Maldun Security Analysis Report

Analysis type: FILE
Start time: 2018-05-22 11:20:58
End time: 2018-05-22 11:23:16
Duration: 138 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-shaapp01-1
Label: win7-sp1-x64-shaapp01-1
Hypervisor: KVM
Boot time: 2018-05-22 11:20:59
Shutdown time: 2018-05-22 11:23:15
Maldun score

1.15

Normal

File details

File name: (4).exe
File size: 197682 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
CRC32: D48E0721
MD5: 45024f9da3c07af8c4c26e0e0f62018a
SHA1: 4bbcaaf949148d265ce3296b07600fd344dccb5e
SHA256: f996341aa4c2922f6d0ca1283218b053ae6093700b009c4e513ebb971b342248
SHA512: 4532bd280838448389a6e9370fff9e10db1cecb0c8ab69852c448ae1d8981a726427e99999dbb16c49133e1c508c882f898432dfeb5a033b537cf68494d7db7f
Ssdeep: 3072:Eqkkr3Owrt4DtSOnmS0yolSVtlL780kUY15e5D/x:Egn48XjSVr380AG
PEiD: No match
Yara
  • powershell ()
  • IsPE32 ()
  • IsDLL ()
  • IsWindowsGUI ()
  • HasOverlay (Overlay Check)
  • HasModified_DOS_Message (DOS Message Check)
  • anti_dbg (Checks if being debugged)
  • inject_thread (Code injection with CreateRemoteThread in a remote process)
  • create_service (Create a windows service)
  • network_http (Communications over HTTP)
  • network_dns (Communications use DNS)
  • escalate_priv (Escalade priviledges)
  • win_registry (Affect system registries)
  • win_token (Affect system token)
  • win_files_operation (Affect private profile)
  • maldoc_find_kernel32_base_method_1 ()
  • maldoc_getEIP_method_1 ()
  • Str_Win32_Winsock2_Library (Match Winsock 2 API library declaration)
  • Str_Win32_Wininet_Library (Match Windows Inet API library declaration)
  • Str_Win32_Internet_API (Match Windows Inet API call)
  • Str_Win32_Http_API (Match Windows Http API call)
  • with_urls (Rule to detect the presence of an or several urls)
  • without_attachments (Rule to detect the no presence of any attachment)
  • without_images (Rule to detect the no presence of any image)
  • Prime_Constants_long (List of primes [long])
  • RijnDael_AES (RijnDael AES)
  • BASE64_table (Look for Base64 table)
  • VC8_Random (Look for Random function)
  • Visual_Cpp_2005_DLL_Microsoft ()
  • Visual_Cpp_2003_DLL_Microsoft ()
VirusTotal: No scan result for this file

Signatures

Allocates RWX memory
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base: 0x10000000
Entry point: 0x10015d44
Reported checksum: 0x0003585b
Actual checksum: 0x00036a14
Minimum OS version: 5.0
Compile time: 2016-09-17 10:10:05
Import hash: 44b279bbda1558424b378a71a2ed8452
Exported DLL name: 6d9e70.dll

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x00021c1c 0x00021e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.63
.rdata 0x00023000 0x000098c1 0x00009a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.59
.data 0x0002d000 0x00010120 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.82
.rsrc 0x0003e000 0x000001b4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.12
.reloc 0x0003f000 0x00001d4c 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.55

Overlay

Offset: 0x00030000
Size: 0x00000432

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_MANIFEST 0x0003e058 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 4.80 ASCII text, with CRLF line terminators

Imports

Library KERNEL32.dll:
0x1002309c - OpenProcess
0x100230a0 - VirtualAllocEx
0x100230a4 - WriteProcessMemory
0x100230a8 - FreeLibrary
0x100230ac - VirtualFree
0x100230b0 - Thread32First
0x100230b4 - Thread32Next
0x100230b8 - SetLastError
0x100230bc - VirtualAlloc
0x100230c0 - LoadLibraryA
0x100230c4 - OpenThread
0x100230c8 - CreateToolhelp32Snapshot
0x100230cc - SuspendThread
0x100230d0 - ResumeThread
0x100230d4 - PeekNamedPipe
0x100230d8 - WaitNamedPipeA
0x100230dc - SetNamedPipeHandleState
0x100230e0 - LocalAlloc
0x100230e4 - LocalFree
0x100230e8 - GetComputerNameA
0x100230ec - Process32First
0x100230f0 - TerminateProcess
0x100230f4 - Process32Next
0x100230f8 - ProcessIdToSessionId
0x100230fc - GetFileAttributesA
0x10023100 - GetLogicalDrives
0x10023104 - SystemTimeToTzSpecificLocalTime
0x10023108 - GetFullPathNameA
0x1002310c - CreateThread
0x10023110 - GetVersionExA
0x10023114 - GetModuleHandleA
0x10023118 - CreateNamedPipeA
0x1002311c - GetProcAddress
0x10023120 - ReadFile
0x10023124 - GetCurrentThread
0x10023128 - ConnectNamedPipe
0x1002312c - GetCurrentProcess
0x10023130 - CloseHandle
0x10023134 - GetFileTime
0x10023138 - GetCurrentDirectoryA
0x1002313c - CreatePipe
0x10023140 - GetCurrentDirectoryW
0x10023144 - GetLastError
0x10023148 - GetWindowsDirectoryA
0x1002314c - SetCurrentDirectoryA
0x10023150 - FlushFileBuffers
0x10023154 - DisconnectNamedPipe
0x10023158 - GetEnvironmentVariableA
0x1002315c - CreateProcessA
0x10023160 - WriteFile
0x10023164 - SetFileTime
0x10023168 - WaitForSingleObject
0x1002316c - CreateFileA
0x10023170 - GetCurrentProcessId
0x10023174 - GetLocalTime
0x10023178 - Sleep
0x1002317c - SetEndOfFile
0x10023180 - VirtualQuery
0x10023184 - GetModuleFileNameW
0x10023188 - GetProcessHeap
0x1002318c - SetStdHandle
0x10023190 - WriteConsoleW
0x10023194 - GetConsoleOutputCP
0x10023198 - WriteConsoleA
0x1002319c - GetTickCount
0x100231a0 - GetStringTypeW
0x100231a4 - GetStringTypeA
0x100231a8 - LCMapStringW
0x100231ac - LCMapStringA
0x100231b0 - GetLocaleInfoA
0x100231b4 - HeapSize
0x100231b8 - DebugBreak
0x100231bc - RaiseException
0x100231c0 - QueryPerformanceCounter
0x100231c4 - GetEnvironmentStringsW
0x100231c8 - FreeEnvironmentStringsW
0x100231cc - GetEnvironmentStrings
0x100231d0 - FreeEnvironmentStringsA
0x100231d4 - CreateRemoteThread
0x100231d8 - FindNextFileA
0x100231dc - FindClose
0x100231e0 - FindFirstFileA
0x100231e4 - GetStartupInfoA
0x100231e8 - FileTimeToSystemTime
0x100231ec - SetFilePointer
0x100231f0 - GetFileType
0x100231f4 - SetHandleCount
0x100231f8 - GetConsoleMode
0x100231fc - HeapFree
0x10023200 - HeapAlloc
0x10023204 - GetModuleHandleW
0x10023208 - ExitProcess
0x1002320c - MultiByteToWideChar
0x10023210 - DeleteFileA
0x10023214 - CreateDirectoryA
0x10023218 - RemoveDirectoryA
0x1002321c - GetCurrentThreadId
0x10023220 - GetCommandLineA
0x10023224 - GetSystemTimeAsFileTime
0x10023228 - UnhandledExceptionFilter
0x1002322c - SetUnhandledExceptionFilter
0x10023230 - IsDebuggerPresent
0x10023234 - HeapCreate
0x10023238 - HeapDestroy
0x1002323c - DeleteCriticalSection
0x10023240 - LeaveCriticalSection
0x10023244 - EnterCriticalSection
0x10023248 - HeapReAlloc
0x1002324c - GetStdHandle
0x10023250 - GetModuleFileNameA
0x10023254 - TlsGetValue
0x10023258 - TlsAlloc
0x1002325c - TlsSetValue
0x10023260 - TlsFree
0x10023264 - InterlockedIncrement
0x10023268 - InterlockedDecrement
0x1002326c - InitializeCriticalSectionAndSpinCount
0x10023270 - GetCPInfo
0x10023274 - GetACP
0x10023278 - GetOEMCP
0x1002327c - IsValidCodePage
0x10023280 - RtlUnwind
0x10023284 - WideCharToMultiByte
0x10023288 - GetConsoleCP
Library ADVAPI32.dll:
0x10023000 - CryptGenRandom
0x10023004 - CryptReleaseContext
0x10023008 - CryptAcquireContextA
0x1002300c - LogonUserA
0x10023010 - CheckTokenMembership
0x10023014 - FreeSid
0x10023018 - RevertToSelf
0x1002301c - AllocateAndInitializeSid
0x10023020 - DuplicateTokenEx
0x10023024 - LookupAccountSidA
0x10023028 - GetTokenInformation
0x1002302c - SetSecurityDescriptorDacl
0x10023030 - InitializeSecurityDescriptor
0x10023034 - GetUserNameA
0x10023038 - AdjustTokenPrivileges
0x1002303c - ControlService
0x10023040 - QueryServiceStatusEx
0x10023044 - ImpersonateNamedPipeClient
0x10023048 - ImpersonateLoggedOnUser
0x1002304c - LookupPrivilegeValueA
0x10023050 - OpenThreadToken
0x10023054 - OpenProcessToken
0x10023058 - OpenServiceA
0x1002305c - OpenSCManagerA
0x10023060 - QueryServiceStatus
0x10023064 - CreateProcessWithTokenW
0x10023068 - StartServiceA
0x1002306c - CreateServiceA
0x10023070 - DeleteService
0x10023074 - CreateProcessWithLogonW
0x10023078 - CloseServiceHandle
0x1002307c - CreateProcessAsUserA
Library WININET.dll:
0x100232a0 - InternetConnectA
0x100232a4 - InternetQueryDataAvailable
0x100232a8 - InternetReadFile
0x100232ac - InternetSetOptionA
0x100232b0 - HttpOpenRequestA
0x100232b4 - HttpSendRequestA
0x100232b8 - InternetOpenA
0x100232bc - InternetCloseHandle
0x100232c0 - InternetQueryOptionA
0x100232c4 - HttpQueryInfoA
Library WS2_32.dll:
0x100232cc - ntohs
0x100232d0 - connect
0x100232d4 - htons
0x100232d8 - socket
0x100232dc - accept
0x100232e0 - send
0x100232e4 - gethostname
0x100232e8 - inet_ntoa
0x100232ec - WSAStartup
0x100232f0 - gethostbyname
0x100232f4 - ntohl
0x100232f8 - htonl
0x100232fc - listen
0x10023300 - __WSAFDIsSet
0x10023304 - bind
0x10023308 - recv
0x1002330c - shutdown
0x10023310 - WSAGetLastError
0x10023314 - select
0x10023318 - ioctlsocket
0x1002331c - inet_addr
0x10023320 - closesocket
0x10023324 - WSACleanup
Library DNSAPI.dll:
0x10023084 - DnsFree
0x10023088 - DnsQuery_A
Library IPHLPAPI.DLL:
0x10023090 - GetIfEntry
0x10023094 - GetIpAddrTable
Library Secur32.dll:
0x10023290 - LsaCallAuthenticationPackage
0x10023294 - LsaConnectUntrusted
0x10023298 - LsaLookupAuthenticationPackage

Exports

Ordinal | Address | Name
1 0x10007f59 _ReflectiveLoader@4

Dropped files

No information

Behavioral analysis

Mutexes: No information
Executed commands: No information
Created services: No information
Started services: No information

Processes

rundll32.exe PID: 1808, parent process PID: 1872

Accessed files
  • C:\Users\test\AppData\Local\Temp\_4_.exe.dll
  • C:\Users\test\AppData\Local\Temp\_4_.exe.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\_4_.exe.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\DNSAPI.dll
  • C:\Windows\System32\dnsapi.dll
  • C:\Users\test\AppData\Local\Temp\IPHLPAPI.DLL
  • C:\Windows\System32\IPHLPAPI.DLL
  • C:\Users\test\AppData\Local\Temp\WINNSI.DLL
  • C:\Windows\System32\winnsi.dll
  • C:\Users\test\AppData\Local\Temp\Secur32.dll
  • C:\Windows\System32\secur32.dll
Read files
  • C:\Users\test\AppData\Local\Temp\_4_.exe.dll
  • C:\Users\test\AppData\Local\Temp\_4_.exe.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\_4_.exe.dll.124.Manifest
  • C:\Windows\System32\dnsapi.dll
  • C:\Windows\System32\IPHLPAPI.DLL
  • C:\Windows\System32\winnsi.dll
  • C:\Windows\System32\secur32.dll
Modified files: No information
Deleted files: No information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
Registry keys read: No information
Registry keys modified: No information
Registry keys deleted: No information
Resolved APIs
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsGetValue
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsFree
  • _4_.exe.dll.#1