Maldun Security Analysis Report

Analysis type Start time End time Duration Analysis engine version
FILE 2021-09-22 13:15:55 2021-09-22 13:15:56 1 second 1.4-Maldun
VM name Label Hypervisor Boot time Shutdown time
win7-sp1-x64-shaapp02-1 win7-sp1-x64-shaapp02-1 KVM 2021-09-22 13:15:56 2021-09-22 13:15:56
Maldun score

1.75

Normal (benign)

Note on reading this verdict: the PE header declares a minimum OS version of 10.0 and the version resource reports build 10.0.19041.1202, but the sample was run in a Windows 7 SP1 x64 VM whose boot and shutdown timestamps are identical and whose whole analysis lasted one second. A Windows 10 build 19041 system component does not load on Windows 7 (its required subsystem version is higher than the host's), so the empty network and behavioural sections below record a sample that never executed, not one that executed cleanly. The score rests on static features alone and is not a dynamic clean bill.

File details

File name SppExtComObj.Exe
File size 572928 bytes
File type PE32+ executable (GUI) x86-64, for MS Windows
CRC32 E056E67B
MD5 728a78909aa69ca0e976e94482350700
SHA1 6508dfcbf37df25cae8ae68cf1fcd4b78084abb7
SHA256 2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c
SHA512 22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1
Ssdeep 12288:NyoBXlQ2Uu47gFeOHgskuzvABNK7PCxIZLx59kIQbwjX2m:NzK2U/EFPPxzv2N4PCxe
PEiD No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • network_dns (Detected network communications use DNS)
  • create_process (Detection function for creating a new process)
  • win_registry (Detected system registries modification function)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE64 (Detected a 64bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
  • CRC32b_poly_Constant (Look for CRC32b [poly])
VirusTotal VirusTotal lookup failed

Features

The binary may contain encrypted or compressed data
section: name: .text, entropy: 7.53, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0006bc00, virtual_size: 0x0006ba76
Maldun Yara rule detection results - security alert
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files

Both findings are generic heuristics and should be weighed as such. The entropy feature fires on any executable section above a fixed cut-off, and the "combined activities" rule is a static pattern match whose description lists process, privilege, token and file activity; the report records no runtime behaviour that substantiates it. The version resource identifies the file as Microsoft's KMS Connection Broker, a Software Protection Platform component, and Microsoft ships those components with encrypted code segments (its Warbird scheme), which is as consistent with the 7.53 entropy and with the oddly named executable section ?g_Encry in the section table as packing would be. What the report lacks is the decisive check: an Authenticode signature verification, or a comparison of the SHA256 above against the SppExtComObj.Exe shipped in %SystemRoot%\System32 by build 10.0.19041.1202. One of those is needed before the file is treated as either benign or malicious.

Runtime screenshots

No runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base 0x140000000
Entry point 0x14000d220
Declared checksum 0x000919b7
Actual (recomputed) checksum 0x000919b7
Minimum OS version required 10.0
PDB path SppExtComObj.pdb
Compile timestamp 2020-12-18 03:27:49
Import hash (imphash) 4c96b0e079d994b8689c66f7872425eb
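The declared and recomputed checksums above agree. The Python below is an added example written for this page, not Maldun's code and not taken from the sample, that recomputes IMAGE_OPTIONAL_HEADER.CheckSum the way imagehlp's CheckSumMappedFile does and compares it with the declared value; the stub PE it builds is constructed data used only so the functions can be exercised offline.

```python
import struct
import sys


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the optional-header CheckSum the way imagehlp's
    CheckSumMappedFile does: a one's-complement style 16-bit sum over the
    whole file with the 4-byte CheckSum field itself left out, folded to
    16 bits, plus the file length. Assumes checksum_offset is even, which
    holds for every real PE header."""
    total = 0
    n = len(data)
    for off in range(0, n - n % 2, 2):
        if off == checksum_offset or off == checksum_offset + 2:
            continue  # the field being computed is treated as zero
        total += data[off] | (data[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    if n % 2:  # trailing odd byte, zero-extended to a word
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + n) & 0xFFFFFFFF


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # PE signature (4) + COFF header (20) + CheckSum at optional-header offset 64
    return e_lfanew + 4 + 20 + 64


def check_file(data: bytes):
    """Return (declared, recomputed) checksums, the two values the report lists."""
    off = checksum_field_offset(data)
    declared = struct.unpack_from("<I", data, off)[0]
    return declared, pe_checksum(data, off)


def build_stub_pe(checksum: int = 0, body: bytes = b"\x90" * 64) -> bytes:
    """Constructed minimal PE32+ header plus a dummy body. Not a loadable
    image and not bytes from the analysed sample; it exists only so the
    functions above can run without a file on disk."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, 1 section, TimeDateStamp 0, no symbols,
    # SizeOfOptionalHeader=240, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)   # ImageBase, same as the report's
    struct.pack_into("<I", opt, 64, checksum)      # CheckSum field
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe()
    declared, actual = check_file(data)
    print(f"declared 0x{declared:08x}  actual 0x{actual:08x}  "
          f"{'match' if declared == actual else 'MISMATCH'}")
```

Pass a real file path as the first argument to check a sample. A mismatch shows only that the file was altered after linking without being re-stamped; the checksum is unauthenticated and trivially recomputed by anyone who patches the file, and many non-system binaries carry 0. The match for this sample is consistent with an untouched build but says nothing about who built it; Authenticode verification is the check that does.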

Version information

LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: SppExtComObj
FileVersion: 10.0.19041.1202 (WinBuild.160101.0800)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1202
FileDescription: KMS Connection Broker
OriginalFilename: SppExtComObj.exe
Translation: 0x0409 0x04b0

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0006ba76 0x0006bc00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.53
?g_Encry 0x0006d000 0x00002dac 0x00002e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 3.96
.rdata 0x00070000 0x00015e98 0x00016000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.67
.data 0x00086000 0x00001430 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.19
.pdata 0x00088000 0x00004548 0x00004600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.60
.rsrc 0x0008d000 0x00000718 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.16
.reloc 0x0008e000 0x0000159c 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.42
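The entropy column above, and the "may contain encrypted or compressed data" feature earlier in the report, are per-section Shannon entropy compared against a cut-off. The Python below is an added example written for this page (not Maldun's code) that reimplements the measurement on constructed sample sections; the 7.0 bits/byte threshold and the restriction to executable sections are assumptions, since the report does not state Maldun's rule, and the xorshift stream stands in for encrypted code bytes rather than reproducing any bytes of the sample.

```python
import math
from collections import Counter

# Assumption: the report does not state Maldun's cut-off; 7.0 bits/byte is a
# common choice for "possibly packed or encrypted" in sandbox heuristics.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_sections(sections):
    """sections: iterable of (name, characteristics, raw_bytes).
    Returns [(name, entropy rounded to 2 places, flagged)], where flagged
    mirrors the report's feature: an executable section whose entropy is at
    or above the threshold (executable-only is this example's assumption)."""
    out = []
    for name, characteristics, raw in sections:
        e = shannon_entropy(raw)
        executable = "IMAGE_SCN_MEM_EXECUTE" in characteristics
        out.append((name, round(e, 2), executable and e >= PACKED_ENTROPY_THRESHOLD))
    return out


def _prng_bytes(n: int, seed: int = 0x2021) -> bytes:
    """Deterministic xorshift32 stream standing in for encrypted code bytes
    (constructed data, not bytes from the analysed file)."""
    x = seed
    out = bytearray()
    for _ in range(n):
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out.append(x & 0xFF)
    return bytes(out)


# Constructed sample sections: an executable section of cipher-like bytes
# (what fires the rule), read-only data with similar bytes (high entropy but
# not executable, so not flagged) and an executable section of int3/nop
# padding (low entropy, not flagged).
SAMPLE_SECTIONS = [
    (".text", "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", _prng_bytes(65536)),
    (".rdata", "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", _prng_bytes(4096, seed=7)),
    (".pad", "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", b"\xCC" * 4096 + b"\x90\xCC" * 512),
]

if __name__ == "__main__":
    for name, e, flagged in flag_sections(SAMPLE_SECTIONS):
        print(f"{name:8s} entropy={e:.2f} flagged={flagged}")
```

Real compiled x86-64 code usually measures around 6 to 6.5 bits/byte, so 7.53 on a 0x6bc00-byte .text section is genuinely unusual for plain code; the measurement cannot tell a packer's stub from a vendor's own code encryption, which is why it is a prompt to verify provenance rather than a verdict.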

Imports

Library ADVAPI32.dll:
0x140076ae0 - RegEnumKeyW
0x140076ae8 - RegSetKeySecurity
0x140076af0 - RegDeleteKeyW
0x140076af8 - RegCreateKeyExW
0x140076b00 - RegQueryInfoKeyW
0x140076b08 - CryptAcquireContextW
0x140076b10 - CryptReleaseContext
0x140076b18 - CryptGenRandom
0x140076b20 - RegQueryValueExW
0x140076b28 - RegSetValueExW
0x140076b30 - RegOpenKeyExW
0x140076b38 - RegCloseKey
Library KERNEL32.dll:
0x140076b70 - EncodePointer
0x140076b78 - GetCurrentProcessId
0x140076b80 - CreateProcessW
0x140076b88 - OpenEventW
0x140076b90 - DecodePointer
0x140076b98 - LocalAlloc
0x140076ba0 - LocalFree
0x140076ba8 - SetLastError
0x140076bb0 - CreateEventW
0x140076bb8 - GetCurrentProcess
0x140076bc0 - VirtualAlloc
0x140076bc8 - RtlAddFunctionTable
0x140076bd0 - InitializeCriticalSection
0x140076bd8 - HeapSetInformation
0x140076be0 - RaiseFailFastException
0x140076be8 - GetCurrentThread
0x140076bf0 - DeleteCriticalSection
0x140076bf8 - GetModuleHandleW
0x140076c00 - RtlDeleteFunctionTable
0x140076c08 - LoadLibraryExW
0x140076c10 - SetThreadPriority
0x140076c18 - SetEvent
0x140076c20 - CloseHandle
0x140076c28 - GetModuleFileNameW
0x140076c30 - GetLastError
0x140076c38 - GetCommandLineW
0x140076c40 - GetSystemDirectoryW
0x140076c48 - FreeLibrary
0x140076c50 - WaitForMultipleObjects
0x140076c58 - CreateThread
0x140076c60 - EnterCriticalSection
0x140076c68 - LeaveCriticalSection
0x140076c70 - InitializeCriticalSectionAndSpinCount
0x140076c78 - GetComputerNameExW
0x140076c80 - VirtualQuery
0x140076c88 - GetProcessHeap
0x140076c90 - GetProcAddress
0x140076c98 - HeapAlloc
0x140076ca0 - GetModuleHandleExW
0x140076ca8 - HeapFree
0x140076cb0 - WaitForSingleObject
0x140076cb8 - VirtualFree
0x140076cc0 - FreeLibraryAndExitThread
Library msvcrt.dll:
0x140076fd0 - memcmp
0x140076fd8 - memmove
0x140076fe0 - memcpy
0x140076fe8 - _vsnwprintf
0x140076ff0 - memset
0x140076ff8 - _unlock
0x140077000 - _wcsicmp
0x140077008 - _purecall
0x140077010 - srand
0x140077018 - rand
0x140077020 - wcschr
0x140077028 - towupper
0x140077030 - __C_specific_handler
0x140077038 - _XcptFilter
0x140077040 - ?terminate@@YAXXZ
0x140077048 - _onexit
0x140077050 - __dllonexit
0x140077058 - wcscmp
0x140077060 - _lock
0x140077068 - _commode
0x140077070 - _fmode
0x140077078 - _acmdln
0x140077080 - _initterm
0x140077088 - __setusermatherr
0x140077090 - _ismbblead
0x140077098 - _cexit
0x1400770a0 - _exit
0x1400770a8 - exit
0x1400770b0 - __set_app_type
0x1400770b8 - __getmainargs
0x1400770c0 - _amsg_exit
Library ntdll.dll:
0x1400770d0 - RtlCaptureContext
0x1400770d8 - RtlLookupFunctionEntry
0x1400770e0 - RtlVirtualUnwind
0x1400770e8 - NtQuerySystemInformation
Library RPCRT4.dll:
0x140076db0 - UuidToStringW
0x140076db8 - I_RpcMapWin32Status
0x140076dc0 - CStdStubBuffer_Invoke
0x140076dc8 - IUnknown_AddRef_Proxy
0x140076dd0 - CStdStubBuffer_DebugServerQueryInterface
0x140076dd8 - NdrOleFree
0x140076de0 - CStdStubBuffer_AddRef
0x140076de8 - UuidFromStringW
0x140076df0 - IUnknown_Release_Proxy
0x140076df8 - CStdStubBuffer_CountRefs
0x140076e00 - CStdStubBuffer_QueryInterface
0x140076e08 - NdrOleAllocate
0x140076e10 - CStdStubBuffer_DebugServerRelease
0x140076e18 - Ndr64AsyncServerCallAll
0x140076e20 - RpcStringFreeW
0x140076e28 - NdrAsyncServerCall
0x140076e30 - Ndr64AsyncClientCall
0x140076e38 - NdrDllGetClassObject
0x140076e40 - RpcStringBindingComposeW
0x140076e48 - RpcBindingFromStringBindingW
0x140076e50 - RpcAsyncInitializeHandle
0x140076e58 - I_RpcExceptionFilter
0x140076e60 - RpcAsyncCancelCall
0x140076e68 - RpcAsyncCompleteCall
0x140076e70 - RpcBindingFree
0x140076e78 - IUnknown_QueryInterface_Proxy
0x140076e80 - CStdStubBuffer_IsIIDSupported
0x140076e88 - CStdStubBuffer_Connect
0x140076e90 - RpcServerUseProtseqEpW
0x140076e98 - RpcServerRegisterIf2
0x140076ea0 - RpcServerUnregisterIf
0x140076ea8 - NdrCStdStubBuffer_Release
0x140076eb0 - CStdStubBuffer_Disconnect
Library OLEAUT32.dll:
0x140076cd0 - BSTR_UserUnmarshal
0x140076cd8 - BSTR_UserSize
0x140076ce0 - VariantClear
0x140076ce8 - VariantInit
0x140076cf0 - BSTR_UserFree
0x140076cf8 - LPSAFEARRAY_UserSize
0x140076d00 - BSTR_UserUnmarshal64
0x140076d08 - BSTR_UserMarshal
0x140076d10 - LPSAFEARRAY_UserMarshal64
0x140076d18 - SysFreeString
0x140076d20 - SysAllocString
0x140076d28 - LPSAFEARRAY_UserMarshal
0x140076d30 - BSTR_UserFree64
0x140076d38 - LPSAFEARRAY_UserFree
0x140076d40 - LPSAFEARRAY_UserUnmarshal
0x140076d48 - BSTR_UserSize64
0x140076d50 - SafeArrayDestroy
0x140076d58 - LPSAFEARRAY_UserUnmarshal64
0x140076d60 - LPSAFEARRAY_UserSize64
0x140076d68 - BSTR_UserMarshal64
0x140076d70 - LPSAFEARRAY_UserFree64
0x140076d78 - SafeArrayAccessData
0x140076d80 - SafeArrayUnaccessData
0x140076d88 - SafeArrayCreateVector
0x140076d90 - UnRegisterTypeLib
0x140076d98 - RegisterTypeLib
0x140076da0 - LoadTypeLib
Library api-ms-win-core-com-l1-1-0.dll:
0x140076f08 - CoResumeClassObjects
0x140076f10 - CoRegisterClassObject
0x140076f18 - CoRevertToSelf
0x140076f20 - CoImpersonateClient
0x140076f28 - CoReleaseServerProcess
0x140076f30 - CoRevokeClassObject
0x140076f38 - CoUninitialize
0x140076f40 - CoInitializeEx
0x140076f48 - CoAddRefServerProcess
0x140076f50 - CoSuspendClassObjects
Library api-ms-win-core-synch-l1-2-0.dll:
0x140076fa8 - Sleep
Library api-ms-win-core-processthreads-l1-1-0.dll:
0x140076f78 - TerminateProcess
0x140076f80 - GetCurrentThreadId
0x140076f88 - GetStartupInfoW
Library api-ms-win-core-errorhandling-l1-1-0.dll:
0x140076f60 - SetUnhandledExceptionFilter
0x140076f68 - UnhandledExceptionFilter
Library api-ms-win-core-profile-l1-1-0.dll:
0x140076f98 - QueryPerformanceCounter
Library api-ms-win-core-sysinfo-l1-1-0.dll:
0x140076fb8 - GetTickCount
0x140076fc0 - GetSystemTimeAsFileTime
Library ole32.dll:
0x1400770f8 - CoRegisterPSClsid
0x140077100 - ObjectStublessClient3
0x140077108 - ObjectStublessClient5
0x140077110 - ObjectStublessClient4
Library SHELL32.dll:
0x140076ec0 - CommandLineToArgvW
Library WS2_32.dll:
0x140076ed0 - FreeAddrInfoW
0x140076ed8 - WSAAddressToStringW
0x140076ee0 - WSAGetLastError
0x140076ee8 - WSACleanup
0x140076ef0 - WSAStartup
0x140076ef8 - GetAddrInfoW
Library DNSAPI.dll:
0x140076b48 - DnsQuery_W
0x140076b50 - DnsNameCompare_W
0x140076b58 - DnsModifyRecordsInSet_W
0x140076b60 - DnsFree
Library ACTIVEDS.dll (three unnamed entries, most likely imports by ordinal that the analyzer did not resolve to names):
0x140076ac0 - None
0x140076ac8 - None
0x140076ad0 - None

Dropped files

No information

Behavioral analysis

Mutexes No information
Executed commands No information
Services created No information
Services started No information

Processes

No information
Files accessed No information
Files read No information
Files modified No information
Files deleted No information
Registry keys No information
Registry keys read No information
Registry keys modified No information
Registry keys deleted No information
API resolution No information