Analysis task

Analysis type    VM label                  Start time           End time             Duration
File (Windows)   win7-sp1-x64-shaapp03-2   2021-04-08 23:34:03  2021-04-08 23:36:09  126 seconds

Maldun score

0.4665 (verdict: normal)

File details

File name   svchost.exe
File size   53248 bytes
File type   PE32 executable (GUI) Intel 80386, for MS Windows
MD5         2db244826671998acbeee87f6b234a18
SHA1        7019210ed30128ca7e332c200b8fa0b0f628f59c
SHA256      fb848cfe672a23bd84a0ec35fd35407cd1587386cceb407501c5a7cd1e31233d
SHA512      f490e0b141a53da4c52a0dfdd2ee2f947a0355d40d7e49dfa3538be7b4ab7c33a207f51f189a9e58f74d72c2a96bb7b5bff7e88b8c586ddd24baf2903c475e60
CRC32       B1A10589
Ssdeep      1536:IcG6yPzKSHJs/sSY+A37feaCMJDmYsLIb4PvYqHB/AdGW:ITGSHJs/sSDADeak7dJHB/AdGW

Hosts accessed

No host records.

DNS resolution

Domain                      Type   Response
acroipm.adobe.com           A      23.223.195.201
                            CNAME  acroipm.adobe.com.edgesuite.net
                            CNAME  a1983.dscd.akamai.net
                            A      23.223.195.194
raw.githubusercontent.com   A      185.199.109.133
                            A      185.199.111.133
                            A      185.199.110.133
                            A      185.199.108.133


PE information

Image base            0x01000000
Entry point           0x0100114c
Declared checksum     0x00017375
Computed checksum     0x000122c0
Minimum OS version    5.1
PDB path              svchost.pdb
Compile time          2008-04-14 03:15:12
Import hash (imphash) 7a06bdb902da41a74668875a6c42864b

The checksum declared in the optional header does not match the checksum computed over the file. The user-mode loader does not enforce this field (it is checked for drivers and a few boot-time images), so the file still runs, but Microsoft-shipped OS binaries carry a correct value; a mismatch means the bytes on disk were changed after the header was produced. The compile time (2008-04-14) and minimum OS version 5.1 are consistent with the XP SP3 build string (xpsp.080413-2111) in the version resource, so the header metadata is internally consistent with a Windows XP svchost.exe while the checksum is not.

Version information

The version table in the original report rendered with empty values; the values below are taken from the VS_VERSION_INFO strings in the strings dump further down this same report.

LegalCopyright    Microsoft Corporation. All rights reserved.
InternalName      svchost.exe
FileVersion       5.1.2600.5512 (xpsp.080413-2111)
CompanyName       Microsoft Corporation
ProductName       Operating System
ProductVersion    5.1.2600.5512
FileDescription   Generic Host Process for Win32 Services
OriginalFilename  svchost.exe
Translation       0x0409 / 0x04B0 (en-US, Unicode; from the StringFileInfo block name 040904B0)

Version strings are trivially copied from a genuine binary; they should be weighed against the checksum mismatch and the section anomalies noted in this report rather than taken as identification.

PE sections

Name   Virtual address  Virtual size  Raw size    Characteristics                                                                  Entropy
.text  0x00001000       0x00002c00    0x00002c00  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  6.56
.data  0x00004000       0x00000210    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE            1.62
.rsrc  0x00005000       0x00009c2a    0x00009e00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                                7.79

Two things in this table deserve attention. .text carries IMAGE_SCN_MEM_WRITE as well as IMAGE_SCN_MEM_EXECUTE; a normally linked MSVC code section is CODE|EXECUTE|READ only, and a writable code section is typical of self-modifying or packed code. .rsrc has an entropy of 7.79 (random or encrypted data sits near 8.0) over 0x9e00 raw bytes, yet the only resource enumerated below is a 0x3a8-byte RT_VERSION entry, so some 39 KB of that section is high-entropy data that the resource directory does not describe. That region is worth carving and inspecting separately.

Resources

Name        Offset      Size        Language      Sub-language        Entropy  File type
RT_VERSION  0x00005060  0x000003a8  LANG_ENGLISH  SUBLANG_ENGLISH_US  3.57     data
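The checks a reviewer would run on the numbers in the PE information, section and resource tables above (declared versus computed checksum, writable code sections, per-section entropy), as an added example that is not part of the sandbox report and not Maldun/Cuckoo code. It is standard-library Python and runs on a small PE32 image that the block constructs in memory; that image's layout and byte contents are invented for the demonstration and are not bytes of the analysed svchost.exe.

```python
"""Static PE triage for what the PE information and section tables above
raise: header checksum, section permission flags, per-section entropy.
Added example, not code from the Maldun/Cuckoo report; standard library only.
It runs on a small PE32 image that build_sample_pe() constructs in memory;
that image's layout and contents are invented for the demo, not bytes of the
analysed svchost.exe."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, near 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Optional-header CheckSum: 16-bit words summed with end-around carry,
    the CheckSum field itself counted as zero, plus the file length."""
    total, padded = 0, data + b"\0" * (len(data) % 2)
    for off in range(0, len(padded), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return (total + len(data)) & 0xFFFFFFFF

def parse_pe(data: bytes) -> dict:
    """Parse the PE32 pieces needed for triage (no imports/resources)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    checksum_off = opt + 64
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize,
                         "characteristics": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"declared_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "computed_checksum": pe_checksum(data, checksum_off),
            "sections": sections}

def triage(data: bytes) -> list:
    """Reviewer findings as plain strings (empty list = nothing flagged)."""
    info, findings = parse_pe(data), []
    if info["declared_checksum"] != info["computed_checksum"]:
        findings.append("checksum mismatch: declared 0x%08x, computed 0x%08x"
                        % (info["declared_checksum"], info["computed_checksum"]))
    for s in info["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append("%s: writable and executable" % s["name"])
        if s["entropy"] > 7.0:
            findings.append("%s: entropy %.2f, packed or encrypted data?" % (s["name"], s["entropy"]))
    return findings

def build_sample_pe(declared_checksum: int = 0x00017375) -> bytes:
    """Constructed two-section PE32 (writable .text, high-entropy .rsrc).
    Every field value here is invented for the demonstration."""
    text = b"\x90" * 256 + bytes(range(256))                        # 0x200 bytes, low entropy
    rsrc = b"".join(hashlib.sha256(b"demo%d" % i).digest() for i in range(32))  # 0x400 bytes, ~8 bits/byte
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, len(text), len(rsrc), 0, 0x1000, 0x1000, 0x2000,
                      0x01000000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1,
                      0, 0x3000, 0x200, declared_checksum, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    sec = "<8sIIIIIIHHI"
    hdrs = struct.pack(sec, b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    hdrs += struct.pack(sec, b".rsrc", len(rsrc), 0x2000, len(rsrc), 0x400, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    headers = dos + b"PE\0\0" + coff + opt + hdrs                   # 392 bytes, padded to 0x200
    return headers.ljust(0x200, b"\0") + text + rsrc

if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print(finding)
```

On a real file, replace build_sample_pe() with the bytes read from disk; the same three findings (checksum mismatch, writable code, a near-8.0 section) are what the report's tables show for this sample. The checksum routine skips the CheckSum dword itself, which is why rebuilding the sample image with the computed value written into the header makes the mismatch disappear without changing the computed result.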

Imports

The IAT listing below is the one the report extracted. It skips several slots (0x1001004, 0x100100c, 0x1001010, 0x1001014 and others), and the function names missing from it (StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW, SetSecurityDescriptorDacl, RpcServerUseProtseqEpW among them) appear in the strings dump further down. Taken together the imports are the service-host set expected of svchost.exe: service control (StartServiceCtrlDispatcherW, SetServiceStatus), RPC endpoint setup over named pipes (RpcServerUseProtseqEpW, RpcServerRegisterIf, RpcServerListen, with the ncacn_np and \PIPE\ strings), SID and ACL handling in ntdll and ADVAPI32, and registry reads under Software\Microsoft\Windows NT\CurrentVersion\Svchost.

Library: ADVAPI32.dll:
0x1001000 RegQueryValueExW
0x1001008 SetEntriesInAclW
0x1001018 GetTokenInformation
0x100101c OpenProcessToken
0x1001020 OpenThreadToken
0x1001024 SetServiceStatus
0x100102c RegCloseKey
0x1001030 RegOpenKeyExW
Library: KERNEL32.dll:
0x100103c HeapFree
0x1001040 GetLastError
0x1001044 WideCharToMultiByte
0x1001048 lstrlenW
0x100104c LocalFree
0x1001050 GetCurrentProcess
0x1001054 GetCurrentThread
0x1001058 GetProcAddress
0x100105c LoadLibraryExW
0x1001060 LeaveCriticalSection
0x1001064 HeapAlloc
0x1001068 EnterCriticalSection
0x100106c LCMapStringW
0x1001070 FreeLibrary
0x1001074 lstrcpyW
0x100107c lstrcmpiW
0x1001080 ExitProcess
0x1001084 GetCommandLineW
0x100108c GetProcessHeap
0x1001090 SetErrorMode
0x10010a0 LoadLibraryA
0x10010a8 GetTickCount
0x10010ac GetCurrentThreadId
0x10010b0 GetCurrentProcessId
0x10010b8 TerminateProcess
0x10010c0 LocalAlloc
0x10010c4 lstrcmpW
0x10010c8 DelayLoadFailureHook
Library: ntdll.dll:
0x10010d0 NtQuerySecurityObject
0x10010d4 RtlFreeHeap
0x10010d8 NtOpenKey
0x10010dc wcscat
0x10010e0 wcscpy
0x10010e4 RtlAllocateHeap
0x10010ec RtlInitUnicodeString
0x10010f0 RtlInitializeSid
0x10010f4 RtlLengthRequiredSid
0x10010f8 RtlSubAuthoritySid
0x10010fc NtClose
0x100110c RtlGetAce
0x1001110 RtlImageNtHeader
0x1001114 wcslen
0x100111c RtlCopySid
Library: RPCRT4.dll:
0x1001130 RpcServerUnregisterIf
0x1001134 RpcServerListen
0x100113c RpcServerRegisterIf
0x1001140 I_RpcMapWin32Status
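How the import hash (imphash) value in the PE information section is derived from an import list like the one above, as an added example that is not code from the report or from Maldun/Cuckoo. It is standard-library Python; the SAMPLE text is a constructed excerpt written in the report's own "Library: X.dll:" / "0x... Name" layout. Imports by ordinal are not resolved here, and the report's IAT listing is itself incomplete, so this will not reproduce the report's 7a06bdb9... value for the real file; it shows the algorithm and its properties.

```python
"""Derivation of the import hash (imphash) shown in the PE information above.
Added example, standard library only; not Maldun/Cuckoo code. SAMPLE is a
constructed excerpt in the report's own import-listing format. Ordinal
imports are not resolved, so this is the algorithm, not a reproduction of
the report's value for the real file."""
import hashlib


def imphash(imports):
    """imports: (dll, function) pairs in import-table order.

    imphash = MD5 of 'dll.func' entries joined by ',', everything lower-cased,
    with a .dll/.ocx/.sys extension stripped from the library name. Order
    matters: the same functions imported in a different order hash differently.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append("%s.%s" % (lib, func.lower()))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def parse_report_imports(text):
    """Turn the report's 'Library: X.dll:' / '0x... Name' lines into ordered (dll, function) pairs."""
    imports, dll = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Library:"):
            dll = line[len("Library:"):].strip().rstrip(":")
        elif dll and line.startswith("0x"):
            imports.append((dll, line.split()[-1]))
    return imports


# Constructed excerpt in the report's format (the first entries of each library above).
SAMPLE = """\
Library: ADVAPI32.dll:
0x1001000 RegQueryValueExW
0x1001008 SetEntriesInAclW
Library: KERNEL32.dll:
0x100103c HeapFree
0x1001040 GetLastError
Library: ntdll.dll:
0x10010d0 NtQuerySecurityObject
Library: RPCRT4.dll:
0x1001130 RpcServerUnregisterIf
"""


def sample_imphash():
    return imphash(parse_report_imports(SAMPLE))


if __name__ == "__main__":
    for dll, func in parse_report_imports(SAMPLE):
        print("%-14s %s" % (dll, func))
    print("imphash:", sample_imphash())
```

Because the hash depends only on the import names and their order, two files built from the same source with the same linker settings share an imphash even when their code and resources differ, which is what makes it a pivot for clustering samples; conversely, a single added or reordered import changes it completely.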

Strings (printable strings extracted from the file)

.text
.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
F;5`@
QRPhh2
NETAPI32.dll
ole32.dll
Netbios
CoInitializeEx
CoInitializeSecurity
ADVAPI32.dll
KERNEL32.dll
ntdll.dll
RPCRT4.dll
RegQueryValueExW
SetSecurityDescriptorDacl
SetEntriesInAclW
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
GetTokenInformation
OpenProcessToken
OpenThreadToken
SetServiceStatus
RegisterServiceCtrlHandlerW
RegCloseKey
RegOpenKeyExW
StartServiceCtrlDispatcherW
HeapFree
GetLastError
WideCharToMultiByte
lstrlenW
LocalFree
GetCurrentProcess
GetCurrentThread
GetProcAddress
LoadLibraryExW
LeaveCriticalSection
HeapAlloc
EnterCriticalSection
LCMapStringW
FreeLibrary
lstrcpyW
ExpandEnvironmentStringsW
lstrcmpiW
ExitProcess
GetCommandLineW
InitializeCriticalSection
GetProcessHeap
SetErrorMode
SetUnhandledExceptionFilter
RegisterWaitForSingleObject
InterlockedCompareExchange
LoadLibraryA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
LocalAlloc
lstrcmpW
DelayLoadFailureHook
NtQuerySecurityObject
RtlFreeHeap
NtOpenKey
wcscat
wcscpy
RtlAllocateHeap
RtlCompareUnicodeString
RtlInitUnicodeString
RtlInitializeSid
RtlLengthRequiredSid
RtlSubAuthoritySid
NtClose
RtlSubAuthorityCountSid
RtlGetDaclSecurityDescriptor
RtlQueryInformationAcl
RtlGetAce
RtlImageNtHeader
wcslen
RtlUnhandledExceptionFilter
RtlCopySid
RpcServerUnregisterIfEx
RpcMgmtWaitServerListen
RpcMgmtSetServerStackSize
RpcServerUnregisterIf
RpcServerListen
RpcServerUseProtseqEpW
RpcServerRegisterIf
I_RpcMapWin32Status
RpcMgmtStopServerListening
svchost.pdb
'p1\\
\2EUG
-(JEj
ServiceDllUnloadOnStop
eventlog
ncacn_np
\PIPE\
DefaultRpcStackSize
AuthenticationCapabilities
ImpersonationLevel
AuthenticationLevel
CoInitializeSecurityParam
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
Generic Host Process for Win32 Services
FileVersion
5.1.2600.5512 (xpsp.080413-2111)
InternalName
svchost.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
svchost.exe
ProductName
Operating System
ProductVersion
5.1.2600.5512
VarFileInfo
Translation

Antivirus

No antivirus engine scan results available.

Process tree

svchost.exe, PID: 2580, parent PID: 2228

Only this one process was recorded, with no child processes. The per-process behaviour log (file, registry and API activity) is not part of the visible report, so none of the network traffic below can be tied to PID 2580 from this page.


TCP

Source           Source port  Destination                                  Destination port
192.168.122.202  49161        185.199.109.133 (raw.githubusercontent.com)  443
192.168.122.202  49160        23.223.195.201 (acroipm.adobe.com)           80

The capture covers the whole analysis VM and is not attributed to a process. The port 80 flow is the Adobe Reader request shown under HTTP requests. For the port 443 flow to raw.githubusercontent.com no TLS session was logged (see TLS below), so nothing is known about what, if anything, was exchanged, and it cannot be attributed to the sample from this report alone.

UDP

Source           Source port  Destination    Destination port
192.168.122.202  50785        192.168.122.1  53
192.168.122.202  62960        192.168.122.1  53

Both are the lookups listed under DNS resolution, sent to the lab resolver at 192.168.122.1.

HTTP requests

URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

This is Adobe Reader's in-product messaging (IPM) check (acroipm = Acrobat in-product messaging; the path names Reader 11 and the CHS locale), i.e. background traffic from the Adobe Reader installed in the analysis VM. The If-Modified-Since header shows it is a routine refresh of a message bundle fetched earlier, and nothing in the report ties it to the sample. Sandbox network captures routinely contain such OS and application noise; strip it before treating any destination as an indicator.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files were extracted from network traffic.
No dropped files were recorded.
No similar analyses were found.

Processing ( 15.814 seconds )

Time spent in each processing module:

  • 10.621 Suricata
  • 1.764 NetworkAnalysis
  • 1.488 VirusTotal
  • 0.952 BehaviorAnalysis
  • 0.361 Static
  • 0.306 peid
  • 0.269 TargetInfo
  • 0.047 AnalysisInfo
  • 0.004 Strings
  • 0.002 Memory

Signatures ( 1.953 seconds )

Time spent evaluating each signature module. This is a runtime breakdown of every signature that was run, not the list of signatures that matched; the matched signatures are only shown after login on the original page.

  • 1.372 md_url_bl
  • 0.078 antiav_detectreg
  • 0.054 api_spamming
  • 0.042 stealth_timeout
  • 0.041 stealth_decoy_document
  • 0.032 infostealer_ftp
  • 0.019 infostealer_im
  • 0.017 antiav_detectfile
  • 0.016 antianalysis_detectreg
  • 0.015 mimics_filetime
  • 0.014 reads_self
  • 0.014 shifu_behavior
  • 0.013 antivm_generic_disk
  • 0.013 virus
  • 0.013 md_domain_bl
  • 0.012 stealth_file
  • 0.011 bootkit
  • 0.011 anomaly_persistence_autorun
  • 0.011 infostealer_bitcoin
  • 0.011 infostealer_mail
  • 0.01 hancitor_behavior
  • 0.007 betabot_behavior
  • 0.007 antivm_vbox_files
  • 0.007 geodo_banking_trojan
  • 0.005 kibex_behavior
  • 0.005 antivm_generic_scsi
  • 0.004 antiemu_wine_func
  • 0.004 infostealer_browser_password
  • 0.004 kovter_behavior
  • 0.004 antivm_xen_keys
  • 0.004 darkcomet_regkeys
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 maldun_anomaly_massive_file_ops
  • 0.003 injection_createremotethread
  • 0.003 antivm_generic_diskreg
  • 0.003 antivm_parallels_keys
  • 0.003 network_http
  • 0.003 recon_fingerprint
  • 0.002 tinba_behavior
  • 0.002 network_tor
  • 0.002 rat_nanocore
  • 0.002 antivm_generic_services
  • 0.002 anormaly_invoke_kills
  • 0.002 injection_runpe
  • 0.002 antidbg_devices
  • 0.002 antisandbox_productid
  • 0.002 disables_browser_warn
  • 0.002 network_torgateway
  • 0.002 rat_pcclient
  • 0.001 hawkeye_behavior
  • 0.001 antivm_vbox_libs
  • 0.001 antiav_avast_libs
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 exec_crash
  • 0.001 encrypted_ioc
  • 0.001 cerber_behavior
  • 0.001 bypass_firewall
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_xen_keys
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_acpi
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 codelux_behavior
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 packer_armadillo_regkey
  • 0.001 recon_programs
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.679 seconds )

Time spent in each reporting module:

  • 0.571 ReportHTMLSummary
  • 0.108 Malheur

Task ID 628816
Mongo ID 606f23077e769a06aceb2ba2
Cuckoo release 1.4-Maldun