Maldun Security Analysis Report

Analysis type | Start time | End time | Duration | Analysis engine version
FILE | 2020-02-19 05:40:56 | 2020-02-19 05:43:14 | 138 seconds | 1.4-Maldun

VM name | Tag | VM manager | Boot time | Shutdown time
win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2020-02-19 05:40:59 | 2020-02-19 05:43:15
File details

File name | tmp.bat
File size | 39 bytes
File type | ASCII text, with no line terminators
CRC32 | FB18CF9C
MD5 | 1c1ac5fd1ea331b3c2936416ece6656e
SHA1 | b0869fbefafd676931bebf637bcfa483fbf065c4
SHA256 | 1d032c23d105f8d3c4f8ff2744090dc178fe8ab933fd5cbdef858add8f2f2fed
SHA512 | 88fb3d17f2e8f829040fdd093934a3b1179d9aaec7df04d87056dc7dd08ad6c173ce7cfbf6e65b1f46a26258c405346824bf15499f33eac899547024154433a5
Ssdeep | 3:pF4m1aHF5RcMX:pF4IaHNci
PEiD | No match
Yara | No Yara rule matched
VirusTotal | Scan time: 2020-02-18 21:39:40; result: 1/58
Signatures
Abnormal repeated invocation of CMD
Command: cmd /c mkdir "c:\users\public\tmpdir"
File detected as malicious by at least one antivirus engine on VirusTotal
Tencent: Win32.Trojan.Agent.Auto
Behavior analysis
Mutexes
No information
Executed commands
- cmd /c mkdir "C:\Users\Public\tmpdir"
Created services
No information
Started services
No information
Processes
cmd.exe PID: 2712, parent PID: 2332
cmd.exe PID: 2804, parent PID: 2712
cmd.exe PID: 2892, parent PID: 2804
Accessed files
- C:\Users\test\AppData\Local\Temp
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\
- C:\Users\test\AppData\Local\Temp\tmp.bat
- C:\Users\test\AppData\Local\Temp\cmd.*
- C:\Users\test\AppData\Local\Temp\cmd
- C:\ProgramData\Oracle\Java\javapath\cmd.*
- C:\ProgramData\Oracle\Java\javapath\cmd
- C:\Windows\System32\cmd.*
- C:\Windows\System32\cmd.COM
- C:\Windows\System32\cmd.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Users\Public\tmpdir
Read files
- C:\Users\test\AppData\Local\Temp\tmp.bat
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
Modified files
No information
Deleted files
No information
Registry keys
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Modified registry keys
No information
Deleted registry keys
No information
Resolved APIs
- kernel32.dll.SetThreadUILanguage
- kernel32.dll.CopyFileExW
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.SetConsoleInputExeNameW
- advapi32.dll.SaferIdentifyLevel
- advapi32.dll.SaferComputeTokenFromLevel
- advapi32.dll.SaferCloseLevel
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle