Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-1  2021-09-22 15:09:30  2021-09-22 15:11:34  124 seconds

Maldun score

8.025

Dangerous

File details

File name services.exe
File size 2241536 bytes
File type PE32+ executable (GUI) x86-64, for MS Windows
MD5 1902c971c94f3e72ffe4d7b96e37bf1a
SHA1 938da96d696495a85ccf67b5605337de7bbadf85
SHA256 b07bf075827c99df2259bea650e9acba20c23b6a5b0952bcfc9149b848f27709
SHA512 201e59dc0d7327db05fb218b0de927bb3265dd6f54fe4c59d834c23303d1a786b5e4aab239e2a64d771c3ebf3ea726b4326249b08bfe716c03e857d625aaf406
CRC32 A785F724
Ssdeep 49152:OyW/jGnsDn5ADJ7xtRvgh9ilOTU6pqy4CKDpm/EISHbep:WADdoiYNd4ysH



Hosts contacted

Direct IP  Security rating  Location
104.123.71.146  United States

DNS resolution

Domain  Security rating  Response
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
A 104.123.71.146
CNAME a1983.dscd.akamai.net
A 104.123.71.144


PE information

Image base 0x140000000
Entry point 0x1400356fc
Declared checksum 0x00000000
Actual checksum 0x00225cf3
Minimum OS version required 6.0
PDB path D:\Project\miner\xmr-stak-2.4.2\project\bin\Release_SlowSlow\xmr-stak.pdb
Compile time 2021-07-31 04:47:25
Import hash 3e6fde31d4be40441f7c76092859d580

Version information

ProductVersion
ProductName
FileVersion
FileDescription
Translation

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x00096a7e 0x00096c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.50
.rdata 0x00098000 0x000241ba 0x00024200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.76
.data 0x000bd000 0x00004de4 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.58
.pdata 0x000c2000 0x000077f4 0x00007800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.97
.gfids 0x000ca000 0x000001f0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.11
.rsrc 0x000cb000 0x0015cb20 0x0015cc00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.62
.reloc 0x00228000 0x000008ec 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.17

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
BIN 0x000cb2f0 0x0015c090 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.62 PE32+ executable (native) x86-64, for MS Windows
RT_VERSION 0x000cb0f0 0x000001fc LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.47 data
RT_MANIFEST 0x00227380 0x0000079a LANG_ENGLISH SUBLANG_ENGLISH_US 5.15 XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

Imports

Library: WSOCK32.dll:
0x1400986f0 htons
0x1400986f8 bind
0x140098700 inet_ntoa
0x140098708 recv
0x140098710 setsockopt
0x140098718 socket
0x140098720 gethostbyname
0x140098728 WSAStartup
0x140098730 WSACleanup
0x140098738 WSAGetLastError
0x140098740 send
0x140098748 ntohs
0x140098750 connect
0x140098758 closesocket
0x140098760 ioctlsocket
Library: KERNEL32.dll:
0x140098118 LeaveCriticalSection
0x140098120 DeleteCriticalSection
0x140098128 GetProcessId
0x140098130 OpenProcess
0x140098138 GetTickCount
0x140098140 GetVersionExA
0x140098148 FreeLibrary
0x140098150 GetModuleHandleA
0x140098158 GetProcAddress
0x140098160 LoadLibraryA
0x140098168 SetCurrentDirectoryA
0x140098170 GetCommandLineA
0x140098178 GetFileSize
0x140098180 ReadFile
0x140098188 SetFilePointer
0x140098190 OutputDebugStringA
0x140098198 DeviceIoControl
0x1400981a0 GetProcessTimes
0x1400981a8 GetSystemTimeAsFileTime
0x1400981b0 GetSystemInfo
0x1400981b8 MapViewOfFile
0x1400981c0 UnmapViewOfFile
0x1400981c8 GetLargePageMinimum
0x1400981d0 LoadResource
0x1400981d8 LockResource
0x1400981e0 SizeofResource
0x1400981e8 GlobalAlloc
0x1400981f0 GlobalFree
0x1400981f8 LocalAlloc
0x140098200 CreateFileMappingA
0x140098208 OpenFileMappingA
0x140098210 FindResourceA
0x140098218 WideCharToMultiByte
0x140098220 CreateToolhelp32Snapshot
0x140098228 Process32First
0x140098230 Process32Next
0x140098238 K32GetModuleFileNameExA
0x140098240 FindClose
0x140098248 FindFirstFileA
0x140098250 FindNextFileA
0x140098258 GetFileAttributesA
0x140098260 WriteFile
0x140098268 EnterCriticalSection
0x140098270 GetFullPathNameA
0x140098278 WaitForSingleObject
0x140098280 CreateEventA
0x140098288 CopyFileA
0x140098290 GetCurrentDirectoryA
0x140098298 CreateDirectoryA
0x1400982a0 LocalFileTimeToFileTime
0x1400982a8 SetFileTime
0x1400982b0 SystemTimeToFileTime
0x1400982b8 GlobalMemoryStatusEx
0x1400982c8 FileTimeToSystemTime
0x1400982d0 SetEnvironmentVariableA
0x1400982d8 FreeEnvironmentStringsW
0x1400982e0 GetEnvironmentStringsW
0x1400982e8 GetCommandLineW
0x1400982f0 GetCPInfo
0x1400982f8 GetOEMCP
0x140098300 IsValidCodePage
0x140098308 FindNextFileW
0x140098310 FindFirstFileExW
0x140098318 FindFirstFileExA
0x140098320 GetTimeZoneInformation
0x140098328 FlushFileBuffers
0x140098330 ReadConsoleW
0x140098338 GetConsoleMode
0x140098340 GetConsoleCP
0x140098348 GetFileType
0x140098350 EnumSystemLocalesW
0x140098358 GetUserDefaultLCID
0x140098360 IsValidLocale
0x140098368 EncodePointer
0x140098370 SetLastError
0x140098378 InterlockedFlushSList
0x140098388 RtlUnwindEx
0x1400983a0 QueryPerformanceCounter
0x1400983a8 GetLocalTime
0x1400983b0 GetCurrentThreadId
0x1400983b8 GetCurrentProcessId
0x1400983c0 GetCurrentProcess
0x1400983d0 RaiseException
0x1400983d8 CloseHandle
0x1400983e0 CreateFileA
0x1400983e8 MultiByteToWideChar
0x1400983f0 MoveFileA
0x1400983f8 LocalFree
0x140098400 GetLastError
0x140098408 SetFileAttributesA
0x140098410 DeleteFileA
0x140098418 GetComputerNameA
0x140098420 Sleep
0x140098428 SetEnvironmentVariableW
0x140098430 GetProcessHeap
0x140098438 SetConsoleCtrlHandler
0x140098440 OutputDebugStringW
0x140098448 WaitForSingleObjectEx
0x140098450 SetStdHandle
0x140098458 CreateFileW
0x140098460 SetFilePointerEx
0x140098468 WriteConsoleW
0x140098470 HeapSize
0x140098478 GetLocaleInfoW
0x140098480 LCMapStringW
0x140098488 CompareStringW
0x140098490 GetTimeFormatW
0x140098498 HeapReAlloc
0x1400984a0 SetEndOfFile
0x1400984b0 TlsAlloc
0x1400984b8 TlsGetValue
0x1400984c0 TerminateProcess
0x1400984c8 GetDateFormatW
0x1400984d0 GetStringTypeW
0x1400984d8 GetCurrentThread
0x1400984e0 HeapAlloc
0x1400984e8 HeapFree
0x1400984f0 GetACP
0x1400984f8 GetStdHandle
0x140098500 GetModuleFileNameW
0x140098508 GetModuleFileNameA
0x140098510 ExitProcess
0x140098518 GetModuleHandleExW
0x140098520 FreeLibraryAndExitThread
0x140098528 ResumeThread
0x140098530 ExitThread
0x140098538 CreateThread
0x140098540 LoadLibraryExW
0x140098548 TlsFree
0x140098550 RtlCaptureContext
0x140098558 RtlLookupFunctionEntry
0x140098560 RtlVirtualUnwind
0x140098568 IsDebuggerPresent
0x140098570 UnhandledExceptionFilter
0x140098578 GetStartupInfoW
0x140098588 GetModuleHandleW
0x140098590 InitializeSListHead
0x140098598 RtlPcToFileHeader
0x1400985a0 TlsSetValue
Library: USER32.dll:
0x140098620 FindWindowExA
0x140098628 GetForegroundWindow
0x140098630 GetWindowTextA
0x140098638 GetWindowThreadProcessId
0x140098640 GetWindowRect
0x140098648 GetClassNameA
0x140098650 wsprintfA
0x140098658 GetDesktopWindow
Library: SHELL32.dll:
0x1400985f8 SHCreateDirectoryExA
0x140098600 SHGetSpecialFolderPathA
Library: ole32.dll:
0x140098780 CoSetProxyBlanket
0x140098788 CoInitializeSecurity
0x140098790 CLSIDFromString
0x140098798 CoInitialize
0x1400987a0 CoCreateInstance
0x1400987a8 CoUninitialize
Library: OLEAUT32.dll:
0x1400985b0 VariantClear
0x1400985b8 VariantInit
0x1400985c0 SysFreeString
0x1400985c8 SysAllocString
0x1400985d0 GetErrorInfo
0x1400985d8 VariantChangeType
0x1400985e0 SetErrorInfo
0x1400985e8 CreateErrorInfo
Library: ADVAPI32.dll:
0x140098008 GetNamedSecurityInfoA
0x140098010 SetNamedSecurityInfoA
0x140098020 OpenProcessToken
0x140098028 AdjustTokenPrivileges
0x140098030 RegSetValueExW
0x140098038 RegFlushKey
0x140098040 StartServiceA
0x140098048 QueryServiceStatus
0x140098050 QueryServiceConfigA
0x140098058 OpenServiceA
0x140098060 OpenSCManagerA
0x140098068 DeleteService
0x140098070 CreateServiceA
0x140098078 ControlService
0x140098080 CloseServiceHandle
0x140098088 ChangeServiceConfigA
0x140098090 RegSetValueExA
0x140098098 RegCreateKeyExA
0x1400980a0 RegQueryValueExA
0x1400980a8 RegOpenKeyExA
0x1400980b0 RegCloseKey
0x1400980c8 SetServiceStatus
0x1400980d8 SetEntriesInAclA
Library: dbghelp.dll:
0x140098770 MiniDumpWriteDump
Library: WINMM.dll:
0x1400986e0 timeKillEvent
Library: CFGMGR32.dll:
Library: IPHLPAPI.DLL:
0x1400980f8 GetIpForwardTable
0x140098100 GetIpNetTable
0x140098108 GetAdaptersInfo
Library: WININET.dll:
0x140098688 FindNextUrlCacheEntryA
0x140098690 DeleteUrlCacheEntry
0x140098698 InternetOpenA
0x1400986a0 FindFirstUrlCacheEntryA
0x1400986a8 HttpSendRequestA
0x1400986b0 HttpAddRequestHeadersA
0x1400986b8 HttpOpenRequestA
0x1400986c0 InternetReadFile
0x1400986c8 InternetConnectA
0x1400986d0 InternetCloseHandle
Library: VERSION.dll:
0x140098668 GetFileVersionInfoSizeA
0x140098670 VerQueryValueA
0x140098678 GetFileVersionInfoA
Library: SHLWAPI.dll:
0x140098610 PathFileExistsA

No antivirus engine scan information!

Process tree


services.exe, PID: 2464, parent PID: 2172
services.exe, PID: 432, parent PID: 344
AcroRd32.exe, PID: 816, parent PID: 304

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49162 104.123.71.146 acroipm.adobe.com 80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP requests

URI  HTTP data
URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found
Sorry! No files were dropped.
No similar analyses found.

Processing ( 16.85 seconds )

  • 11.083 Suricata
  • 2.575 NetworkAnalysis
  • 1.808 Static
  • 0.617 TargetInfo
  • 0.446 BehaviorAnalysis
  • 0.292 peid
  • 0.011 AnalysisInfo
  • 0.011 Strings
  • 0.005 config_decoder
  • 0.002 Memory

Signatures ( 1.623 seconds )

  • 1.324 md_url_bl
  • 0.052 antiav_detectreg
  • 0.02 api_spamming
  • 0.02 infostealer_ftp
  • 0.016 hawkeye_behavior
  • 0.015 stealth_decoy_document
  • 0.015 stealth_timeout
  • 0.013 md_domain_bl
  • 0.011 infostealer_im
  • 0.01 antianalysis_detectreg
  • 0.008 antiav_detectfile
  • 0.007 shifu_behavior
  • 0.006 mimics_filetime
  • 0.006 reads_self
  • 0.006 infostealer_mail
  • 0.005 bootkit
  • 0.005 stealth_file
  • 0.005 anomaly_persistence_autorun
  • 0.005 geodo_banking_trojan
  • 0.004 virus
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 infostealer_browser
  • 0.003 kibex_behavior
  • 0.003 antivm_generic_disk
  • 0.003 hancitor_behavior
  • 0.003 antivm_vbox_files
  • 0.003 antivm_xen_keys
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 betabot_behavior
  • 0.002 antivm_generic_diskreg
  • 0.002 antivm_parallels_keys
  • 0.002 disables_browser_warn
  • 0.002 darkcomet_regkeys
  • 0.002 network_torgateway
  • 0.002 recon_fingerprint
  • 0.001 rat_nanocore
  • 0.001 injection_createremotethread
  • 0.001 sets_autoconfig_url
  • 0.001 ipc_namedpipe
  • 0.001 antivm_generic_scsi
  • 0.001 infostealer_browser_password
  • 0.001 cerber_behavior
  • 0.001 antidbg_devices
  • 0.001 antisandbox_productid
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vpc_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.616 seconds )

  • 0.535 ReportHTMLSummary
  • 0.081 Malheur
Task ID 656460
Mongo ID 614ad7457e769a4de5ef26fe
Cuckoo release 1.4-Maldun