Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp03-1 | 2021-04-21 16:35:11 | 2021-04-21 16:35:43 | 32 seconds

Maldun score

2.25 (Suspicious)

File details

File name: 1.dll
File size: 111104 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 92033b0fe6be293b6a6cb419ecc3e301
SHA1: d53c0ac399b516b165602d4d5c965cd71f568211
SHA256: 70b3979acc4acd980e3fc76d1cbf0a8640ad84509056d20e3b30dec63f6b6f26
SHA512: 7bfd2c6e96c8896104d0e1310ca793aa9596dded6abde7c13197e200dd251ee3cfded12c4df52328cbb2483bc20c3a0c88937c1f596dd9150cb8c1271d39d073
CRC32: 1FB53441
Ssdeep: 3072:qQtxAfv0wnM7MYg/C3u+fG7n+Q8ozL7AhAl8Ld:qSevr06/Iu+fG7n+QZB8Ld

Hosts contacted

No host records.

Domain resolution

Domain: acroipm.adobe.com
Responses:
  CNAME acroipm.adobe.com.edgesuite.net
  A 23.218.94.163
  CNAME a1983.dscd.akamai.net
  A 23.218.94.155

This is the only name resolved during the run. The HTTP request section further down shows it is Adobe Reader's in-product messaging check (User-Agent "IPM") coming from the analysis image, so it should be read as VM background traffic unless the behaviour trace ties it to rundll32.exe.

PE information

Image base: 0x10000000
Entry point: 0x10006114
Declared checksum: 0x00000000
Actual checksum: 0x0002a988
Minimum OS version: 6.0
Compile time: 2021-04-21 16:34:11
Import hash (imphash): 3c3c3af2a7e071ac49326382418d5957

The compile timestamp is one minute before the analysis started (16:35:11): the DLL was built and submitted almost immediately. A declared checksum of zero only means the linker was not asked to compute one (link.exe does so with /RELEASE); that is the default for non-driver builds and is not by itself a tampering indicator. A non-zero declared value that disagrees with the computed one would be.

PE sections

Name    Virtual address  Virtual size  Raw size    Entropy  Characteristics
.text   0x00001000       0x0001218b    0x00012200  6.68     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
.rdata  0x00014000       0x000068d0    0x00006a00  4.90     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
.data   0x0001b000       0x00001538    0x00000a00  2.66     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.rsrc   0x0001d000       0x000000f8    0x00000200  2.52     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
.reloc  0x0001e000       0x0000148c    0x00001600  6.41     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ

Raw sizes match virtual sizes within alignment padding and the code section's entropy (6.68) is in the normal range for compiled x86 code, so the sample is not packed and static analysis can work on the file as is. The .rdata value (4.90) is what the long runtime string tables in the strings dump would produce.
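The fields in the two PE blocks above (section table, per-section entropy, declared versus actual checksum) are cheap to reproduce without a sandbox. The script below is an added example written for this page, not Maldun or Cuckoo code: it assembles a minimal PE32 DLL in memory (a constructed image, not 1.dll), parses the section table back out, computes Shannon entropy per section, recomputes the header checksum with the same algorithm CheckSumMappedFile uses, and applies the two reads an analyst makes from those numbers. The 7.2 entropy threshold, the SCN_FLAGS subset and the sample sections are my own choices.

```python
"""Section table, per-section entropy and header checksum of a PE32 image, the
fields behind the report's PE blocks. Added example for this page, not Maldun or
Cuckoo code; it parses a minimal PE32 DLL constructed below, not 1.dll itself."""
import math
import struct
from collections import Counter

SCN_FLAGS = {  # IMAGE_SCN_* bits that appear in the Characteristics column
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_checksum(image: bytes, cs_off: int) -> int:
    """CheckSum as CheckSumMappedFile computes it: 16-bit end-around-carry sum
    over the file, skipping the CheckSum field itself, plus the file length."""
    total = 0
    for off in range(0, len(image) - 1, 2):
        if not cs_off <= off < cs_off + 4:
            total += struct.unpack_from("<H", image, off)[0]
            total = (total & 0xFFFF) + (total >> 16)
    if len(image) & 1:                      # odd trailing byte counts as a zero-padded word
        total += image[-1]
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(image)

def build_pe32_dll(sections, checksum=0) -> bytes:
    """Assemble a minimal PE32 DLL (MZ stub, COFF header, optional header, section
    table, raw data). Constructed for this example and not loadable;
    `sections` is a list of (name, raw_bytes, characteristics), at most five."""
    sect_align, file_align, hdr_size = 0x1000, 0x200, 0x200
    raw_off, va, hdrs, blobs = hdr_size, 0x1000, b"", b""
    for name, data, flags in sections:
        rsize = -(-len(data) // file_align) * file_align
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, rsize,
                            raw_off, 0, 0, 0, 0, flags)
        blobs += data.ljust(rsize, b"\0")
        raw_off += rsize
        va += -(-len(data) // sect_align) * sect_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)  # i386, DLL
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0, 0, 0, 0x1000, 0x1000, 0x1000, 0x10000000,
                      sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, va, hdr_size,
                      checksum, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                          # 16 empty data directories
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(hdr_size, b"\0") + blobs

def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> optional header -> section table and
    return what the report prints, plus the checksum the file should carry."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", image, pe + 6)
    opt_size, = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    cs_off = opt + 64                                    # OptionalHeader.CheckSum
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rsize": rsize,
            "flags": "|".join(n for bit, n in sorted(SCN_FLAGS.items()) if flags & bit),
            "entropy": round(entropy(image[raw:raw + rsize]), 2),
        })
    return {"declared_checksum": struct.unpack_from("<I", image, cs_off)[0],
            "actual_checksum": pe_checksum(image, cs_off), "sections": sections}

def triage(info: dict) -> list:
    """The two reads an analyst makes from these fields; 7.2 is my threshold."""
    notes = []
    d, a = info["declared_checksum"], info["actual_checksum"]
    if d == 0:
        notes.append("CheckSum not set: linker default for non-driver images, not tampering")
    elif d != a:
        notes.append(f"CheckSum 0x{d:08x} != computed 0x{a:08x}: file modified after linking")
    for s in info["sections"]:
        if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and s["entropy"] >= 7.2:
            notes.append(f"{s['name']}: entropy {s['entropy']} in executable section, likely packed")
    return notes

SAMPLE_SECTIONS = [   # constructed; the uniform .text is there to trip the entropy check
    (".text", bytes(range(256)) * 4, 0x60000020),
    (".rdata", b"Hello, PE\0" * 50, 0x40000040),
    (".data", b"\0" * 0x100, 0xC0000040),
]

if __name__ == "__main__":
    info = parse_pe(build_pe32_dll(SAMPLE_SECTIONS))
    for s in info["sections"]:
        print(f"{s['name']:<8}0x{s['va']:08x} 0x{s['vsize']:08x} 0x{s['rsize']:08x} {s['entropy']:.2f} {s['flags']}")
    print(triage(info))
```

As a sanity check on the algorithm against this report: 0x0002a988 minus the file length 111104 (0x1b200) is 0xf788, a 16-bit value, which is the shape CheckSumMappedFile produces.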

Resources

Name         Offset      Size        Language      Sublanguage         Entropy  File type
RT_MANIFEST  0x0001d060  0x00000091  LANG_ENGLISH  SUBLANG_ENGLISH_US  4.89     XML 1.0 document text

The only resource is a 145-byte manifest: no version information and no embedded payload.

Imports

The KERNEL32 listing below skips eight IAT slots (0x10014040, 0x100140c4, 0x100140cc, 0x100140d0, 0x100140d8, 0x100140dc, 0x100140fc and 0x10014164); the import-name strings further down supply the missing names at those positions (InitializeCriticalSection, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW), so the imphash above cannot be recomputed from this table alone. Most KERNEL32 entries, IsDebuggerPresent included, are pulled in by the MSVC runtime and carry no signal. The ones that do: the complete ADVAPI32 service-control set (enumerate, open, query, reconfigure, start, stop and delete services, with the service database locked around the change); a Winsock client set that resolves nothing by name (inet_addr, htons, connect, but no gethostbyname or getaddrinfo, which fits the hard-coded destination 1.116.71.241:8000 in the traffic); CreateThread, CreateEventW and CancelIo for a threaded socket loop; and host fingerprinting through GetNativeSystemInfo, GlobalMemoryStatusEx, GetSystemDirectoryW and QueryDosDeviceW.

Library: KERNEL32.dll:
0x10014030 LocalAlloc
0x10014034 LocalFree
0x10014038 GetStartupInfoW
0x1001403c GetSystemDirectoryW
0x10014044 DeleteCriticalSection
0x10014048 EnterCriticalSection
0x1001404c VirtualFree
0x10014050 GetNativeSystemInfo
0x10014054 lstrlenW
0x10014058 GetLastError
0x1001405c QueryDosDeviceW
0x10014060 GetCurrentProcessId
0x10014064 GetCurrentThreadId
0x10014068 DecodePointer
0x1001406c VirtualAlloc
0x10014070 lstrcpyW
0x10014074 GlobalMemoryStatusEx
0x10014078 Sleep
0x1001407c SetEvent
0x10014080 CancelIo
0x10014084 CreateThread
0x10014088 ResetEvent
0x1001408c CloseHandle
0x10014090 CreateEventW
0x10014094 LeaveCriticalSection
0x10014098 LoadLibraryW
0x1001409c WriteConsoleW
0x100140a0 CreateFileW
0x100140a4 SetFilePointerEx
0x100140a8 GetConsoleMode
0x100140ac GetConsoleCP
0x100140b0 WriteFile
0x100140b4 FlushFileBuffers
0x100140b8 SetStdHandle
0x100140bc HeapReAlloc
0x100140c0 HeapSize
0x100140c8 IsDebuggerPresent
0x100140d4 GetModuleHandleW
0x100140e0 InitializeSListHead
0x100140e4 GetCurrentProcess
0x100140e8 TerminateProcess
0x100140ec RtlUnwind
0x100140f0 InterlockedFlushSList
0x100140f4 SetLastError
0x100140f8 EncodePointer
0x10014100 TlsAlloc
0x10014104 TlsGetValue
0x10014108 TlsSetValue
0x1001410c TlsFree
0x10014110 FreeLibrary
0x10014114 GetProcAddress
0x10014118 LoadLibraryExW
0x1001411c RaiseException
0x10014120 ExitProcess
0x10014124 GetModuleHandleExW
0x10014128 GetModuleFileNameW
0x1001412c HeapAlloc
0x10014130 HeapFree
0x10014134 FindClose
0x10014138 FindFirstFileExW
0x1001413c FindNextFileW
0x10014140 IsValidCodePage
0x10014144 GetACP
0x10014148 GetOEMCP
0x1001414c GetCPInfo
0x10014150 GetCommandLineA
0x10014154 GetCommandLineW
0x10014158 MultiByteToWideChar
0x1001415c WideCharToMultiByte
0x10014160 GetEnvironmentStringsW
0x10014168 LCMapStringW
0x1001416c GetProcessHeap
0x10014170 GetStdHandle
0x10014174 GetFileType
0x10014178 GetStringTypeW
0x1001417c VirtualQuery
Library: ADVAPI32.dll:
0x10014000 UnlockServiceDatabase
0x10014004 ChangeServiceConfigW
0x10014008 LockServiceDatabase
0x1001400c DeleteService
0x10014010 ControlService
0x10014014 StartServiceW
0x10014018 QueryServiceConfigW
0x1001401c OpenServiceW
0x10014020 EnumServicesStatusW
0x10014024 CloseServiceHandle
0x10014028 OpenSCManagerW
Library: WS2_32.dll:
0x10014184 send
0x10014188 recv
0x1001418c select
0x10014190 closesocket
0x10014194 WSAIoctl
0x10014198 getsockname
0x1001419c connect
0x100141a0 inet_addr
0x100141a4 htons
0x100141a8 socket
0x100141ac WSACleanup
0x100141b0 WSAStartup
0x100141b4 setsockopt
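The reads above (which IAT slots the listing skips, which API clusters are present, what the imphash covers) can be scripted over the report text itself. This is an added example written for this page, not Maldun or Cuckoo code: REPORT_IMPORTS re-types part of the table above as constructed input (all of ADVAPI32 and WS2_32, the first six KERNEL32 slots including the gap at 0x10014040); the CAPABILITIES groupings and NAME_RESOLVERS set are my own; the imphash routine follows the pefile convention and, run over an incomplete table, will not reproduce the report's value.

```python
"""Triage of an import table as the report lists it: group entries by library,
find IAT slots the listing skips, tag capability clusters and compute a
pefile-style imphash. Added example for this page, not Maldun or Cuckoo code;
REPORT_IMPORTS is an excerpt of the table above, CAPABILITIES is my grouping."""
import hashlib
import re

REPORT_IMPORTS = """\
Library: ADVAPI32.dll:
0x10014000 UnlockServiceDatabase
0x10014004 ChangeServiceConfigW
0x10014008 LockServiceDatabase
0x1001400c DeleteService
0x10014010 ControlService
0x10014014 StartServiceW
0x10014018 QueryServiceConfigW
0x1001401c OpenServiceW
0x10014020 EnumServicesStatusW
0x10014024 CloseServiceHandle
0x10014028 OpenSCManagerW
Library: KERNEL32.dll:
0x10014030 LocalAlloc
0x10014034 LocalFree
0x10014038 GetStartupInfoW
0x1001403c GetSystemDirectoryW
0x10014044 DeleteCriticalSection
0x10014048 EnterCriticalSection
Library: WS2_32.dll:
0x10014184 send
0x10014188 recv
0x1001418c select
0x10014190 closesocket
0x10014194 WSAIoctl
0x10014198 getsockname
0x1001419c connect
0x100141a0 inet_addr
0x100141a4 htons
0x100141a8 socket
0x100141ac WSACleanup
0x100141b0 WSAStartup
0x100141b4 setsockopt
"""

CAPABILITIES = {  # a tag fires only when its whole API set is imported
    "service control (SCM)": {"OpenSCManagerW", "OpenServiceW", "EnumServicesStatusW",
                              "ChangeServiceConfigW", "StartServiceW", "ControlService",
                              "DeleteService"},
    "raw TCP client": {"socket", "connect", "send", "recv"},
    "dynamic API resolution": {"LoadLibraryW", "GetProcAddress"},
}
NAME_RESOLVERS = {"gethostbyname", "getaddrinfo", "GetAddrInfoW", "WSAConnectByNameW"}
LIB_RE = re.compile(r"^Library:\s*(\S+?):?\s*$")
ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)$")

def parse_imports(text: str) -> list:
    """[(library, iat_address, name), ...] in listing order."""
    lib, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := LIB_RE.match(line):
            lib = m.group(1)
        elif lib and (m := ENTRY_RE.match(line)):
            entries.append((lib, int(m.group(1), 16), m.group(2)))
    return entries

def iat_gaps(entries: list, slot: int = 4) -> list:
    """Slot addresses missing between consecutive listed entries of one library
    (PE32 slots are 4 bytes; the null slot between libraries is not a gap)."""
    by_lib, gaps = {}, []
    for lib, addr, _ in entries:
        by_lib.setdefault(lib, []).append(addr)
    for addrs in by_lib.values():
        addrs.sort()
        for lo, hi in zip(addrs, addrs[1:]):
            gaps.extend(range(lo + slot, hi, slot))
    return gaps

def imphash_string(entries: list) -> str:
    """pefile convention: 'lib.func' lower-cased, .dll/.ocx/.sys stripped, comma-joined."""
    parts = []
    for lib, _, name in entries:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
        parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)

def imphash(entries: list) -> str:
    return hashlib.md5(imphash_string(entries).encode()).hexdigest()

def capabilities(entries: list) -> list:
    """Tags whose whole API set is present, plus the literal-IP inference."""
    names = {name for _, _, name in entries}
    tags = [tag for tag, need in CAPABILITIES.items() if need <= names]
    if "inet_addr" in names and not names & NAME_RESOLVERS:
        tags.append("connects to a literal IP (no name-resolution import)")
    return tags

if __name__ == "__main__":
    entries = parse_imports(REPORT_IMPORTS)
    print("missing IAT slots:", [hex(a) for a in iat_gaps(entries)])
    print("capabilities:", capabilities(entries), "imphash:", imphash(entries))
```

The gap finder works per library because the loader terminates each library's IAT with a null slot, so a single skipped slot between two libraries is expected and only gaps inside one library mean the listing dropped entries.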

Strings

The dump below is dominated by MSVC runtime material: C++ decorated-name fragments, the locale table (en-US through zu-za, repeated in lower case), day and month names, and api-ms-win-* API set names; none of that is a target list. The lines worth reading are the RTTI type descriptors .?AVCClientSocket@@, .?AVCManager@@, .?AVCKernelManager@@, .?AVCProcessManager@@, .?AVCServerManager@@, .?AVCShellManager@@, .?AVCWindowManager@@ and .?AVCBuffer@@, which name the sample's own classes (a socket client plus one "manager" class per function: processes, services, a shell and windows, the layout of a remote-administration tool; CClientSocket, CManager, CKernelManager, CShellManager, CWindowManager and CBuffer are the class names used in the published Gh0st RAT source and its many derivatives); the string MRemote next to them; and a run of API names cut to 15 characters (GetDiskFreeSpac, TerminateThread, GetWindowThread, DisconnectNamed, InternalGetWind, LookupPrivilege, GetComputerName, NtQuerySystemIn, CachedGetUserFr, capGetDriverDes, TerminateProces) that are absent from the import table and are therefore most likely resolved at run time through the imported GetProcAddress.

.text
`.rdata
@.data
.rsrc
@.reloc
D$$Pj
L$4Qh
SVWUj
Unknown exception
bad exception
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
operator<=>
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
`anonymous namespace'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CorExitProcess
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
AreFileApisANSI
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
log10
log10
BC .=
"B <1=
#.X'=
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
GetDiskFreeSpac
TerminateThread
GetWindowThread
DisconnectNamed
InternalGetWind
LookupPrivilege
GetComputerName
NtQuerySystemIn
CachedGetUserFr
capGetDriverDes
TerminateProces
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.00cfg
.CRT$XCA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
LoadLibraryW
CreateEventW
CloseHandle
ResetEvent
CreateThread
CancelIo
SetEvent
Sleep
GlobalMemoryStatusEx
lstrcpyW
VirtualAlloc
VirtualFree
LocalAlloc
LocalFree
GetStartupInfoW
GetSystemDirectoryW
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetNativeSystemInfo
lstrlenW
GetLastError
QueryDosDeviceW
GetCurrentProcessId
GetCurrentThreadId
KERNEL32.dll
OpenSCManagerW
CloseServiceHandle
EnumServicesStatusW
OpenServiceW
QueryServiceConfigW
StartServiceW
ControlService
DeleteService
LockServiceDatabase
ChangeServiceConfigW
UnlockServiceDatabase
ADVAPI32.dll
WSAIoctl
WS2_32.dll
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetModuleHandleW
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
GetCurrentProcess
TerminateProcess
RtlUnwind
InterlockedFlushSList
SetLastError
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
RaiseException
ExitProcess
GetModuleHandleExW
GetModuleFileNameW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleCP
GetConsoleMode
SetFilePointerEx
CreateFileW
WriteConsoleW
DecodePointer
VirtualQuery
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
MRemote
.?AVtype_info@@
.?AVbad_exception@std@@
.?AVexception@std@@
.?AVCApi@@
.?AVCClientSocket@@
.?AVCManager@@
.?AVCKernelManager@@
.?AVCProcessManager@@
.?AVCServerManager@@
.?AVCShellManager@@
.?AVCWindowManager@@
.?AVCBuffer@@
? ?$?(?,?0?4?8?
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
mscoree.dll
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
ja-JP
zh-CN
ko-KR
zh-TW
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
ntdll
api-ms-win-appmodel-runtime-l1-1-2
user32
ext-ms-
zh-CHS
ar-SA
bg-BG
ca-ES
cs-CZ
da-DK
de-DE
el-GR
fi-FI
fr-FR
he-IL
hu-HU
is-IS
it-IT
nl-NL
nb-NO
pl-PL
pt-BR
ro-RO
ru-RU
hr-HR
sk-SK
sq-AL
sv-SE
th-TH
tr-TR
ur-PK
id-ID
uk-UA
be-BY
sl-SI
et-EE
lv-LV
lt-LT
fa-IR
vi-VN
hy-AM
az-AZ-Latn
eu-ES
mk-MK
tn-ZA
xh-ZA
zu-ZA
af-ZA
ka-GE
fo-FO
hi-IN
mt-MT
se-NO
ms-MY
kk-KZ
ky-KG
sw-KE
uz-UZ-Latn
tt-RU
bn-IN
pa-IN
gu-IN
ta-IN
te-IN
kn-IN
ml-IN
mr-IN
sa-IN
mn-MN
cy-GB
gl-ES
kok-IN
syr-SY
div-MV
quz-BO
ns-ZA
mi-NZ
ar-IQ
de-CH
en-GB
es-MX
fr-BE
it-CH
nl-BE
nn-NO
pt-PT
sr-SP-Latn
sv-FI
az-AZ-Cyrl
se-SE
ms-BN
uz-UZ-Cyrl
quz-EC
ar-EG
zh-HK
de-AT
en-AU
es-ES
fr-CA
sr-SP-Cyrl
se-FI
quz-PE
ar-LY
zh-SG
de-LU
en-CA
es-GT
fr-CH
hr-BA
smj-NO
ar-DZ
zh-MO
de-LI
en-NZ
es-CR
fr-LU
bs-BA-Latn
smj-SE
ar-MA
en-IE
es-PA
fr-MC
sr-BA-Latn
sma-NO
ar-TN
en-ZA
es-DO
sr-BA-Cyrl
sma-SE
ar-OM
en-JM
es-VE
sms-FI
ar-YE
en-CB
es-CO
smn-FI
ar-SY
en-BZ
es-PE
ar-JO
en-TT
es-AR
ar-LB
en-ZW
es-EC
ar-KW
en-PH
es-CL
ar-AE
es-UY
ar-BH
es-PY
ar-QA
es-BO
es-SV
es-HN
es-NI
es-PR
zh-CHT
af-za
ar-ae
ar-bh
ar-dz
ar-eg
ar-iq
ar-jo
ar-kw
ar-lb
ar-ly
ar-ma
ar-om
ar-qa
ar-sa
ar-sy
ar-tn
ar-ye
az-az-cyrl
az-az-latn
be-by
bg-bg
bn-in
bs-ba-latn
ca-es
cs-cz
cy-gb
da-dk
de-at
de-ch
de-de
de-li
de-lu
div-mv
el-gr
en-au
en-bz
en-ca
en-cb
en-gb
en-ie
en-jm
en-nz
en-ph
en-tt
en-us
en-za
en-zw
es-ar
es-bo
es-cl
es-co
es-cr
es-do
es-ec
es-es
es-gt
es-hn
es-mx
es-ni
es-pa
es-pe
es-pr
es-py
es-sv
es-uy
es-ve
et-ee
eu-es
fa-ir
fi-fi
fo-fo
fr-be
fr-ca
fr-ch
fr-fr
fr-lu
fr-mc
gl-es
gu-in
he-il
hi-in
hr-ba
hr-hr
hu-hu
hy-am
id-id
is-is
it-ch
it-it
ja-jp
ka-ge
kk-kz
kn-in
kok-in
ko-kr
ky-kg
lt-lt
lv-lv
mi-nz
mk-mk
ml-in
mn-mn
mr-in
ms-bn
ms-my
mt-mt
nb-no
nl-be
nl-nl
nn-no
ns-za
pa-in
pl-pl
pt-br
pt-pt
quz-bo
quz-ec
quz-pe
ro-ro
ru-ru
sa-in
se-fi
se-no
se-se
sk-sk
sl-si
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sq-al
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
sv-fi
sv-se
sw-ke
syr-sy
ta-in
te-in
th-th
tn-za
tr-tr
tt-ru
uk-ua
ur-pk
uz-uz-cyrl
uz-uz-latn
vi-vn
xh-za
zh-chs
zh-cht
zh-cn
zh-hk
zh-mo
zh-sg
zh-tw
zu-za
CONOUT$
No antivirus engine scan results.

Process tree

rundll32.exe, PID 2464, parent PID 2152

The sandbox loaded the DLL through rundll32.exe; no child processes were recorded during the 32-second run.

TCP

Source | Source port | Destination | Destination port
192.168.122.201 | 49160 | 1.116.71.241 | 8000
192.168.122.201 | 49162 | 23.218.94.163 (acroipm.adobe.com) | 80

The connection to 1.116.71.241:8000 has no DNS lookup, no hostname, no HTTP decode and no Suricata alert behind it; it is the one flow to chase, and it is what a Winsock client built on inet_addr and connect, with no name-resolution import, looks like on the wire.

UDP

Source | Source port | Destination | Destination port
192.168.122.201 | 59401 | 192.168.122.1 | 53


HTTP requests

URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

The User-Agent "IPM" and the /11/rdr/ path are Adobe Reader 11's in-product messaging check, and the 2017 If-Modified-Since date is the cached state of the analysis image; this request is background traffic of the VM, not sample activity.
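Separating sandbox background traffic from the sample's own connections is the routine step behind the notes above: map every IP that appeared in a DNS answer back to the queried name, then treat public destinations with no such mapping as hard-coded. The script below is an added example written for this page, not Maldun or Cuckoo code. DNS_TABLE and TCP_TABLE re-type this report's own rows as constructed input; the Suricata rule text and the sid range it emits are placeholders to adapt.

```python
"""Which captured TCP destinations were reached through a DNS answer and which
were hard-coded, from the report's DNS and TCP tables. Added example for this
page, not Maldun or Cuckoo code; DNS_TABLE and TCP_TABLE re-type the rows above
as constructed input, and the Suricata rule text and sid range are placeholders."""
import ipaddress

DNS_TABLE = """\
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
A 23.218.94.163
CNAME a1983.dscd.akamai.net
A 23.218.94.155
"""
TCP_TABLE = """\
192.168.122.201 49160 1.116.71.241 8000
192.168.122.201 49162 23.218.94.163 acroipm.adobe.com 80
"""

def parse_dns(text: str):
    """The report prints the queried name only on the first row of an answer;
    later rows carry just '<type> <value>'. Every address record in the answer
    is credited to the queried name and CNAME targets become its aliases."""
    ip_to_name, aliases, qname = {}, {}, None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            qname, rtype, value = fields
        elif len(fields) == 2 and qname:
            rtype, value = fields
        else:
            continue
        if rtype in ("A", "AAAA"):
            ip_to_name[value] = qname
        elif rtype == "CNAME":
            aliases[value] = qname
    return ip_to_name, aliases

def parse_tcp(text: str) -> list:
    """Rows are 'src sport dst [name] dport'; the sandbox inserts the name only
    when the destination matched a DNS answer it saw."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4:
            src, sport, dst, dport = f
        elif len(f) == 5:
            src, sport, dst, _, dport = f
        else:
            continue
        flows.append((src, int(sport), dst, int(dport)))
    return flows

def classify(flows: list, ip_to_name: dict) -> list:
    """Attach the resolved name (if any) and a verdict to each destination."""
    out = []
    for _, _, dst, dport in flows:
        if ipaddress.ip_address(dst).is_private:
            kind = "local infrastructure"
        elif dst in ip_to_name:
            kind = "resolved via DNS"
        else:
            kind = "hard-coded IP: no DNS answer in the capture"
        out.append({"dst": dst, "port": dport, "name": ip_to_name.get(dst), "kind": kind})
    return out

def suricata_rules(findings: list, sid_base: int = 1000001) -> list:
    """One alert per hard-coded public destination; sid_base is a placeholder in
    the local-rule range, adjust it to your own allocation."""
    hits = [f for f in findings if f["kind"].startswith("hard-coded")]
    return [f'alert tcp $HOME_NET any -> {f["dst"]} {f["port"]} '
            f'(msg:"sandbox hard-coded destination {f["dst"]}:{f["port"]}"; '
            f'flow:to_server,established; sid:{sid_base + i}; rev:1;)'
            for i, f in enumerate(hits)]

if __name__ == "__main__":
    ip_to_name, _ = parse_dns(DNS_TABLE)
    findings = classify(parse_tcp(TCP_TABLE), ip_to_name)
    for f in findings:
        print(f'{f["dst"]}:{f["port"]:<5} {f["name"] or "-":<20} {f["kind"]}')
    print("\n".join(suricata_rules(findings)))
```

The rule it emits for 1.116.71.241:8000 is a triage aid for the capture at hand, not an attribution; the destination earns that label only from the absence of a lookup and the sample's own lack of name-resolution imports.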

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

Network-extracted files: none.
Dropped files: none.
Similar analyses: none found.

Processing ( 13.862 seconds )

  • 10.659 Suricata
  • 1.152 VirusTotal
  • 0.748 NetworkAnalysis
  • 0.549 Static
  • 0.33 peid
  • 0.267 TargetInfo
  • 0.133 BehaviorAnalysis
  • 0.011 Strings
  • 0.009 AnalysisInfo
  • 0.004 Memory

Signatures ( 1.443 seconds )

  • 1.316 md_url_bl
  • 0.019 antiav_detectreg
  • 0.01 md_domain_bl
  • 0.008 infostealer_ftp
  • 0.007 api_spamming
  • 0.006 stealth_timeout
  • 0.005 stealth_decoy_document
  • 0.005 anomaly_persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_im
  • 0.004 antianalysis_detectreg
  • 0.004 geodo_banking_trojan
  • 0.004 ransomware_files
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_mail
  • 0.003 network_http
  • 0.003 ransomware_extensions
  • 0.002 tinba_behavior
  • 0.002 mimics_filetime
  • 0.002 reads_self
  • 0.002 shifu_behavior
  • 0.002 virus
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 network_torgateway
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 stealth_file
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_disk
  • 0.001 cerber_behavior
  • 0.001 hancitor_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.499 seconds )

  • 0.456 ReportHTMLSummary
  • 0.043 Malheur
Task ID 631802
Mongo ID 607fe3f97e769a0f72493a96
Cuckoo release 1.4-Maldun