魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2024-04-22 19:59:49 | 2024-04-22 20:00:46 | 57 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp02-1 | win7-sp1-x64-shaapp02-1 | KVM | 2024-04-22 19:59:51 | 2024-04-22 20:00:48 |
| 魔盾分数 |
|---|
1.4正常的 |
文件详细信息
| 文件名 | 附件.exe |
|---|---|
| 文件大小 | 8667536 字节 |
| 文件类型 | PE32+ executable (GUI) x86-64, for MS Windows |
| CRC32 | 0F4850B3 |
| MD5 | 997529fc403a23644c79b12935d2cc96 |
| SHA1 | 90dcf069bdca0c81042c057a855be71c99feed40 |
| SHA256 | a5e88c0e5cad02222695d024957e525459cb7f575c21e41c29deff7889312f14 |
| SHA512 | 27832fdfb35cb2149c9b31a66ec56b30a495003fe8cd7b04ee51890cb3e5ab5def74b1b264407cc11de6ca3a0a83cdbfd1691dd5f5771d90ad855ec749c8fe86 |
| Ssdeep | 24576:JWuyFUXsn15uysu4uJPp5ylu2LXK6DVpjMEtiijfc+Wc9/6MlhED5izzpg6ySY8f:ouyFUXsn15uysu/Pp5ysBxIZ |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
专有的Yara规则检测结果 - 安全告警
Informational: Possibly employs anti-virtualization techniques
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
运行截图
网络分析
TCP连接
| IP地址 | 端口 |
|---|---|
| 23.63.242.91 | 80 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
静态分析
PE 信息
| 初始地址 | 0x140000000 |
|---|---|
| 入口地址 | 0x1400013d0 |
| 声明校验值 | 0x009dab46 |
| 实际校验值 | 0x00851bbe |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2024-04-15 12:15:25 |
| 载入哈希 | 8f6ad62a33a89fad40981d224725251e |
版本信息
| LegalCopyright: | Copyright\xa92024 Kingsoft Corporation. All rights reserved. |
| FileVersion: | 12.1.0.16729 |
| CompanyName: | Zhuhai Kingsoft Office Software Co.,Ltd |
| ProductName: | WPS Office |
| ProductVersion: | 12.1.0.16729 |
| FileDescription: | WPS Office |
| OriginalFilename: | ksolaunch |
| Translation: | 0x0000 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000c4008 | 0x000c4200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.16 |
| .data | 0x000c6000 | 0x000032a0 | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.51 |
| .rdata | 0x000ca000 | 0x00744ca0 | 0x00744e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.74 |
| .pdata | 0x0080f000 | 0x0000bc04 | 0x0000be00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.98 |
| .xdata | 0x0081b000 | 0x0001081c | 0x00010a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.90 |
| .bss | 0x0082c000 | 0x00000cb0 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .idata | 0x0082d000 | 0x00001f9c | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.65 |
| .CRT | 0x0082f000 | 0x00000060 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.27 |
| .tls | 0x00830000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .rsrc | 0x00831000 | 0x000052d4 | 0x00005400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.84 |
| .reloc | 0x00837000 | 0x00001664 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.34 |
| /4 | 0x00839000 | 0x00000140 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 1.13 |
| /19 | 0x0083a000 | 0x000076b5 | 0x00007800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.86 |
| /31 | 0x00842000 | 0x00001222 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.69 |
| /45 | 0x00844000 | 0x0000136e | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.85 |
| /57 | 0x00846000 | 0x000008f0 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 3.81 |
| /70 | 0x00847000 | 0x000001ef | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.10 |
| /81 | 0x00848000 | 0x00000c6c | 0x00000e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.81 |
| /97 | 0x00849000 | 0x00000f0d | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.77 |
| /113 | 0x0084a000 | 0x00000114 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 2.98 |
导入
库 GDI32.dll:
• 0x14082d7d8 - AddFontResourceExA
• 0x14082d7e0 - BitBlt
• 0x14082d7e8 - CombineRgn
• 0x14082d7f0 - CreateBitmap
• 0x14082d7f8 - CreateCompatibleDC
• 0x14082d800 - CreateDIBSection
• 0x14082d808 - CreateFontIndirectA
• 0x14082d810 - CreateRectRgn
• 0x14082d818 - CreateRectRgnIndirect
• 0x14082d820 - DeleteDC
• 0x14082d828 - DeleteObject
• 0x14082d830 - EnumFontFamiliesExA
• 0x14082d838 - ExcludeClipRect
• 0x14082d840 - GetDeviceCaps
• 0x14082d848 - GetGlyphIndicesA
• 0x14082d850 - GetGlyphOutlineA
• 0x14082d858 - GetKerningPairsA
• 0x14082d860 - GetObjectA
• 0x14082d868 - GetOutlineTextMetricsA
• 0x14082d870 - GetRegionData
• 0x14082d878 - GetTextMetricsA
• 0x14082d880 - RemoveFontResourceExA
• 0x14082d888 - RestoreDC
• 0x14082d890 - SaveDC
• 0x14082d898 - SelectObject
• 0x14082d8a0 - SetBrushOrgEx
• 0x14082d8a8 - SetMapMode
• 0x14082d8b0 - SetMapperFlags
• 0x14082d8b8 - SetStretchBltMode
• 0x14082d8c0 - StretchBlt
• 0x14082d8c8 - StretchDIBits
库 KERNEL32.dll:
• 0x14082d8d8 - CloseHandle
• 0x14082d8e0 - CreateProcessW
• 0x14082d8e8 - CreateThread
• 0x14082d8f0 - DeleteCriticalSection
• 0x14082d8f8 - DuplicateHandle
• 0x14082d900 - EnterCriticalSection
• 0x14082d908 - EnumSystemFirmwareTables
• 0x14082d910 - ExitThread
• 0x14082d918 - FormatMessageA
• 0x14082d920 - GetCurrentProcess
• 0x14082d928 - GetCurrentThread
• 0x14082d930 - GetCurrentThreadId
• 0x14082d938 - GetExitCodeThread
• 0x14082d940 - GetLastError
• 0x14082d948 - GetModuleHandleA
• 0x14082d950 - GetProcAddress
• 0x14082d958 - GetSystemInfo
• 0x14082d960 - GetSystemTimeAsFileTime
• 0x14082d968 - GetTempPathW
• 0x14082d970 - GetThreadId
• 0x14082d978 - GetTimeZoneInformation
• 0x14082d980 - InitializeConditionVariable
• 0x14082d988 - InitializeCriticalSection
• 0x14082d990 - LeaveCriticalSection
• 0x14082d998 - LocalFree
• 0x14082d9a0 - MultiByteToWideChar
• 0x14082d9a8 - RaiseException
• 0x14082d9b0 - ResumeThread
• 0x14082d9b8 - RtlCaptureContext
• 0x14082d9c0 - RtlLookupFunctionEntry
• 0x14082d9c8 - RtlUnwindEx
• 0x14082d9d0 - RtlVirtualUnwind
• 0x14082d9d8 - SetLastError
• 0x14082d9e0 - SetUnhandledExceptionFilter
• 0x14082d9e8 - Sleep
• 0x14082d9f0 - SleepConditionVariableCS
• 0x14082d9f8 - TlsAlloc
• 0x14082da00 - TlsFree
• 0x14082da08 - TlsGetValue
• 0x14082da10 - TlsSetValue
• 0x14082da18 - TryEnterCriticalSection
• 0x14082da20 - VirtualProtect
• 0x14082da28 - VirtualQuery
• 0x14082da30 - WaitForSingleObject
• 0x14082da38 - WakeAllConditionVariable
• 0x14082da40 - WakeConditionVariable
• 0x14082da48 - WideCharToMultiByte
库 api-ms-win-crt-convert-l1-1-0.dll:
• 0x14082da58 - mbrtowc
• 0x14082da60 - strtoul
• 0x14082da68 - wcrtomb
库 api-ms-win-crt-environment-l1-1-0.dll:
• 0x14082da78 - __p__environ
• 0x14082da80 - __p__wenviron
• 0x14082da88 - getenv
库 api-ms-win-crt-filesystem-l1-1-0.dll:
• 0x14082da98 - _fstat64
库 api-ms-win-crt-heap-l1-1-0.dll:
• 0x14082daa8 - _set_new_mode
• 0x14082dab0 - calloc
• 0x14082dab8 - free
• 0x14082dac0 - malloc
• 0x14082dac8 - realloc
库 api-ms-win-crt-locale-l1-1-0.dll:
• 0x14082dad8 - ___lc_codepage_func
• 0x14082dae0 - ___mb_cur_max_func
• 0x14082dae8 - localeconv
• 0x14082daf0 - setlocale
库 api-ms-win-crt-math-l1-1-0.dll:
• 0x14082db00 - __setusermatherr
• 0x14082db08 - _fdopen
库 api-ms-win-crt-private-l1-1-0.dll:
• 0x14082db18 - __C_specific_handler
• 0x14082db20 - memchr
• 0x14082db28 - memcmp
• 0x14082db30 - memcpy
• 0x14082db38 - memmove
• 0x14082db40 - strchr
库 api-ms-win-crt-runtime-l1-1-0.dll:
• 0x14082db50 - __p___argc
• 0x14082db58 - __p___argv
• 0x14082db60 - __p___wargv
• 0x14082db68 - _cexit
• 0x14082db70 - _configure_narrow_argv
• 0x14082db78 - _configure_wide_argv
• 0x14082db80 - _crt_at_quick_exit
• 0x14082db88 - _crt_atexit
• 0x14082db90 - _errno
• 0x14082db98 - _exit
• 0x14082dba0 - _initialize_narrow_environment
• 0x14082dba8 - _initialize_wide_environment
• 0x14082dbb0 - _initterm
• 0x14082dbb8 - _set_app_type
• 0x14082dbc0 - _set_invalid_parameter_handler
• 0x14082dbc8 - abort
• 0x14082dbd0 - exit
• 0x14082dbd8 - signal
• 0x14082dbe0 - strerror
库 api-ms-win-crt-stdio-l1-1-0.dll:
• 0x14082dbf0 - __acrt_iob_func
• 0x14082dbf8 - __p__commode
• 0x14082dc00 - __p__fmode
• 0x14082dc08 - __stdio_common_vfprintf
• 0x14082dc10 - __stdio_common_vfwprintf
• 0x14082dc18 - __stdio_common_vsprintf
• 0x14082dc20 - _fileno
• 0x14082dc28 - _fseeki64
• 0x14082dc30 - _ftelli64
• 0x14082dc38 - _lseeki64
• 0x14082dc40 - _read
• 0x14082dc48 - _wfopen
• 0x14082dc50 - _write
• 0x14082dc58 - fclose
• 0x14082dc60 - fflush
• 0x14082dc68 - fopen
• 0x14082dc70 - fputc
• 0x14082dc78 - fputs
• 0x14082dc80 - fread
• 0x14082dc88 - fwrite
• 0x14082dc90 - getc
• 0x14082dc98 - getwc
• 0x14082dca0 - putc
• 0x14082dca8 - putwc
• 0x14082dcb0 - setvbuf
• 0x14082dcb8 - ungetc
• 0x14082dcc0 - ungetwc
库 api-ms-win-crt-string-l1-1-0.dll:
• 0x14082dcd0 - iswctype
• 0x14082dcd8 - memset
• 0x14082dce0 - strcmp
• 0x14082dce8 - strcoll
• 0x14082dcf0 - strlen
• 0x14082dcf8 - strncmp
• 0x14082dd00 - strxfrm
• 0x14082dd08 - towlower
• 0x14082dd10 - towupper
• 0x14082dd18 - wcscoll
• 0x14082dd20 - wcslen
• 0x14082dd28 - wcsxfrm
库 api-ms-win-crt-time-l1-1-0.dll:
• 0x14082dd38 - __daylight
• 0x14082dd40 - __timezone
• 0x14082dd48 - __tzname
• 0x14082dd50 - _tzset
• 0x14082dd58 - strftime
• 0x14082dd60 - wcsftime
库 api-ms-win-crt-utility-l1-1-0.dll:
• 0x14082dd70 - rand_s
库 USER32.dll:
• 0x14082dd80 - CallNextHookEx
• 0x14082dd88 - CreateIconIndirect
• 0x14082dd90 - DestroyCursor
• 0x14082dd98 - DestroyIcon
• 0x14082dda0 - DrawIcon
• 0x14082dda8 - EnumChildWindows
• 0x14082ddb0 - EnumDisplayMonitors
• 0x14082ddb8 - GetAncestor
• 0x14082ddc0 - GetDesktopWindow
• 0x14082ddc8 - GetIconInfo
• 0x14082ddd0 - GetMonitorInfoA
• 0x14082ddd8 - GetParent
• 0x14082dde0 - GetRawInputDeviceInfoA
• 0x14082dde8 - GetRawInputDeviceList
• 0x14082ddf0 - GetWindowInfo
• 0x14082ddf8 - GetWindowLongA
• 0x14082de00 - LoadCursorA
• 0x14082de08 - LoadIconA
• 0x14082de10 - MapWindowPoints
• 0x14082de18 - MessageBoxW
• 0x14082de20 - MonitorFromWindow
• 0x14082de28 - SetCaretPos
• 0x14082de30 - SetWindowLongA
• 0x14082de38 - SetWindowsHookExA
• 0x14082de40 - ShowCaret
• 0x14082de48 - ShowWindow
• 0x14082de50 - SystemParametersInfoA
• 0x14082de58 - UnhookWindowsHookEx
• 0x14082de60 - WindowFromPoint
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
______.exe PID: 2696, 上一级进程 PID: 2320
访问的文件
- C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
读取的文件
- C:\Users\test\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-1.DLL
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- api-ms-win-appmodel-runtime-l1-1-1.dll.GetCurrentPackageId