Maldun Security Analysis Report

Analysis type FILE
Start time 2024-04-26 09:46:12
End time 2024-04-26 09:48:23
Duration 131 seconds
Analysis engine version 1.4-Maldun
VM name win7-sp1-x64-shaapp02-1
Label win7-sp1-x64-shaapp02-1
Hypervisor KVM
Boot time 2024-04-26 09:46:13
Shutdown time 2024-04-26 09:48:25
Maldun score 0.35 (Normal)

File details

File name winsharedutils64.dll
File size 115200 bytes
File type PE32+ executable (DLL) (console) x86-64, for MS Windows
CRC32 97B1D6EC
MD5 e378c5e23a8066f0fb9971c59eed51d5
SHA1 fcc390772ae140da49587bc082f53b3bb343f533
SHA256 0128b8b83d9ac20b194b6319987968b2b64b239c7308db7bbe25b56872eddcaa
SHA512 36c88cd2654b2895e8240764345a03fbc8bbca5d491820aa76ca9bc9dd8125763bee523a146aa1fd6da1e488d781a5b40c5b6d8ee692b222e24ab03b550f9523
Ssdeep 3072:E3cC5UIdAurYS+/Or0OPwOVSo2iRnSVrWfr24Ru:E3cC/dAusS90OPrV+iRnsWtR
PEiD No match
Yara
  • DebuggerTiming__PerformanceCounter ()
  • anti_dbg (Detected self protection if being debugged)
  • screenshot (Detected take screenshot function)
  • win_registry (Detected system registries modification function)
  • IsPE64 (Detected a 64bit PE sample)
  • IsDLL (Detect a DLL sample)
  • IsConsole (Detected a console program sample)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
VirusTotal VirusTotal query failed

Signatures

Proprietary Yara rule detection results - security alert

Screenshots

Network analysis

TCP connections

IP address Port
23.213.161.8 80

UDP connections

IP address Port
192.168.122.1 53

HTTP requests

URL / HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Static analysis

PE information

Image base 0x180000000
Entry point 0x180008ba4
Declared checksum 0x00000000
Actual checksum 0x0002b583
Minimum OS version 6.0
Compile time 2024-04-26 07:40:22
Import hash d404dd21218d9e6c6b73f277e6c778ff
Exported DLL name \x31\x31\x31\x31\x31\x39\x31\x31\x31\x31\x31\x31\x31\x31\x35\x35\x34\x31\x31\x31

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00011fd8 0x00012000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.35
.rdata 0x00013000 0x00007a36 0x00007c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.79
.data 0x0001b000 0x000010c0 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.04
.pdata 0x0001d000 0x00001434 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.70
.rsrc 0x0001f000 0x000001e0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.72
.reloc 0x00020000 0x00000250 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.87

Imports

Library dwmapi.dll:
0x1800133b8 - DwmSetWindowAttribute
Library KERNEL32.dll:
0x180013090 - GlobalLock
0x180013098 - GetLastError
0x1800130a0 - InitializeCriticalSectionEx
0x1800130a8 - DeleteCriticalSection
0x1800130b0 - GetModuleFileNameW
0x1800130b8 - MulDiv
0x1800130c0 - WriteFile
0x1800130c8 - CreatePipe
0x1800130d0 - WakeAllConditionVariable
0x1800130d8 - AcquireSRWLockExclusive
0x1800130e0 - ReleaseSRWLockExclusive
0x1800130e8 - RtlCaptureContext
0x1800130f0 - RtlLookupFunctionEntry
0x1800130f8 - RtlVirtualUnwind
0x180013100 - UnhandledExceptionFilter
0x180013108 - SetUnhandledExceptionFilter
0x180013110 - GetCurrentProcess
0x180013118 - TerminateProcess
0x180013120 - IsProcessorFeaturePresent
0x180013128 - IsDebuggerPresent
0x180013130 - GlobalUnlock
0x180013138 - QueryPerformanceCounter
0x180013140 - GetCurrentProcessId
0x180013148 - GetCurrentThreadId
0x180013150 - GetSystemTimeAsFileTime
0x180013158 - InitializeSListHead
0x180013160 - CreateSemaphoreW
0x180013168 - TryAcquireSRWLockExclusive
0x180013170 - GlobalSize
0x180013178 - GlobalAlloc
0x180013180 - Sleep
0x180013188 - WaitForSingleObject
0x180013190 - LoadLibraryW
0x180013198 - GetProcAddress
0x1800131a0 - CompareStringOrdinal
0x1800131a8 - GetModuleHandleW
0x1800131b0 - EncodePointer
0x1800131b8 - SleepConditionVariableSRW
0x1800131c0 - MultiByteToWideChar
0x1800131c8 - EnterCriticalSection
0x1800131d0 - GetModuleHandleExW
0x1800131d8 - ReleaseSemaphore
0x1800131e0 - IsWow64Process
0x1800131e8 - GetNativeSystemInfo
0x1800131f0 - OpenProcess
0x1800131f8 - GetExitCodeProcess
0x180013200 - CloseHandle
0x180013208 - ExitProcess
0x180013210 - FreeLibrary
0x180013218 - LeaveCriticalSection
0x180013220 - LocalFree
0x180013228 - OutputDebugStringW
0x180013230 - RaiseException
0x180013238 - RtlUnwindEx
0x180013240 - InterlockedFlushSList
0x180013248 - VirtualQuery
Library USER32.dll:
0x1800132a0 - IsWindow
0x1800132a8 - ShowWindow
0x1800132b0 - GetWindowPlacement
0x1800132b8 - SetWindowPlacement
0x1800132c0 - ChangeWindowMessageFilter
0x1800132c8 - DestroyWindow
0x1800132d0 - PostQuitMessage
0x1800132d8 - RegisterWindowMessageW
0x1800132e0 - GetIconInfo
0x1800132e8 - DrawIconEx
0x1800132f0 - SetRectEmpty
0x1800132f8 - ReleaseDC
0x180013300 - GetDC
0x180013308 - EmptyClipboard
0x180013310 - GetClipboardData
0x180013318 - SetClipboardData
0x180013320 - CloseClipboard
0x180013328 - OpenClipboard
0x180013330 - CreateWindowExW
0x180013338 - RegisterClassW
0x180013340 - DefWindowProcW
0x180013348 - DispatchMessageW
0x180013350 - TranslateMessage
0x180013358 - GetMessageW
0x180013360 - GetWindowThreadProcessId
0x180013368 - EnumWindows
0x180013370 - SetWindowLongW
0x180013378 - GetWindowLongW
0x180013380 - IsWindowEnabled
0x180013388 - IsWindowVisible
Library GDI32.dll:
0x180013048 - SelectObject
0x180013050 - GetBitmapBits
0x180013058 - DeleteObject
0x180013060 - DeleteDC
0x180013068 - CreateCompatibleDC
0x180013070 - CreateCompatibleBitmap
0x180013078 - GetDeviceCaps
0x180013080 - GetObjectW
Library SHELL32.dll:
0x180013280 - ExtractIconExW
Library ole32.dll:
0x180013520 - OleSetContainedObject
0x180013528 - OleCreate
0x180013530 - CoTaskMemFree
0x180013538 - CoInitialize
0x180013540 - CoCreateInstance
0x180013548 - CoUninitialize
0x180013550 - OleLockRunning
Library OLEAUT32.dll:
0x180013258 - SysAllocString
0x180013260 - SysFreeString
0x180013268 - VariantInit
0x180013270 - VariantClear
Library ADVAPI32.dll:
0x180013000 - RegQueryValueExW
0x180013008 - RegOpenKeyExW
0x180013010 - RegDeleteValueW
0x180013018 - RegCreateKeyExW
0x180013020 - RegQueryValueExA
0x180013028 - RegOpenKeyExA
0x180013030 - RegCloseKey
0x180013038 - RegSetValueExW
Library VERSION.dll:
0x180013398 - GetFileVersionInfoW
0x1800133a0 - VerQueryValueW
0x1800133a8 - GetFileVersionInfoSizeW
Library SHLWAPI.dll:
0x180013290 - PathFindFileNameW
Library msvcrt.dll:
0x1800133c8 - log10
0x1800133d0 - ceil
0x1800133d8 - _fileno
0x1800133e0 - fflush
0x1800133e8 - _isatty
0x1800133f0 - ___lc_codepage_func
0x1800133f8 - _msize
0x180013400 - __getmainargs
0x180013408 - __CppXcptFilter
0x180013410 - wctomb_s
0x180013418 - strtol
0x180013420 - strnlen
0x180013428 - wcsnlen
0x180013430 - tolower
0x180013438 - __pctype_func
0x180013440 - _iob
0x180013448 - _unlock
0x180013450 - _lock
0x180013458 - ?terminate@@YAXXZ
0x180013460 - _errno
0x180013468 - abort
0x180013470 - _initterm_e
0x180013478 - _initterm
0x180013480 - _callnewh
0x180013488 - realloc
0x180013490 - malloc
0x180013498 - free
0x1800134a0 - strcpy_s
0x1800134a8 - wcscpy_s
0x1800134b0 - pow
0x1800134b8 - _beginthreadex
0x1800134c0 - _local_unwind
0x1800134c8 - __DestructExceptionObject
0x1800134d0 - _amsg_exit
0x1800134d8 - __C_specific_handler
0x1800134e0 - memcpy
0x1800134e8 - _CxxThrowException
0x1800134f0 - memset
0x1800134f8 - __CxxFrameHandler3
0x180013500 - _clearfp
0x180013508 - memmove
0x180013510 - strrchr

Exports

Ordinal Address Name
1 0x180003560 GetLnkTargetPath
2 0x180003d30 GetProcessMute
3 0x1800010e0 Is64bit
4 0x180004d30 SAPI_List
5 0x180004e70 SAPI_Speak
6 0x180003f50 SetProcessMute
7 0x180002d60 WriteMemoryCallback
8 0x180002e00 WriteMemoryToQueue
9 0x180001800 _SetTheme
10 0x180002ec0 c_free
11 0x1800033a0 clipboard_get
12 0x180003490 clipboard_set
13 0x180007e60 endmaglistener
14 0x180007850 extracticon2data
15 0x180002ed0 free_all
16 0x180002ee0 freestringlist
17 0x180002f40 freewstringlist
18 0x180001160 getpidhwndfirst
19 0x180005d20 html_navigate
20 0x180005d30 html_new
21 0x180005fb0 html_release
22 0x180005fc0 html_resize
23 0x1800019a0 isDark
24 0x180001190 letfullscreen
25 0x180003b40 levenshtein_distance
26 0x180003b60 levenshtein_ratio
27 0x180002fa0 lockedqueuecreate
28 0x180003050 lockedqueueempty
29 0x1800030b0 lockedqueuefree
30 0x180003110 lockedqueueget
31 0x1800032b0 lockedqueuepush
32 0x180005590 mecab_end
33 0x1800055b0 mecab_init
34 0x1800058b0 mecab_parse
35 0x180002350 otsu_binary
36 0x180001280 pid_running
37 0x180001c10 queryversion
38 0x1800012d0 recoverwindow
39 0x180001360 showintab
40 0x180001650 startdarklistener
41 0x180007e90 startmaglistener

Dropped files

No information

Behavior analysis

Mutexes No information
Commands executed No information
Services created No information
Services started No information

Processes

rundll32.exe PID: 2528, parent PID: 2172

Files accessed
  • C:\Users\test\AppData\Local\Temp\winsharedutils64.dll
  • C:\Users\test\AppData\Local\Temp\winsharedutils64.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\winsharedutils64.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\dwmapi.dll
  • C:\Windows\sysnative\dwmapi.dll
  • C:\Users\test\AppData\Local\Temp\VERSION.dll
  • C:\Windows\sysnative\version.dll
Files read
  • C:\Users\test\AppData\Local\Temp\winsharedutils64.dll
  • C:\Users\test\AppData\Local\Temp\winsharedutils64.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\winsharedutils64.dll.124.Manifest
  • C:\Windows\sysnative\dwmapi.dll
  • C:\Windows\sysnative\version.dll
Files modified No information
Files deleted No information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
Registry keys modified No information
Registry keys deleted No information
Resolved APIs
  • winsharedutils64.dll.#1