Analysis task

Analysis type    VM label                  Start time            End time              Duration
File (Windows)   win7-sp1-x64-shaapp03-2   2020-11-30 10:25:50   2020-11-30 10:27:53   123 s

Maldun score

2.95 (suspicious)

File details

File name   WannaMine4.0释放1 (submitter's label, "WannaMine 4.0 dropped file 1")
File size   109056 bytes
File type   PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5         6445aacb6c450c96da2ad158b9e7aaab
SHA1        71faca3a24bb44db27e9d5502d7d63ef378697be
SHA256      28082444a350c27c0e9431f11c4004a6ff932b7acbcee8facad08fc98cc744e8
SHA512      7f4eec578cf5689382c6474bac7167a65d2e853af41d6162d79f42ea15ea3e6ed2c437beaefde0b880cb72003e5c314b1ca53d0d3f25bd84c7f3432daeb32916
CRC32       2CCD9F9D
Ssdeep      3072:K1eSFG0tXAR+JMCX3LuI7Jdw603Gwy2GqqSjl0:e44AYLnLNxiGxqHl0

Hosts contacted

No host records.

DNS resolution

Domain              Response
acroipm.adobe.com   CNAME acroipm.adobe.com.edgesuite.net
                    CNAME a1983.dscd.akamai.net
                    A 23.211.14.171
                    A 23.211.14.185

PE information

Image base             0x10000000
Entry point            0x10006048
Declared checksum      0x00000000
Actual checksum        0x0001d317
Minimum OS version     5.1
Compile time           2019-03-18 14:27:56
Import hash            d9a8407aabeebd7fab435133b068aad5
Exported DLL name      core32

A declared checksum of zero means the linker was not asked to write one, which is common for user-mode MSVC builds and is not suspicious on its own; a non-zero declared value that disagrees with the computed one is the stronger sign of post-link patching. The exported DLL name core32 does not match the install path C:\Windows\system32\SecureProtocolEvent.dll found in the strings section, so the file is renamed at deployment. The compile timestamp is a header field under the author's control and should not be read as a reliable build date.

Version information

The parsed version table is empty for every field (LegalCopyright, InternalName, FileVersion, CompanyName, ProductName, ProductVersion, FileDescription, OriginalFilename, Translation). The RT_VERSION resource itself is readable in the strings section below and claims CompanyName "Microsoft Corporation", FileDescription, InternalName and OriginalFilename "Windows Core Module", ProductName "Operating System" and version 6.3.9600.16384 (the Windows 8.1 RTM build number). These fields are set freely by whoever builds the file and carry no weight as evidence of origin; an OriginalFilename that is not a file name at all is itself a tell. Origin should be judged on an Authenticode signature, which a genuine Microsoft module would carry.

PE sections

Name     Virtual address   Virtual size   Raw data size   Characteristics                                                           Entropy
.text    0x00001000        0x0000f696     0x0000f800      IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ               6.67
.rdata   0x00011000        0x000065e6     0x00006600      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                         4.98
.data    0x00018000        0x00003944     0x00003000      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE     2.55
.rsrc    0x0001c000        0x000003e8     0x00000400      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                         3.30
.reloc   0x0001d000        0x000012b0     0x00001400      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ   6.41

The section layout is a plain MSVC layout: no writable-and-executable section, raw sizes that match virtual sizes, and a .text entropy of 6.67, which is the normal range for compiled x86 code. Together with the intact import table and the readable strings this says the DLL is not packed.

Resources

Name         Offset       Size         Language       Sub-language         Entropy   File type
RT_VERSION   0x0001c060   0x00000388   LANG_ENGLISH   SUBLANG_ENGLISH_US   3.49      data
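Added example, not code from the sandbox or from the sample: the two header figures the report lists (per-section entropy and the optional-header CheckSum) recomputed from raw bytes, plus the section-table heuristics a triage script would apply. The PE skeleton built by make_test_image() is constructed for the demonstration and is not loadable; the REPORT_SECTIONS values are copied from the table above, and the entropy thresholds (7.2 and 5.0) are my own working numbers, not figures from the report.

```python
"""Recompute two figures from the PE information above: per-section entropy and the
optional-header CheckSum. Added example, not code from the sandbox or the sample.
The PE image built in make_test_image() is constructed for the demonstration."""
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    Compiled x86 code usually lands around 6-6.8; packed or encrypted sections sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """The CheckSum algorithm implemented by imagehlp!CheckSumMappedFile: 32-bit sum
    with end-around carry over the whole file, skipping the CheckSum field itself,
    folded to 16 bits, plus the file length. Drivers must match; user-mode images
    may carry 0 when the linker was not asked to write one."""
    padded = image + b"\x00" * (-len(image) % 4)
    skip = checksum_offset // 4 * 4
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def checksum_field_offset(image: bytes) -> int:
    """CheckSum lives at OptionalHeader+0x40 for both PE32 and PE32+; the optional
    header starts 0x18 bytes past the PE signature at e_lfanew."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 0x18 + 0x40


def check_image(image: bytes) -> tuple:
    """Return (declared, computed) CheckSum for a PE image held in memory."""
    off = checksum_field_offset(image)
    declared = struct.unpack_from("<I", image, off)[0]
    return declared, pe_checksum(image, off)


def make_test_image(declared: int) -> bytes:
    """Constructed minimal MZ/PE skeleton (headers only, not a loadable file)."""
    img = bytearray(0x100)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)        # e_lfanew
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x44, 0x014C)      # Machine: i386, as in the report
    struct.pack_into("<I", img, 0x40 + 0x58, declared)
    return bytes(img)


# Section table as listed in the report: (name, characteristics, raw size, virtual size, entropy)
REPORT_SECTIONS = [
    (".text",  "CODE|EXECUTE|READ",                 0xF800, 0xF696, 6.67),
    (".rdata", "INITIALIZED_DATA|READ",             0x6600, 0x65E6, 4.98),
    (".data",  "INITIALIZED_DATA|READ|WRITE",       0x3000, 0x3944, 2.55),
    (".rsrc",  "INITIALIZED_DATA|READ",             0x0400, 0x03E8, 3.30),
    (".reloc", "INITIALIZED_DATA|DISCARDABLE|READ", 0x1400, 0x12B0, 6.41),
]


def triage_sections(sections) -> list:
    """Cheap packing/tampering heuristics over a section table (thresholds are my own);
    an empty result means nothing in the table itself argues for a packer."""
    findings = []
    for name, chars, raw, virt, entropy in sections:
        if "EXECUTE" in chars and "WRITE" in chars:
            findings.append(f"{name}: writable and executable")
        if entropy >= 7.2:
            findings.append(f"{name}: entropy {entropy} suggests packed or encrypted content")
        if raw == 0 and virt > 0:
            findings.append(f"{name}: no raw data but {virt:#x} bytes virtual (unpacking target)")
        if "EXECUTE" in chars and entropy < 5.0:
            findings.append(f"{name}: executable but low entropy (stub or mostly empty)")
    return findings


if __name__ == "__main__":
    declared, computed = check_image(make_test_image(0))
    print(f"declared {declared:#010x} computed {computed:#010x}")
    print(triage_sections(REPORT_SECTIONS) or "no section-table anomalies")
```

On a real file, read it into memory and call check_image(); a mismatch is only meaningful when the declared value is non-zero, and it is the computed value, not the declared one, that lets you correlate two builds of the same image.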

Imports

The import listing below is incomplete: the IAT addresses skip nine slots (0x1001104c, 0x100110bc, 0x100110c0, 0x100110c8, 0x100110d8, 0x100110dc, 0x100110f8, 0x1001114c and 0x10011010), and the strings section names exactly nine KERNEL32/ADVAPI32 functions that are missing here: InitializeCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW and RegisterServiceCtrlHandlerA. The last of these matters most, since together with SetServiceStatus it is what makes the DLL a service.

Library: KERNEL32.dll
0x10011044 EnterCriticalSection
0x10011048 LeaveCriticalSection
0x10011050 DeleteCriticalSection
0x10011054 CreateThread
0x10011058 VirtualProtect
0x1001105c VirtualAlloc
0x10011060 LoadLibraryA
0x10011064 GetCurrentProcessId
0x10011068 GetTickCount
0x1001106c SetLastError
0x10011070 WaitForSingleObject
0x10011074 Sleep
0x10011078 FreeConsole
0x1001107c DecodePointer
0x10011080 GetCurrentProcess
0x10011084 GetLastError
0x10011088 ReleaseMutex
0x1001108c CreateMutexA
0x10011090 CloseHandle
0x10011094 CreateFileA
0x10011098 WriteFile
0x1001109c GetFileSizeEx
0x100110a0 ReadFile
0x100110a4 LocalFree
0x100110a8 LocalAlloc
0x100110ac GetCurrentThreadId
0x100110b0 GetProcAddress
0x100110b4 CreateFileW
0x100110b8 WriteConsoleW
0x100110c4 TerminateProcess
0x100110cc IsDebuggerPresent
0x100110d0 GetStartupInfoW
0x100110d4 GetModuleHandleW
0x100110e0 InitializeSListHead
0x100110e4 EncodePointer
0x100110e8 GetModuleFileNameW
0x100110ec RaiseException
0x100110f0 InterlockedFlushSList
0x100110f4 RtlUnwind
0x100110fc TlsAlloc
0x10011100 TlsGetValue
0x10011104 TlsSetValue
0x10011108 TlsFree
0x1001110c FreeLibrary
0x10011110 LoadLibraryExW
0x10011114 WideCharToMultiByte
0x10011118 ExitProcess
0x1001111c GetModuleHandleExW
0x10011120 MultiByteToWideChar
0x10011124 HeapFree
0x10011128 HeapAlloc
0x1001112c LCMapStringW
0x10011130 GetStdHandle
0x10011134 GetFileType
0x10011138 GetACP
0x1001113c IsValidCodePage
0x10011140 GetOEMCP
0x10011144 GetCPInfo
0x10011148 GetEnvironmentStringsW
0x10011150 GetProcessHeap
0x10011154 GetCommandLineA
0x10011158 GetCommandLineW
0x1001115c GetStringTypeW
0x10011160 FlushFileBuffers
0x10011164 GetConsoleCP
0x10011168 GetConsoleMode
0x1001116c SetStdHandle
0x10011170 HeapSize
0x10011174 HeapReAlloc
0x10011178 SetFilePointerEx
Library: ADVAPI32.dll
0x10011000 SystemFunction036
0x10011004 RegCreateKeyA
0x10011008 RegOpenKeyA
0x1001100c SetServiceStatus
0x10011014 RegCloseKey
0x10011018 RegQueryValueExA
0x1001101c RegCreateKeyExA
0x10011020 RegSetValueExA
0x10011024 CryptAcquireContextW
0x10011028 CryptVerifySignatureW
0x1001102c CryptCreateHash
0x10011030 CryptHashData
0x10011034 CryptDestroyHash
0x10011038 CryptImportKey
0x1001103c CryptReleaseContext

Exports

Ordinal   Address      Name
1         0x10005670   ServiceMain

A DLL whose only export is ServiceMain is built to be started by the Service Control Manager (the svchost.exe ServiceDll convention); loading it with rundll32 or a plain LoadLibrary runs DllMain and nothing else.
Strings

Notable items in the dump that follows: the service name SecureProtocolEvent, its install path C:\Windows\system32\SecureProtocolEvent.dll and a second path C:\Windows\system32\rdpyts.xsl; a service description modelled on the text of the Windows Management Instrumentation (Winmgmt) service, with "the Secure Protocol Event" and "Kernel-based software" substituted into it; the registry prefix SYSTEM\CurrentControlSet\Services\; the zlib 1.1.4 copyright notice and inflate error strings next to RTTI names for ListStore<ZipMemChain*>, PluginProvider, PluginBase and PluginReLoad, which point to compressed plugin payloads unpacked at run time; and, on the import side, CryptImportKey and CryptVerifySignatureW, consistent with a signature check on those payloads before use. The rest is MSVC CRT boilerplate (mangled-name tokens, day and month names, locale tables, API-set DLL names, the CRT ETW provider strings) and the forged version resource discussed above.

.text
`.rdata
@.data
.rsrc
@.reloc
L$ RUPj
SVWUj
Unknown exception
bad allocation
bad array new length
inflate 1.1.4 Copyright 1995-2002 Mark Adler
bad exception
Main Invoked.
Main Returned.
EventRegister
EventSetInformation
EventUnregister
EventWriteTransfer
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
CorExitProcess
GetCurrentPackageId
LCMapStringEx
LocaleNameToLCID
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
log10
log10
BC .=
"B <1=
#.X'=
?tanh
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location Awareness
LastBackup
SYSTEM\CurrentControlSet\Services\
{F147EC-C7F5-F89
InvokeMainViaCRT
"Main Invoked."
FileName
ExitMainViaCRT
"Main Returned."
FileName
Microsoft.CRTProvider
.text
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.00cfg
.CRT$XCA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
core32
ServiceMain
GetCurrentThreadId
LocalAlloc
LocalFree
ReadFile
GetFileSizeEx
WriteFile
CreateFileA
CloseHandle
CreateMutexA
ReleaseMutex
GetLastError
GetCurrentProcess
GetCurrentProcessId
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
CreateThread
VirtualProtect
VirtualAlloc
LoadLibraryA
GetProcAddress
GetTickCount
SetLastError
WaitForSingleObject
Sleep
FreeConsole
KERNEL32.dll
CryptReleaseContext
CryptImportKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptVerifySignatureW
CryptAcquireContextW
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegCloseKey
RegisterServiceCtrlHandlerA
SetServiceStatus
RegOpenKeyA
RegCreateKeyA
ADVAPI32.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
EncodePointer
GetModuleFileNameW
RaiseException
InterlockedFlushSList
RtlUnwind
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
WideCharToMultiByte
ExitProcess
GetModuleHandleExW
MultiByteToWideChar
HeapFree
HeapAlloc
LCMapStringW
GetStdHandle
GetFileType
GetACP
IsValidCodePage
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetCommandLineA
GetCommandLineW
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
HeapSize
HeapReAlloc
SetFilePointerEx
WriteConsoleW
CreateFileW
DecodePointer
SystemFunction036
1.1.4
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
SecureProtocolEvent
C:\Windows\system32\SecureProtocolEvent.dll
C:\Windows\system32\rdpyts.xsl
Secure Protocol Event
Enables a common interface and object model for the Secure Protocol Event to access management information about system update, network protocols, devices and applications. If this service is stopped, most Kernel-based software will not function properly. If this service is disabled, any services that depend on it will fail to start.
.?AVtype_info@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVbad_array_new_length@std@@
.?AVbad_exception@std@@
.?AV?$ListStore@PAD@@
.?AVPluginProvider@@
.?AVPluginBase@@
.?AV?$ListStore@PAUStringParam@@@@
.?AV?$ListStore@PAUZipMemChain@@@@
.?AV?$ListStore@PAUPluginReLoad@@@@
=+>0>4>8><>
>$?1?>?K?b?
>'>E>S>
? ?$?(?,?
; ;$;(;,;0;4;8;<;@;D;P;T;X;\;`;d;h;l;
advapi32
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
mscoree.dll
api-ms-win-appmodel-runtime-l1-1-1
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l2-1-1
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-kernel32-package-current-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
user32
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
ja-JP
zh-CN
ko-KR
zh-TW
zh-CHS
ar-SA
bg-BG
ca-ES
cs-CZ
da-DK
de-DE
el-GR
fi-FI
fr-FR
he-IL
hu-HU
is-IS
it-IT
nl-NL
nb-NO
pl-PL
pt-BR
ro-RO
ru-RU
hr-HR
sk-SK
sq-AL
sv-SE
th-TH
tr-TR
ur-PK
id-ID
uk-UA
be-BY
sl-SI
et-EE
lv-LV
lt-LT
fa-IR
vi-VN
hy-AM
az-AZ-Latn
eu-ES
mk-MK
tn-ZA
xh-ZA
zu-ZA
af-ZA
ka-GE
fo-FO
hi-IN
mt-MT
se-NO
ms-MY
kk-KZ
ky-KG
sw-KE
uz-UZ-Latn
tt-RU
bn-IN
pa-IN
gu-IN
ta-IN
te-IN
kn-IN
ml-IN
mr-IN
sa-IN
mn-MN
cy-GB
gl-ES
kok-IN
syr-SY
div-MV
quz-BO
ns-ZA
mi-NZ
ar-IQ
de-CH
en-GB
es-MX
fr-BE
it-CH
nl-BE
nn-NO
pt-PT
sr-SP-Latn
sv-FI
az-AZ-Cyrl
se-SE
ms-BN
uz-UZ-Cyrl
quz-EC
ar-EG
zh-HK
de-AT
en-AU
es-ES
fr-CA
sr-SP-Cyrl
se-FI
quz-PE
ar-LY
zh-SG
de-LU
en-CA
es-GT
fr-CH
hr-BA
smj-NO
ar-DZ
zh-MO
de-LI
en-NZ
es-CR
fr-LU
bs-BA-Latn
smj-SE
ar-MA
en-IE
es-PA
fr-MC
sr-BA-Latn
sma-NO
ar-TN
en-ZA
es-DO
sr-BA-Cyrl
sma-SE
ar-OM
en-JM
es-VE
sms-FI
ar-YE
en-CB
es-CO
smn-FI
ar-SY
en-BZ
es-PE
ar-JO
en-TT
es-AR
ar-LB
en-ZW
es-EC
ar-KW
en-PH
es-CL
ar-AE
es-UY
ar-BH
es-PY
ar-QA
es-BO
es-SV
es-HN
es-NI
es-PR
zh-CHT
af-za
ar-ae
ar-bh
ar-dz
ar-eg
ar-iq
ar-jo
ar-kw
ar-lb
ar-ly
ar-ma
ar-om
ar-qa
ar-sa
ar-sy
ar-tn
ar-ye
az-az-cyrl
az-az-latn
be-by
bg-bg
bn-in
bs-ba-latn
ca-es
cs-cz
cy-gb
da-dk
de-at
de-ch
de-de
de-li
de-lu
div-mv
el-gr
en-au
en-bz
en-ca
en-cb
en-gb
en-ie
en-jm
en-nz
en-ph
en-tt
en-us
en-za
en-zw
es-ar
es-bo
es-cl
es-co
es-cr
es-do
es-ec
es-es
es-gt
es-hn
es-mx
es-ni
es-pa
es-pe
es-pr
es-py
es-sv
es-uy
es-ve
et-ee
eu-es
fa-ir
fi-fi
fo-fo
fr-be
fr-ca
fr-ch
fr-fr
fr-lu
fr-mc
gl-es
gu-in
he-il
hi-in
hr-ba
hr-hr
hu-hu
hy-am
id-id
is-is
it-ch
it-it
ja-jp
ka-ge
kk-kz
kn-in
kok-in
ko-kr
ky-kg
lt-lt
lv-lv
mi-nz
mk-mk
ml-in
mn-mn
mr-in
ms-bn
ms-my
mt-mt
nb-no
nl-be
nl-nl
nn-no
ns-za
pa-in
pl-pl
pt-br
pt-pt
quz-bo
quz-ec
quz-pe
ro-ro
ru-ru
sa-in
se-fi
se-no
se-se
sk-sk
sl-si
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sq-al
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
sv-fi
sv-se
sw-ke
syr-sy
ta-in
te-in
th-th
tn-za
tr-tr
tt-ru
uk-ua
ur-pk
uz-uz-cyrl
uz-uz-latn
vi-vn
xh-za
zh-chs
zh-cht
zh-cn
zh-hk
zh-mo
zh-sg
zh-tw
zu-za
CONOUT$
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Microsoft Corporation
FileDescription
Windows Core Module
FileVersion
6.3.9600.16384
InternalName
Windows Core Module
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
Windows Core Module
ProductName
Operating System
ProductVersion
6.3.9600.16384
VarFileInfo
Translation
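Added example, not code from the report or from the sample: a decoder for the MSVC RTTI type-descriptor names (the .?AV... and .?AU... strings) in the dump above, which turns them into readable C++ class names without leaving the strings output. It covers the constructs present in this sample (class and struct names, namespaces, template instances, pointers with cv-qualifiers and single-letter builtin types) and raises on anything else rather than guessing; RTTI_FROM_REPORT is copied from the strings section, not generated here.

```python
"""Decode MSVC RTTI type-descriptor names (.?AV... / .?AU...) from a strings dump
into readable C++ class names. Added example, not code from the report or the
sample; it handles the constructs present in this dump and raises on anything else."""

BUILTIN = {
    "D": "char", "C": "signed char", "E": "unsigned char", "F": "short",
    "G": "unsigned short", "H": "int", "I": "unsigned int", "J": "long",
    "K": "unsigned long", "M": "float", "N": "double", "X": "void",
}
CV = {"A": "", "B": "const ", "C": "volatile ", "D": "const volatile "}


class Demangler:
    def __init__(self, text: str):
        self.s = text
        self.i = 0

    def peek(self, n: int = 1) -> str:
        return self.s[self.i:self.i + n]

    def take(self, n: int = 1) -> str:
        out = self.s[self.i:self.i + n]
        self.i += n
        return out

    def identifier(self) -> str:
        """A bare name runs up to the next '@', which is consumed."""
        end = self.s.index("@", self.i)
        ident, self.i = self.s[self.i:end], end + 1
        return ident

    def qualified_name(self) -> str:
        """Components are stored innermost first ('bad_alloc@std@'); a lone '@' closes the list."""
        parts = []
        while self.peek() != "@":
            parts.append(self.name_component())
        self.take()
        return "::".join(reversed(parts))

    def name_component(self) -> str:
        """'?$Name@<args>@' is a template instance; the argument list ends at a lone '@'."""
        if self.peek(2) != "?$":
            return self.identifier()
        self.take(2)
        base = self.identifier()
        args = []
        while self.peek() != "@":
            args.append(self.type_code())
        self.take()
        return f"{base}<{', '.join(args)}>"

    def type_code(self) -> str:
        c = self.take()
        if c == "P":                      # pointer: 'P' + cv-qualifier + pointee type
            return f"{CV[self.take()]}{self.type_code()}*"
        if c == "U":
            return "struct " + self.qualified_name()
        if c == "V":
            return "class " + self.qualified_name()
        if c in BUILTIN:
            return BUILTIN[c]
        raise NotImplementedError(f"type code {c!r} at offset {self.i - 1} in {self.s!r}")


def demangle_rtti(name: str) -> str:
    """'.?AV<qualified name>@' is the type descriptor of a class, '.?AU' of a struct."""
    d = Demangler(name)
    if d.take(3) != ".?A":
        raise ValueError(f"not an RTTI type descriptor name: {name!r}")
    kind = {"V": "class", "U": "struct"}[d.take()]
    result = f"{kind} {d.qualified_name()}"
    if d.i != len(name):
        raise ValueError(f"trailing characters in {name!r}")
    return result


def decode_rtti_strings(lines) -> dict:
    """Pick the type-descriptor names out of a strings dump and decode each one."""
    return {s: demangle_rtti(s) for s in lines if s.startswith(".?A")}


# The RTTI names exactly as they appear in the report's strings section (copied, not generated)
RTTI_FROM_REPORT = [
    ".?AVtype_info@@",
    ".?AVbad_alloc@std@@",
    ".?AVexception@std@@",
    ".?AVbad_array_new_length@std@@",
    ".?AVbad_exception@std@@",
    ".?AV?$ListStore@PAD@@",
    ".?AVPluginProvider@@",
    ".?AVPluginBase@@",
    ".?AV?$ListStore@PAUStringParam@@@@",
    ".?AV?$ListStore@PAUZipMemChain@@@@",
    ".?AV?$ListStore@PAUPluginReLoad@@@@",
]

if __name__ == "__main__":
    for raw, decoded in decode_rtti_strings(RTTI_FROM_REPORT).items():
        print(f"{raw:40} {decoded}")
```

Run against the dump, the five std:: entries are CRT exception classes and can be ignored; the remaining six (ListStore<char*>, ListStore<struct StringParam*>, ListStore<struct ZipMemChain*>, ListStore<struct PluginReLoad*>, PluginProvider, PluginBase) are the author's own types and name the plugin-loading machinery better than any other string in the file.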
Antivirus

No antivirus engine scan information.

Process tree

rundll32.exe, PID 2368, parent PID 2236

The sandbox loaded the DLL through rundll32.exe, which runs DllMain and nothing else unless an export is named on its command line. The sample's only export is ServiceMain, it imports RegisterServiceCtrlHandlerA and SetServiceStatus, and its strings carry a service name, a System32 install path and the Services registry prefix: it is written to be started by the Service Control Manager as a service DLL. Under rundll32 that code path is never entered, which is consistent with the low score, the absence of dropped files and the lack of any sample-attributable network traffic in this run. A run that installs the DLL as a service is needed before concluding that the sample is inert.

TCP

Source address    Source port   Destination address                  Destination port
192.168.122.202   49160         23.211.14.185 (acroipm.adobe.com)    80

UDP

Source address    Source port   Destination address   Destination port
192.168.122.202   50785         192.168.122.1         53

HTTP requests

URI: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

This is the only HTTP exchange in the capture. A conditional GET for message.zip from acroipm.adobe.com with User-Agent "IPM" is the in-product messaging check of the Adobe Reader install in the analysis VM, not traffic from the sample; treat it as sandbox background noise unless the behaviour log ties the socket to PID 2368.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

No files extracted from network traffic.
No files dropped.
No similar analyses found.

Processing ( 14.471 seconds )

  • 11.481 Suricata
  • 1.071 VirusTotal
  • 0.75 NetworkAnalysis
  • 0.507 Static
  • 0.345 peid
  • 0.258 TargetInfo
  • 0.032 BehaviorAnalysis
  • 0.015 AnalysisInfo
  • 0.01 Strings
  • 0.002 Memory

Signatures ( 1.435 seconds )

  • 1.339 md_url_bl
  • 0.012 antiav_detectreg
  • 0.011 md_domain_bl
  • 0.007 infostealer_ftp
  • 0.006 antiav_detectfile
  • 0.005 anomaly_persistence_autorun
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 api_spamming
  • 0.003 infostealer_im
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.002 network_torgateway
  • 0.001 antivm_vbox_libs
  • 0.001 stealth_decoy_document
  • 0.001 rat_nanocore
  • 0.001 injection_createremotethread
  • 0.001 injection_explorer
  • 0.001 betabot_behavior
  • 0.001 antivm_generic_disk
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 hancitor_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.571 seconds )

  • 0.57 ReportHTMLSummary
  • 0.001 Malheur
Task ID 592495
Mongo ID 5fc458c07e769a09e1a51c2b
Cuckoo release 1.4-Maldun