Analysis task

Analysis type: File (Windows)
VM label: win7-sp1-x64-shaapp03-1
Start time: 2022-09-24 15:10:15
End time: 2022-09-24 15:10:48
Duration: 33 seconds

Maldun score

3.475 (suspicious)

File details

File name: SecurityLaunchCLR.dll
File size: 309760 bytes
File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 352f989b53cf3509d8c21f83e9900a84
SHA1: cf8d0cb3700f612e31f96db5fbafb12e4d5d3cd5
SHA256: 1a3998c65661e55c6b5290e7a59bfb6b4d2a59371e4eaa488ebd1cdd95f9e970
SHA512: 8e0b472125c573613472f1f3a9a8a3213f0052f08d312874765eef002ee5d87be5e6c53e940cb3fe1827d61b247cba4aed371e7a128363b43976ae13903eeab8
CRC32: AA4FEA21
Ssdeep: 6144:fj0ppLQ84fcM9xLbhNStBWy3ubxW2Gt7:7YyFrSFu


Screenshots

No screenshots available.

Hosts contacted

No host records.

Domain resolution

No domain information.


Summary


PE information

Image base: 0x10000000
Entry point: 0x10019e83
Declared checksum: 0x0004c807
Actual checksum: 0x0004c807
Minimum OS version: 6.0
Compile time: 2019-02-18 17:49:50
Import hash (imphash): ab6436867c08472060c8065f660ca43d
Icon: (image not included in this export)
Icon exact hash: 9db58d4913256d2b52c5163864b9f7a7
Icon similarity hash: c3ca946d749a15ad18efd3e5d7b0d8f5

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x000192a8 0x00019400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.39
.rdata 0x0001b000 0x000259ec 0x00025a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.12
.data 0x00041000 0x00005464 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.09
.rsrc 0x00047000 0x0000a638 0x0000a800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.36
.reloc 0x00052000 0x000010d4 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.51
.text 0x00054000 0x0000000e 0x00000200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.16

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_ICON (9 entries, all reported with identical offset and size) 0x00050f68 0x00000468 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.76 GLS_BINARY_LSB_FIRST
RT_GROUP_ICON 0x000513d0 0x00000084 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.79 MS Windows icon resource - 9 icons, 256x256
RT_VERSION 0x00051454 0x0000005c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.26 data
RT_MANIFEST 0x000514b0 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 XML 1.0 document text

Imports

Library: VCRUNTIME140.dll:
0x1001b0e0 memmove
0x1001b0e4 _purecall
0x1001b0e8 memcpy
0x1001b0ec __std_terminate
0x1001b0f0 memset
0x1001b0f8 _CxxThrowException
0x1001b104 __FrameUnwindFilter
0x1001b108 __std_exception_copy
0x1001b10c __CxxFrameHandler3
Library: api-ms-win-crt-runtime-l1-1-0.dll:
0x1001b148 _configure_narrow_argv
0x1001b158 _execute_onexit_table
0x1001b15c _crt_atexit
0x1001b160 _initterm
0x1001b164 perror
0x1001b168 _initterm_e
0x1001b16c abort
0x1001b170 _crt_at_quick_exit
0x1001b174 _cexit
0x1001b178 terminate
0x1001b17c _seh_filter_dll
Library: api-ms-win-crt-heap-l1-1-0.dll:
0x1001b12c free
0x1001b130 malloc
0x1001b134 calloc
0x1001b138 realloc
0x1001b13c _callnewh
Library: KERNEL32.dll:
0x1001b018 FindClose
0x1001b01c FindNextFileW
0x1001b020 CopyFileW
0x1001b024 SetLastError
0x1001b028 GetLastError
0x1001b02c Process32FirstW
0x1001b030 GetFileAttributesW
0x1001b034 Sleep
0x1001b038 GetModuleFileNameW
0x1001b03c MultiByteToWideChar
0x1001b040 GetProcAddress
0x1001b044 CreateEventW
0x1001b048 WaitForSingleObjectEx
0x1001b050 Process32NextW
0x1001b054 OpenProcess
0x1001b058 CreateDirectoryW
0x1001b060 GetCurrentProcessId
0x1001b064 GetCurrentThreadId
0x1001b070 InitializeSListHead
0x1001b074 IsDebuggerPresent
0x1001b080 GetStartupInfoW
0x1001b088 GetModuleHandleW
0x1001b08c GetCurrentProcess
0x1001b090 TerminateProcess
0x1001b094 ResetEvent
0x1001b098 SetEvent
0x1001b09c CloseHandle
0x1001b0a0 EnterCriticalSection
0x1001b0a4 LeaveCriticalSection
0x1001b0ac DeleteCriticalSection
0x1001b0b0 FindFirstFileW
Library: USER32.dll:
0x1001b0d8 wsprintfW
Library: ADVAPI32.dll:
0x1001b000 OpenServiceW
0x1001b004 OpenSCManagerW
0x1001b008 QueryServiceStatus
0x1001b00c StartServiceW
0x1001b010 CloseServiceHandle
Library: MSVCP140.dll: (no named imports listed)
Library: api-ms-win-crt-stdio-l1-1-0.dll:
0x1001b184 fseek
0x1001b18c fread
0x1001b190 feof
0x1001b194 fclose
0x1001b198 ferror
0x1001b19c _wfopen_s
Library: api-ms-win-crt-string-l1-1-0.dll:
0x1001b1a4 towlower
0x1001b1a8 strtok_s
Library: api-ms-win-crt-filesystem-l1-1-0.dll:
0x1001b124 _wstat64
Library: SHLWAPI.dll:
0x1001b0d0 PathFileExistsW
Library: VERSION.dll:
0x1001b114 VerQueryValueW
0x1001b118 GetFileVersionInfoW
Library: mscoree.dll:
0x1001b1b0 _CorDllMain

Assembly information

Name: SecurityLaunchCLR
Version: 1.0.6988.32095

Assembly references

Name | Version
mscorlib 4.0.0.0

Custom attributes

Type | Name | Value
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute 版权所有(c) 20
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute SecurityLaunchC
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute SecurityLaunchC
TypeRef [mscorlib]System.Reflection.AssemblyProductAttribute SecurityLaunchC
TypeRef [mscorlib]System.Reflection.AssemblyTitleAttribute SecurityLaunchC
TypeRef [mscorlib]System.Reflection.AssemblyCopyrightAttribute 版权所有(c) 20
TypeRef [mscorlib]System.Reflection.AssemblyVersionAttribute 1.0

Type references

Assembly | Type name
mscorlib System.AppDomain
mscorlib System.CLSCompliantAttribute
mscorlib System.Collections.IEnumerator
mscorlib System.Collections.Stack
mscorlib System.Delegate
mscorlib System.Diagnostics.DebuggerStepThroughAttribute
mscorlib System.Enum
mscorlib System.EventArgs
mscorlib System.EventHandler
mscorlib System.Exception
mscorlib System.GC
mscorlib System.Guid
mscorlib System.IDisposable
mscorlib System.Int32
mscorlib System.IntPtr
mscorlib System.ModuleHandle
mscorlib System.Object
mscorlib System.OutOfMemoryException
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyCultureAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Reflection.AssemblyVersionAttribute
mscorlib System.Reflection.Module
mscorlib System.Runtime.CompilerServices.AssemblyAttributesGoHere
mscorlib System.Runtime.CompilerServices.AssemblyAttributesGoHereSM
mscorlib System.Runtime.CompilerServices.CallConvCdecl
mscorlib System.Runtime.CompilerServices.CallConvStdcall
mscorlib System.Runtime.CompilerServices.CallConvThiscall
mscorlib System.Runtime.CompilerServices.CompilerMarshalOverride
mscorlib System.Runtime.CompilerServices.DecoratedNameAttribute
mscorlib System.Runtime.CompilerServices.FixedAddressValueTypeAttribute
mscorlib System.Runtime.CompilerServices.IsBoxed
mscorlib System.Runtime.CompilerServices.IsConst
mscorlib System.Runtime.CompilerServices.IsCopyConstructed
mscorlib System.Runtime.CompilerServices.IsImplicitlyDereferenced
mscorlib System.Runtime.CompilerServices.IsLong
mscorlib System.Runtime.CompilerServices.IsSignUnspecifiedByte
mscorlib System.Runtime.CompilerServices.IsUdtReturn
mscorlib System.Runtime.CompilerServices.IsVolatile
mscorlib System.Runtime.CompilerServices.NativeCppClassAttribute
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Runtime.CompilerServices.SuppressMergeCheckAttribute
mscorlib System.Runtime.CompilerServices.UnsafeValueTypeAttribute
mscorlib System.Runtime.ConstrainedExecution.Cer
mscorlib System.Runtime.ConstrainedExecution.Consistency
mscorlib System.Runtime.ConstrainedExecution.PrePrepareMethodAttribute
mscorlib System.Runtime.ConstrainedExecution.ReliabilityContractAttribute
mscorlib System.Runtime.ExceptionServices.HandleProcessCorruptedStateExceptionsAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GCHandle
mscorlib System.Runtime.InteropServices.Marshal
mscorlib System.Runtime.InteropServices.MarshalAsAttribute
mscorlib System.Runtime.InteropServices.RuntimeEnvironment
mscorlib System.Runtime.InteropServices.UnmanagedType
mscorlib System.Runtime.Serialization.SerializationInfo
mscorlib System.Runtime.Serialization.StreamingContext
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.RuntimeMethodHandle
mscorlib System.RuntimeTypeHandle
mscorlib System.Security.Permissions.SecurityAction
mscorlib System.Security.Permissions.SecurityPermissionAttribute
mscorlib System.Security.SecurityCriticalAttribute
mscorlib System.Security.SecurityRuleSet
mscorlib System.Security.SecurityRulesAttribute
mscorlib System.Security.SecuritySafeCriticalAttribute
mscorlib System.Security.SuppressUnmanagedCodeSecurityAttribute
mscorlib System.String
mscorlib System.Threading.Interlocked
mscorlib System.Threading.Monitor
mscorlib System.Threading.Mutex
mscorlib System.Threading.WaitHandle
mscorlib System.Type
mscorlib System.ValueType

Strings

.text
`.rdata
@.data
.rsrc
@.reloc
B.text
bYO[*;
invalid string position
string too long
Read error
FilesInfos
FileName
Unknown exception
bad allocation
bad array new length
InitializeConditionVariable
SleepConditionVariableCS
WakeAllConditionVariable
IsWow64Process
string too long
invalid string position
?!.,TENOR@#${[;@
?!.,@#${TENOR[;@
Read error
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
v4.0.30319
#Strings
#GUID
#Blob
AntiCrack.dat
api-ms-win-core-synch-l1-2-0.dll
kernel32.dll
kernel32
%d.%d.%d.%d
No antivirus engine scan information.

Process tree

rundll32.exe, PID: 2512, parent PID: 2196


TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 49160 104.88.193.211 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.201 59401 192.168.122.1 53


HTTP requests

URI | HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No files were dropped.
No similar analyses found.

Processing ( 15.344 seconds )

  • 11.421 Suricata
  • 1.106 VirusTotal
  • 1.05 NetworkAnalysis
  • 0.864 Static
  • 0.323 peid
  • 0.313 TargetInfo
  • 0.171 static_dotnet
  • 0.071 BehaviorAnalysis
  • 0.012 Strings
  • 0.011 AnalysisInfo
  • 0.002 Memory

Signatures ( 1.509 seconds )

  • 1.395 md_url_bl
  • 0.019 antiav_detectreg
  • 0.01 md_domain_bl
  • 0.008 infostealer_ftp
  • 0.006 antiav_detectfile
  • 0.006 infostealer_im
  • 0.005 anomaly_persistence_autorun
  • 0.004 api_spamming
  • 0.004 antianalysis_detectreg
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 stealth_decoy_document
  • 0.003 stealth_timeout
  • 0.003 infostealer_mail
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 betabot_behavior
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 rat_nanocore
  • 0.001 kibex_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.498 seconds )

  • 0.497 ReportHTMLSummary
  • 0.001 Malheur
Task ID 710616
Mongo ID 632ead937e769a059de15a15
Cuckoo release 1.4-Maldun