魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2018-03-23 22:03:57	2018-03-23 22:06:18	141 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp03-2	win7-sp1-x64-hpdapp03-2	KVM	2018-03-23 22:04:01	2018-03-23 22:06:16

魔盾分数
2.0 正常的

文件详细信息

文件名	WSReset.exe
文件大小	58368 字节
文件类型	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
CRC32	5E7DD867
MD5	a6316079ae5313d86fef30624dd66d0b
SHA1	326915a083d9edf843cda3cb085f172fc0b7251c
SHA256	7386407e86ca281aa5e9c1be21a8bcc8f34e194445ffe419ffe6df1cebbe34e3
SHA512	e5af8b6a71529ac69e82461b884f428a1f1aacd37ef40d19223a20d2a9cb5ec90c37d3383583961547c33ffaa36fb3e92920573122e4b6960cf5da6330b6ee69
Ssdeep	1536:CcjzRN3vctWda9EQt5RTxJWi1NsbEdDpqmnouy8:C6NfyCaaWzHNsQdDZout
PEiD	无匹配
Yara	UPX () IsPE32 () IsConsole () IsPacked (Entropy Check) without_images (Rule to detect the no presence of any image) without_attachments (Rule to detect the no presence of any attachment) UPXv20MarkusLaszloReiser () UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser () UPX20030XMarkusOberhumerLaszloMolnarJohnReiser () Big_Numbers1 (Looks for big numbers 32:sized) UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional () UPX_302 () PackerUPX_CompresorGratuito_wwwupxsourceforgenet () UPX_wwwupxsourceforgenet_additional () yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h () UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser () UPX_wwwupxsourceforgenet () suspicious_packer_section (The packer/protector section names/keywords) without_urls (Rule to detect the no presence of any url)
VirusTotal	无此文件扫描结果

特征

二进制文件可能包含加密或压缩数据

section: name: UPX1, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000b400, virtual_size: 0x0000c000

可执行文件被使用UPX压缩

section: name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00013000

运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x0041e850
声明校验值	0x00000000
实际校验值	0x00014bd7
最低操作系统版本要求	4.0
编译时间	2017-12-31 04:32:31
载入哈希	a50e815adb2cfe3e58d388c791946db8
图标
图标精确哈希值	271e42efc6122181d4236b0c0fb7f44f
图标相似性哈希值	8689cb1cb86e6f6c41635fe8cc0d83e7

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
UPX0	0x00001000	0x00013000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
UPX1	0x00014000	0x0000c000	0x0000b400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	7.98
.rsrc	0x00020000	0x00003000	0x00002e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.83

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_ICON	0x000202b0	0x000025a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.00	data
RT_RCDATA	0x0001b874	0x00000a76	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.93	data
RT_RCDATA	0x0001b874	0x00000a76	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.93	data
RT_RCDATA	0x0001b874	0x00000a76	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.93	data
RT_RCDATA	0x0001b874	0x00000a76	LANG_NEUTRAL	SUBLANG_NEUTRAL	7.93	data
RT_GROUP_ICON	0x0002285c	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	1.92	MS Windows icon resource - 1 icon, 48x48
RT_MANIFEST	0x00022874	0x000002a0	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.09	XML 1.0 document, ASCII text, with very long lines, with no line terminators

导入

库 COMCTL32.DLL:

• 0x422bdc - InitCommonControlsEx

库 GDI32.DLL:

• 0x422be4 - GetStockObject

库 KERNEL32.DLL:

• 0x422bec - LoadLibraryA

• 0x422bf0 - ExitProcess

• 0x422bf4 - GetProcAddress

• 0x422bf8 - VirtualProtect

库 MSVCRT.dll:

• 0x422c00 - free

库 OLE32.DLL:

• 0x422c08 - CoInitialize

库 SHELL32.DLL:

• 0x422c10 - ShellExecuteExW

库 SHLWAPI.DLL:

• 0x422c18 - PathRemoveArgsW

库 USER32.DLL:

• 0x422c20 - SetFocus

库 WINMM.DLL:

• 0x422c28 - timeBeginPeriod

投放文件

91B5.bat

文件名	91B5.bat
相关文件	C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.bat
文件大小	2661 bytes
文件类型	ISO-8859 text, with CRLF line terminators
MD5	de17fcd2d425d17e344060dc63b15c7b
SHA1	4358175866dd4785b434f9bcb0b973c90b28f52f
SHA256	4d42fa3a397a98287ffe852d63a950ff64ca5d79f7c86c4655a1ce71d4ada9ca
SHA512	39223c3454820417a0b72f6235f624b30c33995b5d00d44d6be526ae6283dd469784d73bca3dec72f19e73a126cf58f7a5bac3371eff1b90f2cca7a3b763a9f6
Ssdeep	48:7AOpZGC12wTatIutm6sGpgtmisLL/tftYotAtYTs30223018kjABP79MOwu00K:7AOpt12wTatIutm6sGOtTsL7tftXtAt1
VirusTotal	搜索相关分析

行为分析

互斥量(Mutexes) 无信息

执行的命令

"C:\Windows\sysnative\cmd" /c "C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.bat C:\Users\test\AppData\Local\Temp\WSReset.exe"

创建的服务 无信息

启动的服务 无信息

进程

WSReset.exe PID: 2004, 上一级进程 PID: 272

cmd.exe PID: 2032, 上一级进程 PID: 2004

访问的文件

\Device\KsecDD
C:\Users\test\AppData\Local\Temp\WSReset.exe
C:\Windows\sysnative\cmd
C:\Windows\sysnative\cmd.exe
C:\Users\test\AppData\Local\Temp\
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp
C:\Users\test\AppData\Local\Temp\91A4.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B6.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\extd.exe
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.bat
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.bat C:\Users\test\AppData\Local\Temp\WSReset.exe
C:\
C:\Users\test\AppData\Local\Temp\On.*
C:\Users\test\AppData\Local\Temp\On
C:\ProgramData\Oracle\Java\javapath\On.*
C:\ProgramData\Oracle\Java\javapath\On
C:\Windows\sysnative\On.*
C:\Windows\sysnative\On
C:\Windows\On.*
C:\Windows\On
C:\Windows\sysnative\wbem\On.*
C:\Windows\sysnative\wbem\On
C:\Windows\sysnative\WindowsPowerShell\v1.0\On.*
C:\Windows\sysnative\WindowsPowerShell\v1.0\On
C:\Program Files (x86)\WinRAR\On.*
C:\Program Files (x86)\WinRAR\On
C:\Users\test\AppData\Local\Temp\dim.*
C:\Users\test\AppData\Local\Temp\dim
C:\ProgramData\Oracle\Java\javapath\dim.*
C:\ProgramData\Oracle\Java\javapath\dim
C:\Windows\sysnative\dim.*
C:\Windows\sysnative\dim
C:\Windows\dim.*
C:\Windows\dim
C:\Windows\sysnative\wbem\dim.*
C:\Windows\sysnative\wbem\dim
C:\Windows\sysnative\WindowsPowerShell\v1.0\dim.*
C:\Windows\sysnative\WindowsPowerShell\v1.0\dim
C:\Program Files (x86)\WinRAR\dim.*
C:\Program Files (x86)\WinRAR\dim
C:\Users\test\AppData\Local\Temp\r.Regwrite
C:\Users\test\AppData\Local\Temp\r.Regwrite.*
C:\ProgramData\Oracle\Java\javapath\r.Regwrite
C:\ProgramData\Oracle\Java\javapath\r.Regwrite.*
C:\Windows\sysnative\r.Regwrite
C:\Windows\sysnative\r.Regwrite.*
C:\Windows\r.Regwrite
C:\Windows\r.Regwrite.*
C:\Windows\sysnative\wbem\r.Regwrite
C:\Windows\sysnative\wbem\r.Regwrite.*
C:\Windows\sysnative\WindowsPowerShell\v1.0\r.Regwrite
C:\Windows\sysnative\WindowsPowerShell\v1.0\r.Regwrite.*
C:\Program Files (x86)\WinRAR\r.Regwrite
C:\Program Files (x86)\WinRAR\r.Regwrite.*
C:\Users\test\AppData\Local\Temp\so.GetFile
C:\Users\test\AppData\Local\Temp\so.GetFile.*
C:\ProgramData\Oracle\Java\javapath\so.GetFile
C:\ProgramData\Oracle\Java\javapath\so.GetFile.*
C:\Windows\sysnative\so.GetFile
C:\Windows\sysnative\so.GetFile.*
C:\Windows\so.GetFile
C:\Windows\so.GetFile.*
C:\Windows\sysnative\wbem\so.GetFile
C:\Windows\sysnative\wbem\so.GetFile.*
C:\Windows\sysnative\WindowsPowerShell\v1.0\so.GetFile
C:\Windows\sysnative\WindowsPowerShell\v1.0\so.GetFile.*
C:\Program Files (x86)\WinRAR\so.GetFile
C:\Program Files (x86)\WinRAR\so.GetFile.*
C:\Users\test\AppData\Local\Temp\"\Win32system.vbs")
C:\Win32system.vbs)
C:\Win32system.vbs).*
C:\Users\test\AppData\Local\Temp\"\Start Menu\Programs\\xe5\x90\xaf\xe5\x8a\xa8\Win32system.vbs")
C:\Start Menu\Programs\\xe5\x90\xaf\xe5\x8a\xa8\Win32system.vbs)
C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui

读取的文件

\Device\KsecDD
C:\Windows\sysnative\cmd
C:\Windows\sysnative\cmd.exe
C:\Users\test\AppData\Local\Temp\91A4.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B6.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.bat
C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui

修改的文件

C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.bat

删除的文件

C:\Users\test\AppData\Local\Temp\91A4.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B6.tmp
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\extd.exe
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\91B5.bat
C:\Users\test\AppData\Local\Temp\91A4.tmp\91A5.tmp\

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.GetModuleHandleW
kernel32.dll.HeapCreate
kernel32.dll.GetStdHandle
kernel32.dll.SetConsoleCtrlHandler
kernel32.dll.HeapDestroy
kernel32.dll.ExitProcess
kernel32.dll.WriteFile
kernel32.dll.GetTempFileNameW
kernel32.dll.LoadLibraryExW
kernel32.dll.EnumResourceTypesW
kernel32.dll.FreeLibrary
kernel32.dll.RemoveDirectoryW
kernel32.dll.EnumResourceNamesW
kernel32.dll.GetCommandLineW
kernel32.dll.LoadResource
kernel32.dll.SizeofResource
kernel32.dll.FreeResource
kernel32.dll.FindResourceW
kernel32.dll.GetNativeSystemInfo
kernel32.dll.GetShortPathNameW
kernel32.dll.GetWindowsDirectoryW
kernel32.dll.GetSystemDirectoryW
kernel32.dll.EnterCriticalSection
kernel32.dll.CloseHandle
kernel32.dll.LeaveCriticalSection
kernel32.dll.InitializeCriticalSection
kernel32.dll.WaitForSingleObject
kernel32.dll.TerminateThread
kernel32.dll.CreateThread
kernel32.dll.GetProcAddress
kernel32.dll.GetVersionExW
kernel32.dll.Sleep
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.WideCharToMultiByte
kernel32.dll.LoadLibraryW
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetModuleFileNameW
kernel32.dll.PeekNamedPipe
kernel32.dll.TerminateProcess
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.SetEnvironmentVariableW
kernel32.dll.GetCurrentProcess
kernel32.dll.DuplicateHandle
kernel32.dll.CreatePipe
kernel32.dll.CreateProcessW
kernel32.dll.GetExitCodeProcess
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.HeapSize
kernel32.dll.MultiByteToWideChar
kernel32.dll.CreateDirectoryW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetTempPathW
kernel32.dll.DeleteFileW
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.SetCurrentDirectoryW
kernel32.dll.CreateFileW
kernel32.dll.SetFilePointer
kernel32.dll.TlsFree
kernel32.dll.TlsGetValue
kernel32.dll.TlsSetValue
kernel32.dll.TlsAlloc
kernel32.dll.HeapReAlloc
kernel32.dll.DeleteCriticalSection
kernel32.dll.InterlockedCompareExchange
kernel32.dll.InterlockedExchange
kernel32.dll.GetLastError
kernel32.dll.SetLastError
kernel32.dll.UnregisterWait
kernel32.dll.GetCurrentThread
kernel32.dll.RegisterWaitForSingleObject
comctl32.dll.InitCommonControlsEx
gdi32.dll.GetStockObject
msvcrt.dll.memset
msvcrt.dll.wcsncmp
msvcrt.dll.memmove
msvcrt.dll.wcsncpy
msvcrt.dll.wcsstr
msvcrt.dll._wcsnicmp
msvcrt.dll._wcsdup
msvcrt.dll.free
msvcrt.dll._wcsicmp
msvcrt.dll.wcslen
msvcrt.dll.wcscpy
msvcrt.dll.wcscmp
msvcrt.dll.wcscat
msvcrt.dll.memcpy
msvcrt.dll.tolower
msvcrt.dll.malloc
ole32.dll.CoInitialize
ole32.dll.CoTaskMemFree
shell32.dll.ShellExecuteExW
shell32.dll.SHGetFolderLocation
shell32.dll.SHGetPathFromIDListW
shlwapi.dll.PathAddBackslashW
shlwapi.dll.PathRenameExtensionW
shlwapi.dll.PathQuoteSpacesW
shlwapi.dll.PathRemoveArgsW
shlwapi.dll.PathRemoveBackslashW
user32.dll.CharUpperW
user32.dll.CharLowerW
user32.dll.MessageBoxW
user32.dll.DefWindowProcW
user32.dll.DestroyWindow
user32.dll.GetWindowLongW
user32.dll.GetWindowTextLengthW
user32.dll.GetWindowTextW
user32.dll.UnregisterClassW
user32.dll.LoadIconW
user32.dll.LoadCursorW
user32.dll.RegisterClassExW
user32.dll.IsWindowEnabled
user32.dll.EnableWindow
user32.dll.GetSystemMetrics
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.SendMessageW
user32.dll.SetFocus
user32.dll.CreateAcceleratorTableW
user32.dll.SetForegroundWindow
user32.dll.BringWindowToTop
user32.dll.GetMessageW
user32.dll.TranslateAcceleratorW
user32.dll.TranslateMessage
user32.dll.DispatchMessageW
user32.dll.DestroyAcceleratorTable
user32.dll.PostMessageW
user32.dll.GetForegroundWindow
user32.dll.GetWindowThreadProcessId
user32.dll.IsWindowVisible
user32.dll.EnumWindows
user32.dll.SetWindowPos
winmm.dll.timeBeginPeriod
cryptbase.dll.SystemFunction036
kernel32.dll.InitOnceExecuteOnce
ntdll.dll.RtlGetVersion
kernel32.dll.GetLongPathNameW
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel