Maldun Security Analysis Report

Analysis type FILE
Start time 2024-04-25 00:30:39
End time 2024-04-25 00:32:50
Duration 131 seconds
Analysis engine version 1.4-Maldun
VM machine name win7-sp1-x64-shaapp02-1
Label win7-sp1-x64-shaapp02-1
VM manager KVM
Boot time 2024-04-25 00:30:40
Shutdown time 2024-04-25 00:32:52
Maldun score

2.35

Suspicious

File details

File name IAS_v1.2_Chs.cmd
File size 31248 bytes
File type DOS batch file, ISO-8859 text, with very long lines, with CRLF line terminators
CRC32 868AB8D6
MD5 2ccad521446af52b45f6f604d4d01440
SHA1 14a925b5761263d1ebb83626669f007c2217b209
SHA256 581cc7e81a620a0451d50158ac90e8fbc2f5f150b336a87bd30f9eecf1be8b91
SHA512 02c1f22d6dd0e03d39aa36fd4e9e23bf97183392d5fe5eb5bf5b71c232d61225763eb8da22c77bf16da70fdab9ec9a1715f907b23c301b3d4e8d815e768bcdf5
Ssdeep 192:3WNnh0ADP0lwUrjM43pist+AUq8QNDHG0ovEdyKB6zY46//SjDdvcRvJ3hgEH0Dj:mNnhkL3piuUq5IVjjjwYdMK14TEJ0a/
PEiD No match
Yara
  • with_images (Detected the presence of an or several images)
  • with_urls (Detected the presence of an or several urls)
  • powershell (PowerShell Detected)
VirusTotal VirusTotal query failed

Signatures

Suspicious: the sample terminated abnormally
Proprietary Yara detection result - Normal
Informational: PowerShell Detected
Forces a newly created process to be loaded as a child of another, unrelated process
process: C:\Windows\sysnative\cmd.exe, PID 2832

Screenshots

Network analysis

TCP connections

IP address Port
208.185.115.123 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

No information

Dropped files

No information

Behavioral analysis

Mutexes No information
Executed commands
  • C:\Windows\Sysnative\cmd.exe /c ""C:\Users\test\AppData\Local\Temp\IAS_v1.2_Chs.cmd" r1"
  • findstr /v "$" "IAS_v1.2_Chs.cmd"
Created services No information
Started services No information

Processes

cmd.exe PID: 2540, parent process PID: 2236

cmd.exe PID: 2748, parent process PID: 2540

cmd.exe PID: 2832, parent process PID: 2748

findstr.exe PID: 2956, parent process PID: 2832

Files accessed
  • C:\Users\test\AppData\Local\Temp
  • C:\Users
  • C:\Users\test
  • C:\Users\test\AppData
  • C:\Users\test\AppData\Local
  • C:\
  • C:\Users\test\AppData\Local\Temp\IAS_v1.2_Chs.cmd
  • C:\Windows\Sysnative\reg.exe
  • C:\Windows\Sysnative\cmd.exe
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  • C:\Users\test\AppData\Local\Temp\"C:\Users\test\AppData\Local\Temp\IAS_v1.2_Chs.cmd"
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\SysArm32\cmd.exe
  • \Device\NamedPipe\
  • C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
  • \??\nul
  • C:\Users\test\AppData\Local\Temp\findstr.*
  • C:\Users\test\AppData\Local\Temp\findstr
  • C:\Windows\sysnative\findstr.*
  • C:\Windows\sysnative\findstr.COM
  • C:\Windows\sysnative\findstr.exe
  • C:\Users\test\AppData\Local\Temp\echo:
  • C:\Users\test\AppData\Local\Temp\echo
Files read
  • C:\Users\test\AppData\Local\Temp\IAS_v1.2_Chs.cmd
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • \Device\NamedPipe\
  • C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
Files modified
  • \??\nul
Files deleted No information
Registry keys
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified No information
Registry keys deleted No information
API resolution
  • kernel32.dll.SetThreadUILanguage
  • kernel32.dll.CopyFileExW
  • kernel32.dll.IsDebuggerPresent
  • kernel32.dll.SetConsoleInputExeNameW
  • advapi32.dll.SaferIdentifyLevel
  • advapi32.dll.SaferComputeTokenFromLevel
  • advapi32.dll.SaferCloseLevel
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle