恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp02-1	2022-05-28 00:57:39	2022-05-28 00:59:01	82 秒

魔盾分数

10.0

危险的

文件详细信息

文件名	Ransom.FrozrLock.exe
文件大小	790016 字节
文件类型	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	1d2679334ade760f4a102250f6567542
SHA1	d00e7bd09fd09f80dc85ee2614446b55228d76d4
SHA256	89284ff8858d739741dfc8007f02548489786ed3d1dace339ad7157b6921a0f5
SHA512	d5598eebadd35ad64b49a769f71490b49457b4bb6478853d0ecc68409d7a35a87a0f0dcc20db2b32c07133838abbef25505daed514d434ce374fde9603c0ced1
CRC32	3012DEE1
Ssdeep	24576:s2+x3v8wxTll5U/2oWtJ8c2PSaQxRkiNhEZZe:+18wxhbJimxR3EZZ
Yara	登录查看Yara规则
	找不到该样本提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	104.18.115.97	美国

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
icanhazip.com	A 104.18.114.97 A 104.18.115.97
iwantmyfiles.asia	NXDOMAIN

摘要

登录查看详细行为信息

PE 信息

初始地址	0x00400000
入口地址	0x004c800a
声明校验值	0x00000000
实际校验值	0x000c4c76
最低操作系统版本要求	4.0
编译时间	2017-07-20 16:24:10
载入哈希	f34d5f2d4577ed6d9ceec516c1f5a744

版本信息

Translation
LegalCopyright
Assembly Version
InternalName
FileVersion
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
\x05W\h0f\|	0x00002000	0x000ad7a0	0x000ad800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	8.00
.text	0x000b0000	0x00012598	0x00012600	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.72
.rsrc	0x000c4000	0x00000710	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.81
.reloc	0x000c6000	0x0000000c	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	0.09
	0x000c8000	0x00000010	0x00000200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	0.14

导入

库: mscoree.dll:

• 0x4c8000 _CorExeMain

W\h0f|
.text
`.rsrc
@.reloc
>#v/Uj
g|x,@
>XZP\^
]!Tl&=6:
`)1H)

没有防病毒引擎扫描信息!

进程树

Ransom.FrozrLock.exe id: 2320
- cmd.exe id: 2656
  - UpdateServices.exe id: 2780
    - cmd.exe id: 2840
      - choice.exe id: 2916
- cmd.exe id: 2700
  - choice.exe id: 2848

Ransom.FrozrLock.exe, PID: 2320, 上一级进程 PID: 2180

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

cmd.exe, PID: 2656, 上一级进程 PID: 2320

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

cmd.exe, PID: 2700, 上一级进程 PID: 2320

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

UpdateServices.exe, PID: 2780, 上一级进程 PID: 2656

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

choice.exe, PID: 2848, 上一级进程 PID: 2700

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

cmd.exe, PID: 2840, 上一级进程 PID: 2780

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

choice.exe, PID: 2916, 上一级进程 PID: 2840

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

直接	IP	安全评级	地理位置
否	104.18.115.97	美国

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49167	104.18.115.97 icanhazip.com	80
192.168.122.201	49160	23.213.230.137	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53118	192.168.122.1	53
192.168.122.201	57526	192.168.122.1	53
192.168.122.201	63246	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

域名	安全评级	响应
icanhazip.com	A 104.18.114.97 A 104.18.115.97
iwantmyfiles.asia	NXDOMAIN

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49167	104.18.115.97 icanhazip.com	80
192.168.122.201	49160	23.213.230.137	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	53118	192.168.122.1	53
192.168.122.201	57526	192.168.122.1	53
192.168.122.201	63246	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
URL专业沙箱检测 -> http://icanhazip.com/	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
URL专业沙箱检测 -> http://icanhazip.com/	GET / HTTP/1.1 Host: icanhazip.com

URI

HTTP数据

URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

URL专业沙箱检测 -> http://icanhazip.com/

GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive

URL专业沙箱检测 -> http://icanhazip.com/

GET / HTTP/1.1
Host: icanhazip.com

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

Timestamp	Source IP	Source Port	Destination IP	Destination Port	Protocol	SID	Signature	Category
2022-05-28 00:58:35.844874+0800	192.168.122.201	49167	104.18.115.97	80	TCP	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
2022-05-28 00:58:36.114848+0800	192.168.122.201	49167	104.18.115.97	80	TCP	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
2022-05-28 00:58:36.293445+0800	192.168.122.201	49167	104.18.115.97	80	TCP	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
2022-05-28 00:58:37.063887+0800	192.168.122.201	49167	104.18.115.97	80	TCP	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
2022-05-28 00:58:37.232439+0800	192.168.122.201	49167	104.18.115.97	80	TCP	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
2022-05-28 00:58:37.400875+0800	192.168.122.201	49167	104.18.115.97	80	TCP	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
2022-05-28 00:58:37.779152+0800	192.168.122.201	49167	104.18.115.97	80	TCP	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 25.631 seconds )

11.228 Suricata
4.711 NetworkAnalysis
3.789 VirusTotal
2.774 Static
1.527 BehaviorAnalysis
0.892 static_dotnet
0.375 TargetInfo
0.311 peid
0.011 Strings
0.01 AnalysisInfo
0.002 Memory
0.001 config_decoder

Signatures ( 19.639 seconds )

17.657 network_http
1.416 md_url_bl
0.077 api_spamming
0.059 stealth_decoy_document
0.05 antiav_detectreg
0.022 infostealer_ftp
0.017 stealth_timeout
0.016 mimics_filetime
0.015 reads_self
0.014 antivm_generic_disk
0.014 virus
0.014 antiav_detectfile
0.014 infostealer_im
0.013 stealth_file
0.012 bootkit
0.012 injection_createremotethread
0.011 antivm_generic_scsi
0.011 md_domain_bl
0.01 hancitor_behavior
0.01 antianalysis_detectreg
0.01 infostealer_bitcoin
0.009 antiemu_wine_func
0.009 infostealer_browser_password
0.009 kovter_behavior
0.008 antivm_generic_services
0.008 injection_runpe
0.008 infostealer_mail
0.007 maldun_anomaly_massive_file_ops
0.006 anomaly_persistence_autorun
0.006 anormaly_invoke_kills
0.006 antivm_vbox_files
0.005 geodo_banking_trojan
0.005 ransomware_extensions
0.004 ransomware_files
0.003 antivm_vbox_libs
0.003 antiav_avast_libs
0.003 betabot_behavior
0.003 antisandbox_sunbelt_libs
0.003 kibex_behavior
0.003 shifu_behavior
0.003 antivm_parallels_keys
0.003 network_torgateway
0.002 tinba_behavior
0.002 hawkeye_behavior
0.002 rat_nanocore
0.002 antiav_bitdefender_libs
0.002 dyre_behavior
0.002 exec_crash
0.002 antidbg_devices
0.002 antivm_xen_keys
0.002 disables_browser_warn
0.002 darkcomet_regkeys
0.002 rat_pcclient
0.001 network_tor
0.001 infostealer_browser
0.001 maldun_malicious_write_executeable_under_temp_to_regrun
0.001 rat_luminosity
0.001 antivm_vmware_libs
0.001 maldun_anomaly_write_exe_and_obsfucate_extension
0.001 Locky_behavior
0.001 kazybot_behavior
0.001 maldun_anomaly_write_exe_and_dll_under_winroot_run
0.001 encrypted_ioc
0.001 cerber_behavior
0.001 bypass_firewall
0.001 antianalysis_detectfile
0.001 antisandbox_productid
0.001 antivm_generic_diskreg
0.001 antivm_hyperv_keys
0.001 antivm_vmware_files
0.001 bot_drive
0.001 bot_drive2
0.001 browser_addon
0.001 browser_security
0.001 modify_proxy
0.001 codelux_behavior
0.001 maldun_malicious_drop_executable_file_to_temp_folder
0.001 maldun_anomaly_invoke_vb_vba
0.001 md_bad_drop
0.001 network_cnc_http
0.001 recon_fingerprint
0.001 stealth_modify_uac_prompt

Reporting ( 0.563 seconds )

0.563 ReportHTMLSummary


Task ID	692596
Mongo ID	62910393dc327b07f30dd316
Cuckoo release	1.4-Maldun