魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2017-07-07 22:09:37	2017-07-07 22:12:01	144 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp04-3	win7-sp1-x64-hpdapp04-3	KVM	2017-07-07 22:09:42	2017-07-07 22:12:00

魔盾分数
10.0 恶意的

文件详细信息

文件名	e.exe
文件大小	483328 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	77BE99B9
MD5	c0fb5863d4bbd92fb5870e2ce85a9aa8
SHA1	913023993c19a10c5bb2c4e9ac80ebe3cc5f5af7
SHA256	e44165481d5200e85873dec33779d442cf420a02e4ca4af4f1d2ef804c9edfcf
SHA512	b78b5f32685eb8f59d1175c2c5e903ef9c8d7f6ca013d9f1acf8c511b8efbfe4ac451735efd2b1aca058f9d2645b085bcec98fe9eaa1772d4f0301d18f571db4
Ssdeep	6144:q4HViBRagOPlrf7qfcnlNDBp/RbVtCRL1lMoLHPYCJi8xcBYhM+gSnC:RHVCRWlPqgb98R4oDPNJ72BU3gV
PEiD	无匹配
Yara	IsPE32 () IsWindowsGUI () HasRichSignature (Rich Signature Check) anti_dbg (Checks if being debugged) win_registry (Affect system registries) win_files_operation (Affect private profile) without_images (Rule to detect the no presence of any image) without_urls (Rule to detect the no presence of any url) VC8_Microsoft_Corporation () Microsoft_Visual_Cpp_8 () without_attachments (Rule to detect the no presence of any attachment)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2017-07-07 13:57:38 扫描结果: 13/63

特征

创建RWX内存

文件已被至少十个VirusTotal上的反病毒引擎检测为病毒

Invincea: heuristic

Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9990

Symantec: Trojan Horse

Kaspersky: UDS:DangerousObject.Multi.Generic

Paloalto: generic.ml

SentinelOne: static engine - malicious

Webroot: W32.Trojan.Gen

Avira: TR/Crypt.ZPACK.ifaet

Endgame: malicious (high confidence)

AegisLab: Ml.Attribute.Gen!c

ZoneAlarm: UDS:DangerousObject.Multi.Generic

Panda: Trj/Genetic.gen

CrowdStrike: malicious_confidence_100% (W)

运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00409ca9
声明校验值	0x00000000
实际校验值	0x0007e954
最低操作系统版本要求	4.0
编译时间	2017-07-07 15:08:31
载入哈希	07b361eeb8ec09d583d219650e6cb531

版本信息

LegalCopyright:	Copyright \xa9 2007-2014 Zello Inc
InternalName:	Zello
FileVersion:	1.43.0.0
CompanyName:	Zello Inc
ProductName:	Zello
ProductVersion:	1.43.0.0
FileDescription:	Zello
Translation:	0x0409 0x0000

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00013dfa	0x00014000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.63
.rdata	0x00015000	0x00002e50	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.24
.data	0x00018000	0x00082578	0x0005d000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	6.17
.rsrc	0x0009b000	0x00000490	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	1.55

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_VERSION	0x0009b0a0	0x0000026c	LANG_NEUTRAL	SUBLANG_NEUTRAL	3.22	data
RT_MANIFEST	0x0009b310	0x0000017d	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.91	XML 1.0 document text

导入

库 ole32.dll:

• 0x4151f4 - OleUninitialize

• 0x4151f8 - OleInitialize

• 0x4151fc - CoTaskMemFree

• 0x415200 - CoTaskMemAlloc

• 0x415204 - StringFromCLSID

• 0x415208 - CoCreateInstance

• 0x41520c - CoUninitialize

• 0x415210 - CoInitialize

库 ADVAPI32.dll:

• 0x415000 - RegOpenKeyExW

• 0x415004 - RegCloseKey

• 0x415008 - RegQueryValueExW

库 KERNEL32.dll:

• 0x415010 - GetStringTypeW

• 0x415014 - CompareStringA

• 0x415018 - SetEnvironmentVariableA

• 0x41501c - GetLocaleInfoA

• 0x415020 - GetThreadPriority

• 0x415024 - HeapAlloc

• 0x415028 - GetProcessHeap

• 0x41502c - BeginUpdateResourceW

• 0x415030 - CloseHandle

• 0x415034 - CompareStringW

• 0x415038 - CreateDirectoryW

• 0x41503c - CreateEventW

• 0x415040 - CreateFileW

• 0x415044 - CreateFileMappingW

• 0x415048 - CreateThread

• 0x41504c - DeleteCriticalSection

• 0x415050 - DeleteFileW

• 0x415054 - EndUpdateResourceW

• 0x415058 - EnterCriticalSection

• 0x41505c - EnumCalendarInfoW

• 0x415060 - EnumResourceNamesW

• 0x415064 - EnumSystemLocalesW

• 0x415068 - FileTimeToDosDateTime

• 0x41506c - FileTimeToLocalFileTime

• 0x415070 - FileTimeToSystemTime

• 0x415074 - FindClose

• 0x415078 - FindFirstFileW

• 0x41507c - FindNextFileW

• 0x415080 - FindResourceW

• 0x415084 - FormatMessageW

• 0x415088 - FreeLibrary

• 0x41508c - FreeResource

• 0x415090 - GetACP

• 0x415094 - GetCPInfo

• 0x415098 - GetCPInfoExW

• 0x41509c - GetCurrentProcess

• 0x4150a0 - GetCurrentProcessId

• 0x4150a4 - GetCurrentThread

• 0x4150a8 - GetCurrentThreadId

• 0x4150ac - GetDateFormatW

• 0x4150b0 - GetDiskFreeSpaceW

• 0x4150b4 - GetDriveTypeW

• 0x4150b8 - GetExitCodeThread

• 0x4150bc - GetFileAttributesW

• 0x4150c0 - GetFileAttributesExW

• 0x4150c4 - GetFileSize

• 0x4150c8 - GetFullPathNameW

• 0x4150cc - GetLastError

• 0x4150d0 - GetLocalTime

• 0x4150d4 - GetLocaleInfoW

• 0x4150d8 - GetLogicalDriveStringsW

• 0x4150dc - GetLogicalDrives

• 0x4150e0 - GetModuleFileNameW

• 0x4150e4 - GetModuleHandleW

• 0x4150e8 - GetPrivateProfileStringW

• 0x4150ec - GetProcAddress

• 0x4150f0 - GetLongPathNameW

• 0x4150f4 - GetStdHandle

• 0x4150f8 - GetSystemDefaultLangID

• 0x4150fc - GetSystemTimes

• 0x415100 - GetTempPathW

• 0x415104 - GetThreadLocale

• 0x415108 - GetTickCount

• 0x41510c - GetTimeZoneInformation

• 0x415110 - GetVersion

• 0x415114 - GetVersionExW

• 0x415118 - GetVolumeInformationW

• 0x41511c - GlobalAddAtomW

• 0x415120 - GlobalAlloc

• 0x415124 - GlobalDeleteAtom

• 0x415128 - GlobalFindAtomW

• 0x41512c - GlobalFree

• 0x415130 - GlobalLock

• 0x415134 - GlobalUnlock

• 0x415138 - HeapCreate

• 0x41513c - HeapDestroy

• 0x415140 - HeapFree

• 0x415144 - HeapSize

• 0x415148 - InitializeCriticalSection

• 0x41514c - IsValidLocale

• 0x415150 - GetSystemTimeAsFileTime

• 0x415154 - GetCommandLineA

• 0x415158 - GetStartupInfoA

• 0x41515c - TerminateProcess

• 0x415160 - UnhandledExceptionFilter

• 0x415164 - SetUnhandledExceptionFilter

• 0x415168 - IsDebuggerPresent

• 0x41516c - GetModuleHandleA

• 0x415170 - WideCharToMultiByte

• 0x415174 - Sleep

• 0x415178 - ExitProcess

• 0x41517c - WriteFile

• 0x415180 - GetModuleFileNameA

• 0x415184 - FreeEnvironmentStringsA

• 0x415188 - GetEnvironmentStrings

• 0x41518c - FreeEnvironmentStringsW

• 0x415190 - GetEnvironmentStringsW

• 0x415194 - SetHandleCount

• 0x415198 - GetFileType

• 0x41519c - TlsGetValue

• 0x4151a0 - TlsAlloc

• 0x4151a4 - TlsSetValue

• 0x4151a8 - TlsFree

• 0x4151ac - InterlockedIncrement

• 0x4151b0 - SetLastError

• 0x4151b4 - InterlockedDecrement

• 0x4151b8 - VirtualFree

• 0x4151bc - QueryPerformanceCounter

• 0x4151c0 - GetOEMCP

• 0x4151c4 - IsValidCodePage

• 0x4151c8 - LeaveCriticalSection

• 0x4151cc - LoadLibraryA

• 0x4151d0 - InitializeCriticalSectionAndSpinCount

• 0x4151d4 - VirtualAlloc

• 0x4151d8 - HeapReAlloc

• 0x4151dc - RtlUnwind

• 0x4151e0 - LCMapStringA

• 0x4151e4 - MultiByteToWideChar

• 0x4151e8 - LCMapStringW

• 0x4151ec - GetStringTypeA

投放文件

无信息

行为分析

互斥量(Mutexes) 无信息

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

e.exe PID: 2268, 上一级进程 PID: 2140

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\tzres.dll
C:\Users\test\AppData\Local\Temp\a.Manifest

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\tzres.dll
C:\Users\test\AppData\Local\Temp\a.Manifest

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.VirtualAlloc
ntdll.dll.ZwOpenProcessToken
ntdll.dll.ZwClose
ntdll.dll.mbstowcs
ntdll.dll.NtQuerySystemInformation
ntdll.dll.RtlNtStatusToDosError
ntdll.dll.memcpy
ntdll.dll.memset
ntdll.dll.ZwQueryInformationProcess
ntdll.dll.NtUnmapViewOfSection
ntdll.dll.NtMapViewOfSection
ntdll.dll.RtlUpcaseUnicodeString
ntdll.dll.NtCreateSection
ntdll.dll.ZwOpenProcess
ntdll.dll.ZwQueryInformationToken
ntdll.dll.RtlFreeUnicodeString
ntdll.dll.RtlUnwind
ntdll.dll.NtQueryVirtualMemory
shlwapi.dll.PathFindExtensionW
shlwapi.dll.StrRChrA
shlwapi.dll.PathFindExtensionA
shlwapi.dll.StrChrA
shlwapi.dll.PathCombineW
shlwapi.dll.PathFindFileNameW
shlwapi.dll.StrChrW
shlwapi.dll.StrTrimW
shlwapi.dll.PathFindFileNameA
kernel32.dll.CloseHandle
kernel32.dll.ResetEvent
kernel32.dll.LoadLibraryA
kernel32.dll.CreateWaitableTimerA
kernel32.dll.GetTickCount
kernel32.dll.SetFileAttributesW
kernel32.dll.CreateProcessA
kernel32.dll.SetEvent
kernel32.dll.CreateEventA
kernel32.dll.GetProcAddress
kernel32.dll.GetLastError
kernel32.dll.lstrcatW
kernel32.dll.Sleep
kernel32.dll.HeapFree
kernel32.dll.lstrcmpiW
kernel32.dll.lstrlenW
kernel32.dll.SetWaitableTimer
kernel32.dll.HeapAlloc
kernel32.dll.GetCommandLineW
kernel32.dll.ExitProcess
kernel32.dll.GetModuleHandleA
kernel32.dll.HeapCreate
kernel32.dll.HeapDestroy
kernel32.dll.WaitForSingleObject
kernel32.dll.DeleteFileW
kernel32.dll.VirtualProtectEx
kernel32.dll.ResumeThread
kernel32.dll.SuspendThread
kernel32.dll.lstrcmpA
kernel32.dll.GetTempFileNameA
kernel32.dll.CreateDirectoryA
kernel32.dll.GetTempPathA
kernel32.dll.GetFileSize
kernel32.dll.lstrcpynA
kernel32.dll.GetFileTime
kernel32.dll.FindNextFileA
kernel32.dll.CompareFileTime
kernel32.dll.GetLongPathNameW
kernel32.dll.OpenProcess
kernel32.dll.GetVersion
kernel32.dll.GetCurrentProcessId
kernel32.dll.CreateFileW
kernel32.dll.GetModuleFileNameA
kernel32.dll.lstrcatA
kernel32.dll.FindClose
kernel32.dll.CreateFileA
kernel32.dll.VirtualFree
kernel32.dll.SetLastError
kernel32.dll.lstrcpyA
kernel32.dll.lstrcmpiA
kernel32.dll.SetFilePointer
kernel32.dll.lstrlenA
kernel32.dll.ReadFile
kernel32.dll.GetModuleFileNameW
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.WriteFile
kernel32.dll.SetEndOfFile
kernel32.dll.lstrcpyW
kernel32.dll.CreateDirectoryW
kernel32.dll.FlushFileBuffers
kernel32.dll.LocalFree
kernel32.dll.FindFirstFileA
user32.dll.wsprintfW
user32.dll.wsprintfA
user32.dll.GetCursorInfo
advapi32.dll.GetSidSubAuthorityCount
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegOpenKeyW
advapi32.dll.RegDeleteValueW
advapi32.dll.GetTokenInformation
advapi32.dll.OpenProcessToken
advapi32.dll.GetSidSubAuthority
advapi32.dll.RegQueryValueExA
advapi32.dll.RegCreateKeyA
advapi32.dll.RegSetValueExW
advapi32.dll.RegSetValueExA
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorA
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegOpenKeyA
shell32.dll.ShellExecuteExW
shell32.dll.#92
shell32.dll.ShellExecuteW
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize