分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64-shaapp02-1 | 2024-04-22 19:59:49 | 2024-04-22 20:00:46 | 57 秒 |
魔盾分数
1.4
正常的
文件详细信息
| 文件名 | 附件.exe |
|---|---|
| 文件大小 | 8667536 字节 |
| 文件类型 | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5 | 997529fc403a23644c79b12935d2cc96 |
| SHA1 | 90dcf069bdca0c81042c057a855be71c99feed40 |
| SHA256 | a5e88c0e5cad02222695d024957e525459cb7f575c21e41c29deff7889312f14 |
| SHA512 | 27832fdfb35cb2149c9b31a66ec56b30a495003fe8cd7b04ee51890cb3e5ab5def74b1b264407cc11de6ca3a0a83cdbfd1691dd5f5771d90ad855ec749c8fe86 |
| CRC32 | 0F4850B3 |
| Ssdeep | 24576:JWuyFUXsn15uysu4uJPp5ylu2LXK6DVpjMEtiijfc+Wc9/6MlhED5izzpg6ySY8f:ouyFUXsn15uysu/Pp5ysBxIZ |
| Yara | 登录查看Yara规则 |
| 找不到该样本 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x140000000 |
|---|---|
| 入口地址 | 0x1400013d0 |
| 声明校验值 | 0x009dab46 |
| 实际校验值 | 0x00851bbe |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2024-04-15 12:15:25 |
| 载入哈希 | 8f6ad62a33a89fad40981d224725251e |
版本信息
| LegalCopyright | |
|---|---|
| FileVersion | |
| CompanyName | |
| ProductName | |
| ProductVersion | |
| FileDescription | |
| OriginalFilename | |
| Translation |
微软证书验证 (Sign Tool)
| SHA1 | 时间戳 | 有效性 | 错误 |
|---|---|---|---|
| 1e162b914fe939316bff7b558693ebe5b6354c56 | Tue Apr 02 01:40:41 2024 | WinVerifyTrust returned error 0x80096010 |
| 证书链 | Certificate Chain 1 |
| 发行给 | DigiCert Assured ID Root CA |
| 发行人 | DigiCert Assured ID Root CA |
| 有效期 | Mon Nov 10 080000 2031 |
| SHA1 哈希 | 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43 |
| 证书链 | Certificate Chain 2 |
| 发行给 | DigiCert Trusted Root G4 |
| 发行人 | DigiCert Assured ID Root CA |
| 有效期 | Mon Nov 10 075959 2031 |
| SHA1 哈希 | a99d5b79e9f1cda59cdab6373169d5353f5874c6 |
| 证书链 | Certificate Chain 3 |
| 发行给 | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 |
| 发行人 | DigiCert Trusted Root G4 |
| 有效期 | Tue Apr 29 075959 2036 |
| SHA1 哈希 | 7b0f360b775f76c94a12ca48445aa2d2a875701c |
| 证书链 | Certificate Chain 4 |
| 发行给 | Zhuhai Kingsoft Office Software Co., Ltd. |
| 发行人 | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 |
| 有效期 | Thu Oct 17 075959 2024 |
| SHA1 哈希 | f4cb57db2be6530631b1346e181ce63b926a3553 |
| 证书链 | Timestamp Chain 1 |
| 发行给 | DigiCert Assured ID Root CA |
| 发行人 | DigiCert Assured ID Root CA |
| 有效期 | Mon Nov 10 080000 2031 |
| SHA1 哈希 | 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43 |
| 证书链 | Timestamp Chain 2 |
| 发行给 | DigiCert Trusted Root G4 |
| 发行人 | DigiCert Assured ID Root CA |
| 有效期 | Mon Nov 10 075959 2031 |
| SHA1 哈希 | a99d5b79e9f1cda59cdab6373169d5353f5874c6 |
| 证书链 | Timestamp Chain 3 |
| 发行给 | DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA |
| 发行人 | DigiCert Trusted Root G4 |
| 有效期 | Mon Mar 23 075959 2037 |
| SHA1 哈希 | b6c8af834d4e53b673c76872aa8c950c7c54df5f |
| 证书链 | Timestamp Chain 4 |
| 发行给 | DigiCert Timestamp 2023 |
| 发行人 | DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA |
| 有效期 | Sat Oct 14 075959 2034 |
| SHA1 哈希 | 66f02b32c2c2c90f825dceaa8ac9c64f199ccf40 |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000c4008 | 0x000c4200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.16 |
| .data | 0x000c6000 | 0x000032a0 | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.51 |
| .rdata | 0x000ca000 | 0x00744ca0 | 0x00744e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.74 |
| .pdata | 0x0080f000 | 0x0000bc04 | 0x0000be00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.98 |
| .xdata | 0x0081b000 | 0x0001081c | 0x00010a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.90 |
| .bss | 0x0082c000 | 0x00000cb0 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .idata | 0x0082d000 | 0x00001f9c | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.65 |
| .CRT | 0x0082f000 | 0x00000060 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.27 |
| .tls | 0x00830000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .rsrc | 0x00831000 | 0x000052d4 | 0x00005400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.84 |
| .reloc | 0x00837000 | 0x00001664 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.34 |
| /4 | 0x00839000 | 0x00000140 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 1.13 |
| /19 | 0x0083a000 | 0x000076b5 | 0x00007800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.86 |
| /31 | 0x00842000 | 0x00001222 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.69 |
| /45 | 0x00844000 | 0x0000136e | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.85 |
| /57 | 0x00846000 | 0x000008f0 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 3.81 |
| /70 | 0x00847000 | 0x000001ef | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.10 |
| /81 | 0x00848000 | 0x00000c6c | 0x00000e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.81 |
| /97 | 0x00849000 | 0x00000f0d | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.77 |
| /113 | 0x0084a000 | 0x00000114 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 2.98 |
导入
库: GDI32.dll:
• 0x14082d7d8 AddFontResourceExA
• 0x14082d7e0 BitBlt
• 0x14082d7e8 CombineRgn
• 0x14082d7f0 CreateBitmap
• 0x14082d7f8 CreateCompatibleDC
• 0x14082d800 CreateDIBSection
• 0x14082d808 CreateFontIndirectA
• 0x14082d810 CreateRectRgn
• 0x14082d818 CreateRectRgnIndirect
• 0x14082d820 DeleteDC
• 0x14082d828 DeleteObject
• 0x14082d830 EnumFontFamiliesExA
• 0x14082d838 ExcludeClipRect
• 0x14082d840 GetDeviceCaps
• 0x14082d848 GetGlyphIndicesA
• 0x14082d850 GetGlyphOutlineA
• 0x14082d858 GetKerningPairsA
• 0x14082d860 GetObjectA
• 0x14082d868 GetOutlineTextMetricsA
• 0x14082d870 GetRegionData
• 0x14082d878 GetTextMetricsA
• 0x14082d880 RemoveFontResourceExA
• 0x14082d888 RestoreDC
• 0x14082d890 SaveDC
• 0x14082d898 SelectObject
• 0x14082d8a0 SetBrushOrgEx
• 0x14082d8a8 SetMapMode
• 0x14082d8b0 SetMapperFlags
• 0x14082d8b8 SetStretchBltMode
• 0x14082d8c0 StretchBlt
• 0x14082d8c8 StretchDIBits
库: KERNEL32.dll:
• 0x14082d8d8 CloseHandle
• 0x14082d8e0 CreateProcessW
• 0x14082d8e8 CreateThread
• 0x14082d8f0 DeleteCriticalSection
• 0x14082d8f8 DuplicateHandle
• 0x14082d900 EnterCriticalSection
• 0x14082d908 EnumSystemFirmwareTables
• 0x14082d910 ExitThread
• 0x14082d918 FormatMessageA
• 0x14082d920 GetCurrentProcess
• 0x14082d928 GetCurrentThread
• 0x14082d930 GetCurrentThreadId
• 0x14082d938 GetExitCodeThread
• 0x14082d940 GetLastError
• 0x14082d948 GetModuleHandleA
• 0x14082d950 GetProcAddress
• 0x14082d958 GetSystemInfo
• 0x14082d960 GetSystemTimeAsFileTime
• 0x14082d968 GetTempPathW
• 0x14082d970 GetThreadId
• 0x14082d978 GetTimeZoneInformation
• 0x14082d980 InitializeConditionVariable
• 0x14082d988 InitializeCriticalSection
• 0x14082d990 LeaveCriticalSection
• 0x14082d998 LocalFree
• 0x14082d9a0 MultiByteToWideChar
• 0x14082d9a8 RaiseException
• 0x14082d9b0 ResumeThread
• 0x14082d9b8 RtlCaptureContext
• 0x14082d9c0 RtlLookupFunctionEntry
• 0x14082d9c8 RtlUnwindEx
• 0x14082d9d0 RtlVirtualUnwind
• 0x14082d9d8 SetLastError
• 0x14082d9e0 SetUnhandledExceptionFilter
• 0x14082d9e8 Sleep
• 0x14082d9f0 SleepConditionVariableCS
• 0x14082d9f8 TlsAlloc
• 0x14082da00 TlsFree
• 0x14082da08 TlsGetValue
• 0x14082da10 TlsSetValue
• 0x14082da18 TryEnterCriticalSection
• 0x14082da20 VirtualProtect
• 0x14082da28 VirtualQuery
• 0x14082da30 WaitForSingleObject
• 0x14082da38 WakeAllConditionVariable
• 0x14082da40 WakeConditionVariable
• 0x14082da48 WideCharToMultiByte
库: api-ms-win-crt-convert-l1-1-0.dll:
• 0x14082da58 mbrtowc
• 0x14082da60 strtoul
• 0x14082da68 wcrtomb
库: api-ms-win-crt-environment-l1-1-0.dll:
• 0x14082da78 __p__environ
• 0x14082da80 __p__wenviron
• 0x14082da88 getenv
库: api-ms-win-crt-filesystem-l1-1-0.dll:
• 0x14082da98 _fstat64
库: api-ms-win-crt-heap-l1-1-0.dll:
• 0x14082daa8 _set_new_mode
• 0x14082dab0 calloc
• 0x14082dab8 free
• 0x14082dac0 malloc
• 0x14082dac8 realloc
库: api-ms-win-crt-locale-l1-1-0.dll:
• 0x14082dad8 ___lc_codepage_func
• 0x14082dae0 ___mb_cur_max_func
• 0x14082dae8 localeconv
• 0x14082daf0 setlocale
库: api-ms-win-crt-private-l1-1-0.dll:
• 0x14082db18 __C_specific_handler
• 0x14082db20 memchr
• 0x14082db28 memcmp
• 0x14082db30 memcpy
• 0x14082db38 memmove
• 0x14082db40 strchr
库: api-ms-win-crt-runtime-l1-1-0.dll:
• 0x14082db50 __p___argc
• 0x14082db58 __p___argv
• 0x14082db60 __p___wargv
• 0x14082db68 _cexit
• 0x14082db70 _configure_narrow_argv
• 0x14082db78 _configure_wide_argv
• 0x14082db80 _crt_at_quick_exit
• 0x14082db88 _crt_atexit
• 0x14082db90 _errno
• 0x14082db98 _exit
• 0x14082dba0 _initialize_narrow_environment
• 0x14082dba8 _initialize_wide_environment
• 0x14082dbb0 _initterm
• 0x14082dbb8 _set_app_type
• 0x14082dbc0 _set_invalid_parameter_handler
• 0x14082dbc8 abort
• 0x14082dbd0 exit
• 0x14082dbd8 signal
• 0x14082dbe0 strerror
库: api-ms-win-crt-stdio-l1-1-0.dll:
• 0x14082dbf0 __acrt_iob_func
• 0x14082dbf8 __p__commode
• 0x14082dc00 __p__fmode
• 0x14082dc08 __stdio_common_vfprintf
• 0x14082dc10 __stdio_common_vfwprintf
• 0x14082dc18 __stdio_common_vsprintf
• 0x14082dc20 _fileno
• 0x14082dc28 _fseeki64
• 0x14082dc30 _ftelli64
• 0x14082dc38 _lseeki64
• 0x14082dc40 _read
• 0x14082dc48 _wfopen
• 0x14082dc50 _write
• 0x14082dc58 fclose
• 0x14082dc60 fflush
• 0x14082dc68 fopen
• 0x14082dc70 fputc
• 0x14082dc78 fputs
• 0x14082dc80 fread
• 0x14082dc88 fwrite
• 0x14082dc90 getc
• 0x14082dc98 getwc
• 0x14082dca0 putc
• 0x14082dca8 putwc
• 0x14082dcb0 setvbuf
• 0x14082dcb8 ungetc
• 0x14082dcc0 ungetwc
库: api-ms-win-crt-string-l1-1-0.dll:
• 0x14082dcd0 iswctype
• 0x14082dcd8 memset
• 0x14082dce0 strcmp
• 0x14082dce8 strcoll
• 0x14082dcf0 strlen
• 0x14082dcf8 strncmp
• 0x14082dd00 strxfrm
• 0x14082dd08 towlower
• 0x14082dd10 towupper
• 0x14082dd18 wcscoll
• 0x14082dd20 wcslen
• 0x14082dd28 wcsxfrm
库: api-ms-win-crt-time-l1-1-0.dll:
• 0x14082dd38 __daylight
• 0x14082dd40 __timezone
• 0x14082dd48 __tzname
• 0x14082dd50 _tzset
• 0x14082dd58 strftime
• 0x14082dd60 wcsftime
库: api-ms-win-crt-utility-l1-1-0.dll:
• 0x14082dd70 rand_s
库: USER32.dll:
• 0x14082dd80 CallNextHookEx
• 0x14082dd88 CreateIconIndirect
• 0x14082dd90 DestroyCursor
• 0x14082dd98 DestroyIcon
• 0x14082dda0 DrawIcon
• 0x14082dda8 EnumChildWindows
• 0x14082ddb0 EnumDisplayMonitors
• 0x14082ddb8 GetAncestor
• 0x14082ddc0 GetDesktopWindow
• 0x14082ddc8 GetIconInfo
• 0x14082ddd0 GetMonitorInfoA
• 0x14082ddd8 GetParent
• 0x14082dde0 GetRawInputDeviceInfoA
• 0x14082dde8 GetRawInputDeviceList
• 0x14082ddf0 GetWindowInfo
• 0x14082ddf8 GetWindowLongA
• 0x14082de00 LoadCursorA
• 0x14082de08 LoadIconA
• 0x14082de10 MapWindowPoints
• 0x14082de18 MessageBoxW
• 0x14082de20 MonitorFromWindow
• 0x14082de28 SetCaretPos
• 0x14082de30 SetWindowLongA
• 0x14082de38 SetWindowsHookExA
• 0x14082de40 ShowCaret
• 0x14082de48 ShowWindow
• 0x14082de50 SystemParametersInfoA
• 0x14082de58 UnhookWindowsHookEx
• 0x14082de60 WindowFromPoint
.text
`.data
.rdata
@.pdata
@.xdata
@.bss
.idata
.rsrc
@.reloc
B/113
t&fD;
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49158 | 23.63.242.91 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 63246 | 192.168.122.1 | 53 |
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 49158 | 23.63.242.91 | 80 |
UDP
| 源地址 | 源端口 | 目标地址 | 目标端口 |
|---|---|---|---|
| 192.168.122.201 | 63246 | 192.168.122.1 | 53 |
HTTP 请求
| URI | HTTP数据 |
|---|---|
| URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 53.715 seconds )
- 18.627 VirusTotal
- 17.288 Static
- 11.443 Suricata
- 4.464 NetworkAnalysis
- 1.54 TargetInfo
- 0.294 peid
- 0.027 config_decoder
- 0.011 Strings
- 0.01 AnalysisInfo
- 0.009 BehaviorAnalysis
- 0.002 Memory
Signatures ( 1.375 seconds )
- 1.3 proprietary_url_bl
- 0.011 antiav_detectreg
- 0.008 proprietary_domain_bl
- 0.005 anomaly_persistence_autorun
- 0.005 antiav_detectfile
- 0.005 infostealer_ftp
- 0.004 geodo_banking_trojan
- 0.004 ransomware_extensions
- 0.004 ransomware_files
- 0.003 infostealer_bitcoin
- 0.003 infostealer_im
- 0.003 network_http
- 0.002 tinba_behavior
- 0.002 antianalysis_detectreg
- 0.002 antivm_vbox_files
- 0.002 disables_browser_warn
- 0.002 infostealer_mail
- 0.001 rat_nanocore
- 0.001 betabot_behavior
- 0.001 cerber_behavior
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 browser_security
- 0.001 modify_proxy
- 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
- 0.001 proprietary_bad_drop
- 0.001 network_cnc_http
Reporting ( 0.448 seconds )
- 0.442 ReportHTMLSummary
- 0.006 Malheur
| Task ID | 744218 |
|---|---|
| Mongo ID | 662651b7dc327b2e01ad97f6 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号