分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-hpdapp01-1 | 2019-10-14 21:03:36 | 2019-10-14 21:04:31 | 55 秒 |
魔盾分数
3.25
可疑的
文件详细信息
| 文件名 | csrss.exe |
|---|---|
| 文件大小 | 10657792 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 1a9eb05d42806188107452e4a92320b3 |
| SHA1 | ce4548dbcf2b5581f7de9f6b31107878e0791dd3 |
| SHA256 | a5e91d5de28c261d94aa485fa6bafc78e8adcfebd20d73a5a00988ff577dfaf4 |
| SHA512 | 4070a68ea0bd7d80ac3cee4aca1a451936b1b04d68c9e312f1802f3f05b3160a45550728f021095e8c15f2726a131079409dc8e9cf92ca4fd6e81c2eebf6d40b |
| CRC32 | 5C5D2362 |
| Ssdeep | 196608:Clwz7/x0h9/CQb7slSnhxX7XZ2PCtbjOAPfn:YI7/x0WQvuSnh946hjjPfn |
| Yara | 登录查看Yara规则 |
| 样本下载 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00e1309d |
| 声明校验值 | 0x00a2c268 |
| 实际校验值 | 0x00a2c268 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2019-10-13 23:50:44 |
| 载入哈希 | ffd9a45356e9644bee987e6c6ec15351 |
版本信息
| Translation | |
|---|---|
| InternalName | |
| FileVersion | |
| CompanyName | |
| ProductName | |
| ProductVersion | |
| OriginalFilename |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00942000 | 0x00942000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 6.37 |
| .sedata | 0x00943000 | 0x000d2000 | 0x000d2000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.74 |
| .idata | 0x00a15000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.52 |
| .rsrc | 0x00a16000 | 0x00011000 | 0x00011000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.11 |
| .sedata | 0x00a27000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.98 |
覆盖
| 偏移量 | 0x00a28000 |
| 大小 | 0x00002000 |
导入
库: MSVBVM60.DLL:
• 0x401000 _CIcos
• 0x401004 _adj_fptan
• 0x401008 __vbaAryMove
• 0x40100c __vbaFreeVar
• 0x401010 __vbaLateIdCall
• 0x401014 __vbaFreeVarList
• 0x401018 _adj_fdiv_m64
• 0x40101c _adj_fprem1
• 0x401020 __vbaCopyBytes
• 0x401024 __vbaSetSystemError
• 0x401028 __vbaHresultCheckObj
• 0x40102c _adj_fdiv_m32
• 0x401030 __vbaAryDestruct
• 0x401034 __vbaExitProc
• 0x401038 __vbaOnError
• 0x40103c __vbaObjSet
• 0x401040 _adj_fdiv_m16i
• 0x401044 _adj_fdivr_m16i
• 0x401048 _CIsin
• 0x40104c __vbaChkstk
• 0x401050 __vbaFileClose
• 0x401054 EVENT_SINK_AddRef
• 0x401058 __vbaGenerateBoundsError
• 0x40105c __vbaPutOwner3
• 0x401060 __vbaI2I4
• 0x401064 DllFunctionCall
• 0x401068 _adj_fpatan
• 0x40106c EVENT_SINK_Release
• 0x401070 _CIsqrt
• 0x401074 EVENT_SINK_QueryInterface
• 0x401078 __vbaExceptHandler
• 0x40107c __vbaStrToUnicode
• 0x401080 _adj_fprem
• 0x401084 _adj_fdivr_m64
• 0x401088 __vbaFPException
• 0x40108c None
• 0x401090 _CIlog
• 0x401094 __vbaFileOpen
• 0x401098 __vbaVar2Vec
• 0x40109c __vbaNew2
• 0x4010a0 None
• 0x4010a4 _adj_fdiv_m32i
• 0x4010a8 _adj_fdivr_m32i
• 0x4010ac __vbaStrCopy
• 0x4010b0 __vbaI4Str
• 0x4010b4 __vbaFreeStrList
• 0x4010b8 _adj_fdivr_m32
• 0x4010bc _adj_fdiv_r
• 0x4010c0 None
• 0x4010c4 __vbaI4Var
• 0x4010c8 __vbaVarAdd
• 0x4010cc __vbaStrToAnsi
• 0x4010d0 __vbaVarCopy
• 0x4010d4 _CIatan
• 0x4010d8 _allmul
• 0x4010dc __vbaLenVarB
• 0x4010e0 _CItan
• 0x4010e4 _CIexp
• 0x4010e8 __vbaFreeStr
• 0x4010ec __vbaFreeObj
库: MSVCRT.dll:
• 0xe15602 strncpy
库: IPHLPAPI.DLL:
• 0xe1560e GetInterfaceInfo
库: PSAPI.DLL:
• 0xe1561a GetMappedFileNameW
库: KERNEL32.dll:
• 0xe15626 GetModuleFileNameW
库: USER32.dll:
• 0xe15632 GetWindow
库: ADVAPI32.dll:
• 0xe1563e RegDeleteKeyA
库: SHELL32.dll:
• 0xe1564a SHGetFolderPathW
.text
.sedata
.idata
.rsrc
.sedata
Form1
wwwwwwwwwwwwwwwwwwwwp
wwwwwwwwwwwwwwwwwwwwp
wwwwwwwwwwwwwx
xwwwwwx
wwxxww
""""""""""""""""""""""""""""""""""""""""""
"555555555555555555555555555555555555555555"
"5eeeeeeeee[eZ[ZZZZZZZZZZZQZQZQZQZQQQQQQQe5"
"5eeeeeaa[eZZaaZZZZZQZQZQQQZQQQQQQQQQQQQQe5"
"5eeeee<<<<;eZaZZZZZZQZQQZQQQZQQQQQQQQQQQe5"
([aa[ZZZQWWZZQZQZQQQQQQQQQQQQQe5"
ZZa[ZZW`W`ZZQQZQQQZQZQQQQQQQQe5"
aaa[W'&&&#&&&&&&&#&#&&&QQQQQe5"
6aaea%&&#&&&##&#&######QQQQQe5"
aaZZ_ZZZZZQZQQQQQQQQQQQQQQQe5"
*aaaaZZZQZZQZZQ[QQ[QQQQQQQQe5"
BaaaZZZZZQWZQQ[ZQQQZQQQQQQe5"
Haa[ZZZQ`ZQ`ZQQW[QQQQQQQQe5"
aaaZWW`WWWZQ`Q[QQQQQQQQQe5"
a%%&&'&&&&&&&&#&&&&QQQQQe5"
eeeea%%&#&#&&&&#&#&&###QZQQQe5"
7eeaeaa[`WeZZZQZQQQQQQQQQQZQe5"
eeaeaaeaeZZZZQZ[[ZQWWWWQQQQe5"
*aeaaaaaZZZZZZQZQZWWQWQ[QQZe5"
Ceeaeaa[`WWW``Q`Q`ZQ[QQZQQe5"
HeeaaaeaeeW`[`[[Q[Q[ZQQQQe5"
e%%%%&&#&%&&&&&&&&&QQ[QQe5"
!e%''%%%'%'&&&&&&&&&Q[QZQe5"
aeeaeeeeeeeeZeZZZZQZQQQQ[QQWeA"
=eeeeeeeeeZeZZZZZZZQ[[ZQZQWZeA"
eeeeeeaaaeZeZWWWZZZQ[ZQQ`QQeA"
+eeeeeeaaaeZ`ee[ZZW`ZQ[ZQ[ZeA"
DeeeaeeeaaeZaZ`Z``ZZZQ[ZQQeA"
Maeeaeeaaaaaa[[ZZZQ`WQ[Q`eA"
eeeeeeaeaeaaa[[Z[`Z`ZQ`ZeA"
!eeeeeeaeaaaaaa[[ZZZQ`QWQeA"
"AeeeeeeeeeeeeeeeeeeeeaeaaaaaaaaZZZQ`Z[ZQeA"
"A::::::::::::::::::::::::::::::::::::::::A"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
""""""""""""""""""""""""""""""""""""""""""
K00000000000000003530000000007
0{{{{{u{uuuuuuuuuukuukkukkkkv0
0{{{y{uyyuuuuukukkkkkkkkkkkkv0
0{{{{QO;Swwuukukukukkkkkkkkks0
:{uwuuukukukukkkkkkks0
hxxuuupwkkkkkukkkkkv0
kkkkv0
Jxxuuuukxukukkkkkkv0
!ixxwuukwkukukukkus0
-{uxuupxukkkkkukks0
#{F>xxxwswkxukxukkkks0
kkkus0
v{{{yxwswukxkukukkx0
={y{y{wxuwwukkwkkus0
Z{{uv{uswuuswkskkx0
Bv)*{y{yvwwuukwkxkwkx0
/////////swkws0
<{{{{{{{y{uxsxwukwk{0
a{{{{y{yxxwwwuukwus0
"{{{{{{{y{uswukwkkx0
?{{{{y{yxxwuuwuwus0
5{{{{{{{{{.,{{{{{{{y{uuswukxs0
5NNNNNNNNNMMNNNLLNNNNNNLLLLLL0
0000000000000000000000000000K
C}VPq
Form1
WebBrowser1
SHDocVwCtl.WebBrowser
Text1
Label1
By:yw QQ: 1685151106 Beauty version 5.0.2
Label2
vb6chs.dll
xA7?H<
ReadyState
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
Form1
Module1
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
WebBrowser1
RC:\Windows\SysWOW64\ieframe.oca
SHDocVwCtl
Text1
Label1
Label2
user32
FindWindowA
GetWindowThreadProcessId
clk.dll
FreeHook
EnableHook
kernel32
GetCurrentProcessId
RtlMoveMemory
CreateFileMappingA
OpenFileMappingA
MapViewOfFile
UnmapViewOfFile
CloseHandle
VBA6.DLL
__vbaAryDestruct
__vbaLateIdCall
__vbaVarCopy
__vbaI4Var
__vbaFreeObj
__vbaFreeStrList
__vbaSetSystemError
__vbaObjSet
__vbaStrToAnsi
__vbaFileClose
__vbaPutOwner3
__vbaI2I4
__vbaFileOpen
__vbaFreeVar
__vbaHresultCheckObj
__vbaNew2
__vbaVar2Vec
__vbaAryMove
UserControl
advapi32.dll
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueA
GetCurrentProcess
VirtualAllocEx
VirtualFreeEx
OpenProcess
TerminateProcess
WriteProcessMemory
GetModuleHandleA
GetProcAddress
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
EnablePrivilege
KillProcess
__vbaI4Str
__vbaGenerateBoundsError
__vbaCopyBytes
__vbaExitProc
__vbaFreeStr
__vbaStrToUnicode
__vbaFreeVarList
__vbaLenVarB
__vbaVarAdd
__vbaOnError
__vbaStrCopy
dwProcessId
pszLibFile
ProcessID
9=@dA
NPhh2A
UhVPA
http:///
1.vbp
SeDebugPrivilege
C:\Windows\wok.dll
EXPdll
C:\Windows\clk.dll
caidanDll
Kernel32
LoadLibraryA
GetModuleHandleA
FreeLibrary
shearememory535200701
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 50.284 seconds )
- 28.634 Static
- 15.583 Suricata
- 2.146 VirusTotal
- 2.141 TargetInfo
- 0.764 BehaviorAnalysis
- 0.46 peid
- 0.357 NetworkAnalysis
- 0.139 AnalysisInfo
- 0.042 config_decoder
- 0.015 Strings
- 0.003 Memory
Signatures ( 0.344 seconds )
- 0.034 api_spamming
- 0.032 kovter_behavior
- 0.029 antiemu_wine_func
- 0.027 infostealer_browser_password
- 0.027 stealth_timeout
- 0.027 antiav_detectreg
- 0.022 stealth_decoy_document
- 0.019 md_url_bl
- 0.016 md_domain_bl
- 0.011 infostealer_ftp
- 0.007 anomaly_persistence_autorun
- 0.007 antiav_detectfile
- 0.007 infostealer_im
- 0.007 ransomware_files
- 0.006 antianalysis_detectreg
- 0.006 ransomware_extensions
- 0.005 infostealer_bitcoin
- 0.004 infostealer_mail
- 0.003 tinba_behavior
- 0.003 antivm_vbox_files
- 0.003 geodo_banking_trojan
- 0.003 disables_browser_warn
- 0.002 rat_nanocore
- 0.002 betabot_behavior
- 0.002 cerber_behavior
- 0.002 browser_security
- 0.002 modify_proxy
- 0.002 md_bad_drop
- 0.001 network_tor
- 0.001 antiav_avast_libs
- 0.001 mimics_filetime
- 0.001 reads_self
- 0.001 ursnif_behavior
- 0.001 antisandbox_sunbelt_libs
- 0.001 kibex_behavior
- 0.001 shifu_behavior
- 0.001 antianalysis_detectfile
- 0.001 antidbg_devices
- 0.001 antivm_generic_diskreg
- 0.001 antivm_parallels_keys
- 0.001 antivm_xen_keys
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_addon
- 0.001 disables_system_restore
- 0.001 disables_windows_defender
- 0.001 darkcomet_regkeys
- 0.001 maldun_malicious_drop_executable_file_to_temp_folder
- 0.001 office_security
- 0.001 rat_spynet
- 0.001 recon_fingerprint
- 0.001 stealth_hiddenreg
- 0.001 stealth_hide_notifications
- 0.001 stealth_modify_uac_prompt
Reporting ( 0.938 seconds )
- 0.93 ReportHTMLSummary
- 0.008 Malheur
| Task ID | 395702 |
|---|---|
| Mongo ID | 5da4729d2f8f2e6c3481178e |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号