynet
  • 0.001 recon_programs
  • 0.001 stealth_modify_uac_prompt

Reporting ( 1.588 seconds )

  • 1.175 ReportHTMLSummary
  • 0.413 Malheur
Task ID 527364
Mongo ID 5e69a1da2f8f2e54c2dcb5bf
Cuckoo release 1.4-Maldun