Analysis task

Analysis type: File (Windows)
VM label: win7-sp1-x64-shaapp02-1
Start time: 2024-04-26 10:30:33
End time: 2024-04-26 10:31:52
Duration: 79 seconds

Maldun score

8.075

Dangerous

File details

File name: ntoskrnl.exe
File size: 540160 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 83fdc0b805b82f0d2b7770d3ff1dae23
SHA1: dcbb6de18d1ad11ecf9f19e65d17a644ea26bc85
SHA256: 8639798464c288a81814e3966742e82c34f8f7ed37eab1fc711485e77a81fc5c
SHA512: e321d8b8af2f93e278845c93e00c33030e3568eeada7981dfee12c4a5ff3f3f097cd4dbac522844b320d258c49cff80d342c3944e01f1b504bf9abc1c6c1f9b6
CRC32: BC0735A2
Ssdeep: 12288:M0dNLlIYQuZLVs4lu6R6W5AMdx2PgutcoW9b/:ddtaY/y4lu06W5AMaPgLo6


Hosts contacted

No host records.

Domain resolution

No domain information.


PE information

Image base: 0x00400000
Entry point: 0x00403022
Claimed checksum: 0x00000000
Actual checksum: 0x00084404
Minimum OS version: 4.0
Compile time: 2039-07-21 02:19:55
Import hash (imphash): 2f727a975c44a2925ace416e4a5ad2d8

Version information (field names only; no values extracted)

Translation
LegalCopyright
Assembly Version
InternalName
FileVersion
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00002000 0x00001028 0x00001200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.13
.rsrc 0x00004000 0x000005ac 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.05
.reloc 0x00006000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.08
.enigma1 0x00008000 0x00002000 0x00036000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.82
.enigma2 0x0000a000 0x0004c000 0x0004c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.89

Imports

Library: kernel32.dll
0x448178 VirtualFree
0x44817c VirtualAlloc
0x448180 LocalFree
0x448184 LocalAlloc
0x448188 GetTickCount
0x448190 GetVersion
0x448194 GetCurrentThreadId
0x4481a0 VirtualQuery
0x4481a4 WideCharToMultiByte
0x4481a8 MultiByteToWideChar
0x4481ac lstrlenA
0x4481b0 lstrcpynA
0x4481b4 LoadLibraryExA
0x4481b8 GetThreadLocale
0x4481bc GetStartupInfoA
0x4481c0 GetProcAddress
0x4481c4 GetModuleHandleA
0x4481c8 GetModuleFileNameA
0x4481cc GetLocaleInfoA
0x4481d0 GetCommandLineA
0x4481d4 FreeLibrary
0x4481d8 FindFirstFileA
0x4481dc FindClose
0x4481e0 ExitProcess
0x4481e4 ExitThread
0x4481e8 WriteFile
0x4481f0 RtlUnwind
0x4481f4 RaiseException
0x4481f8 GetStdHandle
Library: user32.dll
0x448200 GetKeyboardType
0x448204 LoadStringA
0x448208 MessageBoxA
0x44820c CharNextA
Library: advapi32.dll
0x448214 RegQueryValueExA
0x448218 RegOpenKeyExA
0x44821c RegCloseKey
Library: oleaut32.dll
0x448224 SysFreeString
0x448228 SysReAllocStringLen
0x44822c SysAllocStringLen
Library: kernel32.dll
0x448234 TlsSetValue
0x448238 TlsGetValue
0x44823c TlsFree
0x448240 TlsAlloc
0x448244 LocalFree
0x448248 LocalAlloc
Library: advapi32.dll
0x448250 RegOpenKeyA
Library: kernel32.dll
0x448258 WriteProcessMemory
0x44825c WriteFile
0x448260 WideCharToMultiByte
0x448264 WaitForSingleObject
0x448268 VirtualQuery
0x44826c VirtualProtectEx
0x448270 VirtualProtect
0x448274 VirtualFree
0x448278 VirtualAllocEx
0x44827c VirtualAlloc
0x448284 SizeofResource
0x448288 SetThreadContext
0x44828c SetLastError
0x448290 SetFilePointer
0x448294 SetFileAttributesW
0x448298 SetFileAttributesA
0x44829c SetEvent
0x4482a0 SetErrorMode
0x4482a4 SetEndOfFile
0x4482b0 ResetEvent
0x4482b4 RemoveDirectoryW
0x4482b8 RemoveDirectoryA
0x4482bc ReadProcessMemory
0x4482c0 ReadFile
0x4482c4 RaiseException
0x4482c8 QueryDosDeviceW
0x4482d0 MultiByteToWideChar
0x4482d4 LockResource
0x4482d8 LoadResource
0x4482dc LoadLibraryW
0x4482e0 LoadLibraryA
0x4482e8 IsBadWritePtr
0x4482ec IsBadStringPtrW
0x4482f0 IsBadReadPtr
0x448300 GetVersionExA
0x448304 GetVersion
0x448308 GetThreadLocale
0x44830c GetThreadContext
0x448310 GetTempPathW
0x448314 GetTempPathA
0x448318 GetTempFileNameW
0x44831c GetTempFileNameA
0x448320 GetSystemDirectoryW
0x448324 GetSystemDirectoryA
0x448328 GetStringTypeExW
0x44832c GetStringTypeExA
0x448330 GetStdHandle
0x448334 GetProcAddress
0x448338 GetModuleHandleA
0x44833c GetModuleFileNameW
0x448340 GetModuleFileNameA
0x448348 GetLocaleInfoW
0x44834c GetLocaleInfoA
0x448350 GetLocalTime
0x448354 GetLastError
0x448358 GetFullPathNameW
0x44835c GetFullPathNameA
0x448360 GetFileSize
0x448364 GetFileAttributesW
0x448368 GetFileAttributesA
0x44836c GetDiskFreeSpaceA
0x448370 GetDateFormatA
0x448374 GetCurrentThreadId
0x448378 GetCurrentProcessId
0x44837c GetCurrentProcess
0x448388 GetCPInfo
0x44838c GetACP
0x448390 FreeResource
0x448394 FreeLibrary
0x448398 FormatMessageA
0x4483a0 FlushFileBuffers
0x4483a4 FindResourceW
0x4483a8 FindNextFileW
0x4483ac FindNextFileA
0x4483b0 FindFirstFileW
0x4483b4 FindFirstFileA
0x4483b8 FindClose
0x4483c4 ExitProcess
0x4483c8 EnumCalendarInfoA
0x4483d0 DeleteFileW
0x4483d4 DeleteFileA
0x4483dc CreateRemoteThread
0x4483e0 CreateFileW
0x4483e4 CreateFileA
0x4483e8 CreateEventA
0x4483ec CreateDirectoryW
0x4483f0 CreateDirectoryA
0x4483f4 CompareStringW
0x4483f8 CompareStringA
0x4483fc CloseHandle
Library: user32.dll
0x448404 MessageBoxW
0x448408 MessageBoxA
0x44840c LoadStringA
0x448410 GetSystemMetrics
0x448414 CharUpperBuffW
0x448418 CharUpperW
0x44841c CharLowerBuffW
0x448420 CharLowerW
0x448424 CharNextA
0x448428 CharLowerA
0x44842c CharUpperA
0x448430 CharToOemA
Library: kernel32.dll
0x448438 Sleep
Library: kernel32.dll
0x448440 QueryDosDeviceW
0x448444 GetModuleHandleA
0x448448 GetProcAddress
Library: ole32.dll
0x448454 CoUninitialize
0x448458 CoInitialize
Library: oleaut32.dll
0x448460 GetErrorInfo
0x448464 SysFreeString
Library: oleaut32.dll
0x44846c SafeArrayPtrOfIndex
0x448470 SafeArrayGetUBound
0x448474 SafeArrayGetLBound
0x448478 SafeArrayCreate
0x44847c VariantChangeType
0x448480 VariantCopy
0x448484 VariantClear
0x448488 VariantInit
Library: ntdll.dll
Library: SHFolder.dll
0x4484a4 SHGetFolderPathW
0x4484a8 SHGetFolderPathA
Library: ntdll.dll
Library: shlwapi.dll
0x4484b8 PathMatchSpecW

Strings

v4.0.30319
#Strings
#GUID
#Blob
<Module>
System.IO
mscorlib
Synchronized
defaultInstance
RuntimeTypeHandle
GetTypeFromHandle
GetFileName
get_Culture
set_Culture
resourceCulture
ApplicationSettingsBase
EditorBrowsableState
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
value
ntoskrnl.exe
uploading
System.Runtime.Versioning
String
directoryPath
System.ComponentModel
uploading.dll
ntoskrnl
Program
System
resourceMan
GetExtension
System.Configuration
System.Globalization
System.Reflection
DirectoryNotFoundException
UnauthorizedAccessException
StringComparison
CultureInfo
get_ResourceManager
System.CodeDom.Compiler
.ctor
.cctor
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
a.Properties.Resources.resources
DebuggingModes
GetDirectories
ntoskrnl.exe.Properties
SearchFiles
GetFiles
GetLogicalDrives
Settings
Equals
Exists
Object
get_Default
get_Assembly
Directory
ntoskrnl
2024
$E5FA6145-235A-49A2-AAFB-B4C7ECA89F50
1.0.0.0
4.0.0.0
11.0.0.0
\ntoskrnl\obj\Debug\ntoskrnl.pdb
_CorExeMain
mscoree.dll
</assembly>
.rsrc
[suijishu]
OPTIONS
3456789+/
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.DLL
ole32.dll
OLEAUT32.dll
oledlg.dll
USER32.dll
WINSPOOL.DRV
RegCloseKey
Escape
GetProcAddress
LoadLibraryA
VirtualProtect
OleRun
GetDC
OpenPrinterA
uploading.dll
uploading
SOFTWARE
ntoskrnl.Properties.Resources
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
ntoskrnl
FileVersion
1.0.0.0
InternalName
ntoskrnl.exe
LegalCopyright
2024
LegalTrademarks
OriginalFilename
ntoskrnl.exe
ProductName
ntoskrnl
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
%DEFAULT FOLDER%
uploading.dll
VS_VERSION_INFO
StringFileInfo
080404B0
FileVersion
1.0.0.0
FileDescription
ProductName
ProductVersion
1.0.0.0
LegalCopyright
Comments
(http://www.eyuyan.com)
VarFileInfo
Translation

No antivirus engine scan information.

Process tree

ntoskrnl.exe, PID: 2456, parent PID: 2168

TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 49160 184.86.251.142 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.201 63246 192.168.122.1 53

HTTP requests

URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Note: acroipm.adobe.com with User-Agent "IPM" is the Adobe Reader in-product messaging check, and the report does not tie this request to the sample's process, so it may be background traffic from the analysis VM rather than activity of the sample.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files.
No dropped files.
No similar analyses found.

Processing ( 17.495 seconds )

  • 11.466 Suricata
  • 2.198 Static
  • 1.897 BehaviorAnalysis
  • 1.246 NetworkAnalysis
  • 0.363 TargetInfo
  • 0.298 peid
  • 0.012 AnalysisInfo
  • 0.012 Strings
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 3.777 seconds )

  • 1.343 proprietary_url_bl
  • 0.483 antiav_detectfile
  • 0.345 infostealer_bitcoin
  • 0.196 antivm_vbox_files
  • 0.188 infostealer_ftp
  • 0.133 infostealer_im
  • 0.09 antidbg_devices
  • 0.086 api_spamming
  • 0.084 rat_pcclient
  • 0.081 infostealer_mail
  • 0.074 stealth_decoy_document
  • 0.072 network_tor
  • 0.072 stealth_timeout
  • 0.062 codelux_behavior
  • 0.04 sniffer_winpcap
  • 0.038 betabot_behavior
  • 0.037 antivm_vmware_files
  • 0.036 kazybot_behavior
  • 0.033 hawkeye_behavior
  • 0.028 kibex_behavior
  • 0.022 geodo_banking_trojan
  • 0.02 malicous_targeted_flame
  • 0.018 antivm_vpc_files
  • 0.017 banker_cridex
  • 0.017 network_tor_service
  • 0.016 antiav_detectreg
  • 0.015 antianalysis_detectfile
  • 0.013 shifu_behavior
  • 0.013 spreading_autoruninf
  • 0.011 antisandbox_sunbelt_files
  • 0.008 bitcoin_opencl
  • 0.008 proprietary_domain_bl
  • 0.007 antisandbox_fortinet_files
  • 0.007 antivm_vbox_devices
  • 0.006 antisandbox_threattrack_files
  • 0.005 anomaly_persistence_autorun
  • 0.004 antisandbox_cuckoo_files
  • 0.004 antisandbox_joe_anubis_files
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 anomaly_persistence_ads
  • 0.003 antianalysis_detectreg
  • 0.003 antivm_vmware_devices
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 antiemu_wine_func
  • 0.002 infostealer_browser_password
  • 0.002 kovter_behavior
  • 0.002 disables_browser_warn
  • 0.001 rat_nanocore
  • 0.001 antivm_generic_services
  • 0.001 ursnif_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http
  • 0.001 rat_spynet

Reporting ( 0.646 seconds )

  • 0.535 ReportHTMLSummary
  • 0.111 Malheur
Task ID 744331
Mongo ID 662b125ddc327b93ad415e71
Cuckoo release 1.4-Maldun