Analysis Task

Analysis type: File (Windows)
VM label: win7-sp1-x64-shaapp03-1
Start time: 2024-04-18 12:43:33
End time: 2024-04-18 12:44:37
Duration: 64 seconds

Maldun Score

4.325

Suspicious

File Details

File name: CSZP.exe
File size: 8798987 bytes
File type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: bba0b7803894e98f54e8914b76c041d0
SHA1: a165fe98e2659cc5231f6a3334ded0e72bcfdf4f
SHA256: 92243b1bad79ebbf070041a7c3fa91ac127387bf7265118c989da1fcc5b88711
SHA512: 604cde0554ae09eb688dbddff9b7c0821984367461c6222aa8b00b650e1b4b6f0d84704cb847f53d0eda1621542c97a936e87e0afd96652de0f0152e29284c3c
CRC32: 50F8A073
Ssdeep: 196608:VqHL2V76+DXLZy7YM30Lzajk/1q3+dgSXpLa8Y0W8/LaghH0u:0HL2V76m70Gzajaq3+d9XxaIW8tUu

Hosts Contacted

No host records.

Domain Resolution

No domain information.


Summary

PE Information

Image base: 0x140000000
Entry point: 0x14000afb0
Declared checksum: 0x0087242c
Actual checksum: 0x0087242c
Minimum OS version: 5.2
Compile time: 2024-04-04 09:53:40
Import hash: a6cec5b1a631d592d80900ab7e1de8df
Icon exact hash: 99f8909119f22355b3423d4cad169539
Icon similarity hash: c5a2ab820da81f9db77abd76bbd9764e

PE Sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x00028720 0x00028800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.48
.rdata 0x0002a000 0x00012a9e 0x00012c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.82
.data 0x0003d000 0x000103e8 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.81
.pdata 0x0004e000 0x000020c4 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.33
_RDATA 0x00051000 0x0000015c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.76
.rsrc 0x00052000 0x0000f498 0x0000f600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.56
.reloc 0x00062000 0x00000758 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.24

Overlay

Offset: 0x0004e800
Size: 0x00815b0b

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_ICON 0x00060a3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.39 GLS_BINARY_LSB_FIRST
RT_ICON 0x00060a3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.39 GLS_BINARY_LSB_FIRST
RT_ICON 0x00060a3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.39 GLS_BINARY_LSB_FIRST
RT_ICON 0x00060a3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.39 GLS_BINARY_LSB_FIRST
RT_ICON 0x00060a3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.39 GLS_BINARY_LSB_FIRST
RT_ICON 0x00060a3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.39 GLS_BINARY_LSB_FIRST
RT_ICON 0x00060a3c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 6.39 GLS_BINARY_LSB_FIRST
RT_GROUP_ICON 0x00060ea4 0x00000068 LANG_NEUTRAL SUBLANG_NEUTRAL 2.72 MS Windows icon resource - 7 icons, 48x48
RT_MANIFEST 0x00060f0c 0x00000589 LANG_NEUTRAL SUBLANG_NEUTRAL 5.30 XML 1.0 document, ASCII text, with CRLF line terminators

Imports

Library: USER32.dll:
0x14002a388 CreateWindowExW
0x14002a390 MessageBoxW
0x14002a398 MessageBoxA
0x14002a3a0 SystemParametersInfoW
0x14002a3a8 DestroyIcon
0x14002a3b0 SetWindowLongPtrW
0x14002a3b8 GetWindowLongPtrW
0x14002a3c0 GetClientRect
0x14002a3c8 InvalidateRect
0x14002a3d0 ReleaseDC
0x14002a3d8 GetDC
0x14002a3e0 DrawTextW
0x14002a3e8 GetDialogBaseUnits
0x14002a3f0 EndDialog
0x14002a3f8 DialogBoxIndirectParamW
0x14002a400 MoveWindow
0x14002a408 SendMessageW
Library: COMCTL32.dll:
0x14002a028 None
Library: KERNEL32.dll:
0x14002a058 IsValidCodePage
0x14002a060 GetStringTypeW
0x14002a068 GetFileAttributesExW
0x14002a070 HeapReAlloc
0x14002a078 FlushFileBuffers
0x14002a080 GetCurrentDirectoryW
0x14002a088 GetACP
0x14002a090 GetOEMCP
0x14002a098 GetModuleHandleW
0x14002a0a0 MulDiv
0x14002a0a8 GetLastError
0x14002a0b0 SetDllDirectoryW
0x14002a0b8 GetModuleFileNameW
0x14002a0c0 GetProcAddress
0x14002a0c8 GetCommandLineW
0x14002a0d0 GetEnvironmentVariableW
0x14002a0d8 GetCPInfo
0x14002a0e8 CreateDirectoryW
0x14002a0f0 GetTempPathW
0x14002a0f8 WaitForSingleObject
0x14002a100 Sleep
0x14002a108 GetExitCodeProcess
0x14002a110 CreateProcessW
0x14002a118 GetStartupInfoW
0x14002a120 FreeLibrary
0x14002a128 LoadLibraryExW
0x14002a130 SetConsoleCtrlHandler
0x14002a138 FindClose
0x14002a140 FindFirstFileExW
0x14002a148 CloseHandle
0x14002a150 GetCurrentProcess
0x14002a158 LocalFree
0x14002a160 FormatMessageW
0x14002a168 MultiByteToWideChar
0x14002a170 WideCharToMultiByte
0x14002a178 GetEnvironmentStringsW
0x14002a180 FreeEnvironmentStringsW
0x14002a188 GetProcessHeap
0x14002a190 GetTimeZoneInformation
0x14002a198 HeapSize
0x14002a1a0 WriteConsoleW
0x14002a1a8 SetEndOfFile
0x14002a1b0 SetEnvironmentVariableW
0x14002a1b8 RtlUnwindEx
0x14002a1c0 RtlCaptureContext
0x14002a1c8 RtlLookupFunctionEntry
0x14002a1d0 RtlVirtualUnwind
0x14002a1d8 UnhandledExceptionFilter
0x14002a1e8 TerminateProcess
0x14002a1f8 QueryPerformanceCounter
0x14002a200 GetCurrentProcessId
0x14002a208 GetCurrentThreadId
0x14002a210 GetSystemTimeAsFileTime
0x14002a218 InitializeSListHead
0x14002a220 IsDebuggerPresent
0x14002a228 SetLastError
0x14002a230 EnterCriticalSection
0x14002a238 LeaveCriticalSection
0x14002a240 DeleteCriticalSection
0x14002a250 TlsAlloc
0x14002a258 TlsGetValue
0x14002a260 TlsSetValue
0x14002a268 TlsFree
0x14002a270 EncodePointer
0x14002a278 RaiseException
0x14002a280 RtlPcToFileHeader
0x14002a288 GetCommandLineA
0x14002a290 CreateFileW
0x14002a298 GetDriveTypeW
0x14002a2a8 GetFileType
0x14002a2b0 PeekNamedPipe
0x14002a2c0 FileTimeToSystemTime
0x14002a2c8 GetFullPathNameW
0x14002a2d0 RemoveDirectoryW
0x14002a2d8 FindNextFileW
0x14002a2e0 SetStdHandle
0x14002a2e8 DeleteFileW
0x14002a2f0 ReadFile
0x14002a2f8 GetStdHandle
0x14002a300 WriteFile
0x14002a308 ExitProcess
0x14002a310 GetModuleHandleExW
0x14002a318 HeapFree
0x14002a320 GetConsoleMode
0x14002a328 ReadConsoleW
0x14002a330 SetFilePointerEx
0x14002a338 GetConsoleOutputCP
0x14002a340 GetFileSizeEx
0x14002a348 HeapAlloc
0x14002a350 FlsAlloc
0x14002a358 FlsGetValue
0x14002a360 FlsSetValue
0x14002a368 FlsFree
0x14002a370 CompareStringW
0x14002a378 LCMapStringW
Library: ADVAPI32.dll:
0x14002a000 OpenProcessToken
0x14002a008 GetTokenInformation
0x14002a018 ConvertSidToStringSidW
Library: GDI32.dll:
0x14002a038 SelectObject
0x14002a040 DeleteObject
0x14002a048 CreateFontIndirectW

No antivirus engine scan information.

Process Tree

CSZP.exe, PID: 2664, parent PID: 2332
CSZP.exe, PID: 2844, parent PID: 2664

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49158 72.246.244.137 80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP Requests

URI: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
HTTP data:
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 23.756 seconds )

  • 11.776 Suricata
  • 4.927 BehaviorAnalysis
  • 3.428 Static
  • 2.018 TargetInfo
  • 1.252 NetworkAnalysis
  • 0.313 peid
  • 0.016 config_decoder
  • 0.012 AnalysisInfo
  • 0.012 Strings
  • 0.002 Memory

Signatures ( 4.677 seconds )

  • 1.382 proprietary_url_bl
  • 0.276 reads_self
  • 0.265 api_spamming
  • 0.217 mimics_filetime
  • 0.212 stealth_timeout
  • 0.184 stealth_decoy_document
  • 0.184 virus
  • 0.174 bootkit
  • 0.164 stealth_file
  • 0.154 antivm_generic_disk
  • 0.112 proprietary_malicious_write_executeable_under_temp_to_regrun
  • 0.11 proprietary_anomaly_massive_file_ops
  • 0.103 antiav_detectfile
  • 0.102 proprietary_anomaly_write_exe_and_obsfucate_extension
  • 0.065 proprietary_anomaly_write_exe_and_dll_under_winroot_run
  • 0.065 ransomware_extensions
  • 0.06 hancitor_behavior
  • 0.053 infostealer_bitcoin
  • 0.051 infostealer_browser
  • 0.049 rat_luminosity
  • 0.047 ipc_namedpipe
  • 0.043 sets_autoconfig_url
  • 0.042 ransomware_message
  • 0.039 proprietary_anomaly_terminated_process
  • 0.039 securityxploded_modules
  • 0.039 ransomware_files
  • 0.031 infostealer_ftp
  • 0.031 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.028 antivm_vbox_files
  • 0.024 disables_spdy
  • 0.024 disables_wfp
  • 0.021 infostealer_browser_password
  • 0.021 antiav_detectreg
  • 0.021 infostealer_im
  • 0.017 office_dl_write_exe
  • 0.015 antidbg_devices
  • 0.014 office_write_exe
  • 0.014 TrickBotTaskDelete
  • 0.013 infostealer_mail
  • 0.011 anomaly_persistence_autorun
  • 0.01 rat_nanocore
  • 0.01 deletes_self
  • 0.01 rat_pcclient
  • 0.009 removes_zoneid_ads
  • 0.009 network_tor
  • 0.008 proprietary_domain_bl
  • 0.007 tinba_behavior
  • 0.007 betabot_behavior
  • 0.007 sniffer_winpcap
  • 0.006 geodo_banking_trojan
  • 0.006 stealth_web_history
  • 0.005 kazybot_behavior
  • 0.005 kibex_behavior
  • 0.005 antivm_vmware_files
  • 0.005 codelux_behavior
  • 0.004 hawkeye_behavior
  • 0.004 antianalysis_detectreg
  • 0.003 shifu_behavior
  • 0.003 antianalysis_detectfile
  • 0.003 malicous_targeted_flame
  • 0.003 network_http
  • 0.002 cerber_behavior
  • 0.002 spreading_autoruninf
  • 0.002 modifies_hostfile
  • 0.002 antivm_vpc_files
  • 0.002 banker_cridex
  • 0.002 disables_browser_warn
  • 0.002 network_tor_service
  • 0.001 ursnif_behavior
  • 0.001 antisandbox_fortinet_files
  • 0.001 antisandbox_sunbelt_files
  • 0.001 antisandbox_threattrack_files
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_devices
  • 0.001 antivm_xen_keys
  • 0.001 bitcoin_opencl
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http
  • 0.001 ransomware_radamant
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt
  • 0.001 stealth_modify_security_center_warnings

Reporting ( 0.723 seconds )

  • 0.656 ReportHTMLSummary
  • 0.067 Malheur
Task ID 744079
Mongo ID 6620a58b7e769a7c1916e764
Cuckoo release 1.4-Maldun