魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2024-03-27 16:43:41 | 2024-03-27 16:44:32 | 51 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2024-03-27 16:43:43 | 2024-03-27 16:44:38 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | setup查询名单_6013.exe |
|---|---|
| 文件大小 | 721792 字节 |
| 文件类型 | PE32+ executable (GUI) x86-64, for MS Windows |
| CRC32 | 1040D118 |
| MD5 | 377d00f0bb133a6415ce7e94208dfe33 |
| SHA1 | 656b839cab1bdc7691a465551ed5cf42f15c3134 |
| SHA256 | a46f5b1f41ec592fb1dff1fa413d42389d463644d6059a3abb1c721da674cd82 |
| SHA512 | 2719743251c2c57cd914f65961f63dc38586f377c82a12994d7530522ca9f54b4047ce00c9f0282e9482f16b4e5bc8c67af3481bdc113dfc7fa896a4b473ac59 |
| Ssdeep | 12288:9MSAsW4M7oeBM/FcccQqR0mGfUyCcR4TAPCNvSmurqV7V2L:IZ7XMtlcQCW9CcfmurW70L |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
创建RWX内存
wping.org IP地址信誉系统
Greylist: 152.195.38.76
发起了一些HTTP请求
URL: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
二进制文件可能包含加密或压缩数据
section: name: .text, entropy: 7.76, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000a4c00, virtual_size: 0x000a4b30
专有的Yara规则检测结果 - 安全告警
检查系统制造商,可能被用来实现反虚拟机
异常的二进制特征
anomaly: Found duplicated section names
检测到网络活动但没有显示在API日志中
country_name: United States
ip: 152.195.38.76
inaddrarpa:
hostname: cacerts.digicert.com
score: 5
ip: 152.195.38.76
domain: cacerts.digicert.com
可疑的样本异常终止
检查Bios版本,可能被用来实现反虚拟机
检查注册表中的磁盘驱动器,可能被用来实现反虚拟机
通过ACPI技术检测VirtualBox系统
通过注册表键检测VirtualBox系统
通过注册表键检测VMware系统
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 否 | 152.195.38.76 | United States |
域名解析
| 域名 | 响应 |
|---|---|
| cacerts.digicert.com |
CNAME fp2e7a.wpc.2be4.phicdn.net
CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76 |
TCP连接
| IP地址 | 端口 |
|---|---|
| 152.195.38.76 | 80 |
| 23.206.188.19 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
| http://cacerts.digicert.com/DigiCertTrustedRootG4.crt | GET /DigiCertTrustedRootG4.crt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: cacerts.digicert.com |
静态分析
PE 信息
| 初始地址 | 0x140000000 |
|---|---|
| 入口地址 | 0x1400f8ce8 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x000b2937 |
| 最低操作系统版本要求 | 5.2 |
| 编译时间 | 2024-03-21 21:15:36 |
| 载入哈希 | 5cd32662644b1a1517a29bd9fbaf6101 |
| 图标 |  |
| 图标精确哈希值 | f851536d8642eb81a4eb2fdc1dba3641 |
| 图标相似性哈希值 | 7c9ba2bdd2a8c45d5149ee6b6821ea21 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0001ed22 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x00020000 | 0x000079aa | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x00028000 | 0x000039a0 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .pdata | 0x0002c000 | 0x00001f44 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .vdata | 0x0002e000 | 0x00000536 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .vdata | 0x0002f000 | 0x00009000 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .text | 0x00038000 | 0x000a8550 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x000e1000 | 0x000096d8 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .text | 0x000eb000 | 0x000a4b30 | 0x000a4c00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.76 |
| .data | 0x00190000 | 0x000002b8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.32 |
| .reloc | 0x00191000 | 0x00000048 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.90 |
| .rsrc | 0x00192000 | 0x00008f54 | 0x00009000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.74 |
覆盖
| 偏移量: | 0x000ae600 |
| 大小: | 0x00001d80 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x00196388 | 0x0000485d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.97 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |
| RT_ICON | 0x00196388 | 0x0000485d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.97 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |
| RT_ICON | 0x00196388 | 0x0000485d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.97 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |
| RT_ICON | 0x00196388 | 0x0000485d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.97 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |
| RT_ICON | 0x00196388 | 0x0000485d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.97 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |
| RT_GROUP_ICON | 0x0019ac25 | 0x0000004c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.63 | MS Windows icon resource - 5 icons, 16x16 |
| RT_VERSION | 0x0019acb1 | 0x000002a0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.32 | data |
导入
库 WININET.dll:
• 0x140190290 - InternetCloseHandle
库 GDI32.dll:
• 0x140190298 - EnumFontsW
库 USER32.dll:
• 0x1401902a0 - GetDC
库 KERNEL32.dll:
• 0x1401902a8 - CreateFileW
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
setup_____________6013.exe PID: 2868, 上一级进程 PID: 2328
访问的文件
- C:\Users\test\AppData\Local\Temp\MSCVRT.DLL
- C:\Windows\sysnative\MSCVRT.DLL
- C:\Windows\system\MSCVRT.DLL
- C:\Windows\MSCVRT.DLL
- C:\ProgramData\Oracle\Java\javapath\MSCVRT.DLL
- C:\Windows\sysnative\wbem\MSCVRT.DLL
- C:\Windows\sysnative\WindowsPowerShell\v1.0\MSCVRT.DLL
- C:\Program Files (x86)\WinRAR\MSCVRT.DLL
- C:\Windows\Globalization\Sorting\sortdefault.nls
读取的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
- HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
- HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
- HKEY_LOCAL_MACHINE\HARDWARE\Description\System
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
- HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__
- HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vioscsi
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viostor
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VirtIO-FS Service
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VirtioSerial
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BALLOON
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BalloonService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netkvm
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
- HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
- HKEY_LOCAL_MACHINE\SOFTWARE\Wine
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\IDE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- wininet.dll.InternetCloseHandle
- gdi32.dll.EnumFontsW
- user32.dll.GetDC
- kernel32.dll.CreateFileW
- kernel32.dll.SetStdHandle
- kernel32.dll.WriteConsoleW
- kernel32.dll.VirtualAlloc
- kernel32.dll.GetLastError
- kernel32.dll.Sleep
- kernel32.dll.CloseHandle
- kernel32.dll.SetFilePointer
- kernel32.dll.FlushFileBuffers
- kernel32.dll.GetConsoleMode
- kernel32.dll.GetConsoleCP
- kernel32.dll.GetCommandLineW
- kernel32.dll.GetStartupInfoW
- kernel32.dll.RaiseException
- kernel32.dll.RtlPcToFileHeader
- kernel32.dll.HeapAlloc
- kernel32.dll.HeapFree
- kernel32.dll.GetCPInfo
- kernel32.dll.GetACP
- kernel32.dll.GetOEMCP
- kernel32.dll.IsValidCodePage
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.SetLastError
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.GetCurrentThread
- kernel32.dll.FlsAlloc
- kernel32.dll.HeapSize
- kernel32.dll.GetProcAddress
- kernel32.dll.GetModuleHandleW
- kernel32.dll.ExitProcess
- kernel32.dll.RtlUnwindEx
- kernel32.dll.EnterCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.RtlVirtualUnwind
- kernel32.dll.RtlLookupFunctionEntry
- kernel32.dll.RtlCaptureContext
- kernel32.dll.TerminateProcess
- kernel32.dll.GetCurrentProcess
- kernel32.dll.WriteFile
- kernel32.dll.GetStdHandle
- kernel32.dll.GetModuleFileNameW
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.SetHandleCount
- kernel32.dll.InitializeCriticalSectionAndSpinCount
- kernel32.dll.GetFileType
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.HeapSetInformation
- kernel32.dll.GetVersion
- kernel32.dll.HeapCreate
- kernel32.dll.HeapDestroy
- kernel32.dll.QueryPerformanceCounter
- kernel32.dll.GetTickCount
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.GetSystemTimeAsFileTime
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.LCMapStringW
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.GetStringTypeW
- kernel32.dll.FatalAppExitA
- kernel32.dll.GetUserDefaultLCID
- kernel32.dll.GetLocaleInfoW
- kernel32.dll.GetLocaleInfoA
- kernel32.dll.EnumSystemLocalesA
- kernel32.dll.IsValidLocale
- kernel32.dll.HeapReAlloc
- kernel32.dll.SetConsoleCtrlHandler
- kernel32.dll.FreeLibrary
- kernel32.dll.LoadLibraryW
- wininet.dll.InternetOpenW
- wininet.dll.InternetOpenUrlW
- wininet.dll.InternetReadFile
- ntdll.dll.NtSetContextThread
- ntdll.dll.NtClose
- ntdll.dll.NtGetContextThread
- ntdll.dll.NtOpenThread
- ntdll.dll.NtQuerySystemInformation
- ntdll.dll.NtFreeVirtualMemory
- ntdll.dll.NtAllocateVirtualMemory
- kernel32.dll.CheckRemoteDebuggerPresent
- kernel32.dll.RegEnumKeyExA
- kernel32.dll.RegQueryInfoKeyA
- shlwapi.dll.PathCombineA
- kernel32.dll.GetWindowsDirectoryA
- kernel32.dll.GetFileAttributesA
- kernel32.dll.RegCloseKey
- shell32.dll.StrStrIA
- kernel32.dll.RegQueryValueExA
- kernel32.dll.RegOpenKeyExA
- ntdll.dll.NtSetInformationThread
- kernel32.dll.RemoveVectoredExceptionHandler
- kernel32.dll.AddVectoredExceptionHandler
- kernel32.dll.GetThreadContext
- ntdll.dll.NtQueryInformationProcess
- kernel32.dll.GetModuleHandleA
- winmm.dll.timeSetEvent
- winmm.dll.timeKillEvent
- kernel32.dll.VirtualProtect
- kernel32.dll.IsProcessorFeaturePresent
- kernel32.dll.InitializeSListHead
- kernel32.dll.InterlockedFlushSList
- kernel32.dll.TlsAlloc
- kernel32.dll.TlsGetValue
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsFree
- kernel32.dll.LoadLibraryExW
- kernel32.dll.GetModuleHandleExW
- kernel32.dll.FindClose
- kernel32.dll.FindFirstFileExW
- kernel32.dll.FindNextFileW
- kernel32.dll.GetCommandLineA
- kernel32.dll.GetProcessHeap
- kernel32.dll.GetConsoleOutputCP
- kernel32.dll.SetFilePointerEx
- kernel32.dll.InitializeCriticalSectionEx
- kernel32.dll.LCMapStringEx
- kernel32.dll.AreFileApisANSI
- kernel32.dll.EnumSystemFirmwareTables
- kernel32.dll.GetSystemFirmwareTable
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle