Maldun (魔盾) Security Analysis Report

Analysis type: FILE
Start time: 2019-07-21 11:28:50
End time: 2019-07-21 11:30:05
Duration: 75 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-2
Label: win7-sp1-x64-hpdapp01-2
Hypervisor: KVM
Boot time: 2019-07-21 11:28:54
Shutdown time: None
Maldun score

0.0

Normal

File details

File name: api-ms-win-core-sysinfo-l1-1-0.dll
File size: 20376 bytes
File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
CRC32 EF0CF155
MD5 f69d3b75d2becfc53a29ce3decf62fe7
SHA1 28ad9523af0b3d569f959803cdc01f1dee87cf53
SHA256 460fa4cb795fab56d0949518d1c1d76d48dd55b3f9a02b3db421e79f98a64619
SHA512 f2653f4006ccee2a2e06227e75a95c0a702a625622311f5879a3b689078bfc623606fd7e4dd051f9987c624e922980c4c3a7c4852ce8cfc98fc11aa7115e4ac0
Ssdeep 384:WgPUZWEhWZMoq0GftpBjp1ZERHRN7lNclgHrIQeaM:WgPUZ3ai71ZEB5rI4M
PEiD: no match
Yara
  • IsPE32 (Detected 32bit PE signature)
  • IsDLL (Detect DLL signature)
  • IsConsole (Detected Console program signature)
  • HasOverlay (Detected Overlay signature)
  • HasDigitalSignature (Detected Digital Signature)
  • HasDebugData (Detected Debug Data)
  • ImportTableIsBad (ImportTable Check)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__Ticks ()
  • without_attachments (Detected no presence of any attachment)
  • without_images (Detected no presence of any image)
  • with_urls (Detected the presence of an or several urls)
VirusTotal: VirusTotal link
VirusTotal scan time: 2019-06-19 08:12:08
Scan result: 0/71

Signatures

The sample's signing certificate is valid
Maldun Yara detection results - Normal
Informational: Detected Overlay signature
Informational: Detected Debug Data
Warning: ImportTable Check
Informational: Detected Rich Signature
Informational: Detected no presence of any attachment
Informational: Detected no presence of any image
Informational: Detected the presence of an or several urls
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

Network analysis

No information

Static analysis

PE information

Image base: 0x10000000
Entry point: 0x10000000
Declared checksum: 0x0000f6a9
Actual checksum: 0x0000f6a9
Minimum OS version required: 10.0
PDB path: api-ms-win-core-sysinfo-l1-1-0.pdb
Compile time: 2015-11-20 12:37:39
Exported DLL name: \x39\x31\x3145\x31\x3145\x31\x31\x3145\x39\x31\x31\x3145\x31\x31\x31\x31\x31\x31\x3145\x31\x3445\x3445\x34\x34\x31\x31\x31

Version information

LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: apisetstub
FileVersion: 10.0.10586.15 (th2_release.151119-1817)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.10586.15
FileDescription: ApiSet Stub DLL
OriginalFilename: apisetstub
Translation: 0x0409 0x04b0

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x00000655 0x00000800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 4.39
.rsrc 0x00002000 0x000003f8 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.32

Exports

Ordinal  Address  Name
1 0x1000124a GetComputerNameExA
2 0x10001279 GetComputerNameExW
3 0x100012a2 GetLocalTime
4 0x100012d7 GetLogicalProcessorInformation
5 0x10001320 GetLogicalProcessorInformationEx
6 0x1000135e GetSystemDirectoryA
7 0x1000138f GetSystemDirectoryW
8 0x100013ba GetSystemInfo
9 0x100013df GetSystemTime
10 0x1000140e GetSystemTimeAdjustment
11 0x10001447 GetSystemTimeAsFileTime
12 0x10001483 GetSystemWindowsDirectoryA
13 0x100014c2 GetSystemWindowsDirectoryW
14 0x100014f5 GetTickCount64
15 0x1000151a GetTickCount
16 0x1000153b GetVersion
17 0x1000155d GetVersionExA
18 0x10001582 GetVersionExW
19 0x100015ae GetWindowsDirectoryA
20 0x100015e1 GetWindowsDirectoryW
21 0x10001614 GlobalMemoryStatusEx
22 0x1000163f SetLocalTime

Dropped files

No information

Behavior analysis

Mutexes: no information
Executed commands: no information
Created services: no information
Started services: no information

Processes

rundll32.exe PID: 2680, parent PID: 2304

Files accessed
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dll
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
Files read
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dll
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
Files modified: no information
Files deleted: no information
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified: no information
Registry keys deleted: no information
API resolution
  • api-ms-win-core-sysinfo-l1-1-0.dll.#1