Maldun Security Analysis Report

Analysis type: FILE
Start time: 2020-07-05 23:48:54
End time: 2020-07-05 23:49:51
Duration: 57 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
Hypervisor: KVM
Boot time: 2020-07-05 23:48:59
Shutdown time: 2020-07-05 23:49:53
Maldun score

2.0

Normal

File details

File name: version.dll
File size: 107008 bytes
File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
CRC32: EF41F0EE
MD5: 03e710788b9e710e21bbc20ddadff3d4
SHA1: ba4efd4565b1d26b461010d2825f7441bbf51775
SHA256: 2bfe3473afc151ed060612696f5a43f022af0a6d434affdc39d028f5e2f5dfcd
SHA512: 589c2b83533bd75e5f35b3673933d18eeaf2329f97253dff68f3d77e1150a4dd09b266ea94954b53869d81b2c70386b953f1a22d9203a22d1f82b15a18ad1252
Ssdeep: 3072:HEE9/Tp6s0ZlgTs/NNLo0vKdtV9eAscS1fxaTZYJ/ZxClckVPxiTyKiNTBs/3ZJk:Hnx0DgTCrBCdD9ea
PEiD: no match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • ThreadControl__Context ()
  • anti_dbg (Detected self protection if being debugged)
  • win_files_operation (Affect private profile)
  • IsPE64 (Detected a 64bit PE sample)
  • IsDLL (Detect a DLL sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasRichSignature (Detected Rich Signature)
VirusTotal: VirusTotal link
VirusTotal scan time: 2020-05-13 12:41:35
Scan result: 0/69

Signatures

Creates RWX memory
Maldun Security Yara detection result - normal
Attempts to stop sandbox threads so that malicious behaviour is not recorded

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base: 0x180000000
Entry point: 0x1800074b0
Claimed checksum: 0x00000000
Actual checksum: 0x00020010
Minimum OS version required: 6.0
Compile time: 2019-03-11 16:39:20
Import hash: 827b5480936cc786f8bd12d8ef3fe8a9
Exported DLL name: \x31\x31\x31\x31\x31\x31\x31\x34\x31\x31\x31 (ASCII "11111114111")

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x0001075d 0x00010800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.26
.rdata 0x00012000 0x0000538a 0x00005400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.87
.data 0x00018000 0x000044d8 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.90
.pdata 0x0001d000 0x000011b8 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.02
_RDATA 0x0001f000 0x000006f0 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.94
.reloc 0x00020000 0x000005b8 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.09

Imports

Library VERSION.dll:
0x1800122d0 - VerQueryValueA
0x1800122d8 - GetFileVersionInfoA
0x1800122e0 - GetFileVersionInfoSizeA
Library KERNEL32.dll:
0x180012000 - FlushFileBuffers
0x180012008 - WriteConsoleW
0x180012010 - SetStdHandle
0x180012018 - DisableThreadLibraryCalls
0x180012020 - GetModuleHandleW
0x180012028 - GetSystemDirectoryW
0x180012030 - LoadLibraryW
0x180012038 - GetProcAddress
0x180012040 - GetSystemTimeAsFileTime
0x180012048 - GetModuleFileNameA
0x180012050 - VirtualProtect
0x180012058 - GetStringTypeW
0x180012060 - FlushInstructionCache
0x180012068 - HeapCreate
0x180012070 - HeapDestroy
0x180012078 - HeapAlloc
0x180012080 - HeapReAlloc
0x180012088 - HeapFree
0x180012090 - GetCurrentProcess
0x180012098 - GetCurrentProcessId
0x1800120a0 - GetCurrentThreadId
0x1800120a8 - OpenThread
0x1800120b0 - GetThreadContext
0x1800120b8 - SetThreadContext
0x1800120c0 - SuspendThread
0x1800120c8 - ResumeThread
0x1800120d0 - Sleep
0x1800120d8 - CloseHandle
0x1800120e0 - CreateToolhelp32Snapshot
0x1800120e8 - Thread32First
0x1800120f0 - Thread32Next
0x1800120f8 - VirtualAlloc
0x180012100 - VirtualFree
0x180012108 - VirtualQuery
0x180012110 - GetSystemInfo
0x180012118 - RtlUnwindEx
0x180012120 - GetLastError
0x180012128 - GetCommandLineA
0x180012130 - IsDebuggerPresent
0x180012138 - RaiseException
0x180012140 - LoadLibraryExW
0x180012148 - MultiByteToWideChar
0x180012150 - WideCharToMultiByte
0x180012158 - IsProcessorFeaturePresent
0x180012160 - EncodePointer
0x180012168 - DecodePointer
0x180012170 - ExitProcess
0x180012178 - GetModuleHandleExW
0x180012180 - CreateFileW
0x180012188 - GetStdHandle
0x180012190 - WriteFile
0x180012198 - GetModuleFileNameW
0x1800121a0 - GetProcessHeap
0x1800121a8 - SetLastError
0x1800121b0 - GetFileType
0x1800121b8 - InitializeCriticalSectionAndSpinCount
0x1800121c0 - DeleteCriticalSection
0x1800121c8 - InitOnceExecuteOnce
0x1800121d0 - GetStartupInfoW
0x1800121d8 - QueryPerformanceCounter
0x1800121e0 - GetTickCount64
0x1800121e8 - GetEnvironmentStringsW
0x1800121f0 - FreeEnvironmentStringsW
0x1800121f8 - RtlCaptureContext
0x180012200 - RtlLookupFunctionEntry
0x180012208 - RtlVirtualUnwind
0x180012210 - UnhandledExceptionFilter
0x180012218 - SetUnhandledExceptionFilter
0x180012220 - FlsAlloc
0x180012228 - FlsGetValue
0x180012230 - FlsSetValue
0x180012238 - FlsFree
0x180012240 - TerminateProcess
0x180012248 - FreeLibrary
0x180012250 - EnterCriticalSection
0x180012258 - LeaveCriticalSection
0x180012260 - IsValidCodePage
0x180012268 - GetACP
0x180012270 - GetOEMCP
0x180012278 - GetCPInfo
0x180012280 - OutputDebugStringW
0x180012288 - GetConsoleCP
0x180012290 - GetConsoleMode
0x180012298 - SetFilePointerEx
0x1800122a0 - HeapSize
0x1800122a8 - LCMapStringEx
Library USER32.dll:
0x1800122b8 - MessageBoxA
0x1800122c0 - CharUpperA

Exports

Ordinal | Address | Name
1 0x180001280 GetFileVersionInfoA
2 0x180001290 GetFileVersionInfoByHandle
3 0x1800012a0 GetFileVersionInfoExA
4 0x1800012b0 GetFileVersionInfoExW
5 0x1800012c0 GetFileVersionInfoSizeA
6 0x1800012d0 GetFileVersionInfoSizeExW
7 0x1800012e0 GetFileVersionInfoSizeW
8 0x1800012f0 GetFileVersionInfoW
9 0x180001300 VerFindFileA
10 0x180001310 VerFindFileW
11 0x180001320 VerInstallFileA
12 0x180001330 VerInstallFileW
13 0x180001340 VerLanguageNameA
14 0x180001350 VerLanguageNameW
15 0x180001360 VerQueryValueA
16 0x180001370 VerQueryValueW
17 0x180001280 pGetFileVersionInfoA
18 0x180001290 pGetFileVersionInfoByHandle
19 0x1800012a0 pGetFileVersionInfoExA
20 0x1800012b0 pGetFileVersionInfoExW
21 0x1800012c0 pGetFileVersionInfoSizeA
22 0x1800012d0 pGetFileVersionInfoSizeExW
23 0x1800012e0 pGetFileVersionInfoSizeW
24 0x1800012f0 pGetFileVersionInfoW
25 0x180001300 pVerFindFileA
26 0x180001310 pVerFindFileW
27 0x180001320 pVerInstallFileA
28 0x180001330 pVerInstallFileW
29 0x180001340 pVerLanguageNameA
30 0x180001350 pVerLanguageNameW
31 0x180001360 pVerQueryValueA
32 0x180001370 pVerQueryValueW

Dropped files

No information

Behavioural analysis

Mutexes: no information
Executed commands: no information
Created services: no information
Started services: no information

Processes

rundll32.exe PID: 2704, parent PID: 2332

Files accessed
  • C:\Users\test\AppData\Local\Temp\version.dll
  • C:\Users\test\AppData\Local\Temp\version.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\version.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\version.dll.2.Manifest
  • C:\Windows\sysnative\rundll32.exe
  • C:\Windows\sysnative\.DLL
  • C:\Windows\system\.DLL
  • C:\Windows\.DLL
  • C:\Users\test\AppData\Local\Temp\.DLL
  • C:\ProgramData\Oracle\Java\javapath\.DLL
  • C:\Windows\sysnative\wbem\.DLL
  • C:\Windows\sysnative\WindowsPowerShell\v1.0\.DLL
  • C:\Program Files (x86)\WinRAR\.DLL
Files read
  • C:\Users\test\AppData\Local\Temp\version.dll
  • C:\Users\test\AppData\Local\Temp\version.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\version.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\version.dll.2.Manifest
  • C:\Windows\sysnative\rundll32.exe
Files modified: no information
Files deleted: no information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified: no information
Registry keys deleted: no information
API resolution
  • version.dll.GetFileVersionInfoA
  • version.dll.GetFileVersionInfoByHandle
  • version.dll.GetFileVersionInfoExW
  • version.dll.GetFileVersionInfoSizeA
  • version.dll.GetFileVersionInfoSizeExW
  • version.dll.GetFileVersionInfoSizeW
  • version.dll.GetFileVersionInfoW
  • version.dll.VerFindFileA
  • version.dll.VerFindFileW
  • version.dll.VerInstallFileA
  • version.dll.VerInstallFileW
  • version.dll.VerLanguageNameA
  • version.dll.VerLanguageNameW
  • version.dll.VerQueryValueA
  • version.dll.VerQueryValueW
  • version.dll.#1