Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp03-1 | 2022-08-29 15:19:05 | 2022-08-29 15:19:38 | 33 seconds

Maldun score

0.15

Normal

File details

File name 1.exe
File size 284160 bytes
File type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 1495388c7e5bbc5d9b2fba7fadadeda2
SHA1 72419d6b7f0e39e9417817529d2a8bbbb215432a
SHA256 023f0d9e0650ba904b7300e11c758790bd6101725c8e73c46d52f5c41a5a511a
SHA512 bbdecd6d63956ac8b83a36677026f529dc86f7c0ea3f0939423bc1a7d16bf25cfed0d6f0580c39f213b565330db39bfb1a0ae1ef0a3f9ada82e41484a693694e
CRC32 A48D7AC7
Ssdeep 6144:BGZ3dbBmv67XYLEud7wtYD6jtaynbKW3+COMQ:BGn4g89wtYDQtBKU+CO

Screenshots

No screenshots available

Hosts contacted

No host records.

Domain resolution

No domain information.


Summary

PE information

Base address 0x00400000
Entry point 0x004010ed
Declared checksum 0x00047b84
Actual checksum 0x00047b84
Minimum OS version required 4.0
Compile time 2022-08-29 10:36:35
Import hash 0bc7f239ab63d36655be7bb7a981e081
Icon
Icon exact hash 770fda66feee9bf815829c56c82d92e8
Icon similarity hash 9f9723dd0742521d6814a4b540d47141

Version information

LegalCopyright Copyright (C) 2005-2018 IQIYI Inc. All Rights Reserved.
FileVersion 3.0.0.5
CompanyName IQIYI Inc.
ProductName Download Client
ProductVersion 3.0.0.5
FileDescription Download Client
Translation 0x0000 0x04b0

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x0000ee18 0x0000f000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_16BYTES 6.24
.data 0x00010000 0x00000170 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 1.05
.rdata 0x00011000 0x0001bc70 0x0001be00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_32BYTES 6.13
.eh_fram 0x0002d000 0x00000004 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.00
.pdata 0x0002e000 0x00000aa4 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 4.49
.xdata 0x0002f000 0x000009e4 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 4.16
.bss 0x00030000 0x00012740 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 0.00
.idata 0x00043000 0x000008f8 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 3.97
.CRT 0x00044000 0x00000068 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_8BYTES 0.27
.tls 0x00045000 0x00000010 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_8BYTES 0.00
.rsrc 0x00046000 0x00017ade 0x00017c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 2.64

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_ICON 0x00053e18 0x000094a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 dBase III DBT, version number 0, next free block index 40
RT_ICON 0x00053e18 0x000094a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 dBase III DBT, version number 0, next free block index 40
RT_ICON 0x00053e18 0x000094a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 dBase III DBT, version number 0, next free block index 40
RT_ICON 0x00053e18 0x000094a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 dBase III DBT, version number 0, next free block index 40
RT_ICON 0x00053e18 0x000094a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 dBase III DBT, version number 0, next free block index 40
RT_ICON 0x00053e18 0x000094a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 dBase III DBT, version number 0, next free block index 40
RT_ICON 0x00053e18 0x000094a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 dBase III DBT, version number 0, next free block index 40
RT_DIALOG 0x0005d534 0x000000e2 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_DIALOG 0x0005d534 0x000000e2 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_DIALOG 0x0005d534 0x000000e2 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_DIALOG 0x0005d534 0x000000e2 LANG_ENGLISH SUBLANG_ENGLISH_US 2.88 data
RT_GROUP_ICON 0x0005d618 0x00000068 LANG_ENGLISH SUBLANG_ENGLISH_US 2.99 MS Windows icon resource - 7 icons, 16x16
RT_VERSION 0x0005d680 0x00000294 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.40 data
RT_MANIFEST 0x0005d914 0x000001ca LANG_ENGLISH SUBLANG_ENGLISH_US 5.06 XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

Imports

Library: KERNEL32.dll:
0x443268 FreeLibrary
0x443270 GetLastError
0x443278 GetModuleHandleA
0x443280 GetProcAddress
0x443288 GetStartupInfoA
0x443298 IsDBCSLeadByteEx
0x4432a8 LoadLibraryA
0x4432b0 MultiByteToWideChar
0x4432c0 Sleep
0x4432c8 TlsGetValue
0x4432d0 VirtualAlloc
0x4432d8 VirtualFree
0x4432e0 VirtualProtect
0x4432e8 VirtualQuery
0x4432f0 WideCharToMultiByte
Library: msvcrt.dll:
0x443308 ___lc_codepage_func
0x443310 ___mb_cur_max_func
0x443318 __getmainargs
0x443320 __initenv
0x443328 __iob_func
0x443330 __lconv_init
0x443338 __set_app_type
0x443340 __setusermatherr
0x443348 _acmdln
0x443350 _amsg_exit
0x443358 _cexit
0x443360 _commode
0x443368 _errno
0x443370 _fileno
0x443378 _fmode
0x443380 _initterm
0x443388 _lock
0x443390 _onexit
0x443398 _setjmp
0x4433a0 _setmode
0x4433a8 _unlock
0x4433b0 abort
0x4433b8 calloc
0x4433c0 exit
0x4433c8 fflush
0x4433d0 fprintf
0x4433d8 fputc
0x4433e0 free
0x4433e8 fwrite
0x4433f0 localeconv
0x4433f8 longjmp
0x443400 malloc
0x443408 memcpy
0x443410 memset
0x443418 signal
0x443420 strerror
0x443428 strlen
0x443430 strncmp
0x443438 vfprintf
0x443440 wcslen
Library: USER32.dll:
0x443450 MessageBoxA

.text
P`.data
.rdata
.pdata
0@.xdata
0@.bss
.idata
.rsrc
libgcc_s_dw2-1.dll
__register_frame_info
__deregister_frame_info
[GC] cannot register thread local variable; too many thread local variables
[GC] cannot register global variable; too many global variables
could not import:
inet_ntop
could not load:
(bad format; library may be wrong architecture)
virtualFree failing!
Error: unhandled exception:
OverflowDefect
fatal.nim
sysFatal
ValueError
base64.nim
decode
parent
procname
filename
trace
VirtualAllocExNuma
GetCurrentProcess
GetTickCount64
GlobalMemoryStatusEx
VirtualAlloc
Field0
Field1
zonedTimeFromTimeImpl
zonedTimeFromAdjTimeImpl
bCryptGenRandom
queryProcessCycleTime
queryUnbiasedInterruptTime
queryIdleProcessorCycleTime
coresCount
hIntel
@kernel32
@kernel32
@tfQo1G3Uw0wgjPOFwJ7k9Q==
@zcKGBLwPedioXZWuQcmq
No antivirus engine scan information!

Process tree


1.exe, PID: 2608, parent PID: 2244
Time | TID | Caller address | API | Parameters | Status | Return value | Repeat count
2022-05-01 15:19:06,476 2612 0x0040130c
0x0040110e
SetUnhandledExceptionFilter success 0x00000001
2022-05-01 15:19:06,476 2612 0x004016ee
0x00408747
LdrGetDllHandle ModuleHandle: 0x00000000
FileName: libgcc_s_dw2-1.dll
failed DLL_NOT_FOUND 1 time
2022-05-01 15:19:06,476 2612 0x00408068
0x004086aa
LdrLoadDll Flags: 0x00000000
BaseAddress: 0x00000000
FileName: kernel32
success 0x00000000
2022-05-01 15:19:06,476 2612 0x00402ff7
0x00408088
LdrGetProcedureAddress Ordinal: 0
ModuleName: kernel32.dll
FunctionName: VirtualAllocExNuma
FunctionAddress: 0x77b8bba0
ModuleHandle: 0x77b40000
success 0x00000000
2022-05-01 15:19:06,476 2612 0x00402ff7
0x004080a2
LdrGetProcedureAddress Ordinal: 0
ModuleName: kernel32.dll
FunctionName: GetCurrentProcess
FunctionAddress: 0x77b55cf0
ModuleHandle: 0x77b40000
success 0x00000000
2022-05-01 15:19:06,476 2612 0x00402ff7
0x004080bc
LdrGetProcedureAddress Ordinal: 0
ModuleName: kernel32.dll
FunctionName: GetTickCount64
FunctionAddress: 0x77b49450
ModuleHandle: 0x77b40000
success 0x00000000
2022-05-01 15:19:06,476 2612 0x00402ff7
0x004080d6
LdrGetProcedureAddress Ordinal: 0
ModuleName: kernel32.dll
FunctionName: GlobalMemoryStatusEx
FunctionAddress: 0x77b48920
ModuleHandle: 0x77b40000
success 0x00000000
2022-05-01 15:19:06,476 2612 0x00402ff7
0x004080f0
LdrGetProcedureAddress Ordinal: 0
ModuleName: kernel32.dll
FunctionName: VirtualAlloc
FunctionAddress: 0x77b567a0
ModuleHandle: 0x77b40000
success 0x00000000
2022-05-01 15:19:06,476 2612 0x0040317c
0x0040862b
LdrLoadDll Flags: 0x00000000
BaseAddress: 0x00000000
FileName: Ws2_32.dll
success 0x00000000
2022-05-01 15:19:06,476 2612 0x0040317c
0x0040862b
NtQuerySystemTime success 0x00000000 30 times
2022-05-01 15:19:06,476 2612 0x00403191
0x0040862b
LdrGetProcedureAddress Ordinal: 0
ModuleName: Ws2_32.dll
FunctionName: inet_ntop
FunctionAddress: 0x7fefed29630
ModuleHandle: 0x7fefed10000
success 0x00000000
2022-05-01 15:19:06,492 2612 0x004070e8
0x00408648
NtAllocateVirtualMemory StackPivoted: no
Protection: PAGE_EXECUTE_READ
ProcessHandle: 0xffffffffffffffff
RegionSize: 0x00001000
BaseAddress: 0x003d0000
success 0x00000000
2022-05-01 15:19:06,492 2612 0x004076e1
0x00408648
GlobalMemoryStatusEx TotalPhysicalMB: 2048
MemoryLoad: 53
success 0x00000001
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
LdrGetDllHandle ModuleHandle: 0x0022f6f0
FileName: mscoree.dll
failed DLL_NOT_FOUND 1 time
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
NtTerminateProcess ProcessHandle: 0x00000000
ExitCode: 0x00000000
success 0x00000000
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
NtClose Handle: 0x00000068
success 0x00000000
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
NtClose Handle: 0x0000006c
success 0x00000000
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
NtClose Handle: 0x0000003c
success 0x00000000
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
GetSystemTimeAsFileTime success 0x00000000
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
NtWaitForSingleObject Status: Skipped
Handle: 0x00000034
Milliseconds: 60000
success 0x00000000
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
NtClose Handle: 0x00000034
success 0x00000000
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
NtClose Handle: 0x0000007c
success 0x00000000
2022-05-01 15:19:06,492 2612 0x0040770c
0x00408648
NtClose Handle: 0x0000001c
success 0x00000000
2022-05-01 15:19:06,508 2612 0x0040770c
0x00408648
NtOpenKey ObjectAttributes: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
DesiredAccess: KEY_READ
KeyHandle: 0x0000001c
ObjectAttributesHandle: 0x00000000
ObjectAttributesName: \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
success 0x00000000
2022-05-01 15:19:06,508 2612 0x0040770c
0x00408648
NtQueryValueKey FullName: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
KeyHandle: 0x0000001c
ValueName: DisableMetaFiles
failed OBJECT_NAME_NOT_FOUND
2022-05-01 15:19:06,508 2612 0x0040770c
0x00408648
NtClose Handle: 0x0000001c
success 0x00000000
2022-05-01 15:19:06,508 2612 0x0040770c
0x00408648
NtTerminateProcess ProcessHandle: 0xffffffffffffffff
ExitCode: 0x00000000
success 0x00000000

TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 49160 23.215.102.187 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP requests

URI | HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic
Sorry! No files were dropped.
No similar analyses found.

Processing ( 25.478 seconds )

  • 11.942 Suricata
  • 9.358 Strings
  • 1.778 VirusTotal
  • 0.951 NetworkAnalysis
  • 0.61 Static
  • 0.424 TargetInfo
  • 0.392 peid
  • 0.011 AnalysisInfo
  • 0.009 BehaviorAnalysis
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 1.378 seconds )

  • 1.303 md_url_bl
  • 0.011 antiav_detectreg
  • 0.009 md_domain_bl
  • 0.005 anomaly_persistence_autorun
  • 0.005 infostealer_ftp
  • 0.004 antiav_detectfile
  • 0.004 ransomware_files
  • 0.003 geodo_banking_trojan
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.003 network_http
  • 0.003 ransomware_extensions
  • 0.002 tinba_behavior
  • 0.002 cerber_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http

Reporting ( 0.491 seconds )

  • 0.491 ReportHTMLSummary
Task ID 706123
Mongo ID 630c68b27e769a67076bfd47
Cuckoo release 1.4-Maldun