分析任务

分析类型 虚拟机标签 开始时间 结束时间 持续时间
文件 (Windows) win7-sp1-x64-hpdapp01-3 2018-12-11 18:11:32 2018-12-11 18:14:36 184 秒

魔盾分数

6.4

危险的

文件详细信息

文件名 O!2RHG9_Cfgf1Y2d.exe
文件大小 10109952 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3c2d965c92d795a5dbba795d4e5a50b9
SHA1 a743465685a8007dbb8f3962bcab8c5953713f33
SHA256 58f085ac4f359f32310ad4d8b853982b44158b3de285b0039c10cd088dde3e97
SHA512 d8d9625ea835262d98bbf0ec0d3e0245e3d145e3e3466154a4ce801dc7b2f5cb33011359924bd197e286af533303d74ce8f94c972c1411c3047d8b183c90f8b3
CRC32 2C93EEA0
Ssdeep 196608:YhkaWPHsvpik/TGXgaPPrfUMEFdR90XgwspWrNr9htz7kr2FVip8xqN1:qiPHshTSgaPPbkfj0X9CWrTnAEigqN1
Yara 无匹配
样本下载 提交误报

特征低危险等级 中危险等级 高危险等级

创建RWX内存
可能进行了时间有效期检查,检查本地时间后过早退出
发起了一些HTTP请求
url: http://host804194416.s313.pppf.com.cn/capi/init
url: http://43.226.43.29/capi/get_app?data=Y2JlN2Y2MGIwMzk2MjZkNWNiNDA2ZmMxZDM3OGM1OGFrWTlEZkRucXlIZldMYWN5TnJFRW41Y2ZYc2ZaaGV2NCtkWUxmSnRUVUVLdVIzZGhJSmNWZGVJUXZZSFdLOCtXWGtBUzBBYmVBSllHYWVGVWZyaklvWmZlRkRCUEhuaDdJZXhtS0hxYjFyU2tBMGRjTEE9PQ==
从磁盘上删除自身的原始二进制
魔盾wping.org 域名信誉系统
Neutral: host804194416.s313.pppf.com.cn
魔盾wping.org IP地址信誉系统
Greylist: 43.226.43.29
HTTP数据流中包含可疑的恶意软件数据
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://43.226.43.29/capi/get_app?data=Y2JlN2Y2MGIwMzk2MjZkNWNiNDA2ZmMxZDM3OGM1OGFrWTlEZkRucXlIZldMYWN5TnJFRW41Y2ZYc2ZaaGV2NCtkWUxmSnRUVUVLdVIzZGhJSmNWZGVJUXZZSFdLOCtXWGtBUzBBYmVBSllHYWVGVWZyaklvWmZlRkRCUEhuaDdJZXhtS0hxYjFyU2tBMGRjTEE9PQ==
尝试阻止沙箱线程以防止恶意行为被记录
检测到网络活动但没有显示在API日志中
country_name: China
ip: 43.226.43.29
inaddrarpa:
hostname: host804194416.s313.pppf.com.cn
score: 5
ip: 43.226.43.29
domain: host804194416.s313.pppf.com.cn

运行截图


访问主机纪录 (可点击查询WPING实时安全评级)

直接 IP 安全评级 地理位置
43.226.43.29 中国

域名解析 (可点击查询WPING实时安全评级)

域名 安全评级 响应
host804194416.s313.pppf.com.cn A 43.226.43.29

摘要

C:\Users\test\AppData\Local\Temp\O_2RHG9_Cfgf1Y2d.exe
C:\Users\test\AppData\Local\Temp\-'hr2!.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
\??\MountPointManager
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\Temp\-'hr2!.exe
C:\Users\test\AppData\Local\Temp\O_2RHG9_Cfgf1Y2d.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\O_2RHG9_Cfgf1Y2d.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.LCMapStringEx
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.GetTickCount64
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
kernel32.dll.CompareStringEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.AreFileApisANSI
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCIDToLocaleName
kernel32.dll.LocaleNameToLCID
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
C:\Users\test\AppData\Local\Temp\-'hr2!.exe -startBR
没有信息显示.
.text
`.rdata
@.data
.vmp0
`.vmp1
`.reloc
@.rsrc
l;rhU
没有防病毒引擎扫描信息!

进程树


O_2RHG9_Cfgf1Y2d.exe, PID: 2436, 上一级进程 PID: 2280
-'hr2!.exe, PID: 2536, 上一级进程 PID: 2436

访问主机纪录 (可点击查询WPING实时安全评级)

直接 IP 安全评级 地理位置
43.226.43.29 中国

TCP

源地址 源端口 目标地址 目标端口
192.168.122.203 49161 43.226.43.29 host804194416.s313.pppf.com.cn 80

UDP

源地址 源端口 目标地址 目标端口
192.168.122.203 59558 192.168.122.1 53

域名解析 (可点击查询WPING实时安全评级)

域名 安全评级 响应
host804194416.s313.pppf.com.cn A 43.226.43.29

TCP

源地址 源端口 目标地址 目标端口
192.168.122.203 49161 43.226.43.29 host804194416.s313.pppf.com.cn 80

UDP

源地址 源端口 目标地址 目标端口
192.168.122.203 59558 192.168.122.1 53

HTTP 请求

URI HTTP数据
URL专业沙箱检测 -> http://host804194416.s313.pppf.com.cn/capi/init
GET /capi/init HTTP/1.1
User-Agent: LolBaby
Host: host804194416.s313.pppf.com.cn

URL专业沙箱检测 -> http://43.226.43.29/capi/get_app?data=Y2JlN2Y2MGIwMzk2MjZkNWNiNDA2ZmMxZDM3OGM1OGFrWTlEZkRucXlIZldMYWN5TnJFRW41Y2ZYc2ZaaGV2NCtkWUxmSnRUVUVLdVIzZGhJSmNWZGVJUXZZSFdLOCtXWGtBUzBBYmVBSllHYWVGVWZyaklvWmZlRkRCUEhuaDdJZXhtS0hxYjFyU2tBMGRjTEE9PQ==
GET /capi/get_app?data=Y2JlN2Y2MGIwMzk2MjZkNWNiNDA2ZmMxZDM3OGM1OGFrWTlEZkRucXlIZldMYWN5TnJFRW41Y2ZYc2ZaaGV2NCtkWUxmSnRUVUVLdVIzZGhJSmNWZGVJUXZZSFdLOCtXWGtBUzBBYmVBSllHYWVGVWZyaklvWmZlRkRCUEhuaDdJZXhtS0hxYjFyU2tBMGRjTEE9PQ== HTTP/1.1
Length: 88
User-Agent:

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
HTML 总结报告
(需15-60分钟同步)
下载

Processing ( 25.112 seconds )

  • 11.948 Suricata
  • 10.256 NetworkAnalysis
  • 1.478 VirusTotal
  • 0.57 TargetInfo
  • 0.551 peid
  • 0.125 AnalysisInfo
  • 0.099 BehaviorAnalysis
  • 0.068 Debug
  • 0.014 Strings
  • 0.003 Memory

Signatures ( 2.348 seconds )

  • 1.973 md_url_bl
  • 0.214 md_bad_drop
  • 0.024 md_domain_bl
  • 0.018 antiav_detectreg
  • 0.008 anomaly_persistence_autorun
  • 0.008 infostealer_ftp
  • 0.008 network_http
  • 0.007 antiav_detectfile
  • 0.006 ransomware_files
  • 0.005 api_spamming
  • 0.005 geodo_banking_trojan
  • 0.005 infostealer_bitcoin
  • 0.005 infostealer_im
  • 0.005 ransomware_extensions
  • 0.004 stealth_decoy_document
  • 0.003 tinba_behavior
  • 0.003 stealth_timeout
  • 0.003 antivm_vbox_files
  • 0.003 disables_browser_warn
  • 0.003 infostealer_mail
  • 0.003 network_torgateway
  • 0.002 rat_nanocore
  • 0.002 cerber_behavior
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.001 antiemu_wine_func
  • 0.001 bootkit
  • 0.001 mimics_filetime
  • 0.001 stealth_file
  • 0.001 injection_createremotethread
  • 0.001 betabot_behavior
  • 0.001 reads_self
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 antivm_generic_disk
  • 0.001 infostealer_browser_password
  • 0.001 injection_runpe
  • 0.001 virus
  • 0.001 kovter_behavior
  • 0.001 hancitor_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 maldun_blacklist
  • 0.001 network_cnc_http
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.137 seconds )

  • 0.137 Malheur
Task ID 221683
Mongo ID 5c0f8e482e063315a94bedf3
Cuckoo release 1.4-Maldun