Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-hpdapp01-1 | 2020-06-21 13:37:16 | 2020-06-21 13:39:47 | 151 seconds

Maldun score

10.0

Dangerous

File details

File name Pacify-安抚修改器V1.3.exe
File size 5894144 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 dabb6de7180b1e3d5e7cb2561c32f293
SHA1 6fbd7607783d716bad7da69677ef8124562873c2
SHA256 eb666065f4c6e35effc26031bec8fd43ba67bfd06259c9274f6807f2fbbcf4a7
SHA512 c23ff4caa45c003a3610ab2bfdfc28f164053fa5c0b3b106ecb04d6c6fe0db17a68511b086a406d9fb6120705859f19a699917960539cb89934cd294731c590e
CRC32 A2DED731
Ssdeep 98304:3gEnoSE5BC0o4krlbKyWuwKiXODxF1fMQaXUKrvLlSMnW580eTX/8MFXz1Qf9dPe:gC0ozlbKcplakS8MnWk/hNM9dL9Y8k7D
Hosts contacted

No host records.

Domain resolution

No domain information.



PE information

Image base 0x00400000
Entry point 0x004015eb
Declared checksum 0x00011163
Actual checksum 0x005ac2c7
Minimum OS version required 5.0
Compile time 2013-06-28 22:45:44
Import hash 8d92fa1956a6a631c642190121740197

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x00008d54 0x00008e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.56
.rdata 0x0000a000 0x00002114 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.44
.data 0x0000d000 0x00002adc 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.10
.rsrc 0x00010000 0x00591bac 0x00591c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.97
.reloc 0x005a2000 0x00000eea 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.33

Imports

Library: SHLWAPI.dll:
0x40a144 PathAddBackslashA
0x40a148 PathStripPathA
0x40a14c PathRemoveFileSpecA
Library: KERNEL32.dll:
0x40a008 GetModuleFileNameA
0x40a00c FindResourceA
0x40a010 GetModuleHandleA
0x40a014 SizeofResource
0x40a018 LoadResource
0x40a01c GetTempPathA
0x40a020 CreateDirectoryA
0x40a024 DeleteFileA
0x40a028 CreateFileA
0x40a02c WriteFile
0x40a030 CloseHandle
0x40a034 CreateProcessA
0x40a038 WaitForSingleObject
0x40a03c RemoveDirectoryA
0x40a040 FlushFileBuffers
0x40a044 GetTempFileNameA
0x40a048 GetCurrentThreadId
0x40a04c GetCommandLineA
0x40a050 GetStartupInfoA
0x40a054 TerminateProcess
0x40a058 GetCurrentProcess
0x40a064 IsDebuggerPresent
0x40a068 GetModuleHandleW
0x40a06c Sleep
0x40a070 GetProcAddress
0x40a074 ExitProcess
0x40a078 GetStdHandle
0x40a088 WideCharToMultiByte
0x40a08c GetLastError
0x40a094 SetHandleCount
0x40a098 GetFileType
0x40a0a0 TlsGetValue
0x40a0a4 TlsAlloc
0x40a0a8 TlsSetValue
0x40a0ac TlsFree
0x40a0b4 SetLastError
0x40a0bc HeapCreate
0x40a0c0 VirtualFree
0x40a0c4 HeapFree
0x40a0cc GetTickCount
0x40a0d0 GetCurrentProcessId
0x40a0d8 SetFilePointer
0x40a0dc GetConsoleCP
0x40a0e0 GetConsoleMode
0x40a0ec GetCPInfo
0x40a0f0 GetACP
0x40a0f4 GetOEMCP
0x40a0f8 IsValidCodePage
0x40a0fc LoadLibraryA
0x40a104 HeapAlloc
0x40a108 VirtualAlloc
0x40a10c HeapReAlloc
0x40a110 RtlUnwind
0x40a114 SetStdHandle
0x40a118 WriteConsoleA
0x40a11c GetConsoleOutputCP
0x40a120 WriteConsoleW
0x40a124 MultiByteToWideChar
0x40a128 LCMapStringA
0x40a12c LCMapStringW
0x40a130 GetStringTypeA
0x40a134 GetStringTypeW
0x40a138 GetLocaleInfoA
0x40a13c HeapSize
Library: USER32.dll:
0x40a154 MessageBoxA

No antivirus engine scan information!

Process tree

Pacify-_______________V1.3.exe, PID: 2692, parent PID: 2336
Pacify-_______________V1.3.exe, PID: 2808, parent PID: 2692
Pacify-_______________V1.3.exe, PID: 2892, parent PID: 2808

TCP

No TCP connection records.

UDP

No UDP connection records.


HTTP requests

No HTTP requests found.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
No files were dropped.
No similar analyses found.

Processing ( 38.905 seconds )

  • 16.71 Static
  • 15.577 Suricata
  • 2.796 VirusTotal
  • 1.711 TargetInfo
  • 1.203 BehaviorAnalysis
  • 0.425 peid
  • 0.355 NetworkAnalysis
  • 0.086 AnalysisInfo
  • 0.021 config_decoder
  • 0.018 Strings
  • 0.003 Memory

Signatures ( 0.684 seconds )

  • 0.059 api_spamming
  • 0.05 antiav_detectreg
  • 0.046 stealth_timeout
  • 0.044 stealth_decoy_document
  • 0.04 antiav_detectfile
  • 0.031 infostealer_ftp
  • 0.028 infostealer_bitcoin
  • 0.02 infostealer_im
  • 0.02 md_url_bl
  • 0.019 md_domain_bl
  • 0.016 antivm_vbox_files
  • 0.013 antisandbox_sleep
  • 0.012 maldun_anomaly_massive_file_ops
  • 0.012 infostealer_mail
  • 0.011 antianalysis_detectreg
  • 0.011 ransomware_extensions
  • 0.01 reads_self
  • 0.01 antidbg_windows
  • 0.01 kovter_behavior
  • 0.009 mimics_filetime
  • 0.009 infostealer_browser_password
  • 0.009 virus
  • 0.009 ransomware_files
  • 0.008 antiemu_wine_func
  • 0.008 bootkit
  • 0.008 stealth_file
  • 0.008 antivm_generic_disk
  • 0.007 anomaly_persistence_autorun
  • 0.007 antidbg_devices
  • 0.006 rat_pcclient
  • 0.005 network_tor
  • 0.005 injection_createremotethread
  • 0.005 betabot_behavior
  • 0.005 kibex_behavior
  • 0.005 geodo_banking_trojan
  • 0.004 infostealer_browser
  • 0.004 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.004 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.004 antivm_generic_scsi
  • 0.003 tinba_behavior
  • 0.003 rat_luminosity
  • 0.003 antivm_generic_services
  • 0.003 kazybot_behavior
  • 0.003 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.003 injection_runpe
  • 0.003 antivm_vmware_files
  • 0.003 disables_browser_warn
  • 0.003 codelux_behavior
  • 0.002 hawkeye_behavior
  • 0.002 antivm_vbox_libs
  • 0.002 rat_nanocore
  • 0.002 antivm_vbox_window
  • 0.002 anormaly_invoke_kills
  • 0.002 cerber_behavior
  • 0.002 hancitor_behavior
  • 0.002 sniffer_winpcap
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_xen_keys
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 darkcomet_regkeys
  • 0.002 md_bad_drop
  • 0.002 network_tor_service
  • 0.002 recon_fingerprint
  • 0.001 ransomware_message
  • 0.001 injection_explorer
  • 0.001 sets_autoconfig_url
  • 0.001 ursnif_behavior
  • 0.001 ipc_namedpipe
  • 0.001 ransomeware_modifies_desktop_wallpaper
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 vawtrak_behavior
  • 0.001 antisandbox_script_timer
  • 0.001 securityxploded_modules
  • 0.001 bypass_firewall
  • 0.001 antisandbox_productid
  • 0.001 antisandbox_sunbelt_files
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vpc_files
  • 0.001 banker_cridex
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 malicous_targeted_flame
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 office_security
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_spynet
  • 0.001 stealth_modify_uac_prompt

Reporting ( 1.242 seconds )

  • 0.928 ReportHTMLSummary
  • 0.314 Malheur
Task ID 554141
Mongo ID 5eeef2df2f8f2e4ca4e167a2
Cuckoo release 1.4-Maldun