恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp03-1	2024-04-29 11:19:20	2024-04-29 11:20:12	52 秒

魔盾分数

6.8

危险的

文件详细信息

文件名	tinyMediaManager.exe
文件大小	7933592 字节
文件类型	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	ad5054dcaf0ee010d049d99ca8c4dfef
SHA1	1f520890b4c1e5d94dfb94861c7d6ef9a394b796
SHA256	35d576c5f303efe00065bdd0b08e03c0220c2de45a7000c1580576d6e4ea254e
SHA512	e872210980f7f7745f14c2408c810d8993a4701fbd091f2f3fb0757a1eb8a730ebd6b168ae7087fc858e91d475aef3f3e5d977e9f058bfe7208d76bb094d78ba
CRC32	BF31FC54
Ssdeep	49152:L/D9OozXwVrb/T9vO90d7HjmAFd4A64nsfJERBy6uG2ve8NpeChLjdcdOefqkZRk:LHAtG/e86C5f3uxoH18HEgGEp6M27
Yara	登录查看Yara规则
	找不到该样本提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	172.64.149.23	美国

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
crt.sectigo.com	A 104.18.38.233 A 172.64.149.23 CNAME crt.comodoca.com.cdn.cloudflare.net

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x004014d0
声明校验值	0x007a0dfd
实际校验值	0x007a0dfd
最低操作系统版本要求	6.1
编译时间	2023-12-21 01:00:00
载入哈希	a54424fc32ced0ce7693a91f2f65da90
图标
图标精确哈希值	08a212e85c778e34fd339f24cdb57a6e
图标相似性哈希值	8c75071323ad14c808f486a544922201
导出DLL库名称	a.out.exe

版本信息

LegalCopyright
InternalName
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

微软证书验证 (Sign Tool)

SHA1	时间戳	有效性	错误
None	None	否	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

证书链	Certificate Chain 1
发行给	Sectigo Public Code Signing Root R46
发行人	Sectigo Public Code Signing Root R46
有效期	Thu Mar 22 075959 2046
SHA1 哈希	ccbbf9e1485af63ce47abf8e9e648c2504fc319d

证书链	Certificate Chain 2
发行给	Sectigo Public Code Signing CA R36
发行人	Sectigo Public Code Signing Root R46
有效期	Sat Mar 22 075959 2036
SHA1 哈希	0bc5e76773d2e44fc9903d4dfefe451553bbec4a

证书链	Certificate Chain 3
发行给	Manuel Ronald Laggner, MSc
发行人	Sectigo Public Code Signing CA R36
有效期	Wed Sep 24 075959 2025
SHA1 哈希	7795b6e66b2f21ef56cad01845ac05a8fe31d0f9

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00395a60	0x00395c00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_ALIGN_32BYTES	6.12
.data	0x00397000	0x0005ff28	0x00060000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE\|IMAGE_SCN_ALIGN_32BYTES	6.03
.rdata	0x003f7000	0x00362ba0	0x00362c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_ALIGN_32BYTES	5.62
.pdata	0x0075a000	0x00001278	0x00001400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_ALIGN_4BYTES	5.28
.xdata	0x0075c000	0x00001218	0x00001400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_ALIGN_4BYTES	3.31
.bss	0x0075e000	0x00061da8	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE\|IMAGE_SCN_ALIGN_32BYTES	0.00
.edata	0x007c0000	0x0000004e	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_ALIGN_4BYTES	0.85
.idata	0x007c1000	0x00000df0	0x00000e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE\|IMAGE_SCN_ALIGN_4BYTES	4.47
.CRT	0x007c2000	0x00000068	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE\|IMAGE_SCN_ALIGN_8BYTES	0.28
.tls	0x007c3000	0x00000068	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE\|IMAGE_SCN_ALIGN_32BYTES	0.21
.rsrc	0x007c4000	0x000250a8	0x00025200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE\|IMAGE_SCN_ALIGN_4BYTES	5.40
.reloc	0x007ea000	0x0000e9bc	0x0000ea00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_ALIGN_4BYTES	5.43

覆盖

偏移量	0x00790400
大小	0x00000a98

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_ICON	0x007e8090	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.17	GLS_BINARY_LSB_FIRST
RT_ICON	0x007e8090	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.17	GLS_BINARY_LSB_FIRST
RT_ICON	0x007e8090	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.17	GLS_BINARY_LSB_FIRST
RT_ICON	0x007e8090	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.17	GLS_BINARY_LSB_FIRST
RT_ICON	0x007e8090	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.17	GLS_BINARY_LSB_FIRST
RT_ICON	0x007e8090	0x00000468	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.17	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x007e84f8	0x0000005a	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.83	MS Windows icon resource - 6 icons, 256x256
RT_VERSION	0x007e8558	0x00000358	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.27	data
RT_MANIFEST	0x007e88b0	0x000007f1	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.03	XML 1.0 document, ASCII text

导入

库: KERNEL32.dll:

• 0xbc132c AddVectoredExceptionHandler

• 0xbc1334 CloseHandle

• 0xbc133c CreateEventA

• 0xbc1344 CreateFileA

• 0xbc134c CreateIoCompletionPort

• 0xbc1354 CreateThread

• 0xbc135c CreateWaitableTimerExW

• 0xbc1364 DeleteCriticalSection

• 0xbc136c DuplicateHandle

• 0xbc1374 EnterCriticalSection

• 0xbc137c ExitProcess

• 0xbc1384 FreeEnvironmentStringsW

• 0xbc138c GetConsoleMode

• 0xbc1394 GetCurrentProcess

• 0xbc139c GetCurrentProcessId

• 0xbc13a4 GetCurrentThreadId

• 0xbc13ac GetEnvironmentStringsW

• 0xbc13b4 GetLastError

• 0xbc13bc GetModuleHandleA

• 0xbc13c4 GetProcAddress

• 0xbc13cc GetProcessAffinityMask

• 0xbc13d4 GetQueuedCompletionStatusEx

• 0xbc13dc GetStartupInfoA

• 0xbc13e4 GetStdHandle

• 0xbc13ec GetSystemDirectoryA

• 0xbc13f4 GetSystemInfo

• 0xbc13fc GetSystemTimeAsFileTime

• 0xbc1404 GetThreadContext

• 0xbc140c GetTickCount

• 0xbc1414 InitializeCriticalSection

• 0xbc141c LeaveCriticalSection

• 0xbc1424 LoadLibraryA

• 0xbc142c LoadLibraryW

• 0xbc1434 PostQueuedCompletionStatus

• 0xbc143c QueryPerformanceCounter

• 0xbc1444 ResumeThread

• 0xbc144c RtlAddFunctionTable

• 0xbc1454 RtlCaptureContext

• 0xbc145c RtlLookupFunctionEntry

• 0xbc1464 RtlVirtualUnwind

• 0xbc146c SetConsoleCtrlHandler

• 0xbc1474 SetErrorMode

• 0xbc147c SetEvent

• 0xbc1484 SetProcessPriorityBoost

• 0xbc148c SetThreadContext

• 0xbc1494 SetUnhandledExceptionFilter

• 0xbc149c SetWaitableTimer

• 0xbc14a4 Sleep

• 0xbc14ac SuspendThread

• 0xbc14b4 SwitchToThread

• 0xbc14bc TerminateProcess

• 0xbc14c4 TlsGetValue

• 0xbc14cc UnhandledExceptionFilter

• 0xbc14d4 VirtualAlloc

• 0xbc14dc VirtualFree

• 0xbc14e4 VirtualProtect

• 0xbc14ec VirtualQuery

• 0xbc14f4 WaitForMultipleObjects

• 0xbc14fc WaitForSingleObject

• 0xbc1504 WriteConsoleW

• 0xbc150c WriteFile

• 0xbc1514 __C_specific_handler

库: msvcrt.dll:

• 0xbc1524 __dllonexit

• 0xbc152c __getmainargs

• 0xbc1534 __initenv

• 0xbc153c __iob_func

• 0xbc1544 __lconv_init

• 0xbc154c __set_app_type

• 0xbc1554 __setusermatherr

• 0xbc155c _acmdln

• 0xbc1564 _amsg_exit

• 0xbc156c _beginthread

• 0xbc1574 _cexit

• 0xbc157c _errno

• 0xbc1584 _fmode

• 0xbc158c _initterm

• 0xbc1594 _lock

• 0xbc159c _onexit

• 0xbc15a4 _unlock

• 0xbc15ac abort

• 0xbc15b4 calloc

• 0xbc15bc exit

• 0xbc15c4 fprintf

• 0xbc15cc free

• 0xbc15d4 fwrite

• 0xbc15dc malloc

• 0xbc15e4 memcpy

• 0xbc15ec realloc

• 0xbc15f4 signal

• 0xbc15fc strlen

• 0xbc1604 strncmp

• 0xbc160c vfprintf

导出

序列	地址	名称
1	0xbbfd80	_cgo_dummy_export

.text
``.data
.rdata
`@.pdata
0@.xdata
0@.bss
.edata
0@.idata
.rsrc
.reloc
T$XH=
H+=#Zt

没有防病毒引擎扫描信息!

进程树

tinyMediaManager.exe id: 2696

搜索
tinyMediaManager.exe (2696)

tinyMediaManager.exe, PID: 2696, 上一级进程 PID: 2268

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	172.64.149.23	美国

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49159	172.64.149.23 crt.sectigo.com	80
192.168.122.201	49158	23.205.155.11	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	56270	192.168.122.1	53
192.168.122.201	59401	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
crt.sectigo.com	A 104.18.38.233 A 172.64.149.23 CNAME crt.comodoca.com.cdn.cloudflare.net

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49159	172.64.149.23 crt.sectigo.com	80
192.168.122.201	49158	23.205.155.11	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	56270	192.168.122.1	53
192.168.122.201	59401	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt	GET /SectigoPublicCodeSigningCAR36.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crt.sectigo.com
URL专业沙箱检测 -> http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c	GET /SectigoPublicCodeSigningRootR46.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crt.sectigo.com

URI

HTTP数据

URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

URL专业沙箱检测 -> http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt

GET /SectigoPublicCodeSigningCAR36.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.sectigo.com

URL专业沙箱检测 -> http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c

GET /SectigoPublicCodeSigningRootR46.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.sectigo.com

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 28.611 seconds )

11.541 Suricata
8.313 NetworkAnalysis
5.949 Static
1.971 TargetInfo
0.419 BehaviorAnalysis
0.366 peid
0.021 config_decoder
0.017 AnalysisInfo
0.012 Strings
0.002 Memory

Signatures ( 37.441 seconds )

35.723 network_http
1.437 proprietary_url_bl
0.044 antiav_detectreg
0.024 api_spamming
0.019 stealth_timeout
0.018 stealth_decoy_document
0.011 proprietary_domain_bl
0.01 anomaly_persistence_autorun
0.01 infostealer_ftp
0.009 antianalysis_detectreg
0.008 mimics_filetime
0.008 reads_self
0.007 virus
0.006 bootkit
0.006 stealth_file
0.006 antivm_generic_disk
0.006 antiav_detectfile
0.006 infostealer_im
0.005 hancitor_behavior
0.005 geodo_banking_trojan
0.004 proprietary_anomaly_massive_file_ops
0.004 infostealer_bitcoin
0.004 infostealer_mail
0.004 ransomware_extensions
0.004 ransomware_files
0.003 shifu_behavior
0.003 antivm_vbox_files
0.003 disables_browser_warn
0.002 tinba_behavior
0.002 rat_nanocore
0.002 anomaly_persistence_bootexecute
0.002 creates_nullvalue
0.002 browser_security
0.002 modify_proxy
0.002 network_torgateway
0.001 antiemu_wine_func
0.001 proprietary_anomaly_write_exe_and_obsfucate_extension
0.001 proprietary_malicious_write_executeable_under_temp_to_regrun
0.001 injection_createremotethread
0.001 anomaly_reset_winsock
0.001 antivm_generic_services
0.001 betabot_behavior
0.001 creates_largekey
0.001 ursnif_behavior
0.001 kibex_behavior
0.001 antivm_generic_scsi
0.001 nymaim_behavior
0.001 cerber_behavior
0.001 injection_runpe
0.001 kovter_behavior
0.001 antianalysis_detectfile
0.001 antivm_generic_diskreg
0.001 antivm_parallels_keys
0.001 antivm_xen_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 disables_system_restore
0.001 disables_windows_defender
0.001 darkcomet_regkeys
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 proprietary_bad_drop
0.001 network_cnc_http
0.001 recon_fingerprint
0.001 stealth_modify_uac_prompt

Reporting ( 0.736 seconds )

0.651 ReportHTMLSummary
0.085 Malheur


Task ID	744443
Mongo ID	662f125d7e769a05bc3db38e
Cuckoo release	1.4-Maldun