魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2021-04-21 21:39:56 | 2021-04-21 21:41:59 | 123 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2021-04-21 21:39:56 | 2021-04-21 21:42:01 |
| 魔盾分数 |
|---|
3.2665可疑的 |
文件详细信息
| 文件名 | qax.exe |
|---|---|
| 文件大小 | 478192 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 4BFBB1CB |
| MD5 | 8b8d8b4ea3dea4dad5f182848b97ff80 |
| SHA1 | 4ebab33b6276e2529bf3659594dd8a6edcb9bffd |
| SHA256 | ecafaf3cc5a8b689df587cb1b4004b9238576f7847c7f8db1cd4132468e376c1 |
| SHA512 | bf28028a1b35dd7a8ea712c03e186eb003fc5520227c405fc4408c3b4998cdbff8070cc5ad67824ab431d7a139695576a2cb03d34c23b16027fa19a4771c908d |
| Ssdeep | 6144:Nqc0BiuNhcTvpjGZ4bBRmetOOAIklrYu/XbT6iiHnHFKaZ5CUm+8olv6JA:Ac0BE9Cc/OjIklrYOrWiiv5CLgiJA |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
通过进程尝试延迟分析任务
Process: qax.exe tried to sleep 97 seconds, actually delayed analysis time by 0 seconds
创建RWX内存
魔盾安全Yara检测结果 - 普通
二进制文件可能包含加密或压缩数据
section: name: .data, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0005f400, virtual_size: 0x0005f55c
一个进程将本机信息传递到一个远程主机
Beacon: qax.exe: /login?file=XSG45hU_R-IUsMybW-NxniSmatbGNztA6T3piTF4eMFiixsnCj50kTYpQDEBOcKpR4YyYBPC162sZQ0ye6ZzB5MjfCEI24b471lxjxxy8_BnLCmks-uqa1x1Ywx3pX8EyIox1zHM1f43Jg14SiyxquC3zwDTiaH-bcO6-z1rrWE.php&test1=test2
Beacon: qax.exe: /config?file=XSG45hU_R-IUsMybW-NxniSmatbGNztA6T3piTF4eMFiixsnCj50kTYpQDEBOcKpR4YyYBPC162sZQ0ye6ZzB5MjfCEI24b471lxjxxy8_BnLCmks-uqa1x1Ywx3pX8EyIox1zHM1f43Jg14SiyxquC3zwDTiaH-bcO6-z1rrWE.php&test1=test2
Beacon: qax.exe: /admin?file=XSG45hU_R-IUsMybW-NxniSmatbGNztA6T3piTF4eMFiixsnCj50kTYpQDEBOcKpR4YyYBPC162sZQ0ye6ZzB5MjfCEI24b471lxjxxy8_BnLCmks-uqa1x1Ywx3pX8EyIox1zHM1f43Jg14SiyxquC3zwDTiaH-bcO6-z1rrWE.php&test1=test2
运行截图
网络分析
域名解析
| 域名 | 响应 |
|---|---|
| acroipm.adobe.com |
CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net A 104.75.169.10 A 104.75.169.8 |
TCP连接
| IP地址 | 端口 |
|---|---|
| 101.72.205.199 | 443 |
| 101.72.205.199 | 443 |
| 104.75.169.10 | 80 |
| 112.25.18.136 | 443 |
| 112.25.18.136 | 443 |
| 114.80.187.84 | 443 |
| 114.80.187.84 | 443 |
| 118.123.241.206 | 443 |
| 118.123.241.206 | 443 |
| 121.207.229.136 | 443 |
| 121.207.229.136 | 443 |
| 122.156.134.217 | 443 |
| 122.156.134.217 | 443 |
| 124.236.20.140 | 443 |
| 124.236.20.140 | 443 |
| 125.37.206.217 | 443 |
| 125.37.206.217 | 443 |
| 125.76.247.218 | 443 |
| 14.29.40.5 | 443 |
| 140.249.60.232 | 443 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00402100 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x0007f6c7 |
| 最低操作系统版本要求 | 6.0 |
| 编译时间 | 2021-04-15 18:49:50 |
| 载入哈希 | 85ff4fa6bd88ca86b4f1135514125911 |
| 图标 |  |
| 图标精确哈希值 | f6b04579d6a93cfcb72847b1b6b520ff |
| 图标相似性哈希值 | 6ea6cee5848bed18069f5ee78efb7867 |
版本信息
| LegalCopyright: | Copyright (C) 1999-2021 Tencent. All Rights Reserved |
| FileVersion: | 9.4.5.27743 |
| CompanyName: | Tencent |
| ProductName: | \xe8\xe8QQ |
| ProductVersion: | 9.4.5.27743 |
| FileDescription: | \xe8\xe8QQ |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00001382 | 0x00001400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.28 |
| .rdata | 0x00003000 | 0x0000029a | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.77 |
| .data | 0x00004000 | 0x0005f55c | 0x0005f400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 8.00 |
| .rsrc | 0x00064000 | 0x00010248 | 0x00010400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.04 |
| .reloc | 0x00075000 | 0x000000c4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 2.83 |
覆盖
| 偏移量: | 0x00071600 |
| 大小: | 0x000035f0 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x000641e0 | 0x00000002 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 0.00 | data |
| RT_ICON | 0x000641e8 | 0x0000fdd8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.00 | dBase IV DBT of \366.DBF, blocks size 0, block length 62976, next free block index 40, next free block 0, next used block 0 |
| RT_DIALOG | 0x000641a0 | 0x00000040 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.37 | data |
| RT_GROUP_ICON | 0x00073fc0 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 128x123 |
| RT_VERSION | 0x00073fd8 | 0x00000270 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.55 | data |
导入
库 KERNEL32.dll:
• 0x403008 - HeapCreate
• 0x40300c - GetModuleHandleW
• 0x403010 - CreateEventW
• 0x403014 - TerminateProcess
• 0x403018 - GetCurrentProcess
• 0x40301c - IsProcessorFeaturePresent
• 0x403020 - HeapDestroy
• 0x403024 - WaitForSingleObject
• 0x403028 - HeapAlloc
• 0x40302c - UnhandledExceptionFilter
• 0x403030 - SetUnhandledExceptionFilter
库 USER32.dll:
• 0x403038 - DialogBoxParamW
库 COMCTL32.dll:
• 0x403000 - None
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
qax.exe PID: 2496, 上一级进程 PID: 2144
访问的文件
- C:\Users\test\AppData\Local\Temp\amsi.dll
- C:\Windows\System32\amsi.dll
- C:\Windows\system\amsi.dll
- C:\Windows\amsi.dll
- C:\ProgramData\Oracle\Java\javapath\amsi.dll
- C:\Windows\System32\wbem\amsi.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\amsi.dll
- C:\Program Files (x86)\WinRAR\amsi.dll
- C:\Users\test\AppData\Local\Temp\wldp.dll
- C:\Windows\System32\wldp.dll
- C:\Windows\system\wldp.dll
- C:\Windows\wldp.dll
- C:\ProgramData\Oracle\Java\javapath\wldp.dll
- C:\Windows\System32\wbem\wldp.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\wldp.dll
- C:\Program Files (x86)\WinRAR\wldp.dll
- C:\Users\test\AppData\Local\Temp\wwanmm.dll
- C:\Windows\System32\wwanmm.dll
- C:\Windows\system\wwanmm.dll
- C:\Windows\wwanmm.dll
- C:\ProgramData\Oracle\Java\javapath\wwanmm.dll
- C:\Windows\System32\wbem\wwanmm.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\wwanmm.dll
- C:\Program Files (x86)\WinRAR\wwanmm.dll
读取的文件
无信息
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.GetProcAddress
- kernel32.dll.CreateFileW
- kernel32.dll.WriteFile
- kernel32.dll.GetModuleFileNameW
- kernel32.dll.GetModuleHandleA
- kernel32.dll.CreateEventW
- kernel32.dll.WaitForSingleObject
- kernel32.dll.LoadLibraryA
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.RaiseException
- kernel32.dll.FindClose
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.GetConsoleCP
- kernel32.dll.FlushFileBuffers
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.InitializeCriticalSectionEx
- kernel32.dll.GetLastError
- kernel32.dll.CloseHandle
- kernel32.dll.GetCurrentProcess
- kernel32.dll.EnumUILanguagesW
- kernel32.dll.GetModuleHandleW
- kernel32.dll.SetStdHandle
- kernel32.dll.GetStringTypeW
- kernel32.dll.GetProcessHeap
- kernel32.dll.LCMapStringW
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.GetSystemInfo
- kernel32.dll.VirtualProtect
- kernel32.dll.VirtualQuery
- kernel32.dll.FreeLibrary
- kernel32.dll.LoadLibraryExA
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.TerminateProcess
- kernel32.dll.IsProcessorFeaturePresent
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.GetStartupInfoW
- kernel32.dll.QueryPerformanceCounter
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.GetSystemTimeAsFileTime
- kernel32.dll.InitializeSListHead
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.LocalFree
- kernel32.dll.OutputDebugStringW
- kernel32.dll.EnterCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.RtlUnwind
- kernel32.dll.InterlockedFlushSList
- kernel32.dll.SetLastError
- kernel32.dll.InitializeCriticalSectionAndSpinCount
- kernel32.dll.TlsAlloc
- kernel32.dll.TlsGetValue
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsFree
- kernel32.dll.LoadLibraryExW
- kernel32.dll.ExitProcess
- kernel32.dll.GetModuleHandleExW
- kernel32.dll.HeapFree
- kernel32.dll.HeapAlloc
- kernel32.dll.GetStdHandle
- kernel32.dll.GetFileType
- kernel32.dll.HeapSize
- kernel32.dll.HeapReAlloc
- kernel32.dll.SetFilePointerEx
- kernel32.dll.GetConsoleMode
- kernel32.dll.FindFirstFileExW
- kernel32.dll.FindNextFileW
- kernel32.dll.IsValidCodePage
- kernel32.dll.GetACP
- kernel32.dll.GetOEMCP
- kernel32.dll.GetCPInfo
- kernel32.dll.GetCommandLineA
- kernel32.dll.GetCommandLineW
- kernel32.dll.WriteConsoleW
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsGetValue
- kernel32.dll.LCMapStringEx
- kernel32.dll.AreFileApisANSI
- kernel32.dll.GetThreadContext
- kernel32.dll.ReadProcessMemory
- kernel32.dll.CreateProcessA
- kernel32.dll.GetCurrentDirectoryW
- kernel32.dll.VirtualProtectEx
- kernel32.dll.WriteProcessMemory
- kernel32.dll.ResumeThread
- kernel32.dll.GetFullPathNameA
- kernel32.dll.SystemTimeToTzSpecificLocalTime
- kernel32.dll.GetLogicalDrives
- kernel32.dll.ExpandEnvironmentStringsA
- kernel32.dll.GetFileAttributesA
- kernel32.dll.FileTimeToSystemTime
- kernel32.dll.FindFirstFileA
- kernel32.dll.CopyFileA
- kernel32.dll.MoveFileA
- kernel32.dll.FindNextFileA
- kernel32.dll.OpenProcess
- kernel32.dll.Thread32First
- kernel32.dll.Thread32Next
- kernel32.dll.VirtualAllocEx
- kernel32.dll.OpenThread
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.CreateThread
- kernel32.dll.CreateRemoteThread
- kernel32.dll.SetThreadContext
- kernel32.dll.MapViewOfFile
- kernel32.dll.UnmapViewOfFile
- kernel32.dll.CreateFileMappingA
- kernel32.dll.GetVersionExA
- kernel32.dll.CreateFileA
- kernel32.dll.PeekNamedPipe
- kernel32.dll.WaitNamedPipeA
- kernel32.dll.SetNamedPipeHandleState
- kernel32.dll.GetComputerNameA
- kernel32.dll.GetModuleFileNameA
- kernel32.dll.DeleteProcThreadAttributeList
- kernel32.dll.CreateNamedPipeA
- kernel32.dll.InitializeProcThreadAttributeList
- kernel32.dll.SetErrorMode
- kernel32.dll.UpdateProcThreadAttribute
- kernel32.dll.ProcessIdToSessionId
- kernel32.dll.DuplicateHandle
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- kernel32.dll.ExitThread
- kernel32.dll.ReadFile
- kernel32.dll.GetCurrentThread
- kernel32.dll.ConnectNamedPipe
- kernel32.dll.GetCurrentDirectoryA
- kernel32.dll.CreatePipe
- kernel32.dll.GetLocalTime
- kernel32.dll.GetStartupInfoA
- kernel32.dll.SetCurrentDirectoryA
- kernel32.dll.DisconnectNamedPipe
- kernel32.dll.GetTickCount
- kernel32.dll.Sleep
- kernel32.dll.DebugBreak
- kernel32.dll.SetEnvironmentVariableW
- kernel32.dll.VirtualAlloc
- kernel32.dll.SetEnvironmentVariableA
- kernel32.dll.CompareStringW
- kernel32.dll.CompareStringA
- kernel32.dll.SetEndOfFile
- kernel32.dll.GetStringTypeA
- kernel32.dll.LCMapStringA
- kernel32.dll.GetConsoleOutputCP
- kernel32.dll.WriteConsoleA
- kernel32.dll.GetLocaleInfoA
- kernel32.dll.VirtualFree
- kernel32.dll.DeleteFileA
- kernel32.dll.CreateDirectoryA
- kernel32.dll.RemoveDirectoryA
- kernel32.dll.HeapCreate
- kernel32.dll.HeapDestroy
- kernel32.dll.InterlockedIncrement
- kernel32.dll.InterlockedDecrement
- kernel32.dll.SetHandleCount
- kernel32.dll.SetFilePointer
- kernel32.dll.FreeEnvironmentStringsA
- kernel32.dll.GetEnvironmentStrings
- advapi32.dll.LookupAccountSidA
- advapi32.dll.OpenThreadToken
- advapi32.dll.CryptReleaseContext
- advapi32.dll.CryptAcquireContextA
- advapi32.dll.CryptGenRandom
- advapi32.dll.LogonUserA
- advapi32.dll.CheckTokenMembership
- advapi32.dll.FreeSid
- advapi32.dll.RevertToSelf
- advapi32.dll.AllocateAndInitializeSid
- advapi32.dll.DuplicateTokenEx
- advapi32.dll.OpenProcessToken
- advapi32.dll.GetTokenInformation
- advapi32.dll.GetUserNameA
- advapi32.dll.CreateProcessWithTokenW
- advapi32.dll.CreateProcessWithLogonW
- advapi32.dll.CreateProcessAsUserA
- advapi32.dll.AdjustTokenPrivileges
- advapi32.dll.ImpersonateNamedPipeClient
- advapi32.dll.ImpersonateLoggedOnUser
- advapi32.dll.LookupPrivilegeValueA
- wininet.dll.InternetReadFile
- wininet.dll.InternetConnectA
- wininet.dll.InternetQueryDataAvailable
- wininet.dll.InternetSetOptionA
- wininet.dll.HttpOpenRequestA
- wininet.dll.HttpAddRequestHeadersA
- wininet.dll.InternetSetStatusCallback
- wininet.dll.HttpSendRequestA
- wininet.dll.InternetOpenA
- wininet.dll.InternetCloseHandle
- wininet.dll.InternetQueryOptionA
- wininet.dll.HttpQueryInfoA
- kernel32.dll.FlsFree
- cryptsp.dll.CryptAcquireContextA
- cryptsp.dll.CryptGenRandom
- cryptsp.dll.CryptReleaseContext
- kernel32.dll.IsWow64Process
- rasapi32.dll.RasConnectionNotificationW
- sechost.dll.NotifyServiceStatusChangeA
- cryptbase.dll.SystemFunction036