Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-hpdapp01-1  2020-09-25 19:06:08  2020-09-25 19:08:33  145 seconds

Maldun score

3.35

Suspicious

File details

File name 范思哲.exe
File size 2433024 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 26f539582060468c8cdfb52d4ccc89a4
SHA1 30d836cb7ace058d64575eaf87be4b84b79a2ee5
SHA256 22b9423c9f157c7005a2fe581c9065dfbd2517ec8b98324c2a4ae9210021a476
SHA512 f78fef1375ad12bbe88d5a78c8e712aa596b359b8932854d6756af4011588cf2c097945f19a88972c9b7e8095378099997875f19689ada89b0c1c15ac47e447e
CRC32 573ADD72
Ssdeep 49152:zML6yLrOvDbw8XgWhp5ow6JiR9Ca0GdMIA8YyrMFL93w5NlOPfKk5Rz+Sr09ab2:trXgWTmJtIAhy+pA5NlPk5RzRrkM2
Yara

Hosts contacted

No host records.

DNS resolution

Domain  Security rating  Response
acroipm.adobe.com A 96.17.68.64
CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net
A 96.17.68.99

Summary

C:\Users\test\AppData\Local\Temp\_________.exe
C:\Users\test\AppData\Local\Temp\MSVCP140.dll
C:\Windows\System32\MSVCP140.dll
C:\Windows\system\MSVCP140.dll
C:\Windows\MSVCP140.dll
C:\ProgramData\Oracle\Java\javapath\MSVCP140.dll
C:\Windows\System32\wbem\MSVCP140.dll
C:\Windows\System32\WindowsPowerShell\v1.0\MSVCP140.dll
C:\Program Files (x86)\WinRAR\MSVCP140.dll
C:\Users\test\AppData\Local\Temp\_________.exe
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
d3d9.dll.Direct3DCreate9
kernel32.dll.VirtualProtect
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.IsBadReadPtr
kernel32.dll.GetProcessHeap
kernel32.dll.FreeLibrary
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.HeapReAlloc
kernel32.dll.MultiByteToWideChar
kernel32.dll.WideCharToMultiByte
kernel32.dll.DeleteCriticalSection
kernel32.dll.SetEvent
kernel32.dll.ResetEvent
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.WaitForSingleObjectEx
kernel32.dll.CreateEventW
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetProcAddress
kernel32.dll.GlobalLock
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.GetCurrentProcess
kernel32.dll.TerminateProcess
kernel32.dll.IsDebuggerPresent
kernel32.dll.GetCurrentProcessId
kernel32.dll.QueryPerformanceFrequency
kernel32.dll.GetModuleHandleW
kernel32.dll.GlobalUnlock
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.CloseHandle
kernel32.dll.DisableThreadLibraryCalls
kernel32.dll.InitializeSListHead
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.GlobalAlloc
kernel32.dll.InitializeCriticalSectionAndSpinCount
user32.dll.CloseClipboard
user32.dll.OpenClipboard
user32.dll.GetClipboardData
user32.dll.ReleaseCapture
user32.dll.GetClientRect
user32.dll.SetCursor
user32.dll.SetCapture
user32.dll.EmptyClipboard
user32.dll.SetClipboardData
user32.dll.SetCursorPos
user32.dll.LoadCursorW
user32.dll.GetAsyncKeyState
user32.dll.GetKeyState
user32.dll.GetCapture
user32.dll.ClientToScreen
imm32.dll.ImmSetCompositionWindow
imm32.dll.ImmGetContext

PE information

Image base 0x00400000
Entry point 0x00927963
Declared checksum 0x00000000
Actual checksum 0x00259652
Minimum OS version 5.0
Compile time 2020-09-18 00:07:19
Import hash 356d674482410c21e1fe3fa5fb35a03c

Version information

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x000a5956 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.rdata 0x000a7000 0x0006fb54 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00
.data 0x00117000 0x000445e8 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.vmp0 0x0015c000 0x001a19e4 0x00000000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.vmp1 0x002fe000 0x0024b23c 0x0024c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.90
.rsrc 0x0054a000 0x000045a1 0x00005000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.40

Imports

Library: RASAPI32.dll:
0x6fe4c8 RasHangUpA
Library: KERNEL32.dll:
0x6fe4d0 VirtualProtect
Library: USER32.dll:
0x6fe4d8 MessageBoxW
Library: GDI32.dll:
0x6fe4e0 CreateCompatibleDC
Library: WINMM.dll:
0x6fe4e8 waveOutReset
Library: WINSPOOL.DRV:
0x6fe4f0 OpenPrinterA
Library: ADVAPI32.dll:
0x6fe4f8 RegQueryValueA
Library: SHELL32.dll:
0x6fe500 DragQueryFileA
Library: ole32.dll:
0x6fe508 CLSIDFromString
Library: OLEAUT32.dll:
0x6fe510 LoadTypeLib
Library: COMCTL32.dll:
Library: WS2_32.dll:
0x6fe520 closesocket
Library: WININET.dll:
0x6fe528 InternetCloseHandle
Library: comdlg32.dll:
0x6fe530 GetOpenFileNameA
Library: KERNEL32.dll:
0x6fe538 GetModuleFileNameW
Library: KERNEL32.dll:
0x6fe540 GetModuleHandleA
0x6fe544 LoadLibraryA
0x6fe548 LocalAlloc
0x6fe54c LocalFree
0x6fe550 GetModuleFileNameA
0x6fe554 ExitProcess

.text
`.rdata
@.data
.vmp0
.vmp1
.rsrc
RegQueryValueA
ole32.dll
ExitProcess
/|k$t
No antivirus engine scan information.

Process tree

_________.exe, PID: 2456, parent PID: 2172

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201  49158  96.17.68.64 acroipm.adobe.com  80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201  63282  192.168.122.1  53

HTTP requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
No dropped files.
No similar analyses found.

Processing ( 26.276 seconds )

  • 15.473 Suricata
  • 6.77 Static
  • 1.415 VirusTotal
  • 0.976 NetworkAnalysis
  • 0.939 TargetInfo
  • 0.464 peid
  • 0.134 AnalysisInfo
  • 0.075 BehaviorAnalysis
  • 0.016 Strings
  • 0.01 config_decoder
  • 0.004 Memory

Signatures ( 2.026 seconds )

  • 1.875 md_url_bl
  • 0.025 md_domain_bl
  • 0.016 antiav_detectreg
  • 0.008 antiav_detectfile
  • 0.007 anomaly_persistence_autorun
  • 0.007 infostealer_ftp
  • 0.006 ransomware_files
  • 0.005 geodo_banking_trojan
  • 0.005 infostealer_bitcoin
  • 0.005 infostealer_im
  • 0.005 network_http
  • 0.005 ransomware_extensions
  • 0.003 tinba_behavior
  • 0.003 antianalysis_detectreg
  • 0.003 antivm_vbox_files
  • 0.003 disables_browser_warn
  • 0.003 infostealer_mail
  • 0.003 network_torgateway
  • 0.002 stealth_decoy_document
  • 0.002 rat_nanocore
  • 0.002 api_spamming
  • 0.002 cerber_behavior
  • 0.002 stealth_timeout
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 md_bad_drop
  • 0.002 network_cnc_http
  • 0.001 antiemu_wine_func
  • 0.001 antivm_vbox_libs
  • 0.001 betabot_behavior
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 infostealer_browser_password
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_network_blacklist
  • 0.001 stealth_modify_uac_prompt

Reporting ( 1.264 seconds )

  • 0.918 ReportHTMLSummary
  • 0.346 Malheur
Task ID 577681
Mongo ID 5f6dcfd82f8f2e0ab752d7a2
Cuckoo release 1.4-Maldun