魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2016-09-06 14:52:25 | 2016-09-06 14:52:48 | 23 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-1 | win7-sp1-x64-1 | KVM | 2016-09-06 14:52:26 | 2016-09-06 14:52:46 |
| 魔盾分数 |
|---|
1.0正常的 |
文件详细信息
| 文件名 | dwtrig20.exe |
|---|---|
| 文件大小 | 519584 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 1286A57B |
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
| Ssdeep | 12288:qMwXwNSO5X3IA1iBihI7XHgZQKhJgeCmvz0/:dew0O1IA1UiuLHgZpJEGg/ |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2016-08-24 07:15:29 扫描结果: 0/56 |
特征
二进制文件可能包含加密或压缩数据
section: name: .data, entropy: 7.61, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00032200, virtual_size: 0x00039518
运行截图
网络分析
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.69 | 53197 |
| 192.168.122.69 | 64810 |
| 224.0.0.252 | 5355 |
| 239.255.255.250 | 1900 |
| 52.169.179.91 | 123 |
静态分析
PE 信息
| 初始地址 | 0x2e000000 |
|---|---|
| 入口地址 | 0x2e035125 |
| 声明校验值 | 0x0008d6d7 |
| 实际校验值 | 0x0008d6d7 |
| 最低操作系统版本要求 | 5.1 |
| PDB路径 | t:\dw\x86\ship\0\dwtrig20.pdb\x00\ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb |
| 编译时间 | 2010-02-28 17:09:06 |
| 导出DLL库名称 | dwtrig20.exe |
版本信息
| LegalCopyright: | \xa9 2010 Microsoft Corporation. All rights reserved. |
| InternalName: | dwtrig20.exe |
| FileVersion: | 14.0.4750.1000 |
| CompanyName: | Microsoft Corporation |
| LegalTrademarks1: | Microsoft\xae is a registered trademark of Microsoft Corporation. |
| LegalTrademarks2: | Windows\xae is a registered trademark of Microsoft Corporation. |
| ProductName: | Watson Subscriber for SENS Network Notifications |
| ProductVersion: | 14.0.4750.1000 |
| FileDescription: | Watson Subscriber for SENS Network Notifications |
| OriginalFilename: | dwtrig20.exe |
| Translation: | 0x0000 0x04e4 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00047fa0 | 0x00048000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.54 |
| .data | 0x00049000 | 0x00039518 | 0x00032200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.61 |
| .rsrc | 0x00083000 | 0x00000910 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.18 |
| .reloc | 0x00084000 | 0x00002510 | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.68 |
覆盖
| 偏移量: | 0x0007d600 |
| 大小: | 0x000017a0 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x000830a0 | 0x00000514 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.42 | data |
| RT_MANIFEST | 0x000835b8 | 0x00000351 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.19 | XML document text |
导入
库 VERSION.dll:
• 0x2e001000 - VerQueryValueW
• 0x2e001004 - GetFileVersionInfoSizeW
• 0x2e001008 - GetFileVersionInfoW
库 Secur32.dll:
• 0x2e001010 - GetUserNameExW
库 ADVAPI32.dll:
• 0x2e001018 - GetTokenInformation
• 0x2e00101c - OpenThreadToken
• 0x2e001020 - UnregisterTraceGuids
• 0x2e001024 - ConvertSidToStringSidA
• 0x2e001028 - RegCloseKey
• 0x2e00102c - RegSetValueExW
• 0x2e001030 - RegCreateKeyExW
• 0x2e001034 - RegDeleteKeyW
• 0x2e001038 - RegEnumKeyExW
• 0x2e00103c - RegOpenKeyExW
• 0x2e001040 - RegQueryValueExA
• 0x2e001044 - RegQueryValueExW
• 0x2e001048 - GetTraceEnableFlags
• 0x2e00104c - GetTraceEnableLevel
• 0x2e001050 - GetTraceLoggerHandle
• 0x2e001054 - RegisterTraceGuidsA
• 0x2e001058 - TraceEvent
• 0x2e00105c - RegQueryInfoKeyW
• 0x2e001060 - RegEnumKeyW
• 0x2e001064 - RegEnumValueW
• 0x2e001068 - RegOpenKeyExA
• 0x2e00106c - GetLengthSid
• 0x2e001070 - AddAccessAllowedAce
• 0x2e001074 - AddAccessDeniedAce
• 0x2e001078 - InitializeAcl
• 0x2e00107c - AllocateAndInitializeSid
• 0x2e001080 - CopySid
• 0x2e001084 - OpenProcessToken
• 0x2e001088 - FreeSid
• 0x2e00108c - SetSecurityDescriptorDacl
• 0x2e001090 - InitializeSecurityDescriptor
• 0x2e001094 - GetSecurityDescriptorDacl
• 0x2e001098 - ConvertStringSecurityDescriptorToSecurityDescriptorW
• 0x2e00109c - CheckTokenMembership
• 0x2e0010a0 - IsValidSid
库 GDI32.dll:
• 0x2e0010a8 - GetDeviceCaps
• 0x2e0010ac - DeleteDC
• 0x2e0010b0 - DeleteObject
• 0x2e0010b4 - CreateDCA
• 0x2e0010b8 - CreateSolidBrush
库 KERNEL32.dll:
• 0x2e0010c0 - GetSystemWindowsDirectoryW
• 0x2e0010c4 - lstrcmpiW
• 0x2e0010c8 - WriteConsoleW
• 0x2e0010cc - SetEvent
• 0x2e0010d0 - lstrlenW
• 0x2e0010d4 - CreateEventW
• 0x2e0010d8 - GetModuleFileNameW
• 0x2e0010dc - WaitForSingleObject
• 0x2e0010e0 - RaiseException
• 0x2e0010e4 - HeapFree
• 0x2e0010e8 - HeapAlloc
• 0x2e0010ec - GetProcessHeap
• 0x2e0010f0 - GetModuleHandleA
• 0x2e0010f4 - VirtualAlloc
• 0x2e0010f8 - HeapSetInformation
• 0x2e0010fc - HeapCreate
• 0x2e001100 - HeapDestroy
• 0x2e001104 - HeapReAlloc
• 0x2e001108 - HeapSize
• 0x2e00110c - HeapUnlock
• 0x2e001110 - HeapLock
• 0x2e001114 - TlsSetValue
• 0x2e001118 - SetLastError
• 0x2e00111c - GetLastError
• 0x2e001120 - VirtualFree
• 0x2e001124 - TlsGetValue
• 0x2e001128 - InitializeCriticalSectionAndSpinCount
• 0x2e00112c - TlsAlloc
• 0x2e001130 - GetSystemDefaultLCID
• 0x2e001134 - TlsFree
• 0x2e001138 - DeleteCriticalSection
• 0x2e00113c - EnterCriticalSection
• 0x2e001140 - LeaveCriticalSection
• 0x2e001144 - IsValidLocale
• 0x2e001148 - GetModuleHandleW
• 0x2e00114c - GetProcAddress
• 0x2e001150 - GetFileAttributesW
• 0x2e001154 - GetVersion
• 0x2e001158 - GetVersionExA
• 0x2e00115c - GetModuleHandleExW
• 0x2e001160 - RtlCaptureStackBackTrace
• 0x2e001164 - ReleaseMutex
• 0x2e001168 - CloseHandle
• 0x2e00116c - GetSystemTimeAsFileTime
• 0x2e001170 - GetTickCount
• 0x2e001174 - GetLocalTime
• 0x2e001178 - WriteFile
• 0x2e00117c - SetFileAttributesW
• 0x2e001180 - DeleteFileW
• 0x2e001184 - CreateFileW
• 0x2e001188 - ExpandEnvironmentStringsW
• 0x2e00118c - GetProcessTimes
• 0x2e001190 - GetCurrentProcess
• 0x2e001194 - GlobalFree
• 0x2e001198 - LoadLibraryW
• 0x2e00119c - OutputDebugStringA
• 0x2e0011a0 - CreateMutexA
• 0x2e0011a4 - OpenMutexA
• 0x2e0011a8 - CreateSemaphoreA
• 0x2e0011ac - GetShortPathNameA
• 0x2e0011b0 - GetModuleFileNameA
• 0x2e0011b4 - GlobalAlloc
• 0x2e0011b8 - GetSystemDirectoryW
• 0x2e0011bc - GetTimeZoneInformation
• 0x2e0011c0 - GetDiskFreeSpaceExW
• 0x2e0011c4 - IsWow64Process
• 0x2e0011c8 - GetUserDefaultLCID
• 0x2e0011cc - FreeLibrary
• 0x2e0011d0 - GetSystemInfo
• 0x2e0011d4 - GetVersionExW
• 0x2e0011d8 - TerminateProcess
• 0x2e0011dc - GetCurrentProcessId
• 0x2e0011e0 - GetCurrentThreadId
• 0x2e0011e4 - CreateProcessW
• 0x2e0011e8 - LoadLibraryA
• 0x2e0011ec - GetConsoleOutputCP
• 0x2e0011f0 - LocalFree
• 0x2e0011f4 - LocalAlloc
• 0x2e0011f8 - Sleep
• 0x2e0011fc - GetTempPathW
• 0x2e001200 - GetShortPathNameW
• 0x2e001204 - GetLongPathNameW
• 0x2e001208 - CreateDirectoryW
• 0x2e00120c - GetFileType
• 0x2e001210 - CreateFileA
• 0x2e001214 - InitializeCriticalSection
• 0x2e001218 - LoadLibraryExW
• 0x2e00121c - IsDBCSLeadByte
• 0x2e001220 - GetStringTypeExW
• 0x2e001224 - GetACP
• 0x2e001228 - WideCharToMultiByte
• 0x2e00122c - IsValidCodePage
• 0x2e001230 - CompareStringW
• 0x2e001234 - MultiByteToWideChar
• 0x2e001238 - GetCurrentThread
• 0x2e00123c - FlushFileBuffers
• 0x2e001240 - GlobalMemoryStatus
• 0x2e001244 - ReleaseSemaphore
• 0x2e001248 - IsProcessorFeaturePresent
• 0x2e00124c - RtlUnwind
• 0x2e001250 - SetUnhandledExceptionFilter
• 0x2e001254 - ExitProcess
• 0x2e001258 - GetStdHandle
• 0x2e00125c - FreeEnvironmentStringsW
• 0x2e001260 - GetEnvironmentStringsW
• 0x2e001264 - GetCommandLineW
• 0x2e001268 - SetHandleCount
• 0x2e00126c - GetStartupInfoA
• 0x2e001270 - InterlockedIncrement
• 0x2e001274 - InterlockedDecrement
• 0x2e001278 - QueryPerformanceCounter
• 0x2e00127c - UnhandledExceptionFilter
• 0x2e001280 - IsDebuggerPresent
• 0x2e001284 - GetCPInfo
• 0x2e001288 - GetOEMCP
• 0x2e00128c - LCMapStringA
• 0x2e001290 - LCMapStringW
• 0x2e001294 - InterlockedExchange
• 0x2e001298 - SetFilePointer
• 0x2e00129c - GetConsoleCP
• 0x2e0012a0 - GetConsoleMode
• 0x2e0012a4 - GetLocaleInfoA
• 0x2e0012a8 - SetStdHandle
• 0x2e0012ac - GetStringTypeA
• 0x2e0012b0 - GetStringTypeW
• 0x2e0012b4 - WriteConsoleA
库 ole32.dll:
• 0x2e0012bc - CoCreateInstance
• 0x2e0012c0 - StringFromCLSID
• 0x2e0012c4 - CoTaskMemFree
• 0x2e0012c8 - CoInitializeEx
• 0x2e0012cc - CoRegisterClassObject
• 0x2e0012d0 - CoRevokeClassObject
• 0x2e0012d4 - CoUninitialize
• 0x2e0012d8 - StringFromIID
库 OLEAUT32.dll:
• 0x2e0012e0 - None
• 0x2e0012e4 - None
• 0x2e0012e8 - None
• 0x2e0012ec - None
库 RPCRT4.dll:
• 0x2e0012f4 - UuidCreate
库 SHELL32.dll:
• 0x2e0012fc - SHGetSpecialFolderPathW
库 USER32.dll:
• 0x2e001304 - GetSysColor
• 0x2e001308 - EnumDisplayMonitors
• 0x2e00130c - GetMonitorInfoA
• 0x2e001310 - GetKeyboardLayoutList
• 0x2e001314 - GetKeyboardLayout
• 0x2e001318 - GetMenuCheckMarkDimensions
• 0x2e00131c - ReleaseDC
• 0x2e001320 - GetDC
• 0x2e001324 - SystemParametersInfoA
• 0x2e001328 - GetSystemMetrics
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x2e034f62 | _GetAllocCounters@0 |
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
dwtrig20.exe PID: 2728, 上一级进程 PID: 2256
访问的文件
无信息
读取的文件
无信息
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_CURRENT_USER\Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
- HKEY_LOCAL_MACHINE\software\microsoft\office\14.0\common\filespaths
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\FilesPaths\mso.dll
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Common\FilesPaths\mso.dll
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0
- HKEY_CURRENT_USER\Software\Microsoft\Office\14.0
- HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common
- HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MsoHeapInit
- HKEY_LOCAL_MACHINE\Software\Microsoft\Office\14.0\Common\Security
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\FilesPaths\mso.dll
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Common\FilesPaths\mso.dll
- HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MsoHeapInit
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.IsProcessorFeaturePresent
- advapi32.dll.EventWrite
- advapi32.dll.EventRegister
- advapi32.dll.EventUnregister