Maldun Security Analysis Report

Analysis type: FILE
Start time: 2022-07-05 16:52:13
End time: 2022-07-05 16:52:43
Duration: 30 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-shaapp03-1
Label: win7-sp1-x64-shaapp03-1
Hypervisor: KVM
Boot time: 2022-07-05 16:52:13
Shutdown time: 2022-07-05 16:52:44
Maldun score

9.138

Malicious

File details

File name bdch.dll.1
File size 842240 bytes
File type PE32+ executable (DLL) (console) x86-64, for MS Windows
CRC32 202B0630
MD5 aba2d34fa519be59e271d6bc5bf1ea87
SHA1 25900373741a1788a49e0e07afc30a7f1fef0a11
SHA256 2199e4930cdf5e56bf7d3c8010e823ba47f734eb6b4c46cb120d95d5204c06d0
SHA512 014bfe01f4952f3329deaecbbd81510887b635ecef61ff0a1cfef32a8de6989c6f9d03ef46a1ab3ac9b6ee689f42046cbb0913761d9c84488985223b9047c601
Ssdeep 24576:M+4RKuZNLM5O1MIomeloT8ICtT+zwYsW:M+qKujLMaMIQtYzwPW
PEiD No match
Yara
  • IsPE64 (Detected a 64bit PE sample)
  • IsDLL (Detect a DLL sample)
  • IsConsole (Detected a console program sample)
  • IsPacked (Detected Entropy signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__PerformanceCounter ()
  • anti_dbg (Detected self protection if being debugged)
  • win_files_operation (Affect private profile)
VirusTotal VirusTotal lookup failed

Signatures

Maldun Yara detection results - Normal
The binary may contain encrypted or compressed data
section: name: .rdata, entropy: 7.89, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000b8400, virtual_size: 0x000b82be
Suspicious sample with a mismatched file extension
Anomaly: DLL ==> .1
The sample appears to obfuscate or spoof its file type

Runtime screenshots

No runtime screenshots

Network analysis

TCP connections

IP address Port
23.15.14.8 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base 0x180000000
Entry point 0x180002c20
Declared checksum 0x00000000
Actual checksum 0x000d3b46
Minimum OS version 6.0
Compile time 2022-06-29 16:54:43
Import hash 519ff2fcf50b8feeefc096cd20de8b3c
Exported DLL name bdch.dll

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000123f4 0x00012400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.53
.rdata 0x00014000 0x000b82be 0x000b8400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.89
.data 0x000cd000 0x00002368 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.03
.pdata 0x000d0000 0x00001248 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.73
_RDATA 0x000d2000 0x000000fc 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.99
.rsrc 0x000d3000 0x000001e0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.71
.reloc 0x000d4000 0x00000738 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.19

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_MANIFEST 0x000d3060 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 XML 1.0 document text

Imports

Library KERNEL32.dll:
0x180014000 - CloseHandle
0x180014008 - GetProcAddress
0x180014010 - GetModuleHandleW
0x180014018 - WideCharToMultiByte
0x180014020 - SetErrorMode
0x180014028 - DisableThreadLibraryCalls
0x180014030 - WriteConsoleW
0x180014038 - RtlCaptureContext
0x180014040 - RtlLookupFunctionEntry
0x180014048 - RtlVirtualUnwind
0x180014050 - UnhandledExceptionFilter
0x180014058 - SetUnhandledExceptionFilter
0x180014060 - GetCurrentProcess
0x180014068 - TerminateProcess
0x180014070 - IsProcessorFeaturePresent
0x180014078 - QueryPerformanceCounter
0x180014080 - GetCurrentProcessId
0x180014088 - GetCurrentThreadId
0x180014090 - GetSystemTimeAsFileTime
0x180014098 - InitializeSListHead
0x1800140a0 - IsDebuggerPresent
0x1800140a8 - GetStartupInfoW
0x1800140b0 - EnterCriticalSection
0x1800140b8 - LeaveCriticalSection
0x1800140c0 - InitializeCriticalSectionEx
0x1800140c8 - DeleteCriticalSection
0x1800140d0 - EncodePointer
0x1800140d8 - DecodePointer
0x1800140e0 - MultiByteToWideChar
0x1800140e8 - GetStringTypeW
0x1800140f0 - GetCPInfo
0x1800140f8 - RtlUnwindEx
0x180014100 - RtlPcToFileHeader
0x180014108 - RaiseException
0x180014110 - InterlockedFlushSList
0x180014118 - GetLastError
0x180014120 - SetLastError
0x180014128 - InitializeCriticalSectionAndSpinCount
0x180014130 - TlsAlloc
0x180014138 - TlsGetValue
0x180014140 - TlsSetValue
0x180014148 - TlsFree
0x180014150 - FreeLibrary
0x180014158 - LoadLibraryExW
0x180014160 - ExitProcess
0x180014168 - GetModuleHandleExW
0x180014170 - GetModuleFileNameW
0x180014178 - SetFilePointerEx
0x180014180 - GetStdHandle
0x180014188 - GetFileType
0x180014190 - FlushFileBuffers
0x180014198 - WriteFile
0x1800141a0 - GetConsoleOutputCP
0x1800141a8 - GetConsoleMode
0x1800141b0 - HeapFree
0x1800141b8 - HeapAlloc
0x1800141c0 - LCMapStringW
0x1800141c8 - FindClose
0x1800141d0 - FindFirstFileExW
0x1800141d8 - FindNextFileW
0x1800141e0 - IsValidCodePage
0x1800141e8 - GetACP
0x1800141f0 - GetOEMCP
0x1800141f8 - GetCommandLineA
0x180014200 - GetCommandLineW
0x180014208 - GetEnvironmentStringsW
0x180014210 - FreeEnvironmentStringsW
0x180014218 - GetProcessHeap
0x180014220 - HeapReAlloc
0x180014228 - SetStdHandle
0x180014230 - HeapSize
0x180014238 - CreateFileW

Exports

Ordinal Address Name
1 0x1800027e0 BdCreateObject
2 0x180002800 BdDestroyObject
3 0x180002810 EnableCrashHandler
4 0x180002850 MCPV_migrate_update_data
5 0x180002830 SetSettingsFile
6 0x180002820 SignalHandler

Dropped files

No information

Behavioral analysis

Mutexes No information
Commands executed No information
Services created No information
Services started No information

Processes

rundll32.exe PID: 2612, parent PID: 2248

Files accessed
  • C:\Users\test\AppData\Local\Temp\bdch.dll.1.dll
  • C:\Users\test\AppData\Local\Temp\bdch.dll.1.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\bdch.dll.1.dll.124.Manifest
Files read
  • C:\Users\test\AppData\Local\Temp\bdch.dll.1.dll
  • C:\Users\test\AppData\Local\Temp\bdch.dll.1.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\bdch.dll.1.dll.124.Manifest
Files modified No information
Files deleted No information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified No information
Registry keys deleted No information
Resolved APIs
  • kernel32.dll.InitializeCriticalSectionEx
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsGetValue
  • kernel32.dll.LCMapStringEx
  • kernel32.dll.AreFileApisANSI
  • bdch.dll.1.dll.#1
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.VirtualFree
  • kernel32.dll.VirtualProtect
  • kernel32.dll.GetCommandLineW
  • kernel32.dll.GetModuleFileNameW
  • kernel32.dll.GetTempPathW
  • kernel32.dll.Sleep
  • kernel32.dll.lstrcatW
  • kernel32.dll.CreateThread
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.GetCurrentProcessId
  • kernel32.dll.CopyFileW
  • kernel32.dll.GetTickCount
  • kernel32.dll.SetEndOfFile
  • kernel32.dll.WriteConsoleW
  • kernel32.dll.GetModuleHandleW
  • kernel32.dll.CreateProcessW
  • kernel32.dll.GetNativeSystemInfo
  • kernel32.dll.OpenProcess
  • kernel32.dll.K32GetModuleFileNameExW
  • kernel32.dll.GetProcAddress
  • kernel32.dll.CloseHandle
  • kernel32.dll.GetLastError
  • kernel32.dll.DuplicateHandle
  • kernel32.dll.VirtualAllocEx
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.HeapSize
  • kernel32.dll.CreateFileW
  • kernel32.dll.SetStdHandle
  • kernel32.dll.GetProcessHeap
  • kernel32.dll.FreeEnvironmentStringsW
  • kernel32.dll.GetEnvironmentStringsW
  • kernel32.dll.GetCommandLineA
  • kernel32.dll.GetOEMCP
  • kernel32.dll.GetACP
  • kernel32.dll.IsValidCodePage
  • kernel32.dll.FindNextFileW
  • kernel32.dll.FindFirstFileExW
  • kernel32.dll.FindClose
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.DeleteCriticalSection
  • kernel32.dll.LocalFree
  • kernel32.dll.MultiByteToWideChar
  • kernel32.dll.GetStringTypeW
  • kernel32.dll.GetCPInfo
  • kernel32.dll.RtlCaptureContext
  • kernel32.dll.RtlLookupFunctionEntry
  • kernel32.dll.RtlVirtualUnwind
  • kernel32.dll.UnhandledExceptionFilter
  • kernel32.dll.SetUnhandledExceptionFilter
  • kernel32.dll.TerminateProcess
  • kernel32.dll.IsProcessorFeaturePresent
  • kernel32.dll.QueryPerformanceCounter
  • kernel32.dll.GetCurrentThreadId
  • kernel32.dll.GetSystemTimeAsFileTime
  • kernel32.dll.InitializeSListHead
  • kernel32.dll.IsDebuggerPresent
  • kernel32.dll.GetStartupInfoW
  • kernel32.dll.RtlUnwindEx
  • kernel32.dll.RtlPcToFileHeader
  • kernel32.dll.RaiseException
  • kernel32.dll.InterlockedFlushSList
  • kernel32.dll.SetLastError
  • kernel32.dll.InitializeCriticalSectionAndSpinCount
  • kernel32.dll.TlsAlloc
  • kernel32.dll.TlsGetValue
  • kernel32.dll.TlsSetValue
  • kernel32.dll.TlsFree
  • kernel32.dll.FreeLibrary
  • kernel32.dll.LoadLibraryExW
  • kernel32.dll.ExitProcess
  • kernel32.dll.GetModuleHandleExW
  • kernel32.dll.HeapReAlloc
  • kernel32.dll.HeapFree
  • kernel32.dll.HeapAlloc
  • kernel32.dll.GetFileSizeEx
  • kernel32.dll.SetFilePointerEx
  • kernel32.dll.GetStdHandle
  • kernel32.dll.GetFileType
  • kernel32.dll.FlushFileBuffers
  • kernel32.dll.WriteFile
  • kernel32.dll.GetConsoleOutputCP
  • kernel32.dll.GetConsoleMode
  • kernel32.dll.LCMapStringW
  • kernel32.dll.GetLocaleInfoW
  • kernel32.dll.IsValidLocale
  • kernel32.dll.GetUserDefaultLCID
  • kernel32.dll.EnumSystemLocalesW
  • kernel32.dll.ReadFile
  • kernel32.dll.ReadConsoleW
  • kernel32.dll.RtlUnwind
  • user32.dll.wsprintfW
  • advapi32.dll.CreateServiceW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.CloseServiceHandle
  • advapi32.dll.ChangeServiceConfig2W
  • advapi32.dll.OpenSCManagerA
  • advapi32.dll.RegCreateKeyExA
  • advapi32.dll.DeleteService
  • advapi32.dll.RegSetValueExW
  • advapi32.dll.RegOpenKeyExA
  • advapi32.dll.RegDeleteValueW
  • advapi32.dll.OpenServiceW
  • shell32.dll.SHCreateDirectoryExW
  • shell32.dll.#680
  • shell32.dll.CommandLineToArgvW
  • shell32.dll.SHGetSpecialFolderPathW
  • ole32.dll.CoInitializeSecurity
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoCreateInstance
  • oleaut32.dll.#2
  • oleaut32.dll.#9
  • oleaut32.dll.#8
  • oleaut32.dll.#6
  • ntdll.dll.NtQuerySystemInformation
  • ntdll.dll.NtDuplicateObject
  • ntdll.dll.NtQueryObject
  • kernel32.dll.FlsFree