Maldun Security Analysis Report

Analysis type    Start time           End time             Duration   Engine version
FILE             2021-08-10 22:55:10  2021-08-10 22:55:12  2 seconds  1.4-Maldun

VM name                  Label                    Hypervisor  Boot time            Shutdown time
win7-sp1-x64-shaapp02-1  win7-sp1-x64-shaapp02-1  KVM         2021-08-10 22:55:12  2021-08-10 22:55:12
Maldun score

1.4

Normal

File details

File name   阿里云盘变本地硬盘-1.1.34_2.exe
File size   24044755 bytes
File type   PE32 executable (GUI) Intel 80386, for MS Windows
CRC32       CB4BDA11
MD5         6f0ae80959c84527a887615031624b0c
SHA1        a2010b21f67cc43c65805d7d422911ac7078497c
SHA256      0832333561ad65fca4df8bd7ca821944e072efb9e3b02f7d515344f0c262d3f5
SHA512      6dbae8404d67cf5799f94295beab9d2e9719d640029681d852e09672ee7b747bed642eae108072a442914f12df39fd403fcbacf5ad4284f5fad67a7d90c67cd6
Ssdeep      393216:V+iWULLbnOrfrrlPiwf5XRdasLDuOQg0y0uMtT2JFIbc3SqgTOlcb:V3T/qrfvJioda89QgDTMtT2Dscv7lc
PEiD        No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • disable_dep (Bypass DEP)
  • create_process (Detection function for creating a new process)
  • escalate_priv (Detected escalate privileges function)
  • win_registry (Detected system registries modification function)
  • win_token (Affect system token)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasOverlay (Detected Overlay signature)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • with_images (Detected the presence of one or several images)
  • with_urls (Detected the presence of one or several URLs)
  • Borland (Detects Borland program)
VirusTotal  VirusTotal query failed

Signatures

Maldun Yara rule detection results - security alerts
Warning: Bypass DEP
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files

Screenshots

No screenshots

Network analysis

No information

Static analysis

PE information

Image base            0x00400000
Entry point           0x004b5eec
Declared checksum     0x00000000
Minimum OS version    6.1
Compile time          2021-06-03 16:09:11
Import hash           5a594319a0d69dbc452e748bcf05892e
Export DLL name       \x38\x31\x31\x31\x31\x37\x31\x31\x34\x31\x31\x31

Version information

LegalCopyright:
FileVersion:
CompanyName: Waytech Inc.
Comments: This installation was built with Inno Setup.
ProductName: CloudDrive
ProductVersion: 1.1
FileDescription: CloudDrive Setup
OriginalFileName:
Translation: 0x0000 0x04b0

PE sections

Name     Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x000b361c 0x000b3800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.36
.itext 0x000b5000 0x00001688 0x00001800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.97
.data 0x000b7000 0x000037a4 0x00003800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.04
.bss 0x000bb000 0x00006de8 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x000c2000 0x00000f36 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.90
.didata 0x000c3000 0x000001a4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.76
.edata 0x000c4000 0x0000009a 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.87
.tls 0x000c5000 0x00000018 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x000c6000 0x0000005d 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.38
.rsrc 0x000c7000 0x00010e00 0x00010e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.71

Overlay

Offset: 0x000d7e00
Size: 0x016166d3

Imports

Library kernel32.dll:
0x4c22e4 - GetACP
0x4c22e8 - GetExitCodeProcess
0x4c22ec - LocalFree
0x4c22f0 - CloseHandle
0x4c22f4 - SizeofResource
0x4c22f8 - VirtualProtect
0x4c22fc - VirtualFree
0x4c2300 - GetFullPathNameW
0x4c2304 - ExitProcess
0x4c2308 - HeapAlloc
0x4c230c - GetCPInfoExW
0x4c2310 - RtlUnwind
0x4c2314 - GetCPInfo
0x4c2318 - GetStdHandle
0x4c231c - GetModuleHandleW
0x4c2320 - FreeLibrary
0x4c2324 - HeapDestroy
0x4c2328 - ReadFile
0x4c232c - CreateProcessW
0x4c2330 - GetLastError
0x4c2334 - GetModuleFileNameW
0x4c2338 - SetLastError
0x4c233c - FindResourceW
0x4c2340 - CreateThread
0x4c2344 - CompareStringW
0x4c2348 - LoadLibraryA
0x4c234c - ResetEvent
0x4c2350 - GetVersion
0x4c2354 - RaiseException
0x4c2358 - FormatMessageW
0x4c235c - SwitchToThread
0x4c2360 - GetExitCodeThread
0x4c2364 - GetCurrentThread
0x4c2368 - LoadLibraryExW
0x4c236c - LockResource
0x4c2370 - GetCurrentThreadId
0x4c2374 - UnhandledExceptionFilter
0x4c2378 - VirtualQuery
0x4c237c - VirtualQueryEx
0x4c2380 - Sleep
0x4c2384 - EnterCriticalSection
0x4c2388 - SetFilePointer
0x4c238c - LoadResource
0x4c2390 - SuspendThread
0x4c2394 - GetTickCount
0x4c2398 - GetFileSize
0x4c239c - GetStartupInfoW
0x4c23a0 - GetFileAttributesW
0x4c23a4 - InitializeCriticalSection
0x4c23a8 - GetThreadPriority
0x4c23ac - SetThreadPriority
0x4c23b0 - GetCurrentProcess
0x4c23b4 - VirtualAlloc
0x4c23b8 - GetSystemInfo
0x4c23bc - GetCommandLineW
0x4c23c0 - LeaveCriticalSection
0x4c23c4 - GetProcAddress
0x4c23c8 - ResumeThread
0x4c23cc - GetVersionExW
0x4c23d0 - VerifyVersionInfoW
0x4c23d4 - HeapCreate
0x4c23d8 - GetWindowsDirectoryW
0x4c23dc - VerSetConditionMask
0x4c23e0 - GetDiskFreeSpaceW
0x4c23e4 - FindFirstFileW
0x4c23e8 - GetUserDefaultUILanguage
0x4c23ec - lstrlenW
0x4c23f0 - QueryPerformanceCounter
0x4c23f4 - SetEndOfFile
0x4c23f8 - HeapFree
0x4c23fc - WideCharToMultiByte
0x4c2400 - FindClose
0x4c2404 - MultiByteToWideChar
0x4c2408 - LoadLibraryW
0x4c240c - SetEvent
0x4c2410 - CreateFileW
0x4c2414 - GetLocaleInfoW
0x4c2418 - GetSystemDirectoryW
0x4c241c - DeleteFileW
0x4c2420 - GetLocalTime
0x4c2424 - GetEnvironmentVariableW
0x4c2428 - WaitForSingleObject
0x4c242c - WriteFile
0x4c2430 - ExitThread
0x4c2434 - DeleteCriticalSection
0x4c2438 - TlsGetValue
0x4c243c - GetDateFormatW
0x4c2440 - SetErrorMode
0x4c2444 - IsValidLocale
0x4c2448 - TlsSetValue
0x4c244c - CreateDirectoryW
0x4c2450 - GetSystemDefaultUILanguage
0x4c2454 - EnumCalendarInfoW
0x4c2458 - LocalAlloc
0x4c245c - GetUserDefaultLangID
0x4c2460 - RemoveDirectoryW
0x4c2464 - CreateEventW
0x4c2468 - SetThreadLocale
0x4c246c - GetThreadLocale
Library comctl32.dll:
0x4c2474 - InitCommonControls
Library version.dll:
0x4c247c - GetFileVersionInfoSizeW
0x4c2480 - VerQueryValueW
0x4c2484 - GetFileVersionInfoW
Library user32.dll:
0x4c248c - CreateWindowExW
0x4c2490 - TranslateMessage
0x4c2494 - CharLowerBuffW
0x4c2498 - CallWindowProcW
0x4c249c - CharUpperW
0x4c24a0 - PeekMessageW
0x4c24a4 - GetSystemMetrics
0x4c24a8 - SetWindowLongW
0x4c24ac - MessageBoxW
0x4c24b0 - DestroyWindow
0x4c24b4 - CharUpperBuffW
0x4c24b8 - CharNextW
0x4c24bc - MsgWaitForMultipleObjects
0x4c24c0 - LoadStringW
0x4c24c4 - ExitWindowsEx
0x4c24c8 - DispatchMessageW
Library oleaut32.dll:
0x4c24d0 - SysAllocStringLen
0x4c24d4 - SafeArrayPtrOfIndex
0x4c24d8 - VariantCopy
0x4c24dc - SafeArrayGetLBound
0x4c24e0 - SafeArrayGetUBound
0x4c24e4 - VariantInit
0x4c24e8 - VariantClear
0x4c24ec - SysFreeString
0x4c24f0 - SysReAllocStringLen
0x4c24f4 - VariantChangeType
0x4c24f8 - SafeArrayCreate
Library netapi32.dll:
0x4c2500 - NetWkstaGetInfo
0x4c2504 - NetApiBufferFree
Library advapi32.dll:
0x4c250c - RegQueryValueExW
0x4c2510 - AdjustTokenPrivileges
0x4c2514 - LookupPrivilegeValueW
0x4c2518 - RegCloseKey
0x4c251c - OpenProcessToken
0x4c2520 - RegOpenKeyExW

Exports

Ordinal  Address   Name
3        0x454060  TMethodImplementationIntercept
2        0x40d0a0  __dbk_fcall_wrapper
1        0x4be63c  dbkFCallWrapperAddr

Dropped files

No information

Behavior analysis

Mutexes                 No information
Executed commands       No information
Created services        No information
Started services        No information

Processes

No information
Accessed files          No information
Read files              No information
Modified files          No information
Deleted files           No information
Registry keys           No information
Read registry keys      No information
Modified registry keys  No information
Deleted registry keys   No information
API resolution          No information