分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-hpdapp01-3 | 2020-03-26 15:02:28 | 2020-03-26 15:07:01 | 273 秒 |
魔盾分数
10.0
危险的
文件详细信息
| 文件名 | csrss.exe |
|---|---|
| 文件大小 | 6152192 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | c9c36a842008390bb04bea6ccea02c10 |
| SHA1 | ae4e1ccdf56f32dda96481af56ce4f7956403bde |
| SHA256 | c3ff6e063f7c5ca2d6fb51506b8e5b066b0209c3383e23b99a50c71f6b1b72d4 |
| SHA512 | 79ea059b8d4c7124781493106eb290483d63a2c18e1766b7578b5ea685d027726d4989d269f115bf9958ee18571438e5fad74c2208f2ee2a65e6b546579c9710 |
| CRC32 | 3748F292 |
| Ssdeep | 98304:zcXfzq2zcdFq/I42S0GtFN1ahjqmxjFqZSxoxGvLiiwnQqgRSsF3jD1Lyj0kwii8:APuPtTWj1ahjb+GDii6QqgRBFTD4j0L8 |
| Yara | 登录查看Yara规则 |
| 样本下载 提交误报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x009c802e |
| 声明校验值 | 0x005e1364 |
| 实际校验值 | 0x005e1364 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2020-03-20 15:33:52 |
| 载入哈希 | ffd9a45356e9644bee987e6c6ec15351 |
版本信息
| Translation | |
|---|---|
| InternalName | |
| FileVersion | |
| CompanyName | |
| ProductName | |
| ProductVersion | |
| OriginalFilename |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x004f9000 | 0x004f9000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.99 |
| .sedata | 0x004fa000 | 0x000cf000 | 0x000cf000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.71 |
| .idata | 0x005c9000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.55 |
| .rsrc | 0x005ca000 | 0x00011000 | 0x00011000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.11 |
| .sedata | 0x005db000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.98 |
覆盖
| 偏移量 | 0x005dc000 |
| 大小 | 0x00002000 |
导入
库: MSVBVM60.DLL:
• 0x401000 _CIcos
• 0x401004 _adj_fptan
• 0x401008 __vbaAryMove
• 0x40100c __vbaFreeVar
• 0x401010 __vbaLateIdCall
• 0x401014 __vbaFreeVarList
• 0x401018 _adj_fdiv_m64
• 0x40101c _adj_fprem1
• 0x401020 __vbaCopyBytes
• 0x401024 __vbaSetSystemError
• 0x401028 __vbaHresultCheckObj
• 0x40102c _adj_fdiv_m32
• 0x401030 __vbaAryDestruct
• 0x401034 __vbaExitProc
• 0x401038 __vbaOnError
• 0x40103c __vbaObjSet
• 0x401040 _adj_fdiv_m16i
• 0x401044 _adj_fdivr_m16i
• 0x401048 _CIsin
• 0x40104c __vbaChkstk
• 0x401050 __vbaFileClose
• 0x401054 EVENT_SINK_AddRef
• 0x401058 __vbaGenerateBoundsError
• 0x40105c __vbaPutOwner3
• 0x401060 __vbaI2I4
• 0x401064 DllFunctionCall
• 0x401068 _adj_fpatan
• 0x40106c EVENT_SINK_Release
• 0x401070 _CIsqrt
• 0x401074 EVENT_SINK_QueryInterface
• 0x401078 __vbaExceptHandler
• 0x40107c __vbaStrToUnicode
• 0x401080 _adj_fprem
• 0x401084 _adj_fdivr_m64
• 0x401088 __vbaFPException
• 0x40108c None
• 0x401090 _CIlog
• 0x401094 __vbaFileOpen
• 0x401098 __vbaVar2Vec
• 0x40109c __vbaNew2
• 0x4010a0 None
• 0x4010a4 _adj_fdiv_m32i
• 0x4010a8 _adj_fdivr_m32i
• 0x4010ac __vbaStrCopy
• 0x4010b0 __vbaI4Str
• 0x4010b4 __vbaFreeStrList
• 0x4010b8 _adj_fdivr_m32
• 0x4010bc _adj_fdiv_r
• 0x4010c0 None
• 0x4010c4 __vbaI4Var
• 0x4010c8 __vbaVarAdd
• 0x4010cc __vbaStrToAnsi
• 0x4010d0 __vbaVarCopy
• 0x4010d4 _CIatan
• 0x4010d8 _allmul
• 0x4010dc __vbaLenVarB
• 0x4010e0 _CItan
• 0x4010e4 _CIexp
• 0x4010e8 __vbaFreeStr
• 0x4010ec __vbaFreeObj
库: MSVCRT.dll:
• 0x9c9602 strncpy
库: IPHLPAPI.DLL:
• 0x9c960e GetInterfaceInfo
库: PSAPI.DLL:
• 0x9c961a GetMappedFileNameW
库: KERNEL32.dll:
• 0x9c9626 GetModuleFileNameW
库: USER32.dll:
• 0x9c9632 GetWindow
库: ADVAPI32.dll:
• 0x9c963e RegDeleteKeyA
库: SHELL32.dll:
• 0x9c964a SHGetFolderPathW
.text
.sedata
.idata
.rsrc
.sedata
Ca
Form1
wwwwwwwwwwwwwwwwwwwwp
wwwwwwwwwwwwwwwwwwwwp
wwwwwwwwwwwwwx
xwwwwwx
wwxxww
""""""""""""""""""""""""""""""""""""""""""
"555555555555555555555555555555555555555555"
"5eeeeeeeee[eZ[ZZZZZZZZZZZQZQZQZQZQQQQQQQe5"
"5eeeeeaa[eZZaaZZZZZQZQZQQQZQQQQQQQQQQQQQe5"
"5eeeee<<<<;eZaZZZZZZQZQQZQQQZQQQQQQQQQQQe5"
([aa[ZZZQWWZZQZQZQQQQQQQQQQQQQe5"
ZZa[ZZW`W`ZZQQZQQQZQZQQQQQQQQe5"
aaa[W'&&&#&&&&&&&#&#&&&QQQQQe5"
6aaea%&&#&&&##&#&######QQQQQe5"
aaZZ_ZZZZZQZQQQQQQQQQQQQQQQe5"
*aaaaZZZQZZQZZQ[QQ[QQQQQQQQe5"
BaaaZZZZZQWZQQ[ZQQQZQQQQQQe5"
Haa[ZZZQ`ZQ`ZQQW[QQQQQQQQe5"
aaaZWW`WWWZQ`Q[QQQQQQQQQe5"
a%%&&'&&&&&&&&#&&&&QQQQQe5"
eeeea%%&#&#&&&&#&#&&###QZQQQe5"
7eeaeaa[`WeZZZQZQQQQQQQQQQZQe5"
eeaeaaeaeZZZZQZ[[ZQWWWWQQQQe5"
*aeaaaaaZZZZZZQZQZWWQWQ[QQZe5"
Ceeaeaa[`WWW``Q`Q`ZQ[QQZQQe5"
HeeaaaeaeeW`[`[[Q[Q[ZQQQQe5"
e%%%%&&#&%&&&&&&&&&QQ[QQe5"
!e%''%%%'%'&&&&&&&&&Q[QZQe5"
aeeaeeeeeeeeZeZZZZQZQQQQ[QQWeA"
=eeeeeeeeeZeZZZZZZZQ[[ZQZQWZeA"
eeeeeeaaaeZeZWWWZZZQ[ZQQ`QQeA"
+eeeeeeaaaeZ`ee[ZZW`ZQ[ZQ[ZeA"
DeeeaeeeaaeZaZ`Z``ZZZQ[ZQQeA"
Maeeaeeaaaaaa[[ZZZQ`WQ[Q`eA"
eeeeeeaeaeaaa[[Z[`Z`ZQ`ZeA"
!eeeeeeaeaaaaaa[[ZZZQ`QWQeA"
"AeeeeeeeeeeeeeeeeeeeeaeaaaaaaaaZZZQ`Z[ZQeA"
"A::::::::::::::::::::::::::::::::::::::::A"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
""""""""""""""""""""""""""""""""""""""""""
K00000000000000003530000000007
0{{{{{u{uuuuuuuuuukuukkukkkkv0
0{{{y{uyyuuuuukukkkkkkkkkkkkv0
0{{{{QO;Swwuukukukukkkkkkkkks0
:{uwuuukukukukkkkkkks0
hxxuuupwkkkkkukkkkkv0
kkkkv0
Jxxuuuukxukukkkkkkv0
!ixxwuukwkukukukkus0
-{uxuupxukkkkkukks0
#{F>xxxwswkxukxukkkks0
kkkus0
v{{{yxwswukxkukukkx0
={y{y{wxuwwukkwkkus0
Z{{uv{uswuuswkskkx0
Bv)*{y{yvwwuukwkxkwkx0
/////////swkws0
<{{{{{{{y{uxsxwukwk{0
a{{{{y{yxxwwwuukwus0
"{{{{{{{y{uswukwkkx0
?{{{{y{yxxwuuwuwus0
5{{{{{{{{{.,{{{{{{{y{uuswukxs0
5NNNNNNNNNMMNNNLLNNNNNNLLLLLL0
0000000000000000000000000000K
C}VPq
Form1
WebBrowser1
SHDocVwCtl.WebBrowser
Text1
Label1
By:yw QQ: 1685151106 Beauty version 5.0.2
Label2
vb6chs.dll
Hr,g\
ReadyState
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
Form1
Module1
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
WebBrowser1
C:\Windows\SysWOW64\ieframe.oca
SHDocVwCtl
Text1
Label1
Label2
user32
FindWindowA
GetWindowThreadProcessId
clk.dll
FreeHook
EnableHook
kernel32
GetCurrentProcessId
RtlMoveMemory
CreateFileMappingA
OpenFileMappingA
MapViewOfFile
UnmapViewOfFile
CloseHandle
VBA6.DLL
__vbaAryDestruct
__vbaLateIdCall
__vbaVarCopy
__vbaI4Var
__vbaFreeObj
__vbaFreeStrList
__vbaSetSystemError
__vbaObjSet
__vbaStrToAnsi
__vbaFileClose
__vbaPutOwner3
__vbaI2I4
__vbaFileOpen
__vbaFreeVar
__vbaHresultCheckObj
__vbaNew2
__vbaVar2Vec
__vbaAryMove
UserControl
advapi32.dll
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueA
GetCurrentProcess
VirtualAllocEx
VirtualFreeEx
OpenProcess
TerminateProcess
WriteProcessMemory
GetModuleHandleA
GetProcAddress
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
EnablePrivilege
KillProcess
__vbaI4Str
__vbaGenerateBoundsError
__vbaCopyBytes
__vbaExitProc
__vbaFreeStr
__vbaStrToUnicode
__vbaFreeVarList
__vbaLenVarB
__vbaVarAdd
__vbaOnError
__vbaStrCopy
dwProcessId
pszLibFile
ProcessID
9=@dA
NPhh2A
hhVPA
http:///
dows\Explorer
1.vbp
SeDebugPrivilege
C:\Windows\wok.dll
EXPdll
C:\Windows\clk.dll
caidanDll
Kernel32
LoadLibraryA
GetModuleHandleA
FreeLibrary
shearememory535200701
进程树
- csrss.exe id: 2960
-
services.exe id: 428
-
svchost.exe id: 4072
- dwm.exe id: 3524
- svchost.exe id: 3712
-
svchost.exe id: 4072
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 41.744 seconds )
- 16.53 Static
- 15.505 Suricata
- 3.792 BehaviorAnalysis
- 3.158 VirusTotal
- 1.793 TargetInfo
- 0.433 peid
- 0.345 NetworkAnalysis
- 0.141 AnalysisInfo
- 0.03 config_decoder
- 0.014 Strings
- 0.003 Memory
Signatures ( 1.875 seconds )
- 0.248 antiav_detectreg
- 0.181 api_spamming
- 0.148 stealth_timeout
- 0.133 stealth_decoy_document
- 0.098 infostealer_ftp
- 0.056 infostealer_im
- 0.051 antianalysis_detectreg
- 0.049 antivm_generic_scsi
- 0.043 kovter_behavior
- 0.042 stealth_file
- 0.038 infostealer_browser_password
- 0.038 antiav_detectfile
- 0.036 antiemu_wine_func
- 0.033 antidbg_windows
- 0.032 mimics_filetime
- 0.032 infostealer_mail
- 0.03 antivm_generic_services
- 0.028 reads_self
- 0.028 anormaly_invoke_kills
- 0.027 infostealer_bitcoin
- 0.024 virus
- 0.023 antivm_generic_disk
- 0.021 bootkit
- 0.019 md_url_bl
- 0.017 md_domain_bl
- 0.015 kibex_behavior
- 0.015 hancitor_behavior
- 0.015 antivm_vbox_files
- 0.015 ransomware_extensions
- 0.013 antivm_xen_keys
- 0.012 betabot_behavior
- 0.012 anomaly_persistence_autorun
- 0.012 antivm_parallels_keys
- 0.012 geodo_banking_trojan
- 0.012 darkcomet_regkeys
- 0.011 ransomware_files
- 0.01 infostealer_browser
- 0.008 antivm_vbox_libs
- 0.008 packer_themida
- 0.008 injection_createremotethread
- 0.008 antivm_vbox_window
- 0.008 antivm_generic_diskreg
- 0.008 recon_fingerprint
- 0.006 maldun_anomaly_massive_file_ops
- 0.006 shifu_behavior
- 0.006 antisandbox_script_timer
- 0.006 antidbg_devices
- 0.005 network_tor
- 0.005 antiav_avast_libs
- 0.005 injection_explorer
- 0.005 browser_needed
- 0.005 antisandbox_sunbelt_libs
- 0.005 injection_runpe
- 0.005 antisandbox_productid
- 0.005 packer_armadillo_regkey
- 0.005 rat_pcclient
- 0.004 dridex_behavior
- 0.004 antisandbox_sboxie_libs
- 0.004 antiav_bitdefender_libs
- 0.004 exec_crash
- 0.004 bypass_firewall
- 0.004 antivm_xen_keys
- 0.004 antivm_hyperv_keys
- 0.004 antivm_vbox_acpi
- 0.004 antivm_vbox_keys
- 0.004 antivm_vmware_keys
- 0.004 antivm_vpc_keys
- 0.004 disables_browser_warn
- 0.004 maldun_anomaly_invoke_vb_vba
- 0.003 tinba_behavior
- 0.003 hawkeye_behavior
- 0.003 rat_nanocore
- 0.003 kazybot_behavior
- 0.003 antivm_vmware_files
- 0.003 codelux_behavior
- 0.003 md_bad_drop
- 0.003 recon_programs
- 0.002 antivm_vmware_libs
- 0.002 antisandbox_sleep
- 0.002 ipc_namedpipe
- 0.002 cerber_behavior
- 0.002 sniffer_winpcap
- 0.002 antianalysis_detectfile
- 0.002 antivm_generic_bios
- 0.002 antivm_generic_cpu
- 0.002 antivm_generic_system
- 0.002 browser_security
- 0.002 modify_proxy
- 0.002 maldun_malicious_drop_executable_file_to_temp_folder
- 0.002 network_tor_service
- 0.001 maldun_malicious_write_executeable_under_temp_to_regrun
- 0.001 rat_luminosity
- 0.001 anomaly_persistence_bootexecute
- 0.001 maldun_anomaly_write_exe_and_obsfucate_extension
- 0.001 anomaly_reset_winsock
- 0.001 sets_autoconfig_url
- 0.001 ursnif_behavior
- 0.001 heapspray_js
- 0.001 ransomeware_modifies_desktop_wallpaper
- 0.001 ransomware_file_modifications
- 0.001 maldun_anomaly_write_exe_and_dll_under_winroot_run
- 0.001 h1n1_behavior
- 0.001 antisandbox_sunbelt_files
- 0.001 antivm_vpc_files
- 0.001 banker_cridex
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 disables_system_restore
- 0.001 disables_windows_defender
- 0.001 malicous_targeted_flame
- 0.001 office_security
- 0.001 ransomware_radamant
- 0.001 rat_spynet
- 0.001 stealth_hide_notifications
- 0.001 stealth_modify_uac_prompt
Reporting ( 1.601 seconds )
- 0.927 ReportHTMLSummary
- 0.674 Malheur
| Task ID | 531588 |
|---|---|
| Mongo ID | 5e7c54f22f8f2e3e964a5f12 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号