This post was last edited by claudgreen on 2017-2-17 10:26
[Second batch: 28 suspicious files] Link: http://pan.baidu.com/s/1dFxcTtZ  Password: t66u
SHA256: f0cb4f2b3dacb3d6aad8edb98447637a0c36183c3685b5b246b888f8eef2e8ae
File name: virs.rar
Detection ratio: 29 / 55
Analysis date: 2017-02-17 01:59:06 UTC
https://www.virustotal.com/en/fi ... nalysis/1487296746/
----------------------------------------------------------------------------------------------------------
[First batch] Link: http://pan.baidu.com/s/1jIc9MRG  Password: h66w
Iyyesms.exe Portable Executable 12051888 Bytes
SHA256 4abd26e8e31617d6664f3a98cd3c6fc3b2341ea1ae663780ea76b9b4f3e7f7e4
Datetime 2016-08-14 20:56:08
Detection ratio Unknown when this report was generated
Antivirus scan for eb61b7f8537f486335b3e8135970072595fdda6dd0e819ffbcd7feaa0777567c at UTC - VirusTotal https://www.virustotal.com/en/fi ... analysis/1487215861
Tencent Habo analysis of the most suspicious object:
https://habo.qq.com/file/showdetail?pk=ADYGb11sB2QIMVs7
Basic information
File name:
Iyyesms.exe
MD5: 87f8f1661f3d90983269ca3a86627734
File type: EXE
Upload time: 2017-02-15 09:57:39
Publisher: Thunder Network
Version: 1.0.0.1---1
Packer/compiler info: PACKER:UPolyX v0.5
Key behaviors
Behavior: Checks whether Virtual PC is present
Details:
N/A
Behavior: Reads the CPU clock directly
Details:
EAX = 0x131b0148, EDX = 0x00001197
EAX = 0x131b0194, EDX = 0x00001197
EAX = 0x131b01e0, EDX = 0x00001197
EAX = 0x131b022c, EDX = 0x00001197
EAX = 0x131b0278, EDX = 0x00001197
EAX = 0x131b02c4, EDX = 0x00001197
EAX = 0x131b0310, EDX = 0x00001197
EAX = 0x131b035c, EDX = 0x00001197
EAX = 0x131b03a8, EDX = 0x00001197
EAX = 0x131b03f4, EDX = 0x00001197
EAX = 0x87a730ea, EDX = 0x0000119b
EAX = 0x87a73136, EDX = 0x0000119b
EAX = 0x87a73182, EDX = 0x0000119b
EAX = 0x87a731ce, EDX = 0x0000119b
EAX = 0x87a7321a, EDX = 0x0000119b
Behavior: Tries to open the driver device objects of debuggers or monitoring software
Details:
\??\SICE
\??\SIWVID
\??\NTICE
Behavior: Self-deletion
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior: Opens registry keys (virtual machine detection)
Details:
\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: Creates a system service
Details:
[Service created successfully]: Thunqwk Programc, C:\Program Files\Windows NT\Iyyesms.exe
Behavior: Gets the TickCount value
Details:
TickCount = 5443796, SleepMilliseconds = 5000.
TickCount = 5441265, SleepMilliseconds = 500.
TickCount = 5441281, SleepMilliseconds = 500.
TickCount = 5441296, SleepMilliseconds = 500.
TickCount = 5456031, SleepMilliseconds = 15000.
TickCount = 5456093, SleepMilliseconds = 15000.
TickCount = 5441282, SleepMilliseconds = 1.
TickCount = 5441376, SleepMilliseconds = 1.
TickCount = 5441751, SleepMilliseconds = 1.
TickCount = 5444907, SleepMilliseconds = 1.
Behavior: Queries registry keys (virtual machine detection)
Details:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior: Looks up a specific kernel module
Details:
lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE driver
Behavior: Searches for windows of common anti-virus/analysis tools
Details:
NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: Detects a virtual machine via the VMware special instruction
Details:
N/A
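The behavior list above is Habo's raw output. As an added example that is not part of the original post or of the Habo service, the Python script below parses a report pasted in that format, tags the anti-debug, anti-VM and persistence indicators (the category labels are this example's own mapping, not Habo's), and reassembles the EDX:EAX pairs into 64-bit RDTSC readings to check whether consecutive samples are evenly spaced. The embedded REPORT is a constructed subset of the lines shown above.

```python
"""Triage a pasted Tencent Habo behaviour report (example code, not Habo's
own tooling): split it into behaviour entries, tag anti-analysis indicators,
and check the RDTSC readings for suspiciously regular spacing.

REPORT below is a constructed subset of the lines reported for Iyyesms.exe
(MD5 87f8f1661f3d90983269ca3a86627734); the indicator labels are this
example's own mapping, not part of Habo's output.
"""
import re
from collections import defaultdict

# Habo's report uses the markers "行为描述:" (behaviour) and "详情信息:" (details).
REPORT = r"""
行为描述: 直接获取CPU时钟
详情信息:
EAX = 0x131b0148, EDX = 0x00001197
EAX = 0x131b0194, EDX = 0x00001197
EAX = 0x131b01e0, EDX = 0x00001197
EAX = 0x131b022c, EDX = 0x00001197
行为描述: 尝试打开调试器或监控软件的驱动设备对象
详情信息:
\??\SICE
\??\SIWVID
\??\NTICE
行为描述: 打开注册表_检测虚拟机相关
详情信息:
\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
行为描述: 创建系统服务
详情信息:
[服务创建成功]: Thunqwk Programc, C:\Program Files\Windows NT\Iyyesms.exe
行为描述: 查找反病毒常用工具窗口
详情信息:
NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
"""

# One RDTSC sample as Habo prints it: low 32 bits in EAX, high 32 bits in EDX.
RDTSC_RE = re.compile(r"EAX = 0x([0-9a-f]{8}), EDX = 0x([0-9a-f]{8})", re.I)

# Detail-line patterns -> indicator label (labels are this example's own).
PATTERNS = [
    ("anti-debug: SoftICE device probe", re.compile(r"\\\?\?\\(SICE|SIWVID|NTICE)\b", re.I)),
    ("anti-debug: analysis-tool window search", re.compile(r"NtUserFindWindowEx")),
    ("anti-vm: VirtualBox ACPI table", re.compile(r"\\ACPI\\DSDT\\VBOX__", re.I)),
    ("anti-analysis: RDTSC timing", RDTSC_RE),
    ("persistence: service created", re.compile(r"\[服务创建成功\]")),
]


def parse_habo(text):
    """Split the pasted report into (behaviour description, [detail lines]) pairs."""
    entries, desc, details = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("行为描述:"):
            if desc is not None:
                entries.append((desc, details))
            desc, details = line.split(":", 1)[1].strip(), []
        elif line.startswith("详情信息:") or not line:
            continue
        else:
            details.append(line)
    if desc is not None:
        entries.append((desc, details))
    return entries


def classify(entries):
    """Tag every detail line that matches one of PATTERNS; returns label -> lines."""
    hits = defaultdict(list)
    for _desc, details in entries:
        for line in details:
            for label, rx in PATTERNS:
                if rx.search(line):
                    hits[label].append(line)
    return dict(hits)


def rdtsc_values(lines):
    """Rebuild the 64-bit time-stamp counter value (EDX:EAX) from each sample line."""
    vals = []
    for line in lines:
        m = RDTSC_RE.search(line)
        if m:
            eax, edx = int(m.group(1), 16), int(m.group(2), 16)
            vals.append((edx << 32) | eax)
    return vals


def rdtsc_deltas(vals):
    """Cycle counts between consecutive RDTSC samples."""
    return [b - a for a, b in zip(vals, vals[1:])]


def triage(text):
    """Full pass: indicators plus an RDTSC regularity flag (identical deltas)."""
    entries = parse_habo(text)
    deltas = rdtsc_deltas(rdtsc_values(l for _, d in entries for l in d))
    regular = len(deltas) >= 2 and len(set(deltas)) == 1
    return {"indicators": classify(entries), "rdtsc_deltas": deltas, "rdtsc_regular": regular}


if __name__ == "__main__":
    result = triage(REPORT)
    for label, lines in sorted(result["indicators"].items()):
        print(f"{label}: {len(lines)} line(s)")
    print("RDTSC deltas:", result["rdtsc_deltas"], "regular:", result["rdtsc_regular"])
```

For the four RDTSC samples reproduced here the deltas come out as exactly 76 cycles each. Back-to-back RDTSC reads on real hardware jitter, so a perfectly regular sequence is the kind of signature a hooked or emulated counter tends to leave (my reading of the numbers, not a claim from the report); it is also exactly what a timing-based sandbox check in the sample would be looking for, which is worth keeping in mind when weighing the "直接获取CPU时钟" entry against the sandbox's own instrumentation.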