File detection rating:
High risk
File name: 855658.rar
Basic information
File name: 855658.rar
MD5: 0a5a8991c335a0fb3549535846d7bfa2
File type: Rar
Upload time: 2017-07-07 10:17:32
Publisher: N/A
Version: N/A
Packer/compiler info: PACKER:UPolyX v0.5
Sub-file information:
855658.exedumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
855658.exe / 86d10b27f80f1a1f82c3b93625b6f4e2 / EXE
Key behaviors
Behavior: Queries file attributes to detect a virtual machine
Details:
GetFileAttributes: FileName = c:\documents and settings\administrator\「开始」菜单\程序\oracle vm virtualbox guest additions\
Behavior: Sets attributes on special folders
Details:
C:\Documents and Settings\Administrator\favorites
C:\Documents and Settings\Administrator\Favorites\链接
C:\Documents and Settings\Administrator\my documents
C:\Documents and Settings\Administrator\My Documents\My Music
C:\Documents and Settings\Administrator\My Documents\my pictures
C:\Documents and Settings\Administrator\UserData
C:\Documents and Settings\Administrator\UserData\01Q7WLAR
C:\Documents and Settings\Administrator\UserData\KL238XQ7
C:\Documents and Settings\Administrator\UserData\OH67GPIF
C:\Documents and Settings\Administrator\UserData\OX6JK5YB
C:\Documents and Settings\Administrator\「开始」菜单
C:\Documents and Settings\Administrator\「开始」菜单\程序
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动
C:\Documents and Settings\Administrator\「开始」菜单\程序\附件
C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\娱乐
Behavior: Reads the CPU clock directly
Details:
EAX = 0x0578e668, EDX = 0x000000b8
Behavior: Creates files on the desktop
Details:
C:\Documents and Settings\Administrator\桌面\_R_E_A_D___T_H_I_S___IV9G0_.hta
C:\Documents and Settings\Administrator\桌面\_R_E_A_D___T_H_I_S___0HTC3EZ_.txt
Behavior: Reads the TickCount value
Details:
TickCount = 223531, SleepMilliseconds = 1000.
TickCount = 223578, SleepMilliseconds = 1000.
TickCount = 223593, SleepMilliseconds = 1000.
TickCount = 223734, SleepMilliseconds = 1000.
TickCount = 223765, SleepMilliseconds = 1000.
TickCount = 223781, SleepMilliseconds = 1000.
TickCount = 223796, SleepMilliseconds = 1000.
TickCount = 223875, SleepMilliseconds = 1000.
TickCount = 223921, SleepMilliseconds = 1000.
TickCount = 223937, SleepMilliseconds = 1000.
TickCount = 223968, SleepMilliseconds = 1000.
TickCount = 224015, SleepMilliseconds = 1000.
TickCount = 224031, SleepMilliseconds = 1000.
TickCount = 224078, SleepMilliseconds = 1000.
TickCount = 224515, SleepMilliseconds = 1000.
Process behaviors
Behavior: Creates local threads
Details:
TargetProcess: 855658.exe, InheritedFromPID = 2000, ProcessID = 2616, ThreadID = 2728, StartAddress = 00406980, Parameter = 00000000
TargetProcess: 855658.exe, InheritedFromPID = 2000, ProcessID = 2616, ThreadID = 2760, StartAddress = 004066A5, Parameter = 00B463B0
TargetProcess: 855658.exe, InheritedFromPID = 2000, ProcessID = 2616, ThreadID = 3000, StartAddress = 004066A5, Parameter = 00B463B0
TargetProcess: 855658.exe, InheritedFromPID = 2000, ProcessID = 2616, ThreadID = 3004, StartAddress = 004066A5, Parameter = 00B46390
File behaviors
Behavior: Creates files
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\dcff734b\43cb.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\dcff734b\bc3f.tmp
C:\Documents and Settings\Administrator\_R_E_A_D___T_H_I_S___WR15S_.hta
C:\Documents and Settings\Administrator\_R_E_A_D___T_H_I_S___GOC044_.txt
C:\Documents and Settings\Administrator\My Documents\_R_E_A_D___T_H_I_S___9GIR928S_.hta
C:\Documents and Settings\Administrator\My Documents\_R_E_A_D___T_H_I_S___CAJ12Y_.txt
C:\Documents and Settings\Administrator\UserData\_R_E_A_D___T_H_I_S___FCMR6JHB_.hta
C:\Documents and Settings\Administrator\UserData\_R_E_A_D___T_H_I_S___R31UAR_.txt
C:\Documents and Settings\root\Cookies\_R_E_A_D___T_H_I_S___D4I6_.hta
C:\Documents and Settings\root\Cookies\_R_E_A_D___T_H_I_S___4JCY51_.txt
C:\_R_E_A_D___T_H_I_S___OTE5ICI_.hta
C:\_R_E_A_D___T_H_I_S___YXJC9S_.txt
C:\Python27\Doc\_R_E_A_D___T_H_I_S___TUPKUJA_.hta
C:\Python27\Doc\_R_E_A_D___T_H_I_S___ZXL2METZ_.txt
C:\Python27\include\_R_E_A_D___T_H_I_S___AA5MQ_.hta
Behavior: Searches for files
Details:
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\Documents and Settings\Administrator\Recent\*.lnk
FileName = C:\Program Files
FileName = c:\*
FileName = c:\222c25ed\*
FileName = c:\222c25ed\ie8-setup-full\*
FileName = c:\222c25ed\ie8-setup-full\log\*
FileName = c:\analyzecontrol\*
FileName = c:\diskd\*
FileName = c:\diskx\*
FileName = c:\documents and settings\*
FileName = c:\documents and settings\administrator\*
FileName = c:\documents and settings\administrator\.oracle_jre_usage\*
FileName = c:\documents and settings\administrator\cmb\*
Behavior: Renames files
Details:
C:\Documents and Settings\Administrator\UserData\index.dat ---> c:\documents and settings\administrator\userdata\FKJejI3E-Q.8911
C:\Documents and Settings\root\Cookies\index.dat ---> c:\documents and settings\root\cookies\9WNEjMTWdL.8911
C:\eula.2052.txt ---> c:\BlnsbwFRSv.8911
C:\Python27\Doc\license-openssl.txt ---> c:\python27\doc\XUQk6PplQI.8911
C:\Python27\Doc\license-python.txt ---> c:\python27\doc\iat9nBGKM5.8911
C:\Python27\Doc\license-tcltk.txt ---> c:\python27\doc\WajWyzoflM.8911
C:\Python27\Doc\LICENSE.txt ---> c:\python27\doc\mloEswG5vA.8911
C:\Python27\include\abstract.h ---> c:\python27\include\z1buGc8yta.8911
C:\Python27\include\bytes_methods.h ---> c:\python27\include\-UsGkrevV4.8911
C:\Python27\include\ceval.h ---> c:\python27\include\a8EGOOtZX2.8911
C:\Python27\include\classobject.h ---> c:\python27\include\sy6S2PAGwr.8911
C:\Python27\include\cobject.h ---> c:\python27\include\dfmQ01g58O.8911
C:\Python27\include\code.h ---> c:\python27\include\8OmofzQkkG.8911
C:\Python27\include\codecs.h ---> c:\python27\include\t8lWBVgAM9.8911
C:\Python27\include\cstringio.h ---> c:\python27\include\Mnb0FR4NSn.8911
Behavior: Modifies file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\dcff734b\43cb.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\dcff734b\bc3f.tmp ---> Offset = 0
C:\222c25ed\installer.zip ---> Offset = 1860
C:\222c25ed\installer.zip ---> Offset = 264004
C:\222c25ed\installer.zip ---> Offset = 526148
C:\222c25ed\installer.zip ---> Offset = 788292
C:\222c25ed\installer.zip ---> Offset = 1050436
C:\Documents and Settings\Administrator\_R_E_A_D___T_H_I_S___WR15S_.hta ---> Offset = 0
C:\Documents and Settings\Administrator\_R_E_A_D___T_H_I_S___GOC044_.txt ---> Offset = 0
C:\Documents and Settings\Administrator\My Documents\_R_E_A_D___T_H_I_S___9GIR928S_.hta ---> Offset = 0
C:\Documents and Settings\Administrator\My Documents\_R_E_A_D___T_H_I_S___CAJ12Y_.txt ---> Offset = 0
C:\Documents and Settings\Administrator\UserData\index.dat ---> Offset = 1860
C:\Documents and Settings\Administrator\UserData\index.dat ---> Offset = 1800
C:\Documents and Settings\Administrator\UserData\index.dat ---> Offset = 32768
C:\Documents and Settings\Administrator\UserData\index.dat ---> Offset = 32818
Other behaviors
Behavior: Creates mutexes
Details:
shell.{D66352C0-6C91-24D8-E1A2-94E37DAFC593}
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior: Creates event objects
Details:
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
Behavior: Opens a mutex
Details:
ShimCacheMutex
Behavior: Encrypts data
Details:
[CryptEncrypt] Data: 0x00B34A98, PlainTextLen: 107218, CipherTextLen: 107218, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B35FC8, PlainTextLen: 256, CipherTextLen: 256, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B3E598, PlainTextLen: 110, CipherTextLen: 110, Flags: 0x00000000
[CryptEncrypt] Data: 0x00C3AC50, PlainTextLen: 262144, CipherTextLen: 262144, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B3E730, PlainTextLen: 110, CipherTextLen: 110, Flags: 0x00000000
[CryptEncrypt] Data: 0x014D0050, PlainTextLen: 21180, CipherTextLen: 21180, Flags: 0x00000000
[CryptEncrypt] Data: 0x00C35E60, PlainTextLen: 50, CipherTextLen: 50, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B3E6A8, PlainTextLen: 110, CipherTextLen: 110, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B5F488, PlainTextLen: 50, CipherTextLen: 50, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B3E7B8, PlainTextLen: 110, CipherTextLen: 110, Flags: 0x00000000
[CryptEncrypt] Data: 0x014D0050, PlainTextLen: 30908, CipherTextLen: 30908, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B5F518, PlainTextLen: 50, CipherTextLen: 50, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B3E840, PlainTextLen: 110, CipherTextLen: 110, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B5F5A8, PlainTextLen: 50, CipherTextLen: 50, Flags: 0x00000000
[CryptEncrypt] Data: 0x00B3E950, PlainTextLen: 110, CipherTextLen: 110, Flags: 0x00000000
Behavior: Adjusts process token privileges
Details:
SE_SHUTDOWN_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior: Opens events
Details:
Global\crypt32LogoffEvent
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
Behavior: Calls the Sleep function
Details:
[1]: MilliSeconds = 1000.
[2]: MilliSeconds = 1000.
[3]: MilliSeconds = 1000.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[9]: MilliSeconds = 1.
[10]: MilliSeconds = 1.
Behavior: Imports keys
Details:
[CryptImportKey] Algorithm: CALG_RC4 (0x00006801), Data: 0x0012FCA0, DataLen: 28, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x001920B0, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x00B34EB0, DataLen: 130, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RC4 (0x00006801), Data: 0x014CF750, DataLen: 28, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RC4 (0x00006801), Data: 0x0118F750, DataLen: 28, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RC4 (0x00006801), Data: 0x0118F77C, DataLen: 28, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RC4 (0x00006801), Data: 0x014CF77C, DataLen: 28, Flags: 0x00000000
Copyright © 1998 - 2017 Tencent. All Rights Reserved.