Maldun Security Analysis Report

Analysis type  Start time           End time             Duration    Analysis engine version
FILE           2022-05-27 19:37:20  2022-05-27 19:38:05  45 seconds  1.4-Maldun

VM name                  Label                    VM manager  Boot time            Shutdown time
win7-sp1-x64-shaapp02-1  win7-sp1-x64-shaapp02-1  KVM         2022-05-27 19:37:20  2022-05-27 19:38:06
Maldun score: 10.0 (Malicious)

File details

File name   启动1 mysql数据库关闭.exe (literally "Start 1 mysql database shutdown.exe")
File size   50688 bytes
File type   PE32 executable (console) Intel 80386, for MS Windows
CRC32       AE7E1E46
MD5         3153f9a33d21af7e2ff4b1166b0ddc47
SHA1        899db581d76b5d6e389eb9f536177b250a51de5f
SHA256      715f7f5e40202cf455e018be65e056c75334c95b14cb1417c0885ee2eb68f3a5
SHA512      9fd45e4ebba0451b07ae6611ef472f1e356a2a21dc4792ba9431f0926a18e8744d76a8b027180bff1060ac382bdba3101ca39db8cff29e832e768a5cd4d256c2
Ssdeep      768:A9J8NowRheD8/3rJiUqyet8w9abyzm5E50kyoVonvzRiZljBwiwo5sW3LhaNIC4T:A9wvQUreUbyzABq2mLha2OCXx
PEiD        No match
Yara
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • win_files_operation (Affect private profile)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsConsole (Detected a console program sample)
  • RC6_Constants (Look for RC6 magic constants in binary)
  • Borland (Detects Borland program)
VirusTotal  VirusTotal lookup failed

Signatures

Maldun Yara rule detection results - security alerts
  Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
  Warning: Look for RC6 magic constants in binary
Creates a hidden or system file
  file: C:\Users\test\AppData\Local\Temp\~2DD.bat
Anomalous binary characteristics
  anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year
  (The compile time shown below, 1992-06-20 06:22:17, is the fixed link timestamp that the Borland Delphi linker writes into every binary; together with the Borland Yara match and the HKCU\Software\Borland\Locales lookups it points to the toolchain, not to deliberate timestamp tampering.)
Suspicious abnormal termination of the sample
Sample drops an executable into the temp directory and then wipes it
  Anomaly: C:\Users\test\AppData\Local\Temp\~2DD.bat deleted
Sample attempted an anomalous command
  Anomaly: cmd.exe /c C:\Users\test\AppData\Local\Temp\~2DD.bat "C:\Users\test\AppData\Local\Temp\______1 mysql_______________.exe" executed
Anomalous repeated invocation of CMD
  Command: cmd.exe /c c:\users\test\appdata\local\temp\~2dd.bat "c:\users\test\appdata\local\temp\______1 mysql_______________.exe"

Run screenshots

Network analysis

TCP connections

IP address     Port
104.99.238.89  80

UDP connections

IP address     Port
192.168.122.1  53

HTTP requests

URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
HTTP data:
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Note: this request (host acroipm.adobe.com, User-Agent IPM) matches the Adobe Reader in-product messaging check-in, and the sample's import table below contains no networking APIs, so it is most likely background traffic from the sandbox image rather than activity of the sample.

Static analysis

PE info

Image base                   0x00400000
Entry point                  0x0040a0c0
Declared checksum            0x00000000
Actual checksum              0x0000db02
Minimum OS version required  4.0
Compile time                 1992-06-20 06:22:17
Import hash                  1754bc2d288533008a4f1472fc626401

PE sections

Name    Virtual address  Virtual size  Raw data size  Characteristics                                                              Entropy
CODE    0x00001000       0x00009558    0x00009600     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.36
DATA    0x0000b000       0x0000045c    0x00000600     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        3.09
BSS     0x0000c000       0x00000965    0x00000000     IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE                                       0.00
.idata  0x0000d000       0x000008ca    0x00000a00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        4.23
.tls    0x0000e000       0x00000008    0x00000000     IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE                                       0.00
.rdata  0x0000f000       0x00000018    0x00000200     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ       0.20
.reloc  0x00010000       0x00000ed8    0x00000000     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ       0.00
.rsrc   0x00011000       0x000018b0    0x00001a00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ       5.20

Imports

Library kernel32.dll:
0x40d0a0 - DeleteCriticalSection
0x40d0a4 - LeaveCriticalSection
0x40d0a8 - EnterCriticalSection
0x40d0ac - InitializeCriticalSection
0x40d0b0 - VirtualFree
0x40d0b4 - VirtualAlloc
0x40d0b8 - LocalFree
0x40d0bc - LocalAlloc
0x40d0c0 - GetVersion
0x40d0c4 - GetCurrentThreadId
0x40d0c8 - WideCharToMultiByte
0x40d0cc - lstrlenA
0x40d0d0 - lstrcpynA
0x40d0d4 - LoadLibraryExA
0x40d0d8 - GetThreadLocale
0x40d0dc - GetStartupInfoA
0x40d0e0 - GetProcAddress
0x40d0e4 - GetModuleHandleA
0x40d0e8 - GetModuleFileNameA
0x40d0ec - GetLocaleInfoA
0x40d0f0 - GetCommandLineA
0x40d0f4 - FreeLibrary
0x40d0f8 - FindFirstFileA
0x40d0fc - FindClose
0x40d100 - ExitProcess
0x40d104 - WriteFile
0x40d108 - UnhandledExceptionFilter
0x40d10c - RtlUnwind
0x40d110 - RaiseException
0x40d114 - GetStdHandle
Library user32.dll:
0x40d11c - GetKeyboardType
0x40d120 - LoadStringA
0x40d124 - MessageBoxA
0x40d128 - CharNextA
Library advapi32.dll:
0x40d130 - RegQueryValueExA
0x40d134 - RegOpenKeyExA
0x40d138 - RegCloseKey
Library oleaut32.dll:
0x40d140 - SysFreeString
Library kernel32.dll:
0x40d148 - TlsSetValue
0x40d14c - TlsGetValue
0x40d150 - LocalAlloc
0x40d154 - GetModuleHandleA
Library kernel32.dll:
0x40d15c - WriteFile
0x40d160 - WaitForSingleObject
0x40d164 - VirtualQuery
0x40d168 - SizeofResource
0x40d16c - SetFilePointer
0x40d170 - SetFileAttributesA
0x40d174 - SetEnvironmentVariableA
0x40d178 - SetEndOfFile
0x40d17c - ReadFile
0x40d180 - LockResource
0x40d184 - LoadResource
0x40d188 - GlobalUnlock
0x40d18c - GlobalReAlloc
0x40d190 - GlobalHandle
0x40d194 - GlobalLock
0x40d198 - GlobalFree
0x40d19c - GlobalAlloc
0x40d1a0 - GetWindowsDirectoryA
0x40d1a4 - GetVersionExA
0x40d1a8 - GetThreadLocale
0x40d1ac - GetTempFileNameA
0x40d1b0 - GetStringTypeExA
0x40d1b4 - GetStdHandle
0x40d1b8 - GetShortPathNameA
0x40d1bc - GetProcAddress
0x40d1c0 - GetModuleHandleA
0x40d1c4 - GetModuleFileNameA
0x40d1c8 - GetLocaleInfoA
0x40d1cc - GetLastError
0x40d1d0 - GetFullPathNameA
0x40d1d4 - GetFileAttributesA
0x40d1d8 - GetExitCodeProcess
0x40d1dc - GetEnvironmentVariableA
0x40d1e0 - GetDiskFreeSpaceA
0x40d1e4 - GetCommandLineA
0x40d1e8 - GetCPInfo
0x40d1ec - GetACP
0x40d1f0 - FreeResource
0x40d1f4 - FormatMessageA
0x40d1f8 - FindResourceA
0x40d1fc - EnumCalendarInfoA
0x40d200 - DeleteFileA
0x40d204 - CreateProcessA
0x40d208 - CreateFileA
0x40d20c - CloseHandle
Library user32.dll:
0x40d214 - MessageBoxA
0x40d218 - LoadStringA
0x40d21c - GetSystemMetrics
0x40d220 - CharPrevA
0x40d224 - CharNextA
0x40d228 - CharToOemA

Dropped files

No information

Behavior analysis

Mutexes: No information
Executed commands
  • cmd.exe /c C:\Users\test\AppData\Local\Temp\~2DD.bat "C:\Users\test\AppData\Local\Temp\______1 mysql_______________.exe"
Created services: No information
Started services: No information

Processes

______1 mysql_______________.exe PID: 2384, parent PID: 2240

cmd.exe PID: 2464, parent PID: 2384

Files accessed
  • C:\Users\test\AppData\Local\Temp\______1 mysql_______________.exe
  • C:\Users
  • C:\Users\test
  • C:\Users\test\AppData
  • C:\Users\test\AppData\Local
  • C:\Users\test\AppData\Local\Temp
  • C:\Users\test\AppData\Local\Temp\______1 mysql_______________.CHS
  • C:\Users\test\AppData\Local\Temp\______1 mysql_______________.CHS.DLL
  • C:\Users\test\AppData\Local\Temp\______1 mysql_______________.CH
  • C:\Users\test\AppData\Local\Temp\______1 mysql_______________.CH.DLL
  • C:\Users\test\AppData\Local\Temp\
  • C:\Users\test\AppData\Local\Temp\~2DD.tmp
  • C:\Users\test\AppData\Local\Temp\~2DD.bat
  • C:\
  • C:\Users\test\AppData\Local\Temp\mysql\bin\pskill.exe
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
Files read
  • C:\Users\test\AppData\Local\Temp\~2DD.tmp
  • C:\Users\test\AppData\Local\Temp\~2DD.bat
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
Files modified
  • C:\Users\test\AppData\Local\Temp\~2DD.bat
Files deleted
  • C:\Users\test\AppData\Local\Temp\~2DD.bat
Registry keys
  • HKEY_CURRENT_USER\Software\Borland\Locales
  • HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\______1 mysql_______________.exe
  • HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
Registry keys read
  • HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\______1 mysql_______________.exe
  • HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
Registry keys modified: No information
Registry keys deleted: No information
Resolved APIs
  • kernel32.dll.GetLongPathNameA
  • kernel32.dll.GetDiskFreeSpaceExA
  • kernel32.dll.SetThreadUILanguage
  • kernel32.dll.CopyFileExW
  • kernel32.dll.IsDebuggerPresent
  • kernel32.dll.SetConsoleInputExeNameW
  • advapi32.dll.SaferIdentifyLevel
  • advapi32.dll.SaferComputeTokenFromLevel
  • advapi32.dll.SaferCloseLevel