魔盾安全 (Maldun) Yara rule detection results - High risk
Informational: PowerShell Detected
Critical: A non-Windows executable contains win32 API function names
Warning: Detected function to spread malware via desktop or autorun files
Warning: Detected function for installing itself for autorun at Windows startup
Critical: Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
These Yara rules match strings in the script text (MAS_1.4_AIO_CN.cmd, listed under the files below). The behaviour trace records no service creation and no registry modification, so the autorun and spreading hits are string matches, not activity observed in this run.
Network analysis

Hosts contacted

| Direct access | IP address | Country |
| No | 20.42.65.92 | United States |

DNS resolution

| Domain | Response |
| watson.microsoft.com | A 20.42.65.92; CNAME legacywatson.trafficmanager.net; CNAME onedsblobprdeus17.eastus.cloudapp.azure.com |

watson.microsoft.com is the Windows Error Reporting upload endpoint; the lookup is made by the operating system on the analysis VM, not by the sample.

TCP connections

| IP address | Port |
| 23.223.198.226 | 80 |

UDP connections

| IP address | Port |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |

The two UDP flows are the guest's DNS queries to its gateway.

HTTP requests

| URL |
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip |

HTTP data:
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

The User-Agent `IPM` and the acroipm.adobe.com host identify this as Adobe Reader's In-Product Messaging check, background activity of the analysis VM. None of the processes recorded below (cmd.exe, reg.exe, mode.com, choice.exe) is one that would issue it, so no network activity in this report is attributable to the script.
Behaviour analysis

Mutexes
No information

Commands executed
- C:\Windows\system32\cmd.exe /c ver
- reg query HKU\S-1-5-19
- mode con cols=98 lines=30
- choice /C:123456789 /N /M "> 在键盘上输入你的选择 [1,2,3,4,5,6,7,8,9] : "  (the prompt reads "Enter your choice on the keyboard")

`reg query HKU\S-1-5-19` is a common elevation check in batch scripts: the LOCAL SERVICE hive under HKEY_USERS is readable only by administrators, so the command's exit status tells the script whether it is running elevated. `ver` and `mode con` only read the Windows version and resize the console. `choice` waits for a key press with no timeout, so an unattended sandbox run stalls at the script's menu, which is why the trace ends here.

Services created
No information

Services started
No information

Processes
cmd.exe PID: 2592, parent PID: 2196
cmd.exe PID: 2744, parent PID: 2592
cmd.exe PID: 2836, parent PID: 2744
reg.exe PID: 2896, parent PID: 2744
mode.com PID: 2964, parent PID: 2744
choice.exe PID: 3044, parent PID: 2744
Files accessed
- C:\Users\test\AppData\Local\Temp
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\
- C:\Users\test\AppData\Local\Temp\MAS_1.4_AIO_CN.cmd
- C:\Windows\Globalization\Sorting\sortdefault.nls
- \Device\NamedPipe\
- C:\Windows\System32\cmd.exe
- C:\ProgramData\Oracle\Java\javapath\powershell.exe
- C:\Windows\System32\powershell.exe
- C:\Windows\powershell.exe
- C:\Windows\System32\wbem\powershell.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows
- C:\Windows\System32
- C:\Windows\System32\WindowsPowerShell
- C:\Windows\System32\WindowsPowerShell\v1.0
- \??\nul
- C:\Users\test\AppData\Local\Temp\reg.*
- C:\Users\test\AppData\Local\Temp\reg
- C:\ProgramData\Oracle\Java\javapath\reg.*
- C:\ProgramData\Oracle\Java\javapath\reg
- C:\Windows\System32\reg.*
- C:\Windows\System32\reg.COM
- C:\Windows\System32\reg.exe
- C:\Users\test\AppData\Local\Temp\mode.*
- C:\Users\test\AppData\Local\Temp\mode
- C:\ProgramData\Oracle\Java\javapath\mode.*
- C:\ProgramData\Oracle\Java\javapath\mode
- C:\Windows\System32\mode.*
- C:\Windows\System32\mode.com
- C:\Windows\Temp\_MAS\
- C:\Users\test\AppData\Local\Temp\
- C:\Users\test\AppData\Local\Temp\echo:
- C:\Users\test\AppData\Local\Temp\choice.*
- C:\Users\test\AppData\Local\Temp\choice
- C:\ProgramData\Oracle\Java\javapath\choice.*
- C:\ProgramData\Oracle\Java\javapath\choice
- C:\Windows\System32\choice.*
- C:\Windows\System32\choice.COM
- C:\Windows\System32\choice.exe
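The repeated `reg.*`, `mode.*` and `choice.*` lookups above are cmd.exe resolving an unqualified command name: it probes the current directory (here the user's Temp folder, where the script was dropped) and then each PATH entry in order (the Oracle `javapath` directory, then System32), trying each PATHEXT extension. Every directory probed before `C:\Windows\System32` is one in which a same-named file would be executed instead of the system tool. The following Python, added here as an example and not part of the 魔盾 report or of the MAS project, rebuilds the process tree from the PID/parent-PID lines and groups the probes by command name so that the shadowable directories are listed per command. The sample lines are copied from this report; the set of directories treated as protected system locations is an assumption.

```python
"""Added example: rebuild the process tree and list unqualified-command
lookups from a sandbox behaviour report of the form shown on this page."""
import re
from collections import defaultdict

# Constructed sample input: process lines copied from the report above.
PROCESS_LINES = """
cmd.exe PID: 2592, parent PID: 2196
cmd.exe PID: 2744, parent PID: 2592
cmd.exe PID: 2836, parent PID: 2744
reg.exe PID: 2896, parent PID: 2744
mode.com PID: 2964, parent PID: 2744
choice.exe PID: 3044, parent PID: 2744
"""

# Constructed sample input: a subset of the file-access lines copied from the
# report above, in the order the sandbox recorded them.
FILE_LINES = r"""
- C:\Users\test\AppData\Local\Temp\reg.*
- C:\Users\test\AppData\Local\Temp\reg
- C:\ProgramData\Oracle\Java\javapath\reg.*
- C:\ProgramData\Oracle\Java\javapath\reg
- C:\Windows\System32\reg.*
- C:\Windows\System32\reg.COM
- C:\Windows\System32\reg.exe
- C:\Users\test\AppData\Local\Temp\choice.*
- C:\Windows\System32\choice.exe
"""

# Assumption: directories we treat as protected, i.e. not writable by the
# unprivileged user whose script is being analysed.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows", r"c:\windows\system32\wbem"}

PROC_RE = re.compile(r"^(?P<image>\S+) PID: (?P<pid>\d+), parent PID: (?P<ppid>\d+)$")


def parse_processes(text):
    """Map pid -> (image name, parent pid) from the report's process lines."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m["pid"])] = (m["image"], int(m["ppid"]))
    return procs


def build_tree(procs):
    """Return (children map, root pids). A root is a process whose parent
    is not itself in the report (here the sandbox agent, PID 2196)."""
    children = defaultdict(list)
    roots = []
    for pid, (_, ppid) in sorted(procs.items()):
        if ppid in procs:
            children[ppid].append(pid)
        else:
            roots.append(pid)
    return children, roots


def render_tree(procs):
    """Indented text lines, one per process, depth-first in pid order."""
    children, roots = build_tree(procs)
    out = []

    def walk(pid, depth):
        image, _ = procs[pid]
        out.append(f"{'  ' * depth}{image} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def path_lookups(text):
    """Group the 'name.*' probes by command name, keeping the order in which
    the directories were searched. Only wildcard probes mark a new directory."""
    probes = defaultdict(list)
    for line in text.splitlines():
        path = line.strip()
        if path.startswith("- "):
            path = path[2:]
        if not path.endswith(".*"):
            continue
        directory, name = path.rsplit("\\", 1)
        probes[name[:-2].lower()].append(directory)
    return probes


def shadowable(probes):
    """For each command, the directories searched before the first protected
    one: a same-named file there would run instead of the system tool."""
    result = {}
    for cmd, dirs in probes.items():
        first_system = next(
            (i for i, d in enumerate(dirs) if d.lower() in SYSTEM_DIRS), len(dirs)
        )
        result[cmd] = dirs[:first_system]
    return result


if __name__ == "__main__":
    print("\n".join(render_tree(parse_processes(PROCESS_LINES))))
    for cmd, dirs in shadowable(path_lookups(FILE_LINES)).items():
        print(f"{cmd}: searched before System32 in {dirs}")
```

Run against a full report export, the same two functions show at a glance which helper binaries a dropped batch script could have hijacked and which process actually spawned each child; in this trace the interactive shell (PID 2744) is the parent of every tool invocation.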
Files read
- C:\Users\test\AppData\Local\Temp\MAS_1.4_AIO_CN.cmd
- C:\Windows\Globalization\Sorting\sortdefault.nls
- \Device\NamedPipe\
Files deleted
No information
Registry keys
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_USERS\S-1-5-19

The `Command Processor\AutoRun` values under HKLM and HKCU are read by every cmd.exe at start-up; a command stored there runs with each new shell, which makes them a persistence location worth checking, but in this run they are only read (the modified-keys list below is empty). HKEY_USERS\S-1-5-19 is the LOCAL SERVICE hive touched by the `reg query` elevation check above, and the Nls\Locale\00000804 lookup is the zh-CN locale of the console.

Registry keys read
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys modified
No information

Registry keys deleted
No information
APIs resolved
- kernel32.dll.SetThreadUILanguage
- kernel32.dll.CopyFileExW
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.SetConsoleInputExeNameW
- advapi32.dll.SaferIdentifyLevel
- advapi32.dll.SaferComputeTokenFromLevel
- advapi32.dll.SaferCloseLevel
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle

The advapi32 Safer* functions are the Software Restriction Policy evaluation made when a new process is created, and the Sort*/SetThreadUILanguage calls belong to console locale handling. None of the resolved APIs is a process-injection, token-manipulation or privilege-escalation primitive; the "process manipulation, privilege, token" Yara hit at the top of the report is not reflected in the APIs this run actually resolved.