恶意软件分析 & URL链接扫描免费在线病毒分析平台

分析任务

分析类型	虚拟机标签	开始时间	结束时间	持续时间
文件 (Windows)	win7-sp1-x64-shaapp02-1	2024-04-25 15:18:03	2024-04-25 15:18:44	41 秒

魔盾分数

7.875

危险的

文件详细信息

文件名	wism.dll
文件大小	45568 字节
文件类型	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	cc87ea9fe511d671d586b29de944f473
SHA1	70f606b509fe9ba598a5c80fbe66933c5c1ad264
SHA256	a1498b45c07bd5827a9ebce1a2e39ac5a97685001227680781ee1daddf72718b
SHA512	16642aab87c54f738c0462f705819c4f364e063a46cb2047acc025b2bf3df87b1944326744455bcf68c35df3369052abb4f3e3ce1daca94debba7c07dc4fa8e7
CRC32	033459BD
Ssdeep	768:tcf/awVNVLue+bKaP9FoR/RbpWuKwjmqX/gKspGxfjnokfEsAV7AO:tnqIoR5V7KwjmlnGrnSs07A
Yara	登录查看Yara规则
	找不到该样本提交误报

登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

摘要

登录查看详细行为信息

PE 信息

初始地址	0x180000000
入口地址	0x180006bc8
声明校验值	0x00000000
实际校验值	0x0000d35f
最低操作系统版本要求	6.0
PDB路径	C:\Users\xxxta\VisualStudioRepos\windows_input_method_manager\x64\Release\windows_input_method_manager.pdb
编译时间	2024-04-13 22:38:30
载入哈希	ee8b2c9cac78f19ed9b3325e6c821dd7
导出DLL库名称	\x31\x31\x31\x31\x31\x31\x31\x39\x31\x31\x31\x31\x31\x39\x31\x31\x31\x31\x31\x31\x39\x31\x39\x31\x39\x31\x31\x31\x34\x31\x31\x31

PE 数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00006a94	0x00006c00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.16
.rdata	0x00008000	0x0000333e	0x00003400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.33
.data	0x0000c000	0x00000818	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.06
.pdata	0x0000d000	0x00000690	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.72
.rsrc	0x0000e000	0x000000f8	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	2.51
.reloc	0x0000f000	0x00000070	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	1.42

导入

库: libcrypto-1_1-x64.dll:

• 0x180008288 EVP_MD_CTX_new

• 0x180008290 BIO_write

• 0x180008298 EVP_PKEY_new

• 0x1800082a0 PEM_read_bio_RSAPrivateKey

• 0x1800082a8 EVP_sha256

• 0x1800082b0 EVP_DigestUpdate

• 0x1800082b8 EVP_DigestSignFinal

• 0x1800082c0 EVP_PKEY_assign

• 0x1800082c8 EVP_MD_CTX_free

• 0x1800082d0 PEM_read_bio_RSA_PUBKEY

• 0x1800082d8 EVP_DigestVerifyFinal

• 0x1800082e0 EVP_DigestSignInit

• 0x1800082e8 EVP_DigestVerifyInit

• 0x1800082f0 EVP_CIPHER_CTX_new

• 0x1800082f8 EVP_aes_256_cbc

• 0x180008300 EVP_DecryptUpdate

• 0x180008308 EVP_DecryptFinal_ex

• 0x180008310 EVP_DecryptInit_ex

• 0x180008318 EVP_CIPHER_CTX_reset

• 0x180008320 EVP_CIPHER_CTX_free

• 0x180008328 BIO_new

• 0x180008330 BIO_ctrl

• 0x180008338 BIO_push

• 0x180008340 BIO_f_base64

• 0x180008348 BIO_read

• 0x180008350 BIO_set_flags

• 0x180008358 BIO_s_mem

• 0x180008360 BIO_free_all

• 0x180008368 BIO_new_mem_buf

库: IMM32.dll:

• 0x180008000 ImmGetDefaultIMEWnd

库: KERNEL32.dll:

• 0x180008010 CloseHandle

• 0x180008018 GetLastError

• 0x180008020 WaitForSingleObject

• 0x180008028 CreatePipe

• 0x180008030 ReadFile

• 0x180008038 InitializeSListHead

• 0x180008040 GetSystemTimeAsFileTime

• 0x180008048 GetCurrentThreadId

• 0x180008050 GetCurrentProcessId

• 0x180008058 QueryPerformanceCounter

• 0x180008060 CreateProcessW

• 0x180008068 IsProcessorFeaturePresent

• 0x180008070 TerminateProcess

• 0x180008078 GetCurrentProcess

• 0x180008080 SetUnhandledExceptionFilter

• 0x180008088 UnhandledExceptionFilter

• 0x180008090 RtlVirtualUnwind

• 0x180008098 RtlLookupFunctionEntry

• 0x1800080a0 RtlCaptureContext

• 0x1800080a8 SleepConditionVariableSRW

• 0x1800080b0 WakeAllConditionVariable

• 0x1800080b8 AcquireSRWLockExclusive

• 0x1800080c0 ReleaseSRWLockExclusive

• 0x1800080c8 IsDebuggerPresent

• 0x1800080d0 MultiByteToWideChar

库: USER32.dll:

• 0x1800080f8 VkKeyScanW

• 0x180008100 SendMessageW

• 0x180008108 GetForegroundWindow

• 0x180008110 GetKeyState

• 0x180008118 keybd_event

• 0x180008120 SendInput

库: MSVCP140.dll:

• 0x1800080e0 ?_Xlength_error@std@@YAXPEBD@Z

• 0x1800080e8 ?_Xout_of_range@std@@YAXPEBD@Z

库: VCRUNTIME140_1.dll:

• 0x180008188 __CxxFrameHandler4

库: VCRUNTIME140.dll:

• 0x180008130 memchr

• 0x180008138 memmove

• 0x180008140 memcpy

• 0x180008148 memcmp

• 0x180008150 memset

• 0x180008158 __std_type_info_destroy_list

• 0x180008160 _CxxThrowException

• 0x180008168 __C_specific_handler

• 0x180008170 __std_exception_destroy

• 0x180008178 __std_exception_copy

库: api-ms-win-crt-runtime-l1-1-0.dll:

• 0x1800081e0 _execute_onexit_table

• 0x1800081e8 _invalid_parameter_noinfo_noreturn

• 0x1800081f0 _crt_atexit

• 0x1800081f8 exit

• 0x180008200 _initterm_e

• 0x180008208 _initterm

• 0x180008210 _seh_filter_dll

• 0x180008218 _configure_narrow_argv

• 0x180008220 _initialize_narrow_environment

• 0x180008228 _initialize_onexit_table

• 0x180008230 _register_onexit_function

• 0x180008238 _cexit

库: api-ms-win-crt-stdio-l1-1-0.dll:

• 0x180008248 __acrt_iob_func

• 0x180008250 __stdio_common_vfprintf

库: api-ms-win-crt-heap-l1-1-0.dll:

• 0x1800081a8 malloc

• 0x1800081b0 free

• 0x1800081b8 _callnewh

库: api-ms-win-crt-time-l1-1-0.dll:

• 0x180008278 _time64

库: api-ms-win-crt-convert-l1-1-0.dll:

• 0x180008198 atoi

库: api-ms-win-crt-string-l1-1-0.dll:

• 0x180008260 isspace

• 0x180008268 strcpy_s

库: api-ms-win-crt-math-l1-1-0.dll:

• 0x1800081c8 ceil

• 0x1800081d0 pow

导出

序列	地址	名称
1	0x180002370	Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_changeLanguage
2	0x180002530	Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getCapsLockState
3	0x180002400	Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getCurrentLanguage
4	0x180002490	Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getUuid
5	0x180002720	Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_setCapsLockState
6	0x1800020c0	Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_sign
7	0x1800024b0	Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_systemInput
8	0x180006110	changeLanguage
9	0x1800061a0	getCurrentLanguage
10	0x180006220	getUuid
11	0x180006060	swapShortSecretCode
12	0x180006250	systemInput

.text
`.rdata
@.data
.pdata
@.rsrc
@.reloc
bad allocation
Unknown exception
bad array new length
string too long
java/lang/String
GB2312
(Ljava/lang/String;)[B
getBytes
([BLjava/lang/String;)V
<init>
UTF-8
ERROR
signature verify failed!
decryption failed
failed! uuid:
failed! expired
invalid string position
FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF
wmic csproduct get UUID
wmic baseboard get serialnumber
wmic diskdrive get serialnumber
C:\Users\xxxta\VisualStudioRepos\windows_input_method_manager\x64\Release\windows_input_method_manager.pdb
.text$di
.text$mn
.text$mn$00
.text$x
.text$yd
.idata$5
.00cfg
.CRT$XCA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$voltmd
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.tls$
.tls$ZZZ
.xdata
.xdata$x
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.data$rs
.pdata
.rsrc$01
.rsrc$02
windows_input_method_manager.dll
Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_changeLanguage
Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getCapsLockState
Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getCurrentLanguage
Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_getUuid
Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_setCapsLockState
Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_sign
Java_com_xxxtai_smartinputintellij_os_WindowsInputMethodManagerJni_systemInput
changeLanguage
getCurrentLanguage
getUuid
swapShortSecretCode
systemInput
BIO_new_mem_buf
BIO_write
BIO_free_all
BIO_s_mem
BIO_set_flags
BIO_read
BIO_f_base64
BIO_push
BIO_ctrl
BIO_new
EVP_CIPHER_CTX_free
EVP_CIPHER_CTX_reset
EVP_DecryptInit_ex
EVP_DecryptFinal_ex
EVP_DecryptUpdate
EVP_aes_256_cbc
EVP_CIPHER_CTX_new
EVP_DigestVerifyInit
EVP_DigestSignInit
EVP_DigestVerifyFinal
PEM_read_bio_RSA_PUBKEY
EVP_MD_CTX_free
EVP_PKEY_assign
EVP_DigestSignFinal
EVP_DigestUpdate
EVP_sha256
PEM_read_bio_RSAPrivateKey
EVP_MD_CTX_new
EVP_PKEY_new
libcrypto-1_1-x64.dll
ImmGetDefaultIMEWnd
IMM32.dll
MultiByteToWideChar
ReadFile
CreatePipe
WaitForSingleObject
GetLastError
CloseHandle
CreateProcessW
KERNEL32.dll
SendInput
VkKeyScanW
keybd_event
GetKeyState
GetForegroundWindow
SendMessageW
USER32.dll
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
MSVCP140.dll
__CxxFrameHandler4
__std_exception_destroy
__std_exception_copy
__C_specific_handler
_CxxThrowException
memset
__std_type_info_destroy_list
VCRUNTIME140_1.dll
VCRUNTIME140.dll
__acrt_iob_func
__stdio_common_vfprintf
malloc
_invalid_parameter_noinfo_noreturn
_time64
isspace
strcpy_s
_callnewh
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_cexit
_initterm
_initterm_e
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
memchr
memcmp
memcpy
memmove
api-ms-win-crt-math-l1-1-0.dll
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVbad_array_new_length@std@@
.?AVtype_info@@

没有防病毒引擎扫描信息!

进程树

rundll32.exe id: 2568

搜索
rundll32.exe (2568)

rundll32.exe, PID: 2568, 上一级进程 PID: 2240

缺省注册表文件系统网络进程线程服务设备同步加密浏览器全部

下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	23.214.95.221	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63246	192.168.122.1	53

域名解析 (可点击查询WPING实时安全评级)

无域名信息.

TCP

源地址	源端口	目标地址	目标端口
192.168.122.201	49160	23.214.95.221	80

UDP

源地址	源端口	目标地址	目标端口
192.168.122.201	63246	192.168.122.1	53

HTTP 请求

URI	HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件

抱歉! 没有任何文件投放。

没有发现相似的分析.

HTML 总结报告 (需15-60分钟同步)	下载

Processing ( 14.341 seconds )

11.457 Suricata
1.355 NetworkAnalysis
0.904 Static
0.291 peid
0.249 TargetInfo
0.065 BehaviorAnalysis
0.013 AnalysisInfo
0.005 Strings
0.002 Memory

Signatures ( 1.481 seconds )

1.373 proprietary_url_bl
0.019 antiav_detectreg
0.008 infostealer_ftp
0.007 anomaly_persistence_autorun
0.007 proprietary_domain_bl
0.006 antiav_detectfile
0.006 ransomware_extensions
0.005 infostealer_im
0.004 antianalysis_detectreg
0.004 geodo_banking_trojan
0.004 infostealer_bitcoin
0.004 ransomware_files
0.003 api_spamming
0.003 infostealer_mail
0.003 network_http
0.002 tinba_behavior
0.002 stealth_decoy_document
0.002 stealth_timeout
0.002 antivm_vbox_files
0.002 disables_browser_warn
0.001 rat_nanocore
0.001 betabot_behavior
0.001 kibex_behavior
0.001 cerber_behavior
0.001 antivm_parallels_keys
0.001 antivm_xen_keys
0.001 bot_drive
0.001 bot_drive2
0.001 browser_security
0.001 modify_proxy
0.001 proprietary_malicious_drop_executable_file_to_temp_folder
0.001 proprietary_bad_drop
0.001 network_cnc_http
0.001 recon_fingerprint
0.001 stealth_modify_uac_prompt

Reporting ( 0.701 seconds )

0.693 ReportHTMLSummary
0.008 Malheur


Task ID	744306
Mongo ID	662a0411dc327b93ae415a89
Cuckoo release	1.4-Maldun