Maldun Security Analysis Report

Analysis type: FILE
Start time: 2021-04-21 18:13:09
End time: 2021-04-21 18:15:13
Duration: 124 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-shaapp03-1
Label: win7-sp1-x64-shaapp03-1
Hypervisor: KVM
Boot time: 2021-04-21 18:13:09
Shutdown time: 2021-04-21 18:15:14

Maldun score

6.2 (malicious)

File details

File name: rundl132.exe
File size: 95232 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: 8A6B0E83
MD5: 3111643527f87ccea80a15425b9ffa8e
SHA1: 1ccb64b5299075004fdaa4a9acf69be99cf872d1
SHA256: 9b9bd76277aac2b8befd3a565621fd486c21e5f8df1c8787d3b7afb22c03314e
SHA512: 5e0b818e1a751d53f2ba225d5323e291df593c610b5c9e9d0ee0f8723d50da26c1562f6434be03088862beec41919a6a47e826a1339da2a0b4bb54407c17b338
Ssdeep: 1536:B7qnkAQtSaoGo5n4iLG0/WM6HNHSaYqezhIjx22uC+yRaXrLiBN:oCSjGoLpWM678hIjxZu4RuHiB
PEiD: no match
Yara:
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • Borland (Detects Borland program)
  • Petite21
  • ThreadControl__Context
  • inject_thread (Detected code injection function with CreateRemoteThread in a remote process)
  • network_tcp_socket (Detected network communications over RAW socket)
  • network_dns (Detected network communications use DNS)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
VirusTotal: lookup failed

Signatures

Maldun Yara rule detection results - security alerts
Warning: Detected code injection function with CreateRemoteThread in a remote process
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
Network activity detected that does not appear in the API log (the only HTTP request captured, shown under Network analysis below, is a GET to acroipm.adobe.com with User-Agent "IPM", which matches Adobe Reader's in-product messaging update check; it is most likely background traffic from the analysis VM rather than traffic generated by the sample)
ip: 23.15.196.176
domain: acroipm.adobe.com
Anomalous binary characteristics
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year
anomaly: Entrypoint of binary is located outside of any mapped sections
The sample writes data to the system hosts file
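The hosts-file write is the one behavior this report records in detail (under Behavioral analysis the file is opened, read and modified), but the report does not show what was written. The Python below is an added incident-response check, not part of the report: it parses a Windows hosts file, separates ordinary localhost lines from sinkhole entries (a name pointed at 127.x, ::1 or 0.0.0.0, the usual way malware blocks security-vendor and update servers) and redirect entries (a name pointed at any other address, i.e. pharming), and diffs the current file against a known-good copy. The hosts content and the baseline are constructed for the example; 198.51.100.7 is an RFC 5737 documentation address standing in for an attacker-controlled host.

```python
"""Audit a Windows hosts file for entries planted by malware.

Added example: the report records only that rundl132.exe opened, read and
modified C:\\Windows\\System32\\drivers\\etc\\hosts, not what it wrote, so the
content below is constructed to exercise the three outcomes an analyst looks
for (benign localhost lines, sinkholed names, redirected names)."""
import ipaddress

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: Windows 7 style default header plus three planted lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#       127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
127.0.0.1   update.example-av.test          # constructed: vendor update host sinkholed
198.51.100.7  www.example-bank.test login.example-bank.test   # constructed: pharming redirect
0.0.0.0 telemetry.example.test
"""

# Known-good copy to diff against (constructed; in practice take it from a clean image).
BASELINE_HOSTS = "127.0.0.1       localhost\n::1             localhost\n"


def parse_hosts(text):
    """Yield (lineno, ip_or_None, [names]) for every active (non-comment) entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        first, *names = line.split()
        try:
            ip = ipaddress.ip_address(first)
        except ValueError:
            ip = None                          # malformed address: still worth reporting
        yield lineno, ip, [n.lower() for n in names]


def classify(ip, names):
    """Verdict for one entry: benign, sinkhole, redirect or malformed."""
    if ip is None or not names:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        # 127.x / ::1 / 0.0.0.0 for localhost is normal; for any other name it blocks resolution
        return "benign" if all(n in LOCAL_NAMES for n in names) else "sinkhole"
    return "redirect"  # name sent to a host the attacker controls (pharming)


def audit_hosts(text):
    """Return (lineno, verdict, ip, names) for every entry that is not benign."""
    return [(lineno, classify(ip, names), str(ip) if ip else None, names)
            for lineno, ip, names in parse_hosts(text)
            if classify(ip, names) != "benign"]


def added_entries(current, baseline):
    """Entries present now but absent from a known-good copy (whitespace-insensitive)."""
    known = {(str(ip), tuple(names)) for _, ip, names in parse_hosts(baseline)}
    return [(lineno, str(ip), names) for lineno, ip, names in parse_hosts(current)
            if (str(ip), tuple(names)) not in known]


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print("added vs baseline:", added_entries(SAMPLE_HOSTS, BASELINE_HOSTS))
```

On a live host the same functions run over the file read from the path the report names; the baseline diff is the faster signal when a golden image is available, the verdict classification is what you fall back on when it is not.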

Runtime screenshots

Network analysis

DNS resolution

Domain              Response
acroipm.adobe.com   CNAME acroipm.adobe.com.edgesuite.net
                    CNAME a1983.dscd.akamai.net
                    A 23.15.196.139
                    A 23.15.196.176

TCP connections

IP address      Port
23.15.196.176 80

UDP connections

IP address      Port
192.168.122.1 53

HTTP requests

URL / HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base: 0x00400000
Entry point: 0x00410cbb
Declared checksum: 0x00000000
Computed checksum: 0x0001d80f
Minimum OS version required: 4.0
Compile timestamp: 1992-06-20 06:22:17
Import hash: 8548db8f60c204814dcfae0b498b2735
Icon exact hash: 9f59aa39e1721a192d99c61685716308
Icon similarity hash: bdabe8b1903fb02e0ae634c11bd247a3

Version information

LegalCopyright:
InternalName:
FileVersion: 1.0.0.0
CompanyName:
LegalTrademarks:
Comments:
ProductName:
ProductVersion: 1.0.0.0
FileDescription:
OriginalFilename:
Translation: 0x0804 0x03a8

PE sections

Name    Virtual address  Virtual size  Raw data size  Characteristics  Entropy
CODE 0x00001000 0x0000fc70 0x0000fe00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.76
DATA 0x00011000 0x00000210 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.37
BSS 0x00012000 0x0000d23d 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00020000 0x00000d68 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.75
.tls 0x00021000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x00022000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.20
.reloc 0x00023000 0x00000b30 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.00
.rsrc 0x00024000 0x000050e8 0x00005200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.40
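The two "anomalous binary" findings listed under Signatures can be verified by hand from the header fields and the section table above. The entry point 0x00410cbb is RVA 0x10cbb; CODE is declared with VirtualSize 0xfc70, so it ends at RVA 0x10c70 and the entry point lies 0x4b bytes past it, which is why a strict section check reports it as outside any section. The bytes are nevertheless present in the file (SizeOfRawData 0xfe00 covers the section up to RVA 0x10e00) and the loader maps CODE up to its page-aligned end at RVA 0x11000, so the code at the entry point does execute: the finding records sloppy VirtualSize bookkeeping, not a genuinely unmapped entry point. The compile timestamp is printed in the analysis host's local time, presumably UTC+8 for this Chinese service; 1992-06-20 06:22:17 local is 1992-06-19 22:22:17 UTC, which is the constant TimeDateStamp 0x2A425E19 that Borland's Delphi linker writes into every binary it produces. Together with the Borland Yara hit this accounts for a 1992 stamp on a file that requires OS version 4.0 (Windows 95 shipped in August 1995). The Python below is an added editorial example, not the sandbox's code; it reproduces both checks from the values in this report. SectionAlignment is not printed in the report and is assumed to be 0x1000, consistent with every section address in the table, and the OS release-date table is the editor's.

```python
"""Reproduce the two 'anomalous binary' findings from this report's PE header
fields and section table (values copied from the report above).

Added example. The loader model (VirtualSize rounded up to SectionAlignment)
is standard PE behaviour; SECTION_ALIGNMENT is assumed because the report
does not print it, but every section VA in the table is 0x1000-aligned."""
from datetime import datetime, timezone

IMAGE_BASE = 0x00400000
ENTRY_POINT_VA = 0x00410CBB
SECTION_ALIGNMENT = 0x1000  # assumed (not in the report)

# (name, virtual address, virtual size, raw data size) as listed in the report
SECTIONS = [
    ("CODE",   0x00001000, 0x0000FC70, 0x0000FE00),
    ("DATA",   0x00011000, 0x00000210, 0x00000400),
    ("BSS",    0x00012000, 0x0000D23D, 0x00000000),
    (".idata", 0x00020000, 0x00000D68, 0x00000E00),
    (".tls",   0x00021000, 0x00000008, 0x00000000),
    (".rdata", 0x00022000, 0x00000018, 0x00000200),
    (".reloc", 0x00023000, 0x00000B30, 0x00000C00),
    (".rsrc",  0x00024000, 0x000050E8, 0x00005200),
]

# Earliest OS shipping each MajorOperatingSystemVersion.MinorOperatingSystemVersion
# (editor's table; release dates in UTC).
OS_RELEASE_UTC = {
    (4, 0): datetime(1995, 8, 24, tzinfo=timezone.utc),   # Windows 95 (NT 4.0 followed in 1996)
    (5, 0): datetime(2000, 2, 17, tzinfo=timezone.utc),   # Windows 2000
    (5, 1): datetime(2001, 10, 25, tzinfo=timezone.utc),  # Windows XP
    (6, 0): datetime(2007, 1, 30, tzinfo=timezone.utc),   # Windows Vista
    (6, 1): datetime(2009, 10, 22, tzinfo=timezone.utc),  # Windows 7
}
DELPHI_LINK_STAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC, hard-coded by Borland's Delphi linker


def align_up(value, alignment):
    return -(-value // alignment) * alignment


def locate_rva(rva, sections=SECTIONS, alignment=SECTION_ALIGNMENT):
    """Classify an RVA against the section table.

    status "inside"   : within the declared VirtualSize (what strict tools accept)
           "slack"    : past VirtualSize but inside the page-aligned extent the
                        loader maps anyway, so code placed there still runs
           "unmapped" : no section covers it
    file_backed       : True when the RVA also lies within SizeOfRawData, i.e. the
                        bytes come from the file rather than from zero-fill
    """
    for name, va, vsize, rawsize in sections:
        if va <= rva < va + align_up(vsize, alignment):
            return {"section": name,
                    "status": "inside" if rva < va + vsize else "slack",
                    "file_backed": rva < va + rawsize,
                    "bytes_past_virtual_size": max(0, rva - (va + vsize))}
    return {"section": None, "status": "unmapped", "file_backed": False,
            "bytes_past_virtual_size": None}


def check_entrypoint(ep_va=ENTRY_POINT_VA, image_base=IMAGE_BASE):
    """The sandbox rule: an entry point past every section's VirtualSize is an anomaly."""
    info = locate_rva(ep_va - image_base)
    info["rva"] = ep_va - image_base
    info["anomaly"] = info["status"] != "inside"
    return info


def check_timestamp(time_date_stamp=DELPHI_LINK_STAMP, os_version=(4, 0), min_gap_days=365):
    """The sandbox rule: TimeDateStamp at least a year older than the required OS."""
    compiled = datetime.fromtimestamp(time_date_stamp, tz=timezone.utc)
    gap_days = (OS_RELEASE_UTC[os_version] - compiled).days
    return {"compiled_utc": compiled.strftime("%Y-%m-%d %H:%M:%S"),
            "predates_os_by_days": gap_days,
            "anomaly": gap_days >= min_gap_days,
            # True means the stamp is a compiler constant, not evidence of tampering
            "borland_constant_stamp": time_date_stamp == DELPHI_LINK_STAMP}


if __name__ == "__main__":
    print(check_entrypoint())
    print(check_timestamp())
```

The same two functions run unchanged over any PE once you feed them the section table and header fields from a parser such as pefile; the point of the "slack" status is to separate a suspicious entry point (zero-filled, or outside every section) from the harmless VirtualSize quirk seen here.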

Resources

Name  Offset  Size  Language  Sublanguage  Entropy  File type
DLL 0x000241f4 0x00003ec9 LANG_NEUTRAL SUBLANG_NEUTRAL 7.24 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Petite compressed
RT_ICON 0x000280c0 0x000002e8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.23 data
RT_RCDATA 0x000283b8 0x000000e0 LANG_NEUTRAL SUBLANG_NEUTRAL 4.98 data
RT_GROUP_ICON 0x00028498 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 1.92 MS Windows icon resource - 1 icon, 32x32
RT_VERSION 0x000284ac 0x00000274 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.07 data

Imports

Library KERNEL32.DLL:
0x4201bc - WriteProcessMemory
0x4201c0 - WriteFile
0x4201c4 - WinExec
0x4201c8 - VirtualFreeEx
0x4201cc - VirtualAllocEx
0x4201d0 - UpdateResourceA
0x4201d4 - TerminateProcess
0x4201d8 - SuspendThread
0x4201dc - Sleep
0x4201e0 - SizeofResource
0x4201e4 - SetThreadContext
0x4201e8 - SetLastError
0x4201ec - SetFileTime
0x4201f0 - SetFilePointer
0x4201f4 - SetFileAttributesA
0x4201f8 - SetEndOfFile
0x4201fc - ResumeThread
0x420200 - ReadFile
0x420204 - OpenProcess
0x420208 - OpenFileMappingA
0x42020c - MoveFileA
0x420210 - MapViewOfFile
0x420214 - LockResource
0x420218 - LoadResource
0x42021c - LoadLibraryExA
0x420220 - LoadLibraryA
0x420224 - IsBadReadPtr
0x420228 - GlobalFree
0x42022c - GlobalAlloc
0x420230 - GetWindowsDirectoryA
0x420234 - GetVersionExA
0x420238 - GetUserDefaultLangID
0x42023c - GetThreadContext
0x420240 - GetTempPathA
0x420244 - GetTempFileNameA
0x420248 - GetSystemDirectoryA
0x42024c - GetProcAddress
0x420250 - GetModuleHandleA
0x420254 - GetLocalTime
0x420258 - GetFileTime
0x42025c - GetFileSize
0x420260 - GetFileAttributesA
0x420264 - GetDriveTypeA
0x420268 - GetCurrentProcessId
0x42026c - GetCurrentProcess
0x420270 - GetComputerNameA
0x420274 - GetACP
0x420278 - FreeResource
0x42027c - FreeLibrary
0x420280 - FindResourceA
0x420284 - FindNextFileA
0x420288 - FindFirstFileA
0x42028c - FindClose
0x420290 - FileTimeToLocalFileTime
0x420294 - FileTimeToDosDateTime
0x420298 - ExitProcess
0x42029c - EndUpdateResourceA
0x4202a0 - DuplicateHandle
0x4202a4 - DeleteFileA
0x4202a8 - CreateThread
0x4202ac - CreateProcessA
0x4202b0 - CreateFileMappingA
0x4202b4 - CreateFileA
0x4202b8 - CreateDirectoryA
0x4202bc - CopyFileA
0x4202c0 - CompareStringA
0x4202c4 - CloseHandle
0x4202c8 - BeginUpdateResourceA
Library KERNEL32.DLL:
0x420194 - TlsSetValue
0x420198 - TlsGetValue
0x42019c - LocalAlloc
0x4201a0 - GetModuleHandleA
Library KERNEL32.DLL:
0x420104 - DeleteCriticalSection
0x420108 - LeaveCriticalSection
0x42010c - EnterCriticalSection
0x420110 - InitializeCriticalSection
0x420114 - VirtualFree
0x420118 - VirtualAlloc
0x42011c - LocalFree
0x420120 - LocalAlloc
0x420124 - GetVersion
0x420128 - GetCurrentThreadId
0x42012c - MultiByteToWideChar
0x420130 - GetThreadLocale
0x420134 - GetStartupInfoA
0x420138 - GetModuleFileNameA
0x42013c - GetLocaleInfoA
0x420140 - GetCommandLineA
0x420144 - FreeLibrary
0x420148 - ExitProcess
0x42014c - WriteFile
0x420150 - UnhandledExceptionFilter
0x420154 - RtlUnwind
0x420158 - RaiseException
0x42015c - GetStdHandle
Library advapi32.dll:
0x4201a8 - RegSetValueExA
0x4201ac - RegCreateKeyExA
0x4201b0 - RegCloseKey
0x4201b4 - FreeSid
Library advapi32.dll:
0x420174 - RegQueryValueExA
0x420178 - RegOpenKeyExA
0x42017c - RegCloseKey
Library mpr.dll:
0x4202d0 - WNetOpenEnumA
0x4202d4 - WNetEnumResourceA
0x4202d8 - WNetCloseEnum
0x4202dc - WNetCancelConnectionA
0x4202e0 - WNetCancelConnection2A
0x4202e4 - WNetAddConnection2A
Library oleaut32.dll:
0x420184 - SysFreeString
0x420188 - SysReAllocStringLen
0x42018c - SysAllocStringLen
Library user32.dll:
0x420164 - GetKeyboardType
0x420168 - MessageBoxA
0x42016c - CharNextA
Library user32.dll:
0x4202fc - CreateWindowExA
0x420300 - UpdateWindow
0x420304 - TranslateMessage
0x420308 - SendMessageA
0x42030c - RegisterClassA
0x420310 - PostThreadMessageA
0x420314 - PostMessageA
0x420318 - PeekMessageA
0x42031c - LoadCursorA
0x420320 - GetWindowTextA
0x420324 - GetMessageA
0x420328 - FindWindowExA
0x42032c - FindWindowA
0x420330 - DispatchMessageA
0x420334 - DefWindowProcA
Library version.dll:
0x4202ec - VerQueryValueA
0x4202f0 - GetFileVersionInfoSizeA
0x4202f4 - GetFileVersionInfoA
Library winmm.dll:
0x420354 - waveOutSetVolume
0x420358 - waveOutGetVolume
Library wsock32.dll:
0x42033c - WSACleanup
0x420340 - WSAStartup
0x420344 - gethostname
0x420348 - gethostbyname
0x42034c - inet_ntoa

Dropped files

None recorded

Behavioral analysis

Mutexes: none recorded
Commands executed: none recorded
Services created: none recorded
Services started: none recorded

Processes

rundl132.exe PID: 2488, parent PID: 2164

Files accessed
  • C:\gamevir.txt
  • C:\Windows\System32\drivers\etc\hosts
Files read
  • C:\Windows\System32\drivers\etc\hosts
Files modified
  • C:\Windows\System32\drivers\etc\hosts
Files deleted: none recorded
Registry keys: none recorded
Registry keys read: none recorded
Registry keys modified: none recorded
Registry keys deleted: none recorded
APIs resolved at runtime
  • advapi32.dll.LookupAccountNameA
  • advapi32.dll.GetSidIdentifierAuthority
  • advapi32.dll.GetSidSubAuthorityCount
  • advapi32.dll.GetSidSubAuthority
  • advapi32.dll.AllocateAndInitializeSid
  • netapi32.dll.NetScheduleJobAdd
  • netapi32.dll.NetRemoteTOD
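Read together, the static import table above and the APIs resolved at runtime in this section give a capability profile that no single function conveys. Several combinations stand out: OpenProcess, VirtualAllocEx and WriteProcessMemory together with SuspendThread, GetThreadContext, SetThreadContext and ResumeThread (thread-context hijacking, or hollowing of a process started with CreateProcessA); BeginUpdateResourceA, UpdateResourceA and EndUpdateResourceA (rewriting the resource section of other PE files; the sample itself carries a Petite-compressed DLL as a resource); WNetOpenEnumA, WNetEnumResourceA and WNetAddConnection2A (enumerating and mounting network shares); and, resolved only at runtime, NetRemoteTOD with NetScheduleJobAdd (reading a remote host's clock and scheduling an AT job on it, a long-standing lateral-movement step). CreateRemoteThread itself does not appear in the static import table, so the inject_thread Yara hit is not explained by the imports alone. The Python below is an added triage aid, not part of the report: the capability groups are the editor's own combination rules, not the sandbox's Yara signatures, and the function lists are copied from this report.

```python
"""Capability triage over the import table and runtime-resolved APIs in this
report. Added example: capability groups are the editor's combination rules,
not the sandbox's Yara signatures."""

# Statically imported functions copied from the report's import table. The
# KERNEL32 runtime-library block (TlsGetValue, RtlUnwind, ...) is left out
# because it is Delphi boilerplate with no capability signal.
STATIC_IMPORTS = """
WriteProcessMemory WriteFile WinExec VirtualFreeEx VirtualAllocEx UpdateResourceA TerminateProcess
SuspendThread Sleep SizeofResource SetThreadContext SetLastError SetFileTime SetFilePointer
SetFileAttributesA SetEndOfFile ResumeThread ReadFile OpenProcess OpenFileMappingA MoveFileA
MapViewOfFile LockResource LoadResource LoadLibraryExA LoadLibraryA IsBadReadPtr GlobalFree
GlobalAlloc GetWindowsDirectoryA GetVersionExA GetUserDefaultLangID GetThreadContext GetTempPathA
GetTempFileNameA GetSystemDirectoryA GetProcAddress GetModuleHandleA GetLocalTime GetFileTime
GetFileSize GetFileAttributesA GetDriveTypeA GetCurrentProcessId GetCurrentProcess GetComputerNameA
GetACP FreeResource FreeLibrary FindResourceA FindNextFileA FindFirstFileA FindClose
FileTimeToLocalFileTime FileTimeToDosDateTime ExitProcess EndUpdateResourceA DuplicateHandle
DeleteFileA CreateThread CreateProcessA CreateFileMappingA CreateFileA CreateDirectoryA CopyFileA
CompareStringA CloseHandle BeginUpdateResourceA
RegSetValueExA RegCreateKeyExA RegCloseKey FreeSid RegQueryValueExA RegOpenKeyExA
WNetOpenEnumA WNetEnumResourceA WNetCloseEnum WNetCancelConnectionA WNetCancelConnection2A WNetAddConnection2A
GetKeyboardType MessageBoxA CharNextA CreateWindowExA UpdateWindow TranslateMessage SendMessageA
RegisterClassA PostThreadMessageA PostMessageA PeekMessageA LoadCursorA GetWindowTextA GetMessageA
FindWindowExA FindWindowA DispatchMessageA DefWindowProcA
VerQueryValueA GetFileVersionInfoSizeA GetFileVersionInfoA waveOutSetVolume waveOutGetVolume
WSACleanup WSAStartup gethostname gethostbyname inet_ntoa
""".split()

# Functions the sample resolved at runtime (report section "APIs resolved at runtime").
RUNTIME_RESOLVED = """
LookupAccountNameA GetSidIdentifierAuthority GetSidSubAuthorityCount GetSidSubAuthority
AllocateAndInitializeSid NetScheduleJobAdd NetRemoteTOD
""".split()

# A capability counts only when every function in its set is present; single
# APIs such as WriteFile or OpenProcess are far too common to mean anything alone.
CAPABILITIES = {
    "thread_context_injection":  {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                                  "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "remote_thread_injection":   {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                                  "CreateRemoteThread"},
    "pe_resource_tampering":     {"BeginUpdateResourceA", "UpdateResourceA", "EndUpdateResourceA"},
    "network_share_enumeration": {"WNetOpenEnumA", "WNetEnumResourceA", "WNetAddConnection2A"},
    "remote_at_job_scheduling":  {"NetRemoteTOD", "NetScheduleJobAdd"},
    "account_sid_lookup":        {"LookupAccountNameA", "AllocateAndInitializeSid"},
    "dynamic_api_resolution":    {"LoadLibraryA", "GetProcAddress"},
    "registry_write":            {"RegCreateKeyExA", "RegSetValueExA"},
    "drive_and_file_sweep":      {"GetDriveTypeA", "FindFirstFileA", "FindNextFileA"},
    "dns_resolution":            {"WSAStartup", "gethostbyname"},
}


def missing_per_capability(apis):
    """Map each capability to the sorted functions it still lacks ([] means fully matched)."""
    have = set(apis)
    return {cap: sorted(req - have) for cap, req in CAPABILITIES.items()}


def matched_capabilities(apis):
    return sorted(cap for cap, missing in missing_per_capability(apis).items() if not missing)


def triage():
    """Static-only view beside the static+runtime view, to show what resolution adds."""
    static = matched_capabilities(STATIC_IMPORTS)
    merged = matched_capabilities(STATIC_IMPORTS + RUNTIME_RESOLVED)
    near = missing_per_capability(STATIC_IMPORTS + RUNTIME_RESOLVED)
    return {"static": static,
            "unlocked_by_runtime_resolution": sorted(set(merged) - set(static)),
            # one missing function: worth a look at GetProcAddress strings or unpacked code
            "near_misses": {cap: miss for cap, miss in near.items() if len(miss) == 1}}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Merging the runtime-resolved list before matching is the step most often skipped; here it is what turns netapi32 from noise into the AT-job scheduling capability, and the single near miss (CreateRemoteThread) is exactly the kind of gap that says "check the unpacked resource DLL, not just the outer executable".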