Maldun Security Analysis Report

Analysis type | Start time | End time | Duration | Analysis engine version
FILE | 2021-04-08 23:25:46 | 2021-04-08 23:27:50 | 124 seconds | 1.4-Maldun
VM name | Label | Hypervisor | Boot time | Shutdown time
win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2021-04-08 23:25:46 | 2021-04-08 23:27:51
Maldun score

1.75

Normal

File details

File name dumprep.exe
File size 49152 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 E954E796
MD5 2a98556e2f872d326f5736692686b2f1
SHA1 06d73731d3367c77d61a52bba91a47205f8bc019
SHA256 7e870ae3d1dd7ac981b6890b9767ba8a7a7eb458ec6bc0d1fab82144caa0cbcd
SHA512 f4dd2f61b33472e044f9a7286003448de17ff03aa19c8baebfe1782917e2eac03a858b76288e707302737b64ed588830199432ef279c59c35f1ba569f1f6e2e7
Ssdeep 768:Zea1P85HDSgHykqpCSSDaXdF+lF7P7J5reaCn+9JO2shY8PLUpb6VPvYqBN6cNFX:Z7hkqwSY+A37feaCMJDmYsLIb4PvYqHJ
PEiD No match
Yara
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • create_process (Detection function for creating a new process)
  • win_registry (Detected system registries modification function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
VirusTotal VirusTotal lookup failed

Signatures

The binary may contain encrypted or compressed data
section: name: .rsrc, entropy: 7.79, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00009c00, virtual_size: 0x00009af3
Maldun Security Yara rule detection results - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files

Runtime screenshots

Network analysis

DNS resolution

Domain | Response
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
A 23.218.94.163
CNAME a1983.dscd.akamai.net
A 23.218.94.155

TCP connections

IP address | Port
23.218.94.155 | 80

UDP connections

IP address | Port
192.168.122.1 | 53

HTTP requests

URL | HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base 0x01000000
Entry point 0x010010f8
Declared checksum 0x00015719
Actual checksum 0x0000dc96
Minimum OS version required 5.1
Compile time 2008-04-14 02:36:39
Import hash 45d194ab8fcc01858a36ab42455003b5

Version information

LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: DUMPREP.EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.5512
FileDescription: Windows Error Reporting Dump Reporting Tool
OriginalFilename: DUMPREP.EXE
Translation: 0x0409 0x04b0

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text | 0x00001000 | 0x00001d3a | 0x00001e00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 6.57
.data | 0x00003000 | 0x000000a4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.80
.rsrc | 0x00004000 | 0x00009af3 | 0x00009c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.79

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_VERSION | 0x00004060 | 0x000003b0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.61 | data

Imports

Library msvcrt.dll:
0x10010a4 - _controlfp
0x10010a8 - __set_app_type
0x10010ac - __p__fmode
0x10010b0 - __p__commode
0x10010b4 - _adjust_fdiv
0x10010b8 - __setusermatherr
0x10010bc - _initterm
0x10010c0 - __wgetmainargs
0x10010c4 - __winitenv
0x10010c8 - exit
0x10010cc - _cexit
0x10010d0 - _XcptFilter
0x10010d4 - _exit
0x10010d8 - _c_exit
0x10010dc - _wtol
0x10010e0 - wcscat
0x10010e4 - _except_handler3
0x10010e8 - wcslen
0x10010ec - wcsncpy
0x10010f0 - wcscmp
Library ADVAPI32.dll:
0x1001000 - RegQueryInfoKeyW
0x1001004 - RegDeleteValueW
0x1001008 - RegEnumValueW
0x100100c - RegOpenKeyExW
0x1001010 - RegCloseKey
0x1001014 - RegQueryValueExW
Library KERNEL32.dll:
0x100101c - GetTickCount
0x1001020 - QueryPerformanceCounter
0x1001024 - SetErrorMode
0x1001028 - SetUnhandledExceptionFilter
0x100102c - OpenProcess
0x1001030 - GetCurrentProcess
0x1001034 - DuplicateHandle
0x1001038 - GetCurrentThreadId
0x100103c - OpenEventW
0x1001040 - GetSystemDirectoryW
0x1001044 - LoadLibraryExW
0x1001048 - GetModuleFileNameW
0x100104c - CreateProcessW
0x1001050 - FreeLibrary
0x1001054 - UnmapViewOfFile
0x1001058 - GetProcAddress
0x100105c - GetCurrentProcessId
0x1001060 - GetSystemTimeAsFileTime
0x1001064 - TerminateProcess
0x1001068 - UnhandledExceptionFilter
0x100106c - GetModuleHandleA
0x1001070 - MapViewOfFile
0x1001074 - HeapFree
0x1001078 - HeapAlloc
0x100107c - GetProcessHeap
0x1001080 - DeleteFileW
0x1001084 - SetLastError
0x1001088 - ReleaseMutex
0x100108c - CloseHandle
0x1001090 - GetLastError
0x1001094 - CreateFileW
0x1001098 - WaitForSingleObject
0x100109c - OpenMutexW

Dropped files

No information

Behavioral analysis

Mutexes No information
Executed commands No information
Created services No information
Started services No information

Processes

No information
Files accessed No information
Files read No information
Files modified No information
Files deleted No information
Registry keys No information
Registry keys read No information
Registry keys modified No information
Registry keys deleted No information
API resolution No information