This post was last edited by 191196846 on 2017-9-12 20:25
This is the first time I've run into a sample that got past my protection....
VT (3/59) https://www.virustotal.com/#/fil ... 4540e9f25/detection
I ran the doc inside the sandbox; after running it popped up twice in a row.... then HIPS intercepted it (the dropped file's path was outside the sandbox), and, being clever, I clicked Block-all.
The dropped file was uploaded for cloud analysis: unknown.
VT (8/64) https://www.virustotal.com/#/fil ... 2a9426624/detection
Could it have been my own mistake that let it through....
Checked with 360TSE, it didn't find anything.
A bit scared...
Habo: high risk
基本信息
文件名称:
1day.exe
MD5: e960ed10902d903dcf2a98233181a8ca
文件类型: EXE
上传时间: 2017-09-12 19:24:46
出品公司: N/A
版本: N/A
壳或编译器信息: COMPILER:NSIS
子文件信息:
Uninstall.exe / 8d67546632276e864ed86f26919d8e0e / EXE
539762303 / 369f55c968e66ad9dc6f4f6516b1c590 / Unknown
System.dll / 55a26d7800446f1373056064c64c3ce8 / DLL
nsDialogs.dll / ee449b0adce56fbfa433b0239f3f81be / DLL
LangDLL.dll / ea60c7bd5edd6048601729bd31362c16 / DLL
关键行为
行为描述: 跨进程写入数据
详情信息:
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000c2c
TargetProcess = C:\Documents and Settings\Administrator\Application Data\Install\1day, WriteAddress = 0x7ffdd008, Size = 0x00000004 TargetPID = 0x00000d58
行为描述: 设置线程上下文
详情信息:
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
C:\Documents and Settings\Administrator\Application Data\Install\1day
行为描述: 修改注册表_启动项
详情信息:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Java
进程行为
行为描述: 隐藏窗口创建进程
详情信息:
ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
ImagePath = C:\Documents and Settings\Administrator\Application Data\Install\1day, CmdLine = -m "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
行为描述: 创建进程
详情信息:
[0x00000c2c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
行为描述: 创建新文件进程
详情信息:
[0x00000c34]ImagePath = C:\Documents and Settings\Administrator\Application Data\Install\1day, CmdLine = -m "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
[0x00000d58]ImagePath = C:\Documents and Settings\Administrator\Application Data\Install\1day, CmdLine = -m "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
行为描述: 跨进程写入数据
详情信息:
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000c2c
TargetProcess = C:\Documents and Settings\Administrator\Application Data\Install\1day, WriteAddress = 0x7ffdd008, Size = 0x00000004 TargetPID = 0x00000d58
行为描述: 设置线程上下文
详情信息:
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
C:\Documents and Settings\Administrator\Application Data\Install\1day
行为描述: 创建本地线程
详情信息:
TargetProcess: 1day, InheritedFromPID = 3124, ProcessID = 3416, ThreadID = 3424, StartAddress = 77C0A341, Parameter = 00903C80
文件行为
行为描述: 创建文件
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temp\nso3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\539762303
C:\Documents and Settings\Administrator\Local Settings\Temp\nsj4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsj4.tmp\System.dll
C:\Documents and Settings\Administrator\Application Data\Install\1day
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsm6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsm6.tmp\System.dll
C:\Documents and Settings\Administrator\Application Data\Install\.IgHiJkLiO
行为描述: 创建可执行文件
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsj4.tmp\System.dll
C:\Documents and Settings\Administrator\Application Data\Install\1day
C:\Documents and Settings\Administrator\Local Settings\Temp\nsm6.tmp\System.dll
行为描述: 覆盖已有文件
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temp\539762303
行为描述: 查找文件
详情信息:
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj4.tmp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings\Administrator\Application Data\Install
FileName = C:\Documents and Settings\Administrator\Application Data\Install\1day
FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp
行为描述: 删除文件
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temp\nso3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsj4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsm6.tmp
行为描述: 修改文件内容
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temp\539762303 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\539762303 ---> Offset = 16165
C:\Documents and Settings\Administrator\Local Settings\Temp\539762303 ---> Offset = 32316
C:\Documents and Settings\Administrator\Local Settings\Temp\539762303 ---> Offset = 48474
C:\Documents and Settings\Administrator\Local Settings\Temp\539762303 ---> Offset = 64631
C:\Documents and Settings\Administrator\Local Settings\Temp\nsj4.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Install\1day ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Install\1day ---> Offset = 32768
C:\Documents and Settings\Administrator\Application Data\Install\1day ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\Install\1day ---> Offset = 98304
C:\Documents and Settings\Administrator\Application Data\Install\1day ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\nsm6.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Install\.IgHiJkLiO ---> Offset = 0
网络行为
行为描述: 建立到一个指定的套接字连接
详情信息:
IP: **.0.0.**:3380, SOCKET = 0x000000a8
注册表行为
行为描述: 修改注册表_系统动态组件
详情信息:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{SU60632U-NH5E-B175-1B86-J7K6RBN22VI8}\StubPath
行为描述: 修改注册表_启动项
详情信息:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Java
其他行为
行为描述: 创建互斥体
详情信息:
oleacc-msaa-loaded
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
cPSdeemG
行为描述: 创建事件对象
详情信息:
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
行为描述: 生成会话密钥
详情信息:
[CryptDeriveKey] Algorithm: CALG_AES_256 (0x00006610) Flags: 0x00000001
行为描述: 调整进程token权限
详情信息:
SE_LOAD_DRIVER_PRIVILEGE
行为描述: 打开事件
详情信息:
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
Global\crypt32LogoffEvent
行为描述: 可执行文件签名信息
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsj4.tmp\System.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Install\1day(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsm6.tmp\System.dll(签名验证: 未通过)
行为描述: 可执行文件MD5
详情信息:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsj4.tmp\System.dll ---> 55a26d7800446f1373056064c64c3ce8
C:\Documents and Settings\Administrator\Application Data\Install\1day ---> e960ed10902d903dcf2a98233181a8ca
C:\Documents and Settings\Administrator\Local Settings\Temp\nsm6.tmp\System.dll ---> 55a26d7800446f1373056064c64c3ce8
行为描述: 打开互斥体
详情信息:
ShimCacheMutex
行为描述: 解密数据
详情信息:
[CryptDecrypt] Data: 0x00B20000, CipherTextLen: 91152, PlainTextLen: 91136, Flags: 0x00000000
行为描述: 加载新释放的文件
详情信息:
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj4.tmp\System.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsm6.tmp\System.dll.
进程树
****.exe (PID: 0x00000b50)
****.exe (PID: 0x00000c2c)
1day (PID: 0x00000c34)