魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2024-03-27 11:02:44 | 2024-03-27 11:04:56 | 132 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2024-03-27 11:02:44 | 2024-03-27 11:04:58 |
| 魔盾分数 |
|---|
1.4正常的 |
文件详细信息
| 文件名 | consolepauser.exe |
|---|---|
| 文件大小 | 1380864 字节 |
| 文件类型 | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows |
| CRC32 | FF4DF5C0 |
| MD5 | 3a0b0a9ee4d120e3c5683146e0f28703 |
| SHA1 | e0c2c758e202a11519b89c9556ecfbc9f32daf40 |
| SHA256 | 33557796498640deb62aea66ddb9695e8e5acdd0cbda7c588b5259c1724207ab |
| SHA512 | 9d953a322a99f91aa1c2be8ec70624bdeb160016fc1ec6fff5cf11f4c04a205f18754b714ce0ad6eb0417b21c2d6a5ba533a4dbd121877d2b34078cbab4bcd86 |
| Ssdeep | 12288:UBoncKZh8wmPysudst/DR1y5/wImwyCcsPwJ7+jIVsNMhttgdryNDRx9feLCDpOr:UycKZawkysu+t/l1y5/qwQtgdryxBe6 |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
专有的Yara规则检测结果 - 安全告警
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 2.22.89.27 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x140000000 |
|---|---|
| 入口地址 | 0x1400013f0 |
| 声明校验值 | 0x00152b06 |
| 实际校验值 | 0x00152b06 |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2024-03-26 20:51:04 |
| 载入哈希 | de0b7e072ad4f18aabbae04f43d0ff7c |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000cf2b0 | 0x000cf400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.20 |
| .data | 0x000d1000 | 0x00002f20 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.32 |
| .rdata | 0x000d4000 | 0x000605f0 | 0x00060600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.38 |
| .pdata | 0x00135000 | 0x0000b658 | 0x0000b800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.93 |
| .xdata | 0x00141000 | 0x0000f7c4 | 0x0000f800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.88 |
| .bss | 0x00151000 | 0x00000da0 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .idata | 0x00152000 | 0x0000172c | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.52 |
| .CRT | 0x00154000 | 0x00000068 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.41 |
| .tls | 0x00155000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .reloc | 0x00156000 | 0x00001648 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.34 |
导入
库 ADVAPI32.dll:
• 0x140152580 - RegCloseKey
• 0x140152588 - RegOpenKeyExA
• 0x140152590 - RegQueryValueExA
库 KERNEL32.dll:
• 0x1401525a0 - AddVectoredExceptionHandler
• 0x1401525a8 - AssignProcessToJobObject
• 0x1401525b0 - CloseHandle
• 0x1401525b8 - CreateEventA
• 0x1401525c0 - CreateFileA
• 0x1401525c8 - CreateJobObjectA
• 0x1401525d0 - CreateProcessA
• 0x1401525d8 - CreateSemaphoreA
• 0x1401525e0 - DeleteCriticalSection
• 0x1401525e8 - DuplicateHandle
• 0x1401525f0 - EnterCriticalSection
• 0x1401525f8 - FlushConsoleInputBuffer
• 0x140152600 - FormatMessageA
• 0x140152608 - GetConsoleOutputCP
• 0x140152610 - GetCurrentProcess
• 0x140152618 - GetCurrentProcessId
• 0x140152620 - GetCurrentThread
• 0x140152628 - GetCurrentThreadId
• 0x140152630 - GetExitCodeProcess
• 0x140152638 - GetHandleInformation
• 0x140152640 - GetLastError
• 0x140152648 - GetModuleHandleW
• 0x140152650 - GetProcAddress
• 0x140152658 - GetProcessAffinityMask
• 0x140152660 - GetProcessTimes
• 0x140152668 - GetStdHandle
• 0x140152670 - GetSystemTimeAsFileTime
• 0x140152678 - GetThreadContext
• 0x140152680 - GetThreadPriority
• 0x140152688 - GetTickCount64
• 0x140152690 - InitializeCriticalSection
• 0x140152698 - IsDBCSLeadByteEx
• 0x1401526a0 - IsDebuggerPresent
• 0x1401526a8 - K32GetProcessMemoryInfo
• 0x1401526b0 - LeaveCriticalSection
• 0x1401526b8 - LoadLibraryW
• 0x1401526c0 - LocalFree
• 0x1401526c8 - MapViewOfFile
• 0x1401526d0 - MultiByteToWideChar
• 0x1401526d8 - OpenFileMappingA
• 0x1401526e0 - OpenProcess
• 0x1401526e8 - OutputDebugStringA
• 0x1401526f0 - QueryPerformanceCounter
• 0x1401526f8 - QueryPerformanceFrequency
• 0x140152700 - RaiseException
• 0x140152708 - ReleaseSemaphore
• 0x140152710 - RemoveVectoredExceptionHandler
• 0x140152718 - ResetEvent
• 0x140152720 - ResumeThread
• 0x140152728 - RtlCaptureContext
• 0x140152730 - RtlLookupFunctionEntry
• 0x140152738 - RtlUnwindEx
• 0x140152740 - RtlVirtualUnwind
• 0x140152748 - SetConsoleTitleA
• 0x140152750 - SetEvent
• 0x140152758 - SetInformationJobObject
• 0x140152760 - SetLastError
• 0x140152768 - SetProcessAffinityMask
• 0x140152770 - SetStdHandle
• 0x140152778 - SetThreadContext
• 0x140152780 - SetThreadPriority
• 0x140152788 - SetUnhandledExceptionFilter
• 0x140152790 - Sleep
• 0x140152798 - SuspendThread
• 0x1401527a0 - TlsAlloc
• 0x1401527a8 - TlsGetValue
• 0x1401527b0 - TlsSetValue
• 0x1401527b8 - TryEnterCriticalSection
• 0x1401527c0 - UnmapViewOfFile
• 0x1401527c8 - VirtualProtect
• 0x1401527d0 - VirtualQuery
• 0x1401527d8 - WaitForMultipleObjects
• 0x1401527e0 - WaitForSingleObject
• 0x1401527e8 - WideCharToMultiByte
库 msvcrt.dll:
• 0x1401527f8 - __C_specific_handler
• 0x140152800 - ___lc_codepage_func
• 0x140152808 - ___mb_cur_max_func
• 0x140152810 - __getmainargs
• 0x140152818 - __initenv
• 0x140152820 - __iob_func
• 0x140152828 - __set_app_type
• 0x140152830 - __setusermatherr
• 0x140152838 - _amsg_exit
• 0x140152840 - _beginthreadex
• 0x140152848 - _cexit
• 0x140152850 - _commode
• 0x140152858 - _endthreadex
• 0x140152860 - _errno
• 0x140152868 - _fdopen
• 0x140152870 - _filelengthi64
• 0x140152878 - _fileno
• 0x140152880 - _fileno
• 0x140152888 - _fmode
• 0x140152890 - _fstat64
• 0x140152898 - _getch
• 0x1401528a0 - _initterm
• 0x1401528a8 - _lock
• 0x1401528b0 - _lseeki64
• 0x1401528b8 - _onexit
• 0x1401528c0 - _read
• 0x1401528c8 - _setjmp
• 0x1401528d0 - _strdup
• 0x1401528d8 - _ultoa
• 0x1401528e0 - _unlock
• 0x1401528e8 - _wfopen
• 0x1401528f0 - _write
• 0x1401528f8 - abort
• 0x140152900 - atoi
• 0x140152908 - calloc
• 0x140152910 - exit
• 0x140152918 - fclose
• 0x140152920 - fflush
• 0x140152928 - fgetpos
• 0x140152930 - fopen
• 0x140152938 - fprintf
• 0x140152940 - fputc
• 0x140152948 - fputs
• 0x140152950 - fread
• 0x140152958 - free
• 0x140152960 - freopen
• 0x140152968 - fsetpos
• 0x140152970 - fwrite
• 0x140152978 - getc
• 0x140152980 - getenv
• 0x140152988 - getwc
• 0x140152990 - isspace
• 0x140152998 - iswctype
• 0x1401529a0 - localeconv
• 0x1401529a8 - longjmp
• 0x1401529b0 - malloc
• 0x1401529b8 - memchr
• 0x1401529c0 - memcmp
• 0x1401529c8 - memcpy
• 0x1401529d0 - memmove
• 0x1401529d8 - memset
• 0x1401529e0 - printf
• 0x1401529e8 - putc
• 0x1401529f0 - putwc
• 0x1401529f8 - realloc
• 0x140152a00 - setlocale
• 0x140152a08 - setvbuf
• 0x140152a10 - signal
• 0x140152a18 - strchr
• 0x140152a20 - strcmp
• 0x140152a28 - strcoll
• 0x140152a30 - strerror
• 0x140152a38 - strftime
• 0x140152a40 - strlen
• 0x140152a48 - strncmp
• 0x140152a50 - strtoul
• 0x140152a58 - strxfrm
• 0x140152a60 - towlower
• 0x140152a68 - towupper
• 0x140152a70 - ungetwc
• 0x140152a78 - ungetc
• 0x140152a80 - vfprintf
• 0x140152a88 - wcscoll
• 0x140152a90 - wcsftime
• 0x140152a98 - wcslen
• 0x140152aa0 - wcsxfrm
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
consolepauser.exe PID: 2604, 上一级进程 PID: 2256
访问的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
无信息
读取的注册表键
无信息
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle