Analysis task

Analysis type: File (Windows)
VM label: win7-sp1-x64-shaapp03-1
Start time: 2022-05-27 22:40:19
End time: 2022-05-27 22:42:32
Duration: 133 seconds

Maldun score

10.0 (dangerous)

File details

File name: 3333.exe
File size: 5475134 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: fddde184ff5ecf9dd184ec3600c6ad8b
SHA1: b3e5218b6be2ac5317e655a118676a626a9ce881
SHA256: e0a54d150f3955d62cfdb6e5fafb3c5d673db898df5f31ad6b9e48b6911de06d
SHA512: f9083a7e1feac24e2c1b58bfd3f76662504bbb582a69e39bc5782e7729057cff63aa215a0698937bf8d9b316abab7d307fd72d9f6e9cde4418398ad3c1b16b43
CRC32: B59B2F04
ssdeep: 98304:ObJxxmmIjcbcT5Ec7O47yH8GoVRPzBn6mnZqlsneHeYnbW/5f3cL51g:ONPmmPcT5Ecq47tGMlxaVN624

Contacted hosts

IP address       Location
113.240.96.105   China

Domain resolution

officecdn.microsoft.com
  CNAME officecdn.microsoft.com.a.bdydns.com
  CNAME tlu.dl.delivery.mp.microsoft.com.w.alikunlun.com
  A 113.240.96.105
  A 116.211.183.217
  A 220.181.157.227
  A 116.211.183.214
  A 120.39.194.225
  A 116.211.183.216
  CNAME officecdn.trafficmanager.net
  A 220.181.157.229
  A 119.96.138.227
  A 220.181.157.228
  A 124.225.45.248
  A 119.96.138.226
  A 219.153.55.200
  A 220.181.157.226
  A 124.236.18.224
  CNAME opencdnmsdl1.jomodns.com
  A 116.211.183.215
  A 124.236.18.223

The only host actually contacted on port 443, 113.240.96.105, is the first A record in this chain; the CNAME hops through bdydns.com, alikunlun.com and jomodns.com are the in-country CDN mirrors that serve officecdn.microsoft.com, not domains registered by the sample.

Summary

Detailed behavior information is not included in this export (it requires a login on the sandbox site).

PE information

Image base: 0x00400000
Entry point: 0x0041ec40
Declared checksum: 0x00000000
Computed checksum: 0x00548569
Minimum OS version: 5.1
PDB path: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Compile time: 2020-12-02 02:00:55
Import hash: fcf1390e9ce472c7270447fc5c61a0c1
Icon exact hash: 8d9da329386d64d6b86a12bd2f986399
Icon similarity hash: 9043363bfee17e0d508057b9ae7189e9

The PDB path names WinRAR's 32-bit self-extractor module (sfxrar32), and the import table below (FindResourceW/LoadResource, the file, directory and console APIs, gdiplus for the dialog image) is what that stub uses. The executable code is therefore the generic SFX stub; what the sample actually does is determined by the archive appended to it (see the overlay below) and by the commands the stub runs after extraction. A declared checksum of 0 only means the linker left the field unset; Windows does not verify it when loading a user-mode executable, so the mismatch with the computed value is not by itself an indicator.

PE sections

Name    Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x000310ea 0x00031200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.71
.rdata 0x00033000 0x0000a612 0x0000a800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.22
.data 0x0003e000 0x00023728 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.71
.didat 0x00062000 0x00000188 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.30
.rsrc 0x00063000 0x0000e000 0x0000d600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.82
.reloc 0x00071000 0x00002268 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.55

Overlay

Offset: 0x0004ca00
Size: 0x004ec13e

Consistency check: 0x0004ca00 + 0x004ec13e = 0x00538b3e = 5475134 bytes, exactly the reported file size, and the six sections' raw sizes sum to 0x0004c600, leaving 0x400 for the headers before the overlay begins. About 94% of the file is data appended outside the PE image; for a WinRAR SFX stub that is the archive it extracts at run time, so carving the overlay from this offset and opening it as a RAR archive recovers the files the stub writes to disk.
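The two checks above (does the overlay account for the rest of the file, and does the computed checksum differ from the declared one) are easy to automate. The Python below is an added example written for this page, not code from the sandbox or from WinRAR: it parses the PE headers with the standard library only, takes the overlay to start where the last section's raw data ends, recomputes the PE checksum with the word-sum-plus-length algorithm that imagehlp's CheckSumMappedFile uses, and scans the overlay for a RAR4/RAR5 signature. Because the sample itself is not available here, build_sample_pe constructs a minimal PE32 with an unset checksum and a RAR5 signature appended; that file and all function names are assumptions of the example.

```python
import struct

# RAR5 and RAR4 archive signatures: what a WinRAR SFX stub expects to find
# appended to its own image.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00")


def u16(data: bytes, off: int) -> int:
    return struct.unpack_from("<H", data, off)[0]


def u32(data: bytes, off: int) -> int:
    return struct.unpack_from("<I", data, off)[0]


def pe_checksum(data: bytes, checksum_field_offset: int) -> int:
    """16-bit word sum with end-around carry, skipping the CheckSum field itself,
    plus the file length: the algorithm behind imagehlp's CheckSumMappedFile."""
    total = 0
    for off in range(0, len(data) - len(data) % 2, 2):
        if off in (checksum_field_offset, checksum_field_offset + 2):
            continue  # the field being computed counts as zero
        total += u16(data, off)
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) % 2:
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def analyze_pe(data: bytes) -> dict:
    """Checksum, overlay and RAR-signature checks over a PE file held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    n_sections = u16(data, coff + 2)
    opt_size = u16(data, coff + 16)
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    if u16(data, opt) not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    size_of_headers = u32(data, opt + 60)
    checksum_off = opt + 64                    # same offset in PE32 and PE32+
    sections = []                              # (name, PointerToRawData, SizeOfRawData)
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    # The overlay is everything past the last byte the section table accounts for.
    end_of_image = max([size_of_headers] + [ptr + size for _, ptr, size in sections])
    overlay_off = min(end_of_image, len(data))
    overlay = data[overlay_off:]
    rar_at = -1                                # -1: no RAR header in the overlay
    for sig in RAR_SIGNATURES:
        pos = overlay.find(sig)
        if pos != -1 and (rar_at == -1 or pos < rar_at):
            rar_at = pos
    declared = u32(data, checksum_off)
    computed = pe_checksum(data, checksum_off)
    return {
        "sections": sections,
        "checksum_field_offset": checksum_off,
        "declared_checksum": declared,
        "computed_checksum": computed,
        "checksum_matches": declared == computed,
        "overlay_offset": overlay_off,
        "overlay_size": len(overlay),
        "overlay_fraction": len(overlay) / len(data),
        "rar_signature_offset": rar_at,
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 for the demo (an assumption, not the analysed
    sample): one .text section, CheckSum left at 0 as in the report, and
    `overlay` appended after the last section."""
    size_of_headers = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<I", opt, 60, size_of_headers)     # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    text = b"\xC3".ljust(0x200, b"\0")                   # a lone `ret`
    return headers.ljust(size_of_headers, b"\0") + text + overlay


if __name__ == "__main__":
    # Constructed input: a RAR5 signature plus filler standing in for an archive.
    info = analyze_pe(build_sample_pe(b"Rar!\x1a\x07\x01\x00" + b"\0" * 100))
    for key in ("declared_checksum", "computed_checksum", "overlay_offset",
                "overlay_size", "rar_signature_offset"):
        print(f"{key}: {info[key]:#x}")
    print(f"overlay is {info['overlay_fraction']:.0%} of the file")
```

Run against a real file with analyze_pe(open(path, "rb").read()); when rar_signature_offset is not -1, the bytes from overlay_offset + rar_signature_offset onward can be written out and opened with any RAR tool. Because the checksum routine skips the field it fills, writing the computed value back into the header and recomputing yields the same number, which is the quick self-check for a checksum implementation.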

Resources

Name           Offset      Size        Language      Sublanguage                 Entropy  File type
PNG            0x0006418c  0x000015a9  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  7.80     PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced (2 entries reported at this offset)
RT_ICON        0x0006aea8  0x00003d71  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  7.95     PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced (7 entries reported at this offset)
RT_DIALOG      0x0006f324  0x000001e6  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  3.85     data (6 entries reported at this offset)
RT_STRING      0x0006fc3c  0x00000078  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  4.43     data (10 entries reported at this offset)
RT_GROUP_ICON  0x0006fcb4  0x00000068  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  2.72     MS Windows icon resource - 7 icons, 16x16
RT_MANIFEST    0x0006fd1c  0x00000753  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  5.25     XML 1.0 document, ASCII text, with CRLF line terminators

Imports

Library: KERNEL32.dll
0x433000 GetLastError
0x433004 SetLastError
0x433008 FormatMessageW
0x43300c GetCurrentProcess
0x433010 DeviceIoControl
0x433014 SetFileTime
0x433018 CloseHandle
0x43301c CreateDirectoryW
0x433020 RemoveDirectoryW
0x433024 CreateFileW
0x433028 DeleteFileW
0x43302c CreateHardLinkW
0x433030 GetShortPathNameW
0x433034 GetLongPathNameW
0x433038 MoveFileW
0x43303c GetFileType
0x433040 GetStdHandle
0x433044 WriteFile
0x433048 ReadFile
0x43304c FlushFileBuffers
0x433050 SetEndOfFile
0x433054 SetFilePointer
0x433058 SetFileAttributesW
0x43305c GetFileAttributesW
0x433060 FindClose
0x433064 FindFirstFileW
0x433068 FindNextFileW
0x43306c GetVersionExW
0x433074 GetFullPathNameW
0x433078 FoldStringW
0x43307c GetModuleFileNameW
0x433080 GetModuleHandleW
0x433084 FindResourceW
0x433088 FreeLibrary
0x43308c GetProcAddress
0x433090 GetCurrentProcessId
0x433094 ExitProcess
0x43309c Sleep
0x4330a0 LoadLibraryW
0x4330a4 GetSystemDirectoryW
0x4330a8 CompareStringW
0x4330ac AllocConsole
0x4330b0 FreeConsole
0x4330b4 AttachConsole
0x4330b8 WriteConsoleW
0x4330c0 CreateThread
0x4330c4 SetThreadPriority
0x4330d8 SetEvent
0x4330dc ResetEvent
0x4330e0 ReleaseSemaphore
0x4330e4 WaitForSingleObject
0x4330e8 CreateEventW
0x4330ec CreateSemaphoreW
0x4330f0 GetSystemTime
0x43310c GetCPInfo
0x433110 IsDBCSLeadByte
0x433114 MultiByteToWideChar
0x433118 WideCharToMultiByte
0x43311c GlobalAlloc
0x433120 LockResource
0x433124 GlobalLock
0x433128 GlobalUnlock
0x43312c GlobalFree
0x433130 LoadResource
0x433134 SizeofResource
0x43313c GetExitCodeProcess
0x433140 GetLocalTime
0x433144 GetTickCount
0x433148 MapViewOfFile
0x43314c UnmapViewOfFile
0x433150 CreateFileMappingW
0x433154 OpenFileMappingW
0x433158 GetCommandLineW
0x433164 GetTempPathW
0x433168 MoveFileExW
0x43316c GetLocaleInfoW
0x433170 GetTimeFormatW
0x433174 GetDateFormatW
0x433178 GetNumberFormatW
0x43317c SetFilePointerEx
0x433180 GetConsoleMode
0x433184 GetConsoleCP
0x433188 HeapSize
0x43318c SetStdHandle
0x433190 GetProcessHeap
0x433194 RaiseException
0x433198 GetSystemInfo
0x43319c VirtualProtect
0x4331a0 VirtualQuery
0x4331a4 LoadLibraryExA
0x4331ac IsDebuggerPresent
0x4331b8 GetStartupInfoW
0x4331c0 GetCurrentThreadId
0x4331c8 InitializeSListHead
0x4331cc TerminateProcess
0x4331d0 RtlUnwind
0x4331d4 EncodePointer
0x4331dc TlsAlloc
0x4331e0 TlsGetValue
0x4331e4 TlsSetValue
0x4331e8 TlsFree
0x4331ec LoadLibraryExW
0x4331f4 GetModuleHandleExW
0x4331f8 GetModuleFileNameA
0x4331fc GetACP
0x433200 HeapFree
0x433204 HeapAlloc
0x433208 HeapReAlloc
0x43320c GetStringTypeW
0x433210 LCMapStringW
0x433214 FindFirstFileExA
0x433218 FindNextFileA
0x43321c IsValidCodePage
0x433220 GetOEMCP
0x433224 GetCommandLineA
0x433230 DecodePointer
Library: gdiplus.dll
0x433238 GdiplusShutdown
0x43323c GdiplusStartup
0x43324c GdipDisposeImage
0x433250 GdipCloneImage
0x433254 GdipFree
0x433258 GdipAlloc

Strings

String extraction returned only the section names (.text, .rdata, .data, .didat, .rsrc, .reloc) and short runs of code bytes that happen to be printable, mostly push-immediate instructions (0x68, "h") followed by a 0x004xxxxx operand inside the image; no plaintext URLs, paths or commands were recovered from the stub.
No antivirus engine scan results.

Process tree

3333.exe (PID 2652, parent PID 2272)
  SpicControl.exe (PID 2824, parent PID 2652)
  WINWORD.EXE (PID 2912, parent PID 2652)
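The tree shows the launcher (3333.exe) starting two children: a second executable and Word. Opening a document for the user while another program starts in the background is the classic decoy-document pattern; a module named stealth_decoy_document appears in the Signatures timing list further down, but this page does not show whether it matched. The Python below is an added example of how to flag that pattern from process-creation telemetry; it is not the sandbox's rule. The event list is constructed: the PIDs and image names of 3333.exe, SpicControl.exe and WINWORD.EXE follow the tree above, while the file paths, timestamps, the explorer.exe parent and the benign rows are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
import ntpath

# Decoy candidates: document viewers a launcher opens to look legitimate.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Shells and service hosts legitimately start both Office and other programs.
LAUNCHER_ALLOWLIST = {"explorer.exe", "svchost.exe", "services.exe", "userinit.exe"}
WINDOW_SECONDS = 60

# Constructed process-creation events (Sysmon event 1 style), not report data.
# PIDs and image names of 3333.exe and its two children follow the process tree
# above; paths, timestamps, the explorer.exe parent and the benign rows are
# assumptions made for this example.
EVENTS = [
    {"ts": "2022-05-27 22:40:35", "pid": 2272, "ppid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"ts": "2022-05-27 22:40:40", "pid": 2652, "ppid": 2272, "image": r"C:\Users\user\Desktop\3333.exe"},
    {"ts": "2022-05-27 22:40:42", "pid": 2824, "ppid": 2652, "image": r"C:\Users\user\AppData\Local\Temp\SpicControl.exe"},
    {"ts": "2022-05-27 22:40:43", "pid": 2912, "ppid": 2652, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    # Benign: the user opens Word and Notepad from the shell.
    {"ts": "2022-05-27 22:41:00", "pid": 3100, "ppid": 2272, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"ts": "2022-05-27 22:41:05", "pid": 3120, "ppid": 2272, "image": r"C:\Windows\System32\notepad.exe"},
    # Benign: an installer that only opens its README in Word.
    {"ts": "2022-05-27 22:41:30", "pid": 3300, "ppid": 2272, "image": r"C:\Users\user\Downloads\setup.exe"},
    {"ts": "2022-05-27 22:41:31", "pid": 3310, "ppid": 3300, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
]


def image_name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_decoy_launchers(events, window_seconds=WINDOW_SECONDS):
    """Flag a non-shell parent that starts a document viewer (the decoy) and a
    different executable (the payload) within `window_seconds` of each other."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or image_name(parent["image"]) in LAUNCHER_ALLOWLIST:
            continue
        decoys = [k for k in kids if image_name(k["image"]) in OFFICE_APPS]
        payloads = [k for k in kids if image_name(k["image"]) not in OFFICE_APPS]
        for decoy in decoys:
            for payload in payloads:
                gap = abs((parse_ts(decoy["ts"]) - parse_ts(payload["ts"])).total_seconds())
                if gap <= window_seconds:
                    findings.append({
                        "parent_pid": ppid,
                        "parent": image_name(parent["image"]),
                        "decoy_pid": decoy["pid"],
                        "payload_pid": payload["pid"],
                        "payload": image_name(payload["image"]),
                    })
    return findings


if __name__ == "__main__":
    for f in find_decoy_launchers(EVENTS):
        print(f"{f['parent']} (PID {f['parent_pid']}) opened a decoy in PID "
              f"{f['decoy_pid']} while starting {f['payload']} (PID {f['payload_pid']})")
```

The allowlist is what keeps the rule quiet on a normal desktop: the shell starts Office and other programs all day, so the signal is specifically a user-launched, non-shell parent doing both at once. The time window is a tuning knob; the sandbox run above shows the two children started within seconds of each other.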

TCP

Source IP        Source port  Destination IP                             Destination port
192.168.122.201  50585        113.240.96.105 (officecdn.microsoft.com)   443
192.168.122.201  50587        113.240.96.105 (officecdn.microsoft.com)   443
192.168.122.201  50588        113.240.96.105 (officecdn.microsoft.com)   443
192.168.122.201  50584        192.168.122.1                              53
192.168.122.201  49160        23.223.198.226                             80

UDP

Source IP        Source port  Destination IP   Destination port
192.168.122.201  56270        192.168.122.1    53
192.168.122.201  59401        192.168.122.1    53

HTTP requests

URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

The host, path and "IPM" User-Agent are those of Adobe Reader's in-product messaging check-in. The report does not attribute the request to a process, so it should not be read as the sample's own command-and-control traffic without the behavior log.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

2022-05-27 22:41:11.526555+0800  192.168.122.201:50585 -> 113.240.96.105:443  TLS 1.2
Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01
Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=officecdn.microsoft.com
Fingerprint: 8d:2d:67:1e:a1:57:41:9b:de:1c:c3:0e:4d:b7:d0:a8:70:68:99:c2

The certificate subject matches the resolved hostname and the issuer is a Microsoft CA, which is consistent with the three port-443 connections going to the real Office CDN rather than to attacker infrastructure; what was fetched over them is not shown on this page.

Suricata HTTP

No Suricata HTTP

No files were extracted from network traffic.
No dropped files were recorded. The process tree above nevertheless shows SpicControl.exe started from the sample's PID, so check this against the full behavior log rather than taking it as proof that nothing was written to disk.
No similar analyses were found.

Processing ( 28.458 seconds; time spent in each processing module )

  • 10.903 Suricata
  • 7.609 NetworkAnalysis
  • 4.47 VirusTotal
  • 2.508 Static
  • 1.416 BehaviorAnalysis
  • 1.167 TargetInfo
  • 0.353 peid
  • 0.011 Strings
  • 0.01 AnalysisInfo
  • 0.009 config_decoder
  • 0.002 Memory

Signatures ( 2.162 seconds; run time of each signature module, not a list of matched signatures. Which signatures fired is not shown on this page, so entries such as ransomware_files or rat_nanocore below are modules that were evaluated, not detections. )

  • 1.35 md_url_bl
  • 0.118 antiav_detectreg
  • 0.079 api_spamming
  • 0.074 stealth_decoy_document
  • 0.064 stealth_timeout
  • 0.045 infostealer_ftp
  • 0.026 infostealer_im
  • 0.024 antianalysis_detectreg
  • 0.02 mimics_filetime
  • 0.02 reads_self
  • 0.018 antivm_generic_disk
  • 0.016 bootkit
  • 0.016 stealth_file
  • 0.016 virus
  • 0.016 infostealer_mail
  • 0.015 antiav_detectfile
  • 0.014 antivm_generic_scsi
  • 0.014 shifu_behavior
  • 0.013 hancitor_behavior
  • 0.011 md_domain_bl
  • 0.01 antivm_generic_services
  • 0.01 infostealer_bitcoin
  • 0.009 anormaly_invoke_kills
  • 0.008 geodo_banking_trojan
  • 0.007 kibex_behavior
  • 0.007 infostealer_browser_password
  • 0.007 kovter_behavior
  • 0.006 antiemu_wine_func
  • 0.006 betabot_behavior
  • 0.006 anomaly_persistence_autorun
  • 0.006 antivm_vbox_files
  • 0.006 antivm_xen_keys
  • 0.006 darkcomet_regkeys
  • 0.005 antivm_parallels_keys
  • 0.004 maldun_anomaly_massive_file_ops
  • 0.004 injection_createremotethread
  • 0.004 antivm_generic_diskreg
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.004 recon_fingerprint
  • 0.003 injection_runpe
  • 0.003 antisandbox_productid
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 network_tor
  • 0.002 antivm_vbox_libs
  • 0.002 infostealer_browser
  • 0.002 bypass_firewall
  • 0.002 antidbg_devices
  • 0.002 antivm_xen_keys
  • 0.002 antivm_hyperv_keys
  • 0.002 antivm_vbox_acpi
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_vpc_keys
  • 0.002 disables_browser_warn
  • 0.002 maldun_anomaly_invoke_vb_vba
  • 0.002 network_torgateway
  • 0.002 packer_armadillo_regkey
  • 0.001 hawkeye_behavior
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 injection_explorer
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 ipc_namedpipe
  • 0.001 antiav_bitdefender_libs
  • 0.001 exec_crash
  • 0.001 cerber_behavior
  • 0.001 h1n1_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_vmware_files
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 codelux_behavior
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 rat_pcclient
  • 0.001 recon_programs
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.532 seconds )

  • 0.51 ReportHTMLSummary
  • 0.022 Malheur
Task ID 692587
Mongo ID 6290e38d7e769a0b42021f09
Cuckoo release 1.4-Maldun