恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-hpdapp01-1	2018-03-23 22:25:32	2018-03-23 22:27:59	147 秒

魔盾分数

4.8

可疑的

文件详细信息

文件名	SystemSettingsBroker.exe
文件大小	196096 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	c5b116baf00021a5c818e16c377a7c52
SHA1	d540ef03f7d71425d7ce2c7fbbcfb5f68061db54
SHA256	bf1c6a7696393ebb43f91f60efa7a793a9b7e5e71782c2ba3acafe3ea935ad83
SHA512	2cee7aea7320c92b738ee71721ea74cf2acab421f86eb5efebf2692b3383dc706d024e923e68e74322562f46f761f6230e4b210309ef65066a328fbaa98111f1
CRC32	6DD91731
Ssdeep	3072:LHTXh1+sOsOHrHT/gd+RbJEj0z7g5h0gL41XxEvfXBsJy7BcJL29xGwVBIZ:LHT33KP4gbJzT6+Jylc0eB
Yara	登录查看Yara规则
	样本下载提交漏报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x004274e8
声明校验值	0x00000000
实际校验值	0x00030955
最低操作系统版本要求	4.0
编译时间	2013-02-05 07:06:48
载入哈希	a47a07f9e013e4d3faa72b51f29d500d

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00025f14	0x00026000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.54
.itext	0x00027000	0x000007d8	0x00000800	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.10
.data	0x00028000	0x00000f1c	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.96
.bss	0x00029000	0x00005ad4	0x00000000	IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.idata	0x0002f000	0x00001238	0x00001400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.75
.tls	0x00031000	0x0000000c	0x00000000	IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.rdata	0x00032000	0x00000018	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	0.21
.reloc	0x00033000	0x00002d2c	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	0.00
.rsrc	0x00036000	0x00006bc0	0x00006c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.77

导入

库: oleaut32.dll:

• 0x42f3f0 SysFreeString

• 0x42f3f4 SysReAllocStringLen

• 0x42f3f8 SysAllocStringLen

库: advapi32.dll:

• 0x42f400 RegQueryValueExA

• 0x42f404 RegOpenKeyExA

• 0x42f408 RegCloseKey

库: user32.dll:

• 0x42f410 GetKeyboardType

• 0x42f414 DestroyWindow

• 0x42f418 LoadStringA

• 0x42f41c MessageBoxA

• 0x42f420 CharNextA

库: kernel32.dll:

• 0x42f428 GetACP

• 0x42f42c Sleep

• 0x42f430 VirtualFree

• 0x42f434 VirtualAlloc

• 0x42f438 GetCurrentThreadId

• 0x42f43c InterlockedDecrement

• 0x42f440 InterlockedIncrement

• 0x42f444 VirtualQuery

• 0x42f448 WideCharToMultiByte

• 0x42f44c MultiByteToWideChar

• 0x42f450 lstrlenA

• 0x42f454 lstrcpynA

• 0x42f458 LoadLibraryExA

• 0x42f45c GetThreadLocale

• 0x42f460 GetStartupInfoA

• 0x42f464 GetProcAddress

• 0x42f468 GetModuleHandleA

• 0x42f46c GetModuleFileNameA

• 0x42f470 GetLocaleInfoA

• 0x42f474 GetCommandLineA

• 0x42f478 FreeLibrary

• 0x42f47c FindFirstFileA

• 0x42f480 FindClose

• 0x42f484 ExitProcess

• 0x42f488 CompareStringA

• 0x42f48c WriteFile

• 0x42f490 UnhandledExceptionFilter

• 0x42f494 RtlUnwind

• 0x42f498 RaiseException

• 0x42f49c GetStdHandle

库: kernel32.dll:

• 0x42f4a4 TlsSetValue

• 0x42f4a8 TlsGetValue

• 0x42f4ac LocalAlloc

• 0x42f4b0 GetModuleHandleA

库: user32.dll:

• 0x42f4b8 CreateWindowExA

• 0x42f4bc UnregisterClassA

• 0x42f4c0 TranslateMessage

• 0x42f4c4 SetWindowLongA

• 0x42f4c8 SetTimer

• 0x42f4cc RegisterClassA

• 0x42f4d0 PostThreadMessageA

• 0x42f4d4 PeekMessageA

• 0x42f4d8 MessageBoxA

• 0x42f4dc LoadStringA

• 0x42f4e0 KillTimer

• 0x42f4e4 GetWindowLongA

• 0x42f4e8 GetSystemMetrics

• 0x42f4ec GetClassInfoA

• 0x42f4f0 DispatchMessageA

• 0x42f4f4 DestroyWindow

• 0x42f4f8 DefWindowProcA

• 0x42f4fc CharNextA

• 0x42f500 CharUpperBuffA

• 0x42f504 CharToOemA

库: version.dll:

• 0x42f50c VerQueryValueA

• 0x42f510 GetFileVersionInfoSizeA

• 0x42f514 GetFileVersionInfoA

库: kernel32.dll:

• 0x42f51c WriteFile

• 0x42f520 WaitForSingleObject

• 0x42f524 VirtualQuery

• 0x42f528 VirtualAlloc

• 0x42f52c SizeofResource

• 0x42f530 SetFilePointer

• 0x42f534 SetEvent

• 0x42f538 SetErrorMode

• 0x42f53c SetEndOfFile

• 0x42f540 ResetEvent

• 0x42f544 ReadFile

• 0x42f548 MultiByteToWideChar

• 0x42f54c LockResource

• 0x42f550 LoadResource

• 0x42f554 LoadLibraryA

• 0x42f558 LeaveCriticalSection

• 0x42f55c InitializeCriticalSection

• 0x42f560 GetVersionExA

• 0x42f564 GetUserDefaultLCID

• 0x42f568 GetTickCount

• 0x42f56c GetThreadLocale

• 0x42f570 GetSystemDefaultLCID

• 0x42f574 GetStdHandle

• 0x42f578 GetShortPathNameA

• 0x42f57c GetProcAddress

• 0x42f580 GetModuleHandleA

• 0x42f584 GetModuleFileNameA

• 0x42f588 GetLocaleInfoA

• 0x42f58c GetLocalTime

• 0x42f590 GetLastError

• 0x42f594 GetFullPathNameA

• 0x42f598 GetDiskFreeSpaceA

• 0x42f59c GetDateFormatA

• 0x42f5a0 GetCurrentThreadId

• 0x42f5a4 GetCPInfo

• 0x42f5a8 FreeResource

• 0x42f5ac InterlockedIncrement

• 0x42f5b0 InterlockedExchange

• 0x42f5b4 InterlockedDecrement

• 0x42f5b8 FreeLibrary

• 0x42f5bc FormatMessageA

• 0x42f5c0 FindResourceA

• 0x42f5c4 FindFirstFileA

• 0x42f5c8 FindClose

• 0x42f5cc EnumCalendarInfoA

• 0x42f5d0 EnterCriticalSection

• 0x42f5d4 DeleteCriticalSection

• 0x42f5d8 CreateFileA

• 0x42f5dc CreateEventA

• 0x42f5e0 CompareStringA

• 0x42f5e4 CloseHandle

库: advapi32.dll:

• 0x42f5ec RegSetValueExA

• 0x42f5f0 RegDeleteKeyA

• 0x42f5f4 RegCreateKeyExA

• 0x42f5f8 RegCloseKey

库: oleaut32.dll:

• 0x42f600 CreateErrorInfo

• 0x42f604 GetErrorInfo

• 0x42f608 SetErrorInfo

• 0x42f60c DispGetIDsOfNames

• 0x42f610 RegisterTypeLib

• 0x42f614 LoadTypeLibEx

• 0x42f618 SafeArrayGetElement

• 0x42f61c SafeArrayGetLBound

• 0x42f620 SafeArrayGetUBound

• 0x42f624 SysFreeString

库: ole32.dll:

• 0x42f62c CreateBindCtx

• 0x42f630 CoTaskMemFree

• 0x42f634 CLSIDFromProgID

• 0x42f638 StringFromCLSID

• 0x42f63c CoCreateInstance

• 0x42f640 CoLockObjectExternal

• 0x42f644 CoDisconnectObject

• 0x42f648 CoRevokeClassObject

• 0x42f64c CoRegisterClassObject

• 0x42f650 CoUninitialize

• 0x42f654 CoInitialize

• 0x42f658 IsEqualGUID

库: kernel32.dll:

• 0x42f660 Sleep

库: ole32.dll:

• 0x42f668 IsEqualGUID

库: oleaut32.dll:

• 0x42f670 SafeArrayPtrOfIndex

• 0x42f674 SafeArrayGetUBound

• 0x42f678 SafeArrayGetLBound

• 0x42f67c SafeArrayCreate

• 0x42f680 VariantChangeType

• 0x42f684 VariantCopyInd

• 0x42f688 VariantCopy

• 0x42f68c VariantClear

• 0x42f690 VariantInit

库: URLMON.DLL:

• 0x42f698 MkParseDisplayNameEx

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
System
IInterface
 2004, 2005 Pierre le Riche / Professional Software Development
An unexpected memory leak has occurred. 
 bytes: 
Unknown
String
The sizes of unexpected leaked medium and large blocks are: 
Unexpected Memory Leak
Uhq2@
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
Uh';@
Uh??@
PhLA@
PhzD@
PhvF@
UhaG@
tCh<b@
kernel32.dll
GetLongPathNameA
UhUc@
Software\Borland\Locales
Software\Borland\Delphi\Locales
Uh$f@
tagEXCEPINFO 
EZeroDivide y@
EInvalidPointer,z@
False
AM/PM
D$LPj
WUWSj
m/d/yy
mmmm d, yyyy
 AMPM
AMPM 
:mm:ss
kernel32.dll
GetDiskFreeSpaceExA
oleaut32.dll
VariantChangeTypeEx
VarNeg
VarNot
VarAdd
VarSub
VarMul
VarDiv
VarIdiv
VarMod
VarAnd
VarOr
VarXor
VarCmp
VarI4FromStr
VarR4FromStr
VarR8FromStr
VarDateFromStr
VarCyFromStr
VarBoolFromStr
VarBstrFromCy
VarBstrFromDate
VarBstrFromBool
Variants
Uh0'A
Uhb(A
Uh$.A
UhB/A
Uh]5A
UhB;A
Uhh=A
Uh8>A
UhS?A
UhYAA
UhpDA
Empty
Smallint
Integer
Single
Double
Currency
OleStr
Dispatch
Error
Boolean
Variant
Unknown
Decimal
ShortInt
LongWord
Int64
String
Array 
ByRef 
Uh{SA
False
Uh0XA
Uh7YA
EComponentError\aA
Classes
Classes
TStringList$dA
Classes
TCustomMemoryStream(gA
Uh[oA
Uh*pA
UhzpA
UhmwA
Uh3yA
Strings
Uha{A
UhE}A
Uh}~A
Owner
False
ulj@h
TPUtilWindow
Apartment
Neutral
CLSID\
ThreadingModel
\Clsid
\ProgID
CLSID\
%d.%d
\Version
\TypeLib
%s, ClassID: %s
%s, ProgID: "%s"
ole32.dll
CoCreateInstanceEx
CoInitializeEx
CoAddRefServerProcess
CoReleaseServerProcess
CoResumeClassObjects
CoSuspendClassObjects
VBScript
JScript

没有防病毒引擎扫描信息!

进程树

SystemSettingsBroker.exe id: 572

搜索
SystemSettingsBroker.exe (572)

SystemSettingsBroker.exe, PID: 572, 上一级进程 PID: 1236

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

无TCP连接纪录.

UDP

无UDP连接纪录.

HTTP 请求

未发现HTTP请求.

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

文件名	Win32system.vbs
相关文件	C:\Windows\Win32system.vbs C:\Windows\System32\Win32system.vbs
文件大小	196096 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	c5b116baf00021a5c818e16c377a7c52
SHA1	d540ef03f7d71425d7ce2c7fbbcfb5f68061db54
SHA256	bf1c6a7696393ebb43f91f60efa7a793a9b7e5e71782c2ba3acafe3ea935ad83
CRC32	6DD91731
Ssdeep	3072:LHTXh1+sOsOHrHT/gd+RbJEj0z7g5h0gL41XxEvfXBsJy7BcJL29xGwVBIZ:LHT33KP4gbJzT6+Jylc0eB
Yara	Look for RC6 magic constants in binary Look for Copy function Look for StrToInt function Borland Delphi 2.0 - 7.0 / 2005 - 2007 Rule to detect the no presence of any attachment Rule to detect the no presence of any image Rule to detect the no presence of any url Run a keylogger Affect system registries Affect private profile
	下载提交魔盾安全分析

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 18.638 seconds )

12.004 Suricata
1.745 Static
1.259 VirusTotal
1.229 Dropped
1.22 TargetInfo
0.428 peid
0.305 AnalysisInfo
0.241 NetworkAnalysis
0.148 BehaviorAnalysis
0.04 Debug
0.016 Strings
0.003 Memory

Signatures ( 0.38 seconds )

0.152 md_bad_drop
0.035 antiav_detectreg
0.022 md_url_bl
0.014 infostealer_ftp
0.012 md_domain_bl
0.01 persistence_autorun
0.009 infostealer_im
0.008 antiav_detectfile
0.008 ransomware_files
0.007 antianalysis_detectreg
0.007 ransomware_extensions
0.006 stealth_timeout
0.006 infostealer_bitcoin
0.005 api_spamming
0.005 disables_browser_warn
0.005 infostealer_mail
0.004 decoy_document
0.004 antivm_vbox_files
0.003 tinba_behavior
0.003 geodo_banking_trojan
0.003 browser_security
0.002 rat_nanocore
0.002 reads_self
0.002 betabot_behavior
0.002 mimics_filetime
0.002 kibex_behavior
0.002 cerber_behavior
0.002 antivm_parallels_keys
0.002 antivm_xen_keys
0.002 modify_proxy
0.002 modify_uac_prompt
0.001 antiemu_wine_func
0.001 network_tor
0.001 bootkit
0.001 infostealer_browser
0.001 antivm_generic_services
0.001 stealth_file
0.001 antivm_generic_scsi
0.001 shifu_behavior
0.001 antivm_generic_disk
0.001 infostealer_browser_password
0.001 ursnif_behavior
0.001 antidbg_windows
0.001 vawtrak_behavior
0.001 virus
0.001 kovter_behavior
0.001 antianalysis_detectfile
0.001 antidbg_devices
0.001 antivm_generic_diskreg
0.001 banker_zeus_mutex
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 darkcomet_regkeys
0.001 disables_system_restore
0.001 disables_windows_defender
0.001 modify_security_center_warnings
0.001 office_security
0.001 rat_pcclient
0.001 rat_spynet
0.001 recon_fingerprint
0.001 stealth_hiddenreg
0.001 stealth_hide_notifications

Reporting ( 1.088 seconds )

0.727 ReportHTMLSummary
0.361 Malheur


Task ID	141248
Mongo ID	5ab50f092e063313ec143441
Cuckoo release	1.4-Maldun