Network activity detected but not shown in the API log
ip: 23.218.94.155
domain: acroipm.adobe.com
魔盾安全 Yara rule detection results - High risk
Informational: PowerShell Detected
Critical: A non-Windows executable contains Win32 API function names
Warning: Detected function to spread malware via desktop or autorun files
Warning: Detected function for installing itself for autorun at Windows startup
Critical: Spotted potential malicious behaviors from a small-size target, like process manipulation, privilege, token and files
Network analysis
Domain name resolution
Domain: acroipm.adobe.com
Response:
- CNAME acroipm.adobe.com.edgesuite.net
- A 23.218.94.163
- CNAME a1983.dscd.akamai.net
- A 23.218.94.155
HTTP requests
URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
HTTP data:
    GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
    Accept: */*
    If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
    User-Agent: IPM
    Host: acroipm.adobe.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Behavior analysis
Mutexes
No information
Commands executed
- C:\Windows\system32\cmd.exe /c ver
- reg query HKU\S-1-5-19
- mode con cols=98 lines=30
Services created
No information
Services started
No information
Processes
cmd.exe PID: 2448, parent PID: 2312
cmd.exe PID: 2528, parent PID: 2448
reg.exe PID: 2588, parent PID: 2448
mode.com PID: 2652, parent PID: 2448
choice.exe PID: 2720, parent PID: 2448
Files accessed
- C:\Users\test\AppData\Local\Temp
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\
- C:\Users\test\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd
- C:\Windows\Globalization\Sorting\sortdefault.nls
- \Device\NamedPipe\
- \Device\NamedPipe
- C:\Windows\System32\cmd.exe
- C:\ProgramData\Oracle\Java\javapath\powershell.exe
- C:\Windows\System32\powershell.exe
- C:\Windows\powershell.exe
- C:\Windows\System32\wbem\powershell.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows
- C:\Windows\System32
- C:\Windows\System32\WindowsPowerShell
- C:\Windows\System32\WindowsPowerShell\v1.0
- \??\nul
- C:\Users\test\AppData\Local\Temp\reg.*
- C:\Users\test\AppData\Local\Temp\reg
- C:\ProgramData\Oracle\Java\javapath\reg.*
- C:\ProgramData\Oracle\Java\javapath\reg
- C:\Windows\System32\reg.*
- C:\Windows\System32\reg.COM
- C:\Windows\System32\reg.exe
- C:\Users\test\AppData\Local\Temp\mode.*
- C:\Users\test\AppData\Local\Temp\mode
- C:\ProgramData\Oracle\Java\javapath\mode.*
- C:\ProgramData\Oracle\Java\javapath\mode
- C:\Windows\System32\mode.*
- C:\Windows\System32\mode.com
- C:\Windows\Temp\_MAS\
- C:\Users\test\AppData\Local\Temp\
- C:\Users\test\AppData\Local\Temp\echo:
Files read
- C:\Users\test\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd
- C:\Windows\Globalization\Sorting\sortdefault.nls
- \Device\NamedPipe\
Files modified
- \Device\NamedPipe
- \??\nul
Files deleted
No information
Registry keys
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_USERS\S-1-5-19
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified
No information
Registry keys deleted
No information
Resolved APIs
- kernel32.dll.SetThreadUILanguage
- kernel32.dll.CopyFileExW
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.SetConsoleInputExeNameW
- advapi32.dll.SaferIdentifyLevel
- advapi32.dll.SaferComputeTokenFromLevel
- advapi32.dll.SaferCloseLevel
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle