Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-shaapp03-4  2024-11-30 14:03:06  2024-11-30 14:03:47  41 seconds

Maldun score

9.875

Dangerous

File details

File name  mscms.dll
File size  464896 bytes
File type  PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 d4fc911b73e46f3cdaa5a421c9256f7b
SHA1 2df0a249ef8ab5702078b786fa9ec010a7ceb22a
SHA256 c9d6dedc09d01404a836645d5fe632e61b585d6b897c5b48229b430b07f2267b
SHA512 c14e1d149685773786a97470fa0ad388f6b709e28f208bd592e925073bd89257c5bf4a4727dcb8ec99afe0b7bdb1b0856864a1fee7f7ac121735536a71b62624
CRC32 B2F2DD30
Ssdeep 6144:5KiGIJOGVyw2D28iXh94inJNnlrDwcj0vvS9GXUNd+IJZ0I:nGIcwyw2D28iXh94in4nS9GX6p0

Hosts contacted

No host records.

DNS resolutions

No domain information.


PE information

Image base  0x180000000
Entry point  0x180010ca0
Declared checksum  0x00000000
Actual checksum  0x00072a00
Minimum OS version required  6.0
Compile time  2024-11-30 12:18:26
Import hash (imphash)  99242edad1925457006599f9740e4783

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x00053647 0x00053800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.81
.rdata 0x00055000 0x00015b18 0x00015c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.62
.data 0x0006b000 0x00002894 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.10
.pdata 0x0006e000 0x00003c84 0x00003e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.51
.detourc 0x00072000 0x00002210 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.63
.detourd 0x00075000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.12
.rsrc 0x00076000 0x000000f8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.53
.reloc 0x00077000 0x00000b00 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.29

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_MANIFEST 0x00076060 0x00000091 LANG_ENGLISH SUBLANG_ENGLISH_US 4.89 XML 1.0 document text

Imports

Library: KERNEL32.dll:
0x180055008 CloseHandle
0x180055010 CreateThread
0x180055018 GetModuleHandleW
0x180055020 GetProcAddress
0x180055028 GetModuleHandleA
0x180055030 IsBadReadPtr
0x180055038 GetCurrentThread
0x180055040 Sleep
0x180055048 GetTickCount64
0x180055050 VirtualProtect
0x180055058 CreateFileW
0x180055060 GetConsoleMode
0x180055068 GetConsoleOutputCP
0x180055070 FlushFileBuffers
0x180055078 SetStdHandle
0x180055080 SetFilePointerEx
0x180055088 GetFileSizeEx
0x180055090 GetStringTypeW
0x180055098 WriteConsoleW
0x1800550a0 OutputDebugStringW
0x1800550a8 WriteFile
0x1800550b0 HeapQueryInformation
0x1800550b8 HeapReAlloc
0x1800550c0 HeapFree
0x1800550c8 GetLastError
0x1800550d0 GetCurrentProcess
0x1800550d8 GetCurrentThreadId
0x1800550e0 SuspendThread
0x1800550e8 ResumeThread
0x1800550f0 GetThreadContext
0x1800550f8 SetThreadContext
0x180055100 FlushInstructionCache
0x180055108 VirtualAlloc
0x180055110 VirtualFree
0x180055118 VirtualQuery
0x180055120 SetLastError
0x180055128 FreeLibrary
0x180055130 LoadLibraryExW
0x180055138 RtlCaptureContext
0x180055140 RtlLookupFunctionEntry
0x180055148 RtlVirtualUnwind
0x180055150 UnhandledExceptionFilter
0x180055160 TerminateProcess
0x180055170 IsDebuggerPresent
0x180055178 GetStartupInfoW
0x180055180 QueryPerformanceCounter
0x180055188 GetCurrentProcessId
0x180055190 GetSystemTimeAsFileTime
0x180055198 InitializeSListHead
0x1800551a0 RtlUnwindEx
0x1800551a8 RtlPcToFileHeader
0x1800551b0 RaiseException
0x1800551b8 InterlockedFlushSList
0x1800551c0 EncodePointer
0x1800551c8 EnterCriticalSection
0x1800551d0 LeaveCriticalSection
0x1800551d8 DeleteCriticalSection
0x1800551e8 TlsAlloc
0x1800551f0 TlsGetValue
0x1800551f8 TlsSetValue
0x180055200 TlsFree
0x180055208 ExitProcess
0x180055210 GetModuleHandleExW
0x180055218 GetModuleFileNameW
0x180055220 HeapAlloc
0x180055228 HeapSize
0x180055230 HeapValidate
0x180055238 GetSystemInfo
0x180055240 GetStdHandle
0x180055248 GetFileType
0x180055250 FlsAlloc
0x180055258 FlsGetValue
0x180055260 FlsSetValue
0x180055268 FlsFree
0x180055270 LCMapStringW
0x180055278 FindClose
0x180055280 FindFirstFileExW
0x180055288 FindNextFileW
0x180055290 IsValidCodePage
0x180055298 GetACP
0x1800552a0 GetOEMCP
0x1800552a8 GetCPInfo
0x1800552b0 GetCommandLineA
0x1800552b8 GetCommandLineW
0x1800552c0 MultiByteToWideChar
0x1800552c8 WideCharToMultiByte
0x1800552d0 GetEnvironmentStringsW
0x1800552d8 FreeEnvironmentStringsW
0x1800552e0 GetProcessHeap
Library: USER32.dll:
0x1800552f0 GetAsyncKeyState
0x1800552f8 GetClientRect
0x180055300 GetCursorPos
0x180055308 ScreenToClient
0x180055310 FindWindowA
0x180055318 MessageBoxW
0x180055320 SendInput
Library: d3d9.dll:
0x180055340 Direct3DCreate9
Library: d3dx9_43.dll:
0x180055350 D3DXCreateLine
0x180055358 D3DXVec3Project
0x180055360 D3DXCreateFontA
Library: WS2_32.dll:
0x180055330 sendto

No antivirus engine scan information!

Process tree

rundll32.exe, PID: 2572, parent PID: 2240

TCP

Source address  Source port  Destination address  Destination port
192.168.122.204 49160 208.185.115.123 80

UDP

Source address  Source port  Destination address  Destination port
192.168.122.204 65509 192.168.122.1 53

HTTP requests

URI  HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
No files were dropped.
No similar analyses found.

Processing ( 15.218 seconds )

  • 11.864 Suricata
  • 1.423 NetworkAnalysis
  • 0.892 Static
  • 0.456 TargetInfo
  • 0.395 peid
  • 0.148 BehaviorAnalysis
  • 0.019 AnalysisInfo
  • 0.014 Strings
  • 0.006 Memory
  • 0.001 config_decoder

Signatures ( 1.837 seconds )

  • 1.701 proprietary_url_bl
  • 0.02 antiav_detectreg
  • 0.011 proprietary_domain_bl
  • 0.009 anomaly_persistence_autorun
  • 0.008 infostealer_ftp
  • 0.007 ransomware_files
  • 0.006 antiav_detectfile
  • 0.006 ransomware_extensions
  • 0.005 infostealer_im
  • 0.004 api_spamming
  • 0.004 antianalysis_detectreg
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 network_http
  • 0.003 stealth_decoy_document
  • 0.003 stealth_timeout
  • 0.003 infostealer_mail
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 cerber_behavior
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 proprietary_bad_drop
  • 0.001 hawkeye_behavior
  • 0.001 mimics_filetime
  • 0.001 anomaly_persistence_bootexecute
  • 0.001 reads_self
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_anomaly_mismatch_mime_extension
  • 0.001 network_cnc_http
  • 0.001 rat_pcclient
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_hiddenreg
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.811 seconds )

  • 0.8 ReportHTMLSummary
  • 0.011 Malheur

Task ID 764137
Mongo ID 674aaaee7e769a640442e959
Cuckoo release 1.4-Maldun