Analysis task

Analysis type: File (Windows)
VM label: win7-sp1-x64-shaapp02-1
Start time: 2022-05-13 00:12:43
End time: 2022-05-13 00:13:40
Duration: 57 seconds

Maldun score

4.325 (suspicious)

File details

File name: 1.exe
File size: 22240321 bytes
File type: PE32+ executable (console) x86-64, for MS Windows
MD5: 4e75e084c3fe403e1346572b110bedbd
SHA1: 2de11cd53a66acd7993a485f4cc6f5071baa63ab
SHA256: 940b7f512566f13b3db475954ea5597196ef93a25c862f32145a8e3227164c9e
SHA512: 80f36f791d54d61a9d2f83f9367a4b13598901b7a0712e75a02eaf9eb5cccf1e4e6280bb2fa974a872e2cb977aed9ece807864c9f07b87273d8bf948a3f14958
CRC32: C7BBA213
Ssdeep: 393216:tZxlHOF7lAg8RVd97Pi4OLFR2wt+QVDtouxq/PmhuOOTMRmOHu2+ryjCmzg1d:tBICgSd97PilLFR39tVq/Pguzddj5mzi
Antivirus lookup: sample not found.

Hosts contacted

No host records.

Domain resolution

No domain information.


Summary

PE information

Image base: 0x140000000
Entry point: 0x14000a170
Declared checksum: 0x0153eb52
Minimum OS version: 5.2
Compile time: 2022-04-27 14:52:41
Import hash (imphash): 0bbecc8e9f9f17b0ea9cc3899b15e5cf

PE sections

Name     Virtual address  Virtual size  Raw data size  Characteristics                                                               Entropy
.text    0x00001000       0x000283b0    0x00028400     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                   6.49
.rdata   0x0002a000       0x00011b0a    0x00011c00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                             5.74
.data    0x0003c000       0x000103f8    0x00000e00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE         1.82
.pdata   0x0004d000       0x000020c4    0x00002200     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                             5.30
_RDATA   0x00050000       0x000000f4    0x00000200     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                             1.99
.rsrc    0x00051000       0x0000f018    0x0000f200     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                             7.36
.reloc   0x00061000       0x00000760    0x00000800     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ   5.23

Raw sizes are multiples of 0x200 and virtual addresses of 0x1000 (the usual 0x200 file alignment and 0x1000 section alignment), so file offsets and RVAs are not interchangeable for this binary. The .rsrc entropy of 7.36 bits per byte is unusually high for a resource section and points to compressed or encrypted content stored as a resource. The .data virtual size exceeding its raw size (0x103f8 versus 0xe00) is ordinary zero-initialised data, not a sign of packing.

Overlay

Offset: 0x00061760
Size: 0x014d44e1

The two values sum exactly to the file size (0x61760 + 0x14d44e1 = 22240321 bytes), so about 98% of the file is data appended after the last section. Caveat: the reported offset equals the .reloc RVA plus its virtual size (0x61000 + 0x760), which is a virtual address, not a file position. That is the known behaviour of pefile's overlay heuristic, which also considers data-directory RVA + Size and here lets the base-relocation directory win. With 0x200 file alignment the section data on disk ends well before 0x61760, so derive the real overlay start from PointerToRawData + SizeOfRawData of the last section before carving; a carve that starts at 0x61760 would drop the head of the payload.
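To check the two overlay numbers above, here is an added example (this editor's code, not Maldun/Cuckoo or pefile output). It computes the overlay start from the section table the way a carver must, from PointerToRawData + SizeOfRawData, contrasts it with the RVA-derived figure the report prints, and carves and fingerprints the overlay. The report does not list PointerToRawData, so the raw_ptr values are assumed (0x200 file alignment, 0x400 bytes of headers, sections laid out back to back); the image bytes fed to triage_overlay are constructed, not the real sample.

```python
"""Overlay triage for the section table in this report.

Added example, not Maldun/Cuckoo or pefile code. The report gives RVAs,
virtual sizes and raw sizes but not PointerToRawData; the raw_ptr values
below are ASSUMED from a 0x200 file alignment with 0x400 bytes of headers
and back-to-back sections, as the MSVC linker lays them out.
"""
import math
from typing import NamedTuple, Optional


class Section(NamedTuple):
    name: str
    rva: int
    vsize: int
    raw_ptr: int   # PointerToRawData (assumed, see module docstring)
    raw_size: int  # SizeOfRawData (from the report)


FILE_SIZE = 22240321                  # from the report
REPORTED_OVERLAY_OFFSET = 0x00061760  # as printed in the report

SECTIONS = [
    Section(".text",  0x01000, 0x283b0, 0x00400, 0x28400),
    Section(".rdata", 0x2a000, 0x11b0a, 0x28800, 0x11c00),
    Section(".data",  0x3c000, 0x103f8, 0x3a400, 0x00e00),
    Section(".pdata", 0x4d000, 0x020c4, 0x3b200, 0x02200),
    Section("_RDATA", 0x50000, 0x000f4, 0x3d400, 0x00200),
    Section(".rsrc",  0x51000, 0x0f018, 0x3d600, 0x0f200),
    Section(".reloc", 0x61000, 0x00760, 0x4c800, 0x00800),
]

# Container signatures that commonly start an appended payload.
MAGICS = [
    (b"MZ", "PE image"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip"),
    (b"Rar!\x1a\x07", "RAR"),
    (b"\x1f\x8b", "gzip"),
]


def overlay_offset(sections, file_size) -> Optional[int]:
    """Overlay starts where the last section's data ends ON DISK.

    Only PointerToRawData + SizeOfRawData matter; RVAs describe the
    in-memory layout and must not be mixed in.
    """
    end = max(s.raw_ptr + s.raw_size for s in sections)
    return end if end < file_size else None


def rva_end_of_last_section(sections) -> int:
    """RVA + VirtualSize of the highest section (an address, not an offset)."""
    return max(s.rva + s.vsize for s in sections)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; above ~7.5 usually means compressed/encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(blob: bytes) -> str:
    for magic, label in MAGICS:
        if blob.startswith(magic):
            return label
    return "unknown"


def triage_overlay(image: bytes, sections, reported_offset=None) -> Optional[dict]:
    """Carve the overlay from a PE image and summarise it."""
    off = overlay_offset(sections, len(image))
    if off is None:
        return None
    blob = image[off:]
    return {
        "offset": off,
        "size": len(blob),
        "share": len(blob) / len(image),
        "entropy": round(shannon_entropy(blob), 2),
        "kind": identify(blob),
        # True when a tool printed RVA+VirtualSize instead of a file offset.
        "reported_offset_is_rva": reported_offset == rva_end_of_last_section(sections),
    }


if __name__ == "__main__":
    # Report numbers under the raw_ptr assumption above.
    print("section data ends on disk at 0x%x" % overlay_offset(SECTIONS, FILE_SIZE))
    print("reported 0x%x is .reloc RVA+VirtualSize: %s"
          % (REPORTED_OVERLAY_OFFSET, REPORTED_OVERLAY_OFFSET == rva_end_of_last_section(SECTIONS)))
    # Constructed stand-in for the sample: zeroed sections plus a zip-like overlay.
    fake = bytes(0x4d000) + b"PK\x03\x04" + bytes(range(256)) * 16
    print(triage_overlay(fake, SECTIONS, REPORTED_OVERLAY_OFFSET))
```

On the real file, replace the constructed image with the bytes of 1.exe and build SECTIONS from the actual section headers (pefile's section.PointerToRawData and SizeOfRawData); the share, entropy and magic of the carved blob tell you whether the 21 MB overlay is an archive worth unpacking. Under the raw pointers assumed here the section data ends at 0x4d000, 0x14760 bytes before the reported 0x61760, which is why the offset must be re-derived rather than copied from the report.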

Imports

Two caveats before reading anything into this list. First, it is incomplete: the IAT addresses advance in 8-byte slots, and the listing skips several of them (0x14002a040, 0x14002a118, 0x14002a128, 0x14002a190, 0x14002a1e8, 0x14002a200), so re-derive the import table with pefile or dumpbin before concluding that an API is absent. Second, most of the KERNEL32 entries are MSVC runtime start-up boilerplate (the security-cookie and exception plumbing: IsDebuggerPresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, InitializeSListHead, QueryPerformanceCounter, GetSystemTimeAsFileTime, the Tls*/Fls*, heap and code-page calls), so IsDebuggerPresent on its own is not evidence of anti-debugging. The behaviourally relevant subset is GetTempPathW, CreateDirectoryW, Get/SetEnvironmentVariableW, SetDllDirectoryW, LoadLibraryExW, CreateProcessW, WaitForSingleObject and GetExitCodeProcess, plus OpenProcessToken, GetTokenInformation and ConvertSidToStringSidW from ADVAPI32 (reading the SID of its own token). Together with the process tree below, in which 1.exe re-launches itself as a child, this is the pattern of a one-file bootloader that unpacks an archive carried in the overlay to a temporary directory and runs it as a child process. That is an inference from the static data; the report records no dropped files, and the behaviour log is not included here to confirm it.

Library: KERNEL32.dll:
0x14002a028 GetCommandLineW
0x14002a030 GetEnvironmentVariableW
0x14002a038 SetEnvironmentVariableW
0x14002a048 CreateDirectoryW
0x14002a050 GetTempPathW
0x14002a058 WaitForSingleObject
0x14002a060 Sleep
0x14002a068 GetExitCodeProcess
0x14002a070 CreateProcessW
0x14002a078 FreeLibrary
0x14002a080 LoadLibraryExW
0x14002a088 FindClose
0x14002a090 FindFirstFileExW
0x14002a098 CloseHandle
0x14002a0a0 GetCurrentProcess
0x14002a0a8 LocalFree
0x14002a0b0 FormatMessageW
0x14002a0b8 MultiByteToWideChar
0x14002a0c0 WideCharToMultiByte
0x14002a0c8 SetEndOfFile
0x14002a0d0 GetProcAddress
0x14002a0d8 GetModuleFileNameW
0x14002a0e0 SetDllDirectoryW
0x14002a0e8 GetStartupInfoW
0x14002a0f0 GetLastError
0x14002a0f8 RtlCaptureContext
0x14002a100 RtlLookupFunctionEntry
0x14002a108 RtlVirtualUnwind
0x14002a110 UnhandledExceptionFilter
0x14002a120 TerminateProcess
0x14002a130 QueryPerformanceCounter
0x14002a138 GetCurrentProcessId
0x14002a140 GetCurrentThreadId
0x14002a148 GetSystemTimeAsFileTime
0x14002a150 InitializeSListHead
0x14002a158 IsDebuggerPresent
0x14002a160 GetModuleHandleW
0x14002a168 RtlUnwindEx
0x14002a170 SetLastError
0x14002a178 EnterCriticalSection
0x14002a180 LeaveCriticalSection
0x14002a188 DeleteCriticalSection
0x14002a198 TlsAlloc
0x14002a1a0 TlsGetValue
0x14002a1a8 TlsSetValue
0x14002a1b0 TlsFree
0x14002a1b8 EncodePointer
0x14002a1c0 RaiseException
0x14002a1c8 RtlPcToFileHeader
0x14002a1d0 GetCommandLineA
0x14002a1d8 CreateFileW
0x14002a1e0 GetDriveTypeW
0x14002a1f0 GetFileType
0x14002a1f8 PeekNamedPipe
0x14002a208 FileTimeToSystemTime
0x14002a210 GetFullPathNameW
0x14002a218 RemoveDirectoryW
0x14002a220 FindNextFileW
0x14002a228 SetStdHandle
0x14002a230 SetConsoleCtrlHandler
0x14002a238 DeleteFileW
0x14002a240 ReadFile
0x14002a248 GetStdHandle
0x14002a250 WriteFile
0x14002a258 ExitProcess
0x14002a260 GetModuleHandleExW
0x14002a268 HeapFree
0x14002a270 GetConsoleMode
0x14002a278 ReadConsoleW
0x14002a280 SetFilePointerEx
0x14002a288 GetConsoleOutputCP
0x14002a290 GetFileSizeEx
0x14002a298 HeapAlloc
0x14002a2a0 FlsAlloc
0x14002a2a8 FlsGetValue
0x14002a2b0 FlsSetValue
0x14002a2b8 FlsFree
0x14002a2c0 CompareStringW
0x14002a2c8 LCMapStringW
0x14002a2d0 GetCurrentDirectoryW
0x14002a2d8 FlushFileBuffers
0x14002a2e0 HeapReAlloc
0x14002a2e8 GetFileAttributesExW
0x14002a2f0 GetStringTypeW
0x14002a2f8 IsValidCodePage
0x14002a300 GetACP
0x14002a308 GetOEMCP
0x14002a310 GetCPInfo
0x14002a318 GetEnvironmentStringsW
0x14002a320 FreeEnvironmentStringsW
0x14002a328 GetProcessHeap
0x14002a330 GetTimeZoneInformation
0x14002a338 HeapSize
0x14002a340 WriteConsoleW
Library: ADVAPI32.dll:
0x14002a000 ConvertSidToStringSidW
0x14002a008 GetTokenInformation
0x14002a010 OpenProcessToken
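An added example (this editor's code, not output of the sandbox) that turns the listing into something checkable: it parses the library/address/name lines, finds IAT slots the listing skipped (8-byte stride on x64), and sorts the names into capability tags versus MSVC CRT start-up boilerplate. IMPORT_LISTING is an excerpt of the report's own table (KERNEL32 slots 0x14002a0d0 to 0x14002a170 plus all of ADVAPI32); the CRT_BOILERPLATE and CAPABILITIES groupings are this example's own and not anything the report defines.

```python
"""Import-listing triage for this report.

Added example, not Maldun/Cuckoo code. IMPORT_LISTING is an excerpt of the
report's import table; CRT_BOILERPLATE and CAPABILITIES are this example's
own grouping of well-known Win32 APIs, not a sandbox convention.
"""
import re

IMPORT_LISTING = """\
Library: KERNEL32.dll:
0x14002a0d0 GetProcAddress
0x14002a0d8 GetModuleFileNameW
0x14002a0e0 SetDllDirectoryW
0x14002a0e8 GetStartupInfoW
0x14002a0f0 GetLastError
0x14002a0f8 RtlCaptureContext
0x14002a100 RtlLookupFunctionEntry
0x14002a108 RtlVirtualUnwind
0x14002a110 UnhandledExceptionFilter
0x14002a120 TerminateProcess
0x14002a130 QueryPerformanceCounter
0x14002a138 GetCurrentProcessId
0x14002a140 GetCurrentThreadId
0x14002a148 GetSystemTimeAsFileTime
0x14002a150 InitializeSListHead
0x14002a158 IsDebuggerPresent
0x14002a160 GetModuleHandleW
0x14002a168 RtlUnwindEx
0x14002a170 SetLastError
Library: ADVAPI32.dll:
0x14002a000 ConvertSidToStringSidW
0x14002a008 GetTokenInformation
0x14002a010 OpenProcessToken
"""

LIB_RE = re.compile(r"^[^:]+:\s*([\w.\-]+?):?\s*$")      # "Library: X.dll:"
ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\w+)\s*$")   # "0x... ApiName"

# Imports every MSVC-linked x64 binary carries for CRT start-up,
# security-cookie and exception plumbing; not evidence of intent alone.
CRT_BOILERPLATE = {
    "IsDebuggerPresent", "RtlCaptureContext", "RtlLookupFunctionEntry",
    "RtlVirtualUnwind", "RtlUnwindEx", "UnhandledExceptionFilter",
    "SetUnhandledExceptionFilter", "TerminateProcess", "QueryPerformanceCounter",
    "GetCurrentProcessId", "GetCurrentThreadId", "GetSystemTimeAsFileTime",
    "InitializeSListHead", "GetStartupInfoW", "GetModuleHandleW",
    "IsProcessorFeaturePresent",
}
CAPABILITIES = {
    "drop-to-temp": {"GetTempPathW", "CreateDirectoryW", "CreateFileW", "WriteFile"},
    "spawn-and-wait": {"CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"},
    "dynamic-loading": {"LoadLibraryExW", "GetProcAddress", "SetDllDirectoryW"},
    "token-query": {"OpenProcessToken", "GetTokenInformation", "ConvertSidToStringSidW"},
}


def parse_imports(text):
    """Return [(library, iat_address, api_name)] from a report-style listing."""
    entries, lib = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m and lib:
            entries.append((lib, int(m.group(1), 16), m.group(2)))
            continue
        m = LIB_RE.match(line)
        if m:
            lib = m.group(1)
    return entries


def iat_gaps(entries, stride=8):
    """IAT slots between listed entries that the listing omits (x64: 8 bytes)."""
    by_lib = {}
    for lib, addr, _ in entries:
        by_lib.setdefault(lib, []).append(addr)
    gaps = {}
    for lib, addrs in by_lib.items():
        addrs.sort()
        missing = [a for lo, hi in zip(addrs, addrs[1:])
                   for a in range(lo + stride, hi, stride)]
        if missing:
            gaps[lib] = missing
    return gaps


def classify(entries):
    """Split API names into capability tags, CRT boilerplate and the rest."""
    names = {name for _, _, name in entries}
    caps = {tag: sorted(names & apis) for tag, apis in CAPABILITIES.items()}
    tagged = set().union(*CAPABILITIES.values())
    return {
        "capabilities": {t: v for t, v in caps.items() if v},
        "boilerplate": sorted(names & CRT_BOILERPLATE),
        "unclassified": sorted(names - CRT_BOILERPLATE - tagged),
    }


if __name__ == "__main__":
    imports = parse_imports(IMPORT_LISTING)
    for lib, slots in iat_gaps(imports).items():
        print(lib, "missing slots:", ", ".join(hex(a) for a in slots))
    for key, value in classify(imports).items():
        print(key, value)
```

Feed it the full listing (copy the two library blocks above into IMPORT_LISTING) and the gap detector reports every skipped slot, while the classifier lands IsDebuggerPresent and its neighbours in the boilerplate bucket and leaves the temp-directory, process-spawning and token APIs as the tags worth following up in the behaviour log.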

No antivirus engine scan results.

Process tree

1.exe (PID 2408, parent PID 2272)
    1.exe (PID 3040, parent PID 2408)

The sample launches a second copy of itself as a child process, which is consistent with the CreateProcessW / WaitForSingleObject / GetExitCodeProcess imports above.

Hosts contacted

No host records.

TCP

Source address   Source port   Destination address   Destination port
192.168.122.201  49157         104.100.95.27         80

UDP

Source address   Source port   Destination address   Destination port
192.168.122.201  63246         192.168.122.1         53


HTTP requests

URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Caveat: acroipm.adobe.com with the IPM user agent and a 2017 If-Modified-Since header is the in-product messaging check of Adobe Reader 11 (the /11/rdr/CHS/ path is Reader 11, Simplified Chinese) installed in the Win7 guest image, i.e. background noise from the VM rather than traffic that can be pinned on 1.exe. The report likewise lists the TCP flow to 104.100.95.27:80 and a DNS query to the gateway but no resolved domain and no host record. Attribute the flow to a PID with the per-process network log before treating it as command-and-control.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

No files extracted from network traffic.
No dropped files.
No similar analyses found.

Processing ( 63.273 seconds )

  • 30.146 Static
  • 11.764 Suricata
  • 8.876 VirusTotal
  • 4.373 NetworkAnalysis
  • 4.2 TargetInfo
  • 2.378 AnalysisInfo
  • 1.085 BehaviorAnalysis
  • 0.386 peid
  • 0.052 config_decoder
  • 0.011 Strings
  • 0.002 Memory

Signatures ( 2.012 seconds )

  • 1.385 md_url_bl
  • 0.041 api_spamming
  • 0.034 virus
  • 0.032 bootkit
  • 0.032 stealth_timeout
  • 0.03 securityxploded_modules
  • 0.029 reads_self
  • 0.026 stealth_decoy_document
  • 0.026 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.025 sets_autoconfig_url
  • 0.025 ipc_namedpipe
  • 0.024 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.024 ransomware_message
  • 0.016 antiav_detectfile
  • 0.015 infostealer_browser
  • 0.015 disables_wfp
  • 0.014 disables_spdy
  • 0.014 mimics_filetime
  • 0.013 antiav_detectreg
  • 0.013 ransomware_extensions
  • 0.012 stealth_file
  • 0.011 office_dl_write_exe
  • 0.011 antivm_generic_disk
  • 0.011 infostealer_bitcoin
  • 0.009 office_write_exe
  • 0.009 maldun_anomaly_massive_file_ops
  • 0.009 infostealer_ftp
  • 0.009 md_domain_bl
  • 0.009 ransomware_files
  • 0.006 anomaly_persistence_autorun
  • 0.006 infostealer_browser_password
  • 0.006 antivm_vbox_files
  • 0.006 infostealer_im
  • 0.005 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.004 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.004 hancitor_behavior
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_mail
  • 0.003 maldun_anomaly_terminated_process
  • 0.003 rat_luminosity
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 network_tor
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antidbg_devices
  • 0.002 disables_browser_warn
  • 0.002 rat_pcclient
  • 0.001 removes_zoneid_ads
  • 0.001 hawkeye_behavior
  • 0.001 TrickBotTaskDelete
  • 0.001 kazybot_behavior
  • 0.001 deletes_self
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vmware_files
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 codelux_behavior
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.525 seconds )

  • 0.513 ReportHTMLSummary
  • 0.012 Malheur
Task ID 690242
Mongo ID 627d3281dc327b2c0810d69b
Cuckoo release 1.4-Maldun