Maldun Security Analysis Report

Analysis type   Start time            End time              Duration   Engine version
FILE            2021-04-09 01:14:49   2021-04-09 01:15:18   29 s       1.4-Maldun

VM name                   Tag                       Hypervisor   Boot time             Shutdown time
win7-sp1-x64-shaapp03-2   win7-sp1-x64-shaapp03-2   KVM          2021-04-09 01:14:50   2021-04-09 01:15:19
Maldun score

1.4

Clean

File details

File name   browsing_data_remover.exe
File size   350096 bytes
File type   PE32 executable (console) Intel 80386, for MS Windows
CRC32       DCBDA2E0
MD5         fd123e789e99dff0cf27421a495e2ece
SHA1        629ad539d4cc768aa32e7306bec2dfbe306367e5
SHA256      91a03c8c3ad7c143d312a76218471a7104df682e5a1b9c80fc1e16ce788d9ded
SHA512      d76cb002ec2b8b0a5f59ac6e05cd4ed8b5bc05d9a012dcdef06b93c8b1843fcbb2d90a1f5a6a654e92327b9b6ce10005785af51141ebf64ce8378283d3d49208
Ssdeep      6144:NALci/Iq5yeUGIXLfi4EV1izUQ8ns91wS8iqBbcGnFAOECsIPr:iwiP5yYI7fibi2PFXP
PEiD        no match
Yara
  • CRC32_poly_Constant (looks for the CRC32 polynomial)
  • CRC32_table (looks for a CRC32 lookup table)
  • MD5_Constants (looks for MD5 constants)
  • with_urls (one or more URLs present)
  • IsPE32 (32-bit PE sample)
  • IsConsole (console program)
  • HasOverlay (overlay data present after the last section)
  • HasDigitalSignature (digital signature present)
  • HasDebugData (debug data present)
  • HasRichSignature (Rich header present)
  • DebuggerTiming__PerformanceCounter
  • DebuggerTiming__Ticks (timing-ticks function detected)
  • Check_OutputDebugStringA_iat (OutputDebugStringA found in the IAT)
  • anti_dbg (self-protection when being debugged)
  • create_process (process-creation function detected)
  • win_files_operation (affects private profile)
  • Maldun_Anomoly_Combined_Activities_7 (potential malicious behaviours from a small target: process manipulation, privilege, token and file operations)
VirusTotal   VirusTotal lookup failed
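What the constant-based Yara hits above actually key on, as an added example (this is not Maldun's rule set, and the exact byte patterns in Maldun's rules are not known from this page, so the patterns here are an assumption): a scanner for the reflected CRC32 polynomial, the start of the CRC32 lookup table, the MD5 initialisation words and the NUL-terminated import names behind the timing/anti-debug rules, run over a constructed byte blob.

```python
"""Scan a raw binary for the constants behind CRC32_*, MD5_Constants and the
IAT-name rules. Added example for this page; not the Maldun Yara rules."""
import struct

CRC32_POLY_REFLECTED = 0xEDB88320          # zlib-style (reflected) CRC32 polynomial
MD5_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
DEBUG_APIS = (b"IsDebuggerPresent", b"OutputDebugStringA",
              b"QueryPerformanceCounter", b"GetTickCount")


def crc32_table(poly=CRC32_POLY_REFLECTED):
    """Standard 256-entry reflected CRC32 table; its first entries are the
    bytes a CRC32_table-style rule matches, and entry 128 is the polynomial."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def dwords_le(values):
    """Little-endian encoding, the form these constants take in x86 code/data."""
    return b"".join(struct.pack("<I", v) for v in values)


SIGNATURES = {
    "CRC32_poly_Constant": dwords_le([CRC32_POLY_REFLECTED]),
    "CRC32_table": dwords_le(crc32_table()[:8]),
    "MD5_Constants": dwords_le(MD5_INIT),
}


def scan(blob: bytes) -> dict:
    """Return {rule_name: first_offset} for every pattern present in blob."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        off = blob.find(pattern)
        if off != -1:
            hits[name] = off
    for api in DEBUG_APIS:
        off = blob.find(api + b"\x00")     # import names are NUL-terminated ASCII
        if off != -1:
            hits["iat_" + api.decode()] = off
    return hits


# Constructed sample blob (not the real file): filler, a partial CRC32 table,
# the polynomial, the MD5 IVs and two import-name strings.
SAMPLE = (b"\x90" * 16
          + dwords_le(crc32_table()[:16])
          + dwords_le([CRC32_POLY_REFLECTED])
          + b"\x00" * 8
          + dwords_le(MD5_INIT)
          + b"IsDebuggerPresent\x00"
          + b"QueryPerformanceCounter\x00")

if __name__ == "__main__":
    for rule, off in sorted(scan(SAMPLE).items()):
        print(f"{rule:32s} @ 0x{off:04x}")
```

All of these are plain pattern matches, which is why they fire on any binary that statically links zlib and an MD5 routine, and why a console tool that imports IsDebuggerPresent and QueryPerformanceCounter through the C runtime is not evidence of anti-analysis on its own.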

Signatures

The sample's code-signing certificate is valid
Maldun Yara detection result: normal
Critical: potential malicious behaviours from a small target (process manipulation, privilege, token and file operations)
Network activity observed that does not appear in the API log:
ip: 96.7.129.34
domain: acroipm.adobe.com

Note: the anti-debug and timing Yara hits rest on IsDebuggerPresent, QueryPerformanceCounter, GetTickCount and OutputDebugStringA being in the import table, which the MSVC runtime and a logging library pull in on their own, so they carry no weight without a matching behavioural hit. The only network traffic (an HTTP GET with User-Agent "IPM" to acroipm.adobe.com, listed below) is not attributed to the sample's process in the API log and matches Adobe Reader's in-product-messaging check-in, so it should be read as sandbox background noise rather than sample behaviour.

Screenshots

No screenshots

Network analysis

DNS resolution

Domain              Response
acroipm.adobe.com   A 96.7.129.29
                    CNAME acroipm.adobe.com.edgesuite.net
                    A 96.7.129.34
                    CNAME a1983.dscd.akamai.net

TCP connections

IP address      Port
96.7.129.34     80

UDP connections

IP address      Port
192.168.122.1   53   (the libvirt default NAT gateway, i.e. the sandbox host's resolver)

HTTP requests

URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
HTTP data:
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE info

Image base              0x00400000
Entry point             0x0041fe40
Declared checksum       0x0006367d
Actual checksum         0x0006367d
Minimum OS version      5.1
PDB path                D:\webapps\b\build\slave\repo\build\src\out\Release\browsing_data_remover.exe.pdb
Compile time            2017-12-11 17:04:35
Import hash (imphash)   4eba277eeb54cff81d28cb73860e0334
Exported DLL name       browsing_data_remover.exe
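How the "declared checksum" and "actual checksum" rows are produced, as an added example (not the sandbox's own code): the IMAGE_OPTIONAL_HEADER.CheckSum algorithm re-implemented in Python and applied to a constructed minimal MZ/PE stub. minimal_pe() is a hypothetical helper written for this example and builds a stub that is not a loadable image.

```python
"""Recompute IMAGE_OPTIONAL_HEADER.CheckSum and compare it with the declared value.

Added example for this page, not the sandbox's own code. The algorithm is the
documented one: sum the file as little-endian 32-bit words with end-around
carry, skipping the CheckSum field itself, fold to 16 bits and add the file
length.
"""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (file header) + 0x40 (CheckSum's offset inside the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    padded = data + b"\x00" * (-len(data) % 4)      # pad to a dword boundary
    skip = checksum_offset & ~3                       # dword holding the field
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue                                  # the field itself is excluded
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:                          # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)          # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)                          # original, unpadded length


def verify_checksum(data: bytes):
    """Return (declared, computed, match), i.e. the report's two rows."""
    off = checksum_field_offset(data)
    declared = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return declared, computed, declared == computed


def minimal_pe(checksum: int = 0) -> bytes:
    """Constructed 0xA0-byte MZ/PE stub (hypothetical helper for this example)
    carrying only the fields the check reads; it is not a loadable image."""
    img = bytearray(0xA0)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<I", img, 0x40 + 0x58, checksum)
    return bytes(img)


if __name__ == "__main__":
    stub = minimal_pe()
    good = minimal_pe(pe_checksum(stub, checksum_field_offset(stub)))
    print("declared=0x%x computed=0x%x match=%s" % verify_checksum(good))
    tampered = bytearray(good)
    tampered[0x10] ^= 0x01                            # flip one bit outside the field
    print("declared=0x%x computed=0x%x match=%s" % verify_checksum(bytes(tampered)))
```

For this sample both rows read 0x0006367d, so nobody modified the file without recomputing the field. That is all a matching checksum says: any packer or patcher recomputes it, so for a signed binary (HasDigitalSignature) the Authenticode signature, which the report says is valid, is the check that actually binds the content.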

PE sections

Name     Virtual address   Virtual size   Raw size     Characteristics   Entropy
.text 0x00001000 0x0003d16a 0x0003d200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.61
.rdata 0x0003f000 0x00010aac 0x00010c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.72
.data 0x00050000 0x00002b68 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.22
.gfids 0x00053000 0x0000032c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.34
.tls 0x00054000 0x00000002 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.reloc 0x00055000 0x00002a5c 0x00002c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.52

Overlay

Offset: 0x00052400
Size:   0x00003390

Imports

Library KERNEL32.dll:
0x43f000 - SetEnvironmentVariableA
0x43f004 - FreeEnvironmentStringsW
0x43f008 - GetEnvironmentStringsW
0x43f00c - GetOEMCP
0x43f010 - IsValidCodePage
0x43f014 - FindNextFileA
0x43f018 - FindFirstFileExA
0x43f01c - GetTickCount
0x43f020 - SetDllDirectoryW
0x43f024 - HeapAlloc
0x43f028 - HeapReAlloc
0x43f02c - HeapFree
0x43f030 - HeapSize
0x43f034 - GetCurrentDirectoryW
0x43f038 - CreateFileW
0x43f03c - DeleteFileW
0x43f040 - WriteFile
0x43f044 - OutputDebugStringA
0x43f048 - CloseHandle
0x43f04c - GetLastError
0x43f050 - SetLastError
0x43f054 - GetCurrentProcessId
0x43f058 - GetModuleFileNameW
0x43f05c - GetCommandLineW
0x43f060 - LocalFree
0x43f064 - GetModuleHandleW
0x43f068 - GetProcAddress
0x43f06c - FindClose
0x43f070 - FindFirstFileW
0x43f074 - FindFirstFileExW
0x43f078 - FindNextFileW
0x43f07c - GetFileAttributesW
0x43f080 - CreateDirectoryW
0x43f084 - ReadFile
0x43f088 - RemoveDirectoryW
0x43f08c - SetFileAttributesW
0x43f090 - GetCurrentProcess
0x43f094 - CopyFileW
0x43f098 - MoveFileExW
0x43f09c - WaitForSingleObject
0x43f0a0 - TerminateProcess
0x43f0a4 - GetExitCodeProcess
0x43f0a8 - OpenProcess
0x43f0ac - IsDebuggerPresent
0x43f0b0 - RaiseException
0x43f0b4 - Sleep
0x43f0b8 - GetCurrentThreadId
0x43f0bc - QueryPerformanceCounter
0x43f0c0 - QueryPerformanceFrequency
0x43f0c4 - GetSystemTimeAsFileTime
0x43f0c8 - GetVersionExW
0x43f0cc - GetNativeSystemInfo
0x43f0d0 - FlushFileBuffers
0x43f0d4 - SetFilePointerEx
0x43f0d8 - GetProcessId
0x43f0dc - GetModuleHandleExW
0x43f0e0 - EnterCriticalSection
0x43f0e4 - LeaveCriticalSection
0x43f0e8 - InitializeCriticalSectionAndSpinCount
0x43f0ec - TryEnterCriticalSection
0x43f0f0 - DeleteCriticalSection
0x43f0f4 - RtlCaptureStackBackTrace
0x43f0f8 - SetUnhandledExceptionFilter
0x43f0fc - TlsAlloc
0x43f100 - TlsGetValue
0x43f104 - TlsSetValue
0x43f108 - TlsFree
0x43f10c - ReadConsoleW
0x43f110 - GetDriveTypeW
0x43f114 - WriteConsoleW
0x43f118 - GetTimeZoneInformation
0x43f11c - EnumSystemLocalesW
0x43f120 - GetUserDefaultLCID
0x43f124 - IsValidLocale
0x43f128 - GetACP
0x43f12c - GetCommandLineA
0x43f130 - GetStdHandle
0x43f134 - GetModuleFileNameA
0x43f138 - ExitProcess
0x43f13c - GetFileType
0x43f140 - SetStdHandle
0x43f144 - GetFullPathNameW
0x43f148 - GetConsoleMode
0x43f14c - GetConsoleCP
0x43f150 - GetProcessHeap
0x43f154 - LoadLibraryExW
0x43f158 - IsProcessorFeaturePresent
0x43f15c - UnhandledExceptionFilter
0x43f160 - GetStartupInfoW
0x43f164 - InitializeSListHead
0x43f168 - WideCharToMultiByte
0x43f16c - MultiByteToWideChar
0x43f170 - EncodePointer
0x43f174 - DecodePointer
0x43f178 - CompareStringW
0x43f17c - LCMapStringW
0x43f180 - GetLocaleInfoW
0x43f184 - GetStringTypeW
0x43f188 - GetCPInfo
0x43f18c - RtlUnwind
0x43f190 - FreeLibrary
Library SHELL32.dll:
0x43f198 - CommandLineToArgvW
Library WINMM.dll:
0x43f1a0 - timeGetTime

Exports

Ordinal   Address    Name
1         0x412c50   GetHandleVerifier

Note: GetHandleVerifier is the export Chromium's base library adds to its executables so that loaded DLLs share one handle verifier; together with the src\out\Release PDB path this is consistent with a Chromium-derived build tool rather than purpose-built malware, which agrees with the clean verdict.

Dropped files

None

Behavioural analysis

Mutexes            none
Commands executed  none
Services created   none
Services started   none

Processes

browsing_data_remover.exe PID: 2556, parent PID: 2216

Files accessed
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-core-datetime-l1-1-1.DLL
  • C:\Windows\system\api-ms-win-core-datetime-l1-1-1.DLL
  • C:\Windows\api-ms-win-core-datetime-l1-1-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-datetime-l1-1-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-core-datetime-l1-1-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-datetime-l1-1-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-datetime-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-localization-obsolete-l1-2-0.DLL
  • C:\Windows\System32\api-ms-win-core-localization-obsolete-l1-2-0.DLL
  • C:\Windows\system\api-ms-win-core-localization-obsolete-l1-2-0.DLL
  • C:\Windows\api-ms-win-core-localization-obsolete-l1-2-0.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-obsolete-l1-2-0.DLL
  • C:\Windows\System32\wbem\api-ms-win-core-localization-obsolete-l1-2-0.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-localization-obsolete-l1-2-0.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-core-localization-obsolete-l1-2-0.DLL
  • C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Program Files (x86)\WinRAR\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL
Files read
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
  • C:\Users\test\AppData\Local\Temp\ext-ms-win-kernel32-package-current-l1-1-0.DLL
Files modified   none
Files deleted    none
Registry keys opened
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified   none
Registry keys deleted    none
API resolution (runtime GetProcAddress lookups; the Fls*, SRW-lock, condition-variable and threadpool entries are the MSVC runtime probing for Vista-and-later APIs and appear in any binary built with that runtime)
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsGetValue
  • api-ms-win-core-localization-l1-2-1.dll.LCMapStringEx
  • kernel32.dll.FlsFree
  • kernel32.dll.InitializeCriticalSectionEx
  • kernel32.dll.InitOnceExecuteOnce
  • kernel32.dll.CreateEventExW
  • kernel32.dll.CreateSemaphoreW
  • kernel32.dll.CreateSemaphoreExW
  • kernel32.dll.CreateThreadpoolTimer
  • kernel32.dll.SetThreadpoolTimer
  • kernel32.dll.WaitForThreadpoolTimerCallbacks
  • kernel32.dll.CloseThreadpoolTimer
  • kernel32.dll.CreateThreadpoolWait
  • kernel32.dll.SetThreadpoolWait
  • kernel32.dll.CloseThreadpoolWait
  • kernel32.dll.FlushProcessWriteBuffers
  • kernel32.dll.FreeLibraryWhenCallbackReturns
  • kernel32.dll.GetCurrentProcessorNumber
  • kernel32.dll.CreateSymbolicLinkW
  • kernel32.dll.GetTickCount64
  • kernel32.dll.GetFileInformationByHandleEx
  • kernel32.dll.SetFileInformationByHandle
  • kernel32.dll.InitializeConditionVariable
  • kernel32.dll.WakeConditionVariable
  • kernel32.dll.WakeAllConditionVariable
  • kernel32.dll.SleepConditionVariableCS
  • kernel32.dll.InitializeSRWLock
  • kernel32.dll.AcquireSRWLockExclusive
  • kernel32.dll.TryAcquireSRWLockExclusive
  • kernel32.dll.ReleaseSRWLockExclusive
  • kernel32.dll.SleepConditionVariableSRW
  • kernel32.dll.CreateThreadpoolWork
  • kernel32.dll.SubmitThreadpoolWork
  • kernel32.dll.CloseThreadpoolWork
  • kernel32.dll.CompareStringEx
  • kernel32.dll.GetLocaleInfoEx
  • kernel32.dll.LCMapStringEx
  • kernel32.dll.AreFileApisANSI
  • kernelbase.dll.CompareStringEx
  • api-ms-win-core-localization-l1-2-1.dll.EnumSystemLocalesEx
  • kernel32.dll.GetDateFormatEx
  • api-ms-win-core-localization-l1-2-1.dll.GetLocaleInfoEx
  • kernel32.dll.GetTimeFormatEx
  • api-ms-win-core-localization-l1-2-1.dll.GetUserDefaultLocaleName
  • api-ms-win-core-localization-l1-2-1.dll.IsValidLocaleName
  • kernel32.dll.LCIDToLocaleName
  • api-ms-win-core-localization-l1-2-1.dll.LocaleNameToLCID
  • kernel32.dll.AcquireSRWLockShared
  • kernel32.dll.ReleaseSRWLockShared
  • ext-ms-win-kernel32-package-current-l1-1-0.dll.GetCurrentPackageId