分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp02-1 | 2022-05-27 19:03:02 | 2022-05-27 19:05:14 | 132 秒 |
魔盾分数
3.35
可疑的
文件详细信息
| 文件名 | winspool.drv |
|---|---|
| 文件大小 | 6725632 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | a969725278044c93696913eada98b6bf |
| SHA1 | 4b2b71e64e53c05e3dce8744ff515f3dad5d325e |
| SHA256 | 3d7f073e74e0d537bebfd030636bdcc51bf08339ede1d9ab1c6301cb7194fd74 |
| SHA512 | 1580e6e620cab88c42f618acd7c104ff349e4b15a11db5fea9b3e4fdaace44f409bd16e289669fcfc109e2e8464599662fc23beaba016ce1bfb32d96afd784e6 |
| CRC32 | 9E6D7A11 |
| Ssdeep | 98304:69ONcyyx3wQgApVZVK2ugeuo7AOaGHmvReN7ILRb4QEmOW6bNS9:69OwwQXKKvo7AiHmENcbEmLkNS9 |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x10000000 |
|---|---|
| 入口地址 | 0x106af985 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x0067499f |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2021-07-22 12:37:32 |
| 载入哈希 | acbcd7be0d337be66199e309a2375c8f |
| 导出DLL库名称 | \x31\x31\x31\x31\x31\x31\x31\x31\x34\x31\x31\x31 |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| Comments | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| Translation |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000a1fd2 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x000a3000 | 0x00015a4d | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x000b9000 | 0x0003af8c | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp0 | 0x000f4000 | 0x003df10e | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .vmp1 | 0x004d4000 | 0x00665c40 | 0x00666000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.97 |
| .reloc | 0x00b3a000 | 0x000005a8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 1.91 |
| .rsrc | 0x00b3b000 | 0x0000159d | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.88 |
导入
库: USER32.dll:
• 0x10ae300c SetClipboardData
库: GDI32.dll:
• 0x10ae3014 SetStretchBltMode
库: WINMM.dll:
• 0x10ae301c midiStreamRestart
库: ADVAPI32.dll:
• 0x10ae3024 RegCloseKey
库: SHELL32.dll:
• 0x10ae302c Shell_NotifyIconA
库: ole32.dll:
• 0x10ae3034 OleInitialize
库: OLEAUT32.dll:
• 0x10ae303c UnRegisterTypeLib
库: COMCTL32.dll:
• 0x10ae3044 ImageList_Destroy
库: WS2_32.dll:
• 0x10ae304c getpeername
库: comdlg32.dll:
• 0x10ae3054 GetFileTitleA
库: WTSAPI32.dll:
• 0x10ae305c WTSSendMessageW
库: KERNEL32.dll:
• 0x10ae3064 VirtualQuery
库: USER32.dll:
• 0x10ae306c GetProcessWindowStation
库: KERNEL32.dll:
• 0x10ae3074 LocalAlloc
• 0x10ae3078 LocalFree
• 0x10ae307c GetModuleFileNameW
• 0x10ae3080 GetProcessAffinityMask
• 0x10ae3084 SetProcessAffinityMask
• 0x10ae3088 SetThreadAffinityMask
• 0x10ae308c Sleep
• 0x10ae3090 ExitProcess
• 0x10ae3094 FreeLibrary
• 0x10ae3098 LoadLibraryA
• 0x10ae309c GetModuleHandleA
• 0x10ae30a0 GetProcAddress
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x1000fded | ADVANCEDSETUPDIALOG |
| 2 | 0x1000fe0c | AbortPrinter |
| 3 | 0x1000fe18 | AddFormA |
| 4 | 0x1000fe37 | AddFormW |
| 5 | 0x1000fe43 | AddJobA |
| 6 | 0x1000fe62 | AddJobW |
| 7 | 0x1000fe6e | AddMonitorA |
| 8 | 0x1000fe8d | AddMonitorW |
| 9 | 0x1000fe99 | AddPortA |
| 10 | 0x1000feb8 | AddPortExA |
| 11 | 0x1000fed7 | AddPortExW |
| 12 | 0x1000fee3 | AddPortW |
| 13 | 0x1000feef | AddPrintProcessorA |
| 14 | 0x1000ff0e | AddPrintProcessorW |
| 15 | 0x1000ff1a | AddPrintProvidorA |
| 16 | 0x1000ff39 | AddPrintProvidorW |
| 17 | 0x1000ff45 | AddPrinterA |
| 18 | 0x1000ff64 | AddPrinterConnection2A |
| 19 | 0x1000ff83 | AddPrinterConnection2W |
| 20 | 0x1000ff8f | AddPrinterConnectionA |
| 21 | 0x1000ffae | AddPrinterConnectionW |
| 22 | 0x1000ffcd | AddPrinterDriverA |
| 23 | 0x1000ffec | AddPrinterDriverExA |
| 24 | 0x1001000b | AddPrinterDriverExW |
| 25 | 0x10010017 | AddPrinterDriverW |
| 26 | 0x10010036 | AddPrinterW |
| 27 | 0x10010042 | AdvancedDocumentPropertiesA |
| 28 | 0x10010061 | AdvancedDocumentPropertiesW |
| 29 | 0x10010080 | AdvancedSetupDialog |
| 30 | 0x1001009f | ClosePrinter |
| 31 | 0x100100be | CloseSpoolFileHandle |
| 32 | 0x100100ca | CommitSpoolData |
| 33 | 0x100100e9 | ConfigurePortA |
| 34 | 0x10010108 | ConfigurePortW |
| 35 | 0x10010114 | ConnectToPrinterDlg |
| 36 | 0x10010133 | ConvertAnsiDevModeToUnicodeDevmode |
| 37 | 0x10010152 | ConvertUnicodeDevModeToAnsiDevmode |
| 38 | 0x10010171 | CorePrinterDriverInstalledA |
| 39 | 0x10010190 | CorePrinterDriverInstalledW |
| 40 | 0x1001019c | CreatePrintAsyncNotifyChannel |
| 41 | 0x100101bb | CreatePrinterIC |
| 42 | 0x100101c7 | DEVICECAPABILITIES |
| 43 | 0x100101e6 | DEVICEMODE |
| 44 | 0x10010205 | DeleteFormA |
| 45 | 0x10010224 | DeleteFormW |
| 46 | 0x10010243 | DeleteMonitorA |
| 47 | 0x10010262 | DeleteMonitorW |
| 48 | 0x1001026e | DeletePortA |
| 49 | 0x1001028d | DeletePortW |
| 50 | 0x10010299 | DeletePrintProcessorA |
| 51 | 0x100102b8 | DeletePrintProcessorW |
| 52 | 0x100102c4 | DeletePrintProvidorA |
| 53 | 0x100102e3 | DeletePrintProvidorW |
| 54 | 0x100102ef | DeletePrinter |
| 55 | 0x100102fb | DeletePrinterConnectionA |
| 56 | 0x1001031a | DeletePrinterConnectionW |
| 57 | 0x10010326 | DeletePrinterDataA |
| 58 | 0x10010345 | DeletePrinterDataExA |
| 59 | 0x10010364 | DeletePrinterDataExW |
| 60 | 0x10010370 | DeletePrinterDataW |
| 61 | 0x1001037c | DeletePrinterDriverA |
| 62 | 0x1001039b | DeletePrinterDriverExA |
| 63 | 0x100103ba | DeletePrinterDriverExW |
| 64 | 0x100103c6 | DeletePrinterDriverPackageA |
| 65 | 0x100103e5 | DeletePrinterDriverPackageW |
| 66 | 0x100103f1 | DeletePrinterDriverW |
| 67 | 0x100103fd | DeletePrinterIC |
| 68 | 0x10010409 | DeletePrinterKeyA |
| 69 | 0x10010428 | DeletePrinterKeyW |
| 70 | 0x10010434 | DevQueryPrint |
| 71 | 0x10010440 | DevQueryPrintEx |
| 72 | 0x1001044c | DeviceCapabilities |
| 73 | 0x1001046b | DeviceCapabilitiesA |
| 74 | 0x1001048a | DeviceCapabilitiesW |
| 75 | 0x100104a9 | DeviceMode |
| 76 | 0x100104c8 | DevicePropertySheets |
| 77 | 0x1000fdce | |
| 78 | 0x100104e7 | |
| 79 | 0x10010506 | |
| 80 | 0x10010525 | |
| 81 | 0x10010531 | |
| 82 | 0x10010550 | |
| 83 | 0x1001056f | |
| 84 | 0x1001057b | |
| 85 | 0x10010587 | |
| 86 | 0x100105a6 | |
| 87 | 0x100105b2 | |
| 88 | 0x100105d1 | |
| 89 | 0x100105dd | |
| 90 | 0x100105fc | |
| 91 | 0x10010608 | |
| 92 | 0x10010627 | |
| 93 | 0x10010633 | |
| 94 | 0x10010652 | |
| 95 | 0x1001065e | |
| 96 | 0x1001067d | |
| 97 | 0x10010689 | |
| 98 | 0x100106a8 | |
| 99 | 0x100106c7 | |
| 100 | 0x100106d3 | |
| 101 | 0x100106df | |
| 102 | 0x100106fe | |
| 103 | 0x1001070a | |
| 104 | 0x10010729 | |
| 105 | 0x10010735 | |
| 106 | 0x10010754 | |
| 107 | 0x10010760 | |
| 108 | 0x1001077f | |
| 109 | 0x1001078b | |
| 110 | 0x100107aa | |
| 111 | 0x100107b6 | |
| 112 | 0x100107c2 | |
| 113 | 0x100107e1 | |
| 114 | 0x10010800 | |
| 115 | 0x1001080c | |
| 116 | 0x1001082b | |
| 117 | 0x1001084a | |
| 118 | 0x10010869 | |
| 119 | 0x10010888 | |
| 120 | 0x100108a7 | |
| 121 | 0x100108b3 | |
| 122 | 0x100108d2 | |
| 123 | 0x100108f1 | |
| 124 | 0x100108fd | |
| 125 | 0x1001091c | |
| 126 | 0x1001093b | |
| 127 | 0x1001095a | |
| 128 | 0x10010966 | |
| 129 | 0x10010972 | |
| 130 | 0x10010991 | |
| 131 | 0x100109b0 | |
| 132 | 0x100109cf | |
| 133 | 0x100109ee | |
| 134 | 0x100109fa | |
| 135 | 0x10010a19 | |
| 136 | 0x10010a25 | |
| 137 | 0x10010a44 | |
| 138 | 0x10010a50 | |
| 139 | 0x10010a5c | |
| 140 | 0x10010a7b | |
| 141 | 0x10010a87 | |
| 142 | 0x10010aa6 | |
| 143 | 0x10010ac5 | |
| 144 | 0x10010ae4 | |
| 145 | 0x10010af0 | |
| 146 | 0x10010b0f | |
| 147 | 0x10010b2e | |
| 148 | 0x10010b3a | |
| 149 | 0x10010b59 | |
| 150 | 0x10010b78 | |
| 151 | 0x10010b84 | |
| 152 | 0x10010ba3 | |
| 153 | 0x10010bc2 | |
| 154 | 0x10010bce | |
| 155 | 0x10010bda | |
| 156 | 0x10010bf9 | |
| 157 | 0x10010c18 | |
| 158 | 0x10010c24 | |
| 159 | 0x10010c43 | |
| 160 | 0x10010c4f | |
| 161 | 0x10010c6e | |
| 162 | 0x10010c8d | |
| 163 | 0x10010cac | |
| 164 | 0x10010cb8 | |
| 165 | 0x10010cd7 | |
| 166 | 0x10010ce3 | |
| 167 | 0x10010d02 | |
| 168 | 0x10010d21 | |
| 169 | 0x10010d40 | |
| 170 | 0x10010d4c | |
| 171 | 0x10010d6b | |
| 172 | 0x10010d77 | |
| 173 | 0x10010d96 | |
| 174 | 0x10010db5 | |
| 175 | 0x10010dd4 | |
| 176 | 0x10010de0 | |
| 177 | 0x10010dec | |
| 178 | 0x10010df8 | |
| 179 | 0x10010e17 | |
| 180 | 0x10010e23 | |
| 181 | 0x10010e42 | |
| 182 | 0x10010e61 | |
| 183 | 0x10010e80 | |
| 184 | 0x10010e8c | |
| 185 | 0x10010e98 | |
| 186 | 0x10010ea4 | |
| 187 | 0x10010ec3 | |
| 188 | 0x10010ee2 | |
| 189 | 0x10010eee | |
| 190 | 0x10010efa | |
| 191 | 0x10010f19 |
.text
`.rdata
@.data
.vmp0
`.vmp1
`.reloc
@.rsrc
GetUserObjectInformationW
ExitProcess
OleInitialize
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 23.72.90.16 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 63246 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49160 | 23.72.90.16 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 63246 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 29.726 seconds )
- 14.436 Static
- 11.554 Suricata
- 1.857 NetworkAnalysis
- 1.448 TargetInfo
- 0.338 peid
- 0.047 BehaviorAnalysis
- 0.019 config_decoder
- 0.014 AnalysisInfo
- 0.011 Strings
- 0.002 Memory
Signatures ( 1.409 seconds )
- 1.317 md_url_bl
- 0.014 antiav_detectreg
- 0.009 md_domain_bl
- 0.006 antiav_detectfile
- 0.006 infostealer_ftp
- 0.005 anomaly_persistence_autorun
- 0.005 infostealer_bitcoin
- 0.004 geodo_banking_trojan
- 0.004 infostealer_im
- 0.004 ransomware_files
- 0.003 network_http
- 0.003 ransomware_extensions
- 0.002 tinba_behavior
- 0.002 stealth_decoy_document
- 0.002 rat_nanocore
- 0.002 api_spamming
- 0.002 stealth_timeout
- 0.002 antianalysis_detectreg
- 0.002 antivm_vbox_files
- 0.002 disables_browser_warn
- 0.002 infostealer_mail
- 0.001 injection_createremotethread
- 0.001 betabot_behavior
- 0.001 cerber_behavior
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 disables_system_restore
- 0.001 maldun_malicious_drop_executable_file_to_temp_folder
- 0.001 md_bad_drop
- 0.001 network_cnc_http
Reporting ( 0.555 seconds )
- 0.548 ReportHTMLSummary
- 0.007 Malheur
| Task ID | 692549 |
|---|---|
| Mongo ID | 6290b0b6dc327b07f30dcb89 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号