Analysis task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-shaapp03-1 2022-07-04 11:08:37 2022-07-04 11:09:15 38 seconds

Maldun score

4.375

Suspicious

File details

File name shellext.dll
File size 514560 bytes
File type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 cebbf354e76812d9406e8ec805c1c5d7
SHA1 21ae7e47ce9b3709b831737ea6513bde8322cc27
SHA256 d41887d82d0731468fec718bf0f15bf78925f72b62f6f5da974fcc246425b69f
SHA512 0d7d15912ac84b36ae8ca2f56435efaa7970657168e05ec672d5874dcae811664fd0d614bca64479814bb11f953688c3e1856bb94e8414952079bf338e8af65c
CRC32 758F9FD9
Ssdeep 6144:QLeDN96MCBE/8yi06OmDmrDwBZS5CPfsmuGJQhSOM5zvYVYOpoGaA8:QLeDPJCBSSm2ZS5CH1uGoS3MVaA8
Host access records

No host records.

Domain resolution

No domain information.


Summary

PE information

Image base 0x180000000
Entry point 0x1800461dc
Declared checksum 0x0008dd29
Actual checksum 0x00086854
Minimum OS version required 5.2
PDB path C:\var\JFR\workspace\last-successful\PL\Cmake\targets\Windows_x64\libs\Release\shellext.pdb
Compile time 2021-05-28 18:52:23
Import hash e414a80e78593af7ff0e9e0cd8cdd00c
Exported DLL name shellext.dll

Version information

InternalName
OriginalFilename
FileDescription
Translation

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0004d109 0x0004d200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.05
.rdata 0x0004f000 0x00021e2a 0x00022000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.03
.data 0x00071000 0x00002a28 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.43
.pdata 0x00074000 0x0000786c 0x00007a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.71
.rsrc 0x0007c000 0x00003c30 0x00003e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.56
.reloc 0x00080000 0x00000c3a 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.81

Resources

Name Offset Size Language Sublanguage Entropy File type
REGISTRY 0x0007dfe0 0x00000549 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.31 ASCII text, with CRLF line terminators
TYPELIB 0x0007e52c 0x00001224 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.05 data
RT_DIALOG 0x0007f750 0x00000078 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.14 data
RT_STRING 0x0007f7f8 0x0000003c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 1.72 data
RT_VERSION 0x0007f834 0x000001a4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.14 data
RT_MANIFEST 0x0007f9d8 0x00000258 LANG_ENGLISH SUBLANG_ENGLISH_US 5.02 ASCII text, with CRLF line terminators

Imports

Library: PSAPI.DLL:
0x18004f700 GetProcessImageFileNameW
Library: imagehlp.dll:
0x18004f8f0 UnMapAndLoad
0x18004f900 MapAndLoad
0x18004f908 ImageRvaToVa
Library: KERNEL32.dll:
0x18004f118 FindResourceExW
0x18004f120 lstrcpynA
0x18004f128 lstrcpynW
0x18004f130 GetVersionExW
0x18004f138 GetFileAttributesW
0x18004f140 GlobalUnlock
0x18004f148 GlobalLock
0x18004f150 GetLongPathNameW
0x18004f158 GetPrivateProfileIntW
0x18004f160 GetPrivateProfileStringW
0x18004f168 SetLastError
0x18004f170 DeleteFileW
0x18004f178 CreateMutexW
0x18004f180 FindClose
0x18004f188 FindNextFileW
0x18004f190 FindFirstFileW
0x18004f198 GetDriveTypeW
0x18004f1a0 GetLogicalDriveStringsW
0x18004f1a8 CloseHandle
0x18004f1b0 GetFileAttributesExW
0x18004f1b8 CreateFileW
0x18004f1c0 WriteFile
0x18004f1c8 SetFilePointer
0x18004f1d0 ReadFile
0x18004f1d8 DuplicateHandle
0x18004f1e0 GetCurrentProcess
0x18004f1e8 OpenProcess
0x18004f1f0 GetCurrentProcessId
0x18004f1f8 LockResource
0x18004f200 lstrcmpiW
0x18004f208 SwitchToThread
0x18004f210 GetNativeSystemInfo
0x18004f218 DeleteCriticalSection
0x18004f220 Process32NextW
0x18004f228 ProcessIdToSessionId
0x18004f230 Process32FirstW
0x18004f238 CreateToolhelp32Snapshot
0x18004f240 Module32NextW
0x18004f248 Module32FirstW
0x18004f250 GetProcessId
0x18004f258 CompareFileTime
0x18004f260 GetProcessTimes
0x18004f268 lstrlenA
0x18004f270 GlobalFree
0x18004f278 GlobalAlloc
0x18004f288 WaitNamedPipeW
0x18004f290 GetFileSizeEx
0x18004f298 DisconnectNamedPipe
0x18004f2a0 ConnectNamedPipe
0x18004f2a8 FlushFileBuffers
0x18004f2b0 CreateNamedPipeW
0x18004f2b8 ReadProcessMemory
0x18004f2c0 HeapReAlloc
0x18004f2c8 HeapFree
0x18004f2d0 HeapAlloc
0x18004f2d8 HeapDestroy
0x18004f2e0 TerminateThread
0x18004f2e8 WideCharToMultiByte
0x18004f2f8 GetThreadLocale
0x18004f300 SetThreadLocale
0x18004f308 GetModuleHandleW
0x18004f310 GetProcAddress
0x18004f318 GetLastError
0x18004f320 LeaveCriticalSection
0x18004f328 EnterCriticalSection
0x18004f330 RaiseException
0x18004f338 lstrlenW
0x18004f340 LoadLibraryExW
0x18004f348 FindResourceW
0x18004f350 LoadResource
0x18004f358 SizeofResource
0x18004f360 MultiByteToWideChar
0x18004f368 FreeLibrary
0x18004f370 QueryDosDeviceW
0x18004f378 GetModuleFileNameW
0x18004f380 HeapSize
0x18004f388 GetProcessHeap
0x18004f390 Sleep
0x18004f398 TerminateProcess
0x18004f3a0 UnhandledExceptionFilter
0x18004f3b0 IsDebuggerPresent
0x18004f3b8 RtlVirtualUnwind
0x18004f3c0 GetSystemTimeAsFileTime
0x18004f3c8 RtlLookupFunctionEntry
0x18004f3d0 RtlCaptureContext
0x18004f3d8 QueryPerformanceCounter
0x18004f3e0 GetTickCount
0x18004f3e8 GetCurrentThreadId
0x18004f3f0 WaitForSingleObject
Library: USER32.dll:
0x18004f798 SetClipboardData
0x18004f7a0 PostMessageW
0x18004f7a8 EmptyClipboard
0x18004f7b0 OpenClipboard
0x18004f7b8 FindWindowExW
0x18004f7c0 CloseClipboard
0x18004f7c8 GetSystemMetrics
0x18004f7d0 InsertMenuItemW
0x18004f7d8 MessageBoxExW
0x18004f7e0 SendMessageW
0x18004f7e8 FindWindowW
0x18004f7f0 CreatePopupMenu
0x18004f7f8 CharNextW
0x18004f800 RegisterClipboardFormatW
0x18004f808 SetWindowLongPtrW
Library: GDI32.dll:
0x18004f0c8 GetObjectW
0x18004f0d0 DeleteDC
0x18004f0d8 CreateCompatibleDC
0x18004f0e0 DeleteObject
0x18004f0e8 SelectObject
0x18004f0f0 SetDIBColorTable
0x18004f0f8 CreateDIBSection
Library: SHELL32.dll:
0x18004f710 SHGetPathFromIDListW
0x18004f718 None
0x18004f720 None
0x18004f728 ShellExecuteExW
0x18004f730 SHBrowseForFolderW
0x18004f738 SHGetPathFromIDListEx
0x18004f740 SHGetFolderPathW
0x18004f748 SHParseDisplayName
0x18004f750 None
0x18004f758 None
0x18004f760 None
0x18004f768 DragQueryFileW
Library: ole32.dll:
0x18004f918 CoCreateInstance
0x18004f920 CoInitialize
0x18004f928 CoUninitialize
0x18004f930 ReleaseStgMedium
0x18004f938 CoTaskMemAlloc
0x18004f940 CoTaskMemRealloc
0x18004f948 StringFromGUID2
0x18004f950 CoTaskMemFree
Library: OLEAUT32.dll:
0x18004f6b8 LoadRegTypeLib
0x18004f6c0 VarUI4FromStr
0x18004f6c8 RegisterTypeLib
0x18004f6d0 UnRegisterTypeLib
0x18004f6d8 LoadTypeLib
0x18004f6e0 SysAllocString
0x18004f6e8 SysFreeString
0x18004f6f0 SysStringLen
Library: ADVAPI32.dll:
0x18004f000 RegQueryInfoKeyW
0x18004f008 RegDeleteValueW
0x18004f010 RegCloseKey
0x18004f018 RegCreateKeyExW
0x18004f020 RegOpenKeyExW
0x18004f028 RegSetValueExW
0x18004f030 RegEnumKeyExW
0x18004f038 RegQueryValueExW
0x18004f040 AdjustTokenPrivileges
0x18004f048 LookupPrivilegeValueW
0x18004f050 OpenProcessToken
0x18004f058 GetTokenInformation
0x18004f060 CloseServiceHandle
0x18004f068 QueryServiceStatusEx
0x18004f070 OpenServiceW
0x18004f078 OpenSCManagerW
0x18004f080 ReportEventW
0x18004f088 RegisterEventSourceW
0x18004f0a0 RegDeleteKeyW
Library: MSVCP90.dll:
Library: SHLWAPI.dll:
0x18004f778 SHDeleteKeyW
0x18004f780 PathFileExistsW
0x18004f788 SHCopyKeyW
Library: MSVCR90.dll:
0x18004f4c0 _encode_pointer
0x18004f4c8 __dllonexit
0x18004f4d0 _unlock
0x18004f4d8 ?terminate@@YAXXZ
0x18004f4e0 realloc
0x18004f4e8 _vscwprintf
0x18004f4f0 _vsnwprintf_s
0x18004f4f8 _lock
0x18004f500 _wctime64
0x18004f508 memcpy
0x18004f510 sprintf
0x18004f518 isdigit
0x18004f520 tolower
0x18004f528 strstr
0x18004f530 _onexit
0x18004f538 _decode_pointer
0x18004f540 _malloc_crt
0x18004f548 _initterm
0x18004f550 _initterm_e
0x18004f558 _encoded_null
0x18004f560 _amsg_exit
0x18004f568 wcschr
0x18004f580 memmove_s
0x18004f590 ??2@YAPEAX_K@Z
0x18004f598 _purecall
0x18004f5a0 memcmp
0x18004f5a8 calloc
0x18004f5b0 _resetstkoflw
0x18004f5b8 __CppXcptFilter
0x18004f5c8 __crt_debugger_hook
0x18004f5d8 _swprintf
0x18004f5e0 _time64
0x18004f5e8 _snwprintf_s
0x18004f5f0 _beginthreadex
0x18004f5f8 _wtoi64
0x18004f600 _i64tow
0x18004f608 ??3@YAXPEAX@Z
0x18004f610 wcsstr
0x18004f618 malloc
0x18004f620 free
0x18004f628 memcpy_s
0x18004f630 _CxxThrowException
0x18004f638 wcscpy_s
0x18004f640 wcsncpy_s
0x18004f648 wcscat_s
0x18004f650 ??_V@YAXPEAX@Z
0x18004f658 __CxxFrameHandler3
0x18004f660 _recalloc
0x18004f668 memset
0x18004f670 _wcsnicmp
0x18004f678 wcsrchr
0x18004f680 __C_specific_handler
0x18004f688 _wcsicmp
0x18004f6a8 wcsncmp
Library: gdiplus.dll:
0x18004f850 GdipCreateBitmapFromFile
0x18004f868 GdipBitmapLockBits
0x18004f870 GdipBitmapUnlockBits
0x18004f878 GdiplusStartup
0x18004f880 GdipGetImagePalette
0x18004f890 GdipDrawImageI
0x18004f898 GdipCloneImage
0x18004f8a0 GdipAlloc
0x18004f8a8 GdipFree
0x18004f8b0 GdipGetImagePaletteSize
0x18004f8b8 GdipGetImagePixelFormat
0x18004f8c0 GdipGetImageHeight
0x18004f8c8 GdipGetImageWidth
0x18004f8d0 GdipDisposeImage
0x18004f8d8 GdiplusShutdown
0x18004f8e0 GdipDeleteGraphics
Library: COMCTL32.dll:
0x18004f0b0 DestroyPropertySheetPage
0x18004f0b8 CreatePropertySheetPageW
Library: IPHLPAPI.DLL:
0x18004f108 GetAdaptersInfo

Exports

Ordinal Address Name
1 0x180002cf0 DllCanUnloadNow
2 0x1800056a0 DllGetClassObject
3 0x180006000 DllInstall
4 0x180005fc0 DllRegisterServer
5 0x180005fe0 DllUnregisterServer
No antivirus engine scan information.

Process tree

regsvr32.exe, PID: 2544, parent PID: 2244

TCP

Source address Source port Destination address Destination port
192.168.122.201 49160 208.185.115.99 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP requests

URI HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 16.389 seconds )

  • 11.208 Suricata
  • 1.851 AnalysisInfo
  • 0.943 NetworkAnalysis
  • 0.883 VirusTotal
  • 0.735 Static
  • 0.352 TargetInfo
  • 0.31 peid
  • 0.093 BehaviorAnalysis
  • 0.011 Strings
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 1.43 seconds )

  • 1.322 md_url_bl
  • 0.018 antiav_detectreg
  • 0.009 md_domain_bl
  • 0.008 infostealer_ftp
  • 0.006 antiav_detectfile
  • 0.005 anomaly_persistence_autorun
  • 0.005 infostealer_im
  • 0.004 api_spamming
  • 0.004 antianalysis_detectreg
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 stealth_decoy_document
  • 0.003 stealth_timeout
  • 0.003 infostealer_mail
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.001 rat_nanocore
  • 0.001 mimics_filetime
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 antidbg_windows
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.459 seconds )

  • 0.458 ReportHTMLSummary
  • 0.001 Malheur
Task ID 697830
Mongo ID 62c259f47e769a4b382056b6
Cuckoo release 1.4-Maldun