Views: 1318 | Replies: 7

[Suspicious file] Reinstall?

zst470396853
Posted on 2017-9-15 15:59:23
Sample: http://down.baicaipe.com:88/onlinesetup/20170520/OnlineGhost_V9.0_online.exe
No password

j2016
Posted on 2017-9-15 16:01:57
Not detected by 360 Antivirus.
Jerry.Lin
Posted on 2017-9-15 16:03:43
Last edited by 191196846 on 2017-9-15 16:08

360TSE DP SAFE


VT : https://www.virustotal.com/#/fil ... 4f912f466/detection

Habo (high risk):

[mw_shl_code=css,true]基本信息
文件名称:       
OnlineGhost_V9.0_online.exe
MD5:        c839dd07c84e4d7184cd644b045ef63e
文件类型:        EXE
上传时间:        2017-09-15 16:04:13
出品公司:        www.win860.com
版本:        9.0.17.5---9.0.17.5
壳或编译器信息:        COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation *
关键行为
行为描述:        跨进程写入数据
详情信息:       
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000d3c
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000d3c
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll, WriteAddress = 0x7ffd3238, Size = 0x00000004 TargetPID = 0x00000d3c
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000ecc
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000ecc
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000ecc
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000eac
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000eac
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_, WriteAddress = 0x7ffdd238, Size = 0x00000004 TargetPID = 0x00000eac
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000efc
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000efc
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004 TargetPID = 0x00000efc
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_, WriteAddress = 0x00240000, Size = 0x00000020 TargetPID = 0x00000f38
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_, WriteAddress = 0x00240020, Size = 0x00000034 TargetPID = 0x00000f38
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_, WriteAddress = 0x7ffde238, Size = 0x00000004 TargetPID = 0x00000f38
行为描述:        获取硬件属性检测虚拟机
详情信息:       
检测Vmware: 调用WMI接口获取硬件信息
行为描述:        尝试打开调试器或监控软件的驱动设备对象
详情信息:       
\??\SICE
\??\NTICE
行为描述:        获取TickCount值
详情信息:       
TickCount = 203203, SleepMilliseconds = 60000.
TickCount = 203312, SleepMilliseconds = 60000.
TickCount = 203328, SleepMilliseconds = 60000.
TickCount = 203343, SleepMilliseconds = 60000.
TickCount = 203359, SleepMilliseconds = 60000.
TickCount = 203375, SleepMilliseconds = 60000.
TickCount = 203390, SleepMilliseconds = 60000.
TickCount = 203406, SleepMilliseconds = 60000.
TickCount = 203437, SleepMilliseconds = 60000.
TickCount = 203453, SleepMilliseconds = 60000.
TickCount = 203468, SleepMilliseconds = 60000.
TickCount = 143659, SleepMilliseconds = 50.
TickCount = 143690, SleepMilliseconds = 50.
TickCount = 144659, SleepMilliseconds = 50.
TickCount = 144690, SleepMilliseconds = 50.
行为描述:        设置特殊文件夹属性
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low\History.IE5
行为描述:        直接获取CPU时钟
详情信息:       
EAX = 0xd910dc8e, EDX = 0x00000076
EAX = 0xdbc3dc0a, EDX = 0x00000076
EAX = 0xdbc3dc56, EDX = 0x00000076
EAX = 0x00b5e183, EDX = 0x00000077
EAX = 0x9f9b3525, EDX = 0x00000077
EAX = 0xaf4ba0b8, EDX = 0x00000077
EAX = 0x7f3c5bb9, EDX = 0x00000077
EAX = 0x984c2d8d, EDX = 0x00000078
EAX = 0xbb214fdf, EDX = 0x00000078
EAX = 0xbb21502b, EDX = 0x00000078
EAX = 0xbb215077, EDX = 0x00000078
EAX = 0xbb2150c3, EDX = 0x00000078
EAX = 0xbb21510f, EDX = 0x00000078
进程行为
行为描述:        隐藏窗口创建进程
详情信息:       
ImagePath = , CmdLine = C:\Windows\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_ *
ImagePath = , CmdLine = C:\Windows\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_
ImagePath = , CmdLine = C:\Windows\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Roaming\WININST~258\Getptw.dll -a/part
行为描述:        创建进程
详情信息:       
[0x00000ecc]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_ *
[0x00000efc]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_
[0x00000b7c]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c C:\Users\ADMINI~1\AppData\Roaming\WININST~258\Getptw.dll -a/part
[0x00000980]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
行为描述:        创建新文件进程
详情信息:       
[0x00000d3c]ImagePath = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll, CmdLine = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll
[0x00000eac]ImagePath = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_, CmdLine = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_ *
[0x00000f38]ImagePath = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_, CmdLine = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_
[0x00000e94]ImagePath = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\Getptw.dll, CmdLine = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\Getptw.dll -a/part
行为描述:        枚举进程
详情信息:       
N/A
行为描述:        跨进程写入数据
详情信息:       
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000d3c
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000d3c
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll, WriteAddress = 0x7ffd3238, Size = 0x00000004 TargetPID = 0x00000d3c
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000ecc
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000ecc
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000ecc
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000eac
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000eac
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_, WriteAddress = 0x7ffdd238, Size = 0x00000004 TargetPID = 0x00000eac
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000efc
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000efc
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004 TargetPID = 0x00000efc
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_, WriteAddress = 0x00240000, Size = 0x00000020 TargetPID = 0x00000f38
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_, WriteAddress = 0x00240020, Size = 0x00000034 TargetPID = 0x00000f38
TargetProcess = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_, WriteAddress = 0x7ffde238, Size = 0x00000004 TargetPID = 0x00000f38
文件行为
行为描述:        创建文件
详情信息:       
C:\Users\Administrator\AppData\Local\Temp\aut2B1D.tmp
C:\Users\Administrator\AppData\Local\Temp\qnrdsol
C:\Users\Administrator\AppData\Local\Temp\aut2B6C.tmp
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll
C:\Users\Administrator\AppData\Local\Temp\aut2C29.tmp
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll
C:\Users\Administrator\AppData\Local\Temp\aut2C39.tmp
C:\Users\Administrator\AppData\Roaming\WININST~258\dsptw.exe
C:\Users\Administrator\AppData\Local\Temp\aut2C4A.tmp
C:\Users\Administrator\AppData\Roaming\WININST~258\Getptw.dll
C:\Users\Administrator\AppData\Local\Temp\aut2D45.tmp
C:\Users\Administrator\AppData\Roaming\WININST~258\bt-min-1.ITMP
C:\Users\Administrator\AppData\Local\Temp\aut2D65.tmp
C:\Users\Administrator\AppData\Roaming\WININST~258\bt-min-2.ITMP
C:\Users\Administrator\AppData\Local\Temp\~DF2C261CBD908ACB2C.TMP
行为描述:        创建可执行文件
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll
C:\Users\Administrator\AppData\Local\Temp\aut2C39.tmp
C:\Users\Administrator\AppData\Roaming\WININST~258\dsptw.exe
C:\Users\Administrator\AppData\Roaming\WININST~258\Getptw.dll
C:\Users\Administrator\AppData\Roaming\WININST~258\Computer.dll
C:\Users\Administrator\AppData\Roaming\WININST~258\ShowDrive.dl_
C:\Users\Administrator\AppData\Roaming\WININST~258\ShowEFI.dl_
C:\Users\Administrator\AppData\Roaming\WININST~258\Config.ini
行为描述:        覆盖已有文件
详情信息:       
C:\Users\Administrator\AppData\Local\Temp\aut2B1D.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2B6C.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2C29.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2C39.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2C4A.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2D45.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2D65.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2DFB.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E1C.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E31.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E42.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E4B.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E52.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E63.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E64.tmp
行为描述:        复制文件
详情信息:       
C:\Users\ADMINI~1\AppData\Local\Temp\aut2C39.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\dsptw.exe
C:\Users\ADMINI~1\AppData\Local\Temp\aut2E85.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\MyGuiBotton-setup-3.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut2EA8.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\MyGuiBotton-backup-3.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut2ECA.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\MyGuiBotton-back-3.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut2EEC.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\MyGuiBotton-soft-3.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut300A.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\1_Step_1.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut30F7.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\bt-on-1.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut3107.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\bt-on-2.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut3514.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\backup_gho_1.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut3524.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\backup_gho_2.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut3545.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\restore_2_1.ITMP
C:\Users\ADMINI~1\AppData\Local\Temp\aut3556.tmp ---> C:\Users\ADMINI~1\AppData\Roaming\WININST~258\restore_2_2.ITMP
行为描述:        删除文件
详情信息:       
C:\Users\Administrator\AppData\Local\Temp\aut2B1D.tmp
C:\Users\Administrator\AppData\Local\Temp\qnrdsol
C:\Users\Administrator\AppData\Local\Temp\aut2B6C.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2C29.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2C39.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2C4A.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2D45.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2D65.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2DFB.tmp
C:\Users\Administrator\AppData\Local\Temp\scjghbm
C:\Users\Administrator\AppData\Local\Temp\aut2E31.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E42.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E1C.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E4B.tmp
C:\Users\Administrator\AppData\Local\Temp\aut2E52.tmp
行为描述:        查找文件
详情信息:       
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\qnrdsol
FileName = C:\Users\Administrator
FileName = C:\Users\ADMINI~1\AppData\Roaming\WININST~258
FileName = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll
FileName = C:\Users\ADMINI~1
FileName = C:\Users\ADMINI~1\AppData
FileName = C:\Users\ADMINI~1\AppData\Roaming
FileName = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\*.*
FileName = C:\Users\ADMINI~1\AppData\Roaming\WININST~258\DataIcon.dll
行为描述:        设置特殊文件夹属性
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low\History.IE5
行为描述:        修改文件内容
详情信息:       
C:\Users\Administrator\AppData\Local\Temp\aut2B1D.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\aut2B1D.tmp ---> Offset = 12288
C:\Users\Administrator\AppData\Local\Temp\qnrdsol ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\qnrdsol ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Temp\qnrdsol ---> Offset = 86016
C:\Users\Administrator\AppData\Local\Temp\aut2B6C.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\aut2B6C.tmp ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Temp\aut2B6C.tmp ---> Offset = 131072
C:\Users\Administrator\AppData\Local\Temp\aut2B6C.tmp ---> Offset = 196608
C:\Users\Administrator\AppData\Local\Temp\aut2B6C.tmp ---> Offset = 262144
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll ---> Offset = 65536
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll ---> Offset = 131072
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll ---> Offset = 196608
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll ---> Offset = 262144
行为描述:        修改新生成的可执行文件
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll
网络行为
行为描述:        下载文件
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258\Config.ini
行为描述:        连接指定站点
详情信息:       
InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
行为描述:        打开HTTP连接
详情信息:       
InternetOpenA: UserAgent: AutoIt, hSession = 0x00cc0004
行为描述:        建立到一个指定的套接字连接
详情信息:       
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000354
行为描述:        读取网络文件
详情信息:       
hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
行为描述:        发送HTTP包
详情信息:       
GET /xitong_xbc/Config.asp?zhuban=&cpu=X64&Company=&Battery=%30&Manufacturer=&SerialNumber=&OS_Version=%57%69%6E%64%6F%77%73%20%37&OS_ServicePack=%20%53%50%31&OS_bit=%28%33%32%62%69%74%29&isuefi= HTTP/1.1 User-Agent: AutoIt Host: ww****om Cache-Control: no-cache
行为描述:        打开HTTP请求
详情信息:       
HttpOpenRequestA: ww****om:80/xitong_xbc/config.asp?zhuban=&cpu=x64&company=&battery=%30&manufacturer=&serialnumber=&os_version=%57%69%6e%64%6f%77%73%20%37&os_servicepack=%20%53%50%31&os_bit=%28%33%32%62%69%74%29&isuefi=, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80000000
行为描述:        按名称获取主机地址
详情信息:       
GetAddrInfoW: ww****om
注册表行为
行为描述:        修改注册表
详情信息:       
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
行为描述:        删除注册表键值
详情信息:       
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
其他行为
行为描述:        检测自身是否被调试
详情信息:       
IsDebuggerPresent
行为描述:        隐藏指定窗口
详情信息:       
[Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [,Static]
[Window,Class] = [下载更新,Static]
[Window,Class] = [,AutoIt v3 GUI]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,CtrlNotifySink]
行为描述:        获取光标位置
详情信息:       
CursorPos = (806,18728), SleepMilliseconds = 50.
CursorPos = (7099,26761), SleepMilliseconds = 50.
CursorPos = (19934,15985), SleepMilliseconds = 50.
CursorPos = (12243,29619), SleepMilliseconds = 50.
CursorPos = (27727,24725), SleepMilliseconds = 50.
CursorPos = (6470,28406), SleepMilliseconds = 50.
CursorPos = (24046,17088), SleepMilliseconds = 50.
CursorPos = (10726,752), SleepMilliseconds = 50.
CursorPos = (3760,12203), SleepMilliseconds = 50.
CursorPos = (5592,5697), SleepMilliseconds = 50.
CursorPos = (33156,14865), SleepMilliseconds = 50.
CursorPos = (4667,414), SleepMilliseconds = 50.
CursorPos = (1057,12643), SleepMilliseconds = 50.
CursorPos = (18186,18977), SleepMilliseconds = 50.
CursorPos = (20483,20156), SleepMilliseconds = 50.
行为描述:        直接操作物理设备
详情信息:       
\??\PhysicalDrive0
行为描述:        可执行文件签名信息
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll(签名验证: 未通过)
C:\Users\Administrator\AppData\Local\Temp\aut2C39.tmp(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\WININST~258\dsptw.exe(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\WININST~258\Getptw.dll(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\WININST~258\Computer.dll(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\WININST~258\ShowDrive.dl_(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\WININST~258\ShowEFI.dl_(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\WININST~258\Config.ini(签名验证: 未通过)
行为描述:        加载新释放的文件
详情信息:       
Image: C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ComInfo.dll.
Image: C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowDrive.dl_.
Image: C:\Users\ADMINI~1\AppData\Roaming\WININST~258\ShowEFI.dl_.
Image: C:\Users\ADMINI~1\AppData\Roaming\WININST~258\Getptw.dll.
行为描述:        修改后的可执行文件签名信息
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll(签名验证: 未通过)
行为描述:        可执行文件MD5
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258\ComInfo.dll ---> 21b0345bde3fd0a5ef01e493f83ae784
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll ---> 3aaae11720c12e147d5104dcf5f41565
C:\Users\Administrator\AppData\Local\Temp\aut2C39.tmp ---> c3429879521305de064a0952dab5eb6a
C:\Users\Administrator\AppData\Roaming\WININST~258\dsptw.exe ---> c3429879521305de064a0952dab5eb6a
C:\Users\Administrator\AppData\Roaming\WININST~258\Getptw.dll ---> 94d297ccb80b1f7940ea98ffdfc25257
C:\Users\Administrator\AppData\Roaming\WININST~258\Computer.dll ---> 3aaae11720c12e147d5104dcf5f41565
C:\Users\Administrator\AppData\Roaming\WININST~258\ShowDrive.dl_ ---> 63f0697283a67db3f50b440f142044ed
C:\Users\Administrator\AppData\Roaming\WININST~258\ShowEFI.dl_ ---> 616735739f6c8bcbc7dab0fa26e5b2e1
C:\Users\Administrator\AppData\Roaming\WININST~258\Config.ini ---> d0966601ecd6239a9ce0241c9aa21571
行为描述:        创建互斥体
详情信息:       
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!IETld!Mutex
Local\WERReportingForProcess3388
Local\_!MSFTHISTORY!_LOW!_
行为描述:        获取硬件属性检测虚拟机
详情信息:       
检测Vmware: 调用WMI接口获取硬件信息
行为描述:        尝试打开调试器或监控软件的驱动设备对象
详情信息:       
\??\SICE
\??\NTICE
行为描述:        获取TickCount值
详情信息:       
TickCount = 203203, SleepMilliseconds = 60000.
TickCount = 203312, SleepMilliseconds = 60000.
TickCount = 203328, SleepMilliseconds = 60000.
TickCount = 203343, SleepMilliseconds = 60000.
TickCount = 203359, SleepMilliseconds = 60000.
TickCount = 203375, SleepMilliseconds = 60000.
TickCount = 203390, SleepMilliseconds = 60000.
TickCount = 203406, SleepMilliseconds = 60000.
TickCount = 203437, SleepMilliseconds = 60000.
TickCount = 203453, SleepMilliseconds = 60000.
TickCount = 203468, SleepMilliseconds = 60000.
TickCount = 143659, SleepMilliseconds = 50.
TickCount = 143690, SleepMilliseconds = 50.
TickCount = 144659, SleepMilliseconds = 50.
TickCount = 144690, SleepMilliseconds = 50.
行为描述:        窗口信息
详情信息:       
Pid = 3064, Hwnd=0x901aa, Text = 正在检测电脑配置,请稍等……, ClassName = Static.
Pid = 3064, Hwnd=0xc01ca, Text = 程序版本: 9.0.17.5, ClassName = Static.
Pid = 3064, Hwnd=0x3013c, Text = 目前为最新版, ClassName = Static.
Pid = 3064, Hwnd=0xd01ba, Text = 下载更新, ClassName = Static.
Pid = 3064, Hwnd=0x4013e, Text = 当前系统 Windows 7 SP1(32bit), ClassName = Static.
Pid = 3064, Hwnd=0x40138, Text = 正在检查网络连接……, ClassName = Static.
Pid = 3064, Hwnd=0xb0186, Text = 系统之家一键重装系统, ClassName = AutoIt v3 GUI.
Pid = 3064, Hwnd=0x901aa, Text = 当前电脑配置:, ClassName = Static.
Pid = 3064, Hwnd=0x701f6, Text = 本机品牌:, ClassName = Static.
Pid = 3064, Hwnd=0x1601a2, Text = 主板型号:, ClassName = Static.
Pid = 3064, Hwnd=0x30242, Text = 启动键:, ClassName = Static.
Pid = 3064, Hwnd=0xc01a4, Text = 内存大小:, ClassName = Static.
Pid = 3064, Hwnd=0x701de, Text = CPU架构:, ClassName = Static.
Pid = 3064, Hwnd=0x3024c, Text = 显卡类型:, ClassName = Static.
Pid = 3064, Hwnd=0x3024e, Text = CPU 型号:, ClassName = Static.
行为描述:        直接获取CPU时钟
详情信息:       
EAX = 0xd910dc8e, EDX = 0x00000076
EAX = 0xdbc3dc0a, EDX = 0x00000076
EAX = 0xdbc3dc56, EDX = 0x00000076
EAX = 0x00b5e183, EDX = 0x00000077
EAX = 0x9f9b3525, EDX = 0x00000077
EAX = 0xaf4ba0b8, EDX = 0x00000077
EAX = 0x7f3c5bb9, EDX = 0x00000077
EAX = 0x984c2d8d, EDX = 0x00000078
EAX = 0xbb214fdf, EDX = 0x00000078
EAX = 0xbb21502b, EDX = 0x00000078
EAX = 0xbb215077, EDX = 0x00000078
EAX = 0xbb2150c3, EDX = 0x00000078
EAX = 0xbb21510f, EDX = 0x00000078
行为描述:        创建事件对象
详情信息:       
EventName = OleDfRoot481B6FB006B8D6B3
EventName = DbgEngEvent_00000864
行为描述:        查找指定窗口
详情信息:       
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
行为描述:        打开事件
详情信息:       
HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.3388
MSFT.VSA.IEC.STATUS.6c736db0
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\KernelObjects\SystemErrorPortReady
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
3388-AppRecorderEnabled
行为描述:        调整进程token权限
详情信息:       
SE_DEBUG_PRIVILEGE
行为描述:        枚举窗口
详情信息:       
N/A
行为描述:        调用Sleep函数
详情信息:       
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[1]: MilliSeconds = 50.
[2]: MilliSeconds = 50.
[3]: MilliSeconds = 50.
[4]: MilliSeconds = 50.
[5]: MilliSeconds = 50.
[6]: MilliSeconds = 50.
[7]: MilliSeconds = 50.
[8]: MilliSeconds = 50.
[9]: MilliSeconds = 50.
[10]: MilliSeconds = 50.
行为描述:        打开互斥体
详情信息:       
Local\MSCTF.Asm.MutexDefault1
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_LOW!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!low!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!low!history.ie5!
RasPbFile
行为描述:        修改后的可执行文件MD5
详情信息:       
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll ---> dd84d5e9a76325fe60cafb572860325b
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll ---> 3aa3870ae4ad97447640532d1a5f6a31
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll ---> 02364eea4f85bf4d0ef614b794a9f845
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll ---> 264f00a8bce3268066d536e8293a2a4a
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll ---> 43b769e0fb6dc7bd0819c2112f61f4b3
C:\Users\Administrator\AppData\Roaming\WININST~258\DataIcon.dll ---> 22a9b91dd6dc4200010305f8e1a42df7
进程树
cmd.exe (PID: 0x00000ae8)
****.exe (PID: 0x00000bf8)
cominfo.dll (PID: 0x00000d3c)
cmd.exe (PID: 0x00000ecc)
showdrive.dl_ (PID: 0x00000eac)
cmd.exe (PID: 0x00000efc)
showefi.dl_ (PID: 0x00000f38)
cmd.exe (PID: 0x00000b7c)
getptw.dll (PID: 0x00000e94)
rundll32.exe (PID: 0x00000980)
[/mw_shl_code]

猥琐大叔
Posted on 2017-9-15 17:25:18
First time I have seen Avast's highest threat level.


2221000789
Posted on 2017-9-15 17:27:06
ziyerain2015
Posted on 2017-9-15 19:36:34

Detected on copy.

左手
Posted on 2017-9-16 12:24:52
[mw_shl_code=css,true]2017-9-16 12:22:40    访问网络    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: TCP [本机 : 4308] ->  [112.213.109.203 : 80 (http)]
规则: [应用程序]*.exe -> [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2017-9-16 12:22:52    修改注册表值 危险等级:敏感    阻止
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
值: C:\Documents and Settings\Administrator\Local Settings\Application Data
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-9-16 12:22:52    修改文件 危险等级:敏感    阻止
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
规则: [应用程序]?:\*\*\*\* -> [文件]c:\documents and settings\*\local settings\application data\microsoft\internet explorer; msimgsiz.dat

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut90.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut91.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut92.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut93.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut94.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut95.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut96.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut97.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut98.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut99.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut9A.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut9B.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:22:58    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut9C.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:23:23    创建文件 危险等级:低    允许
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\aut9E.tmp
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《写入》f309_允许修改的文件>a100 -> [文件]*\temp\*

2017-9-16 12:23:24    创建新进程 危险等级:未知    阻止
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: c:\windows\system32\cmd.exe
命令行: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\APPLIC~1\WININST~259\adsl.dll /stext \XTXZGhost\我的文件\本机宽带密码和网卡IP.txt
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [子应用程序]?:\windows\system32\cmd.exe

2017-9-16 12:23:24    修改文件 危险等级:敏感    阻止
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\XTXZGhost\我的文件\本机宽带密码和网卡IP.txt
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《坚固》f299_询问修改的文件>a100 -> [文件]*; *.txt

2017-9-16 12:23:24    创建新进程 危险等级:未知    阻止
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: c:\windows\system32\cmd.exe
命令行: C:\WINDOWS\system32\cmd.exe /c ipconfig /all >> \XTXZGhost\我的文件\本机宽带密码和网卡IP.txt
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [子应用程序]?:\windows\system32\cmd.exe

2017-9-16 12:23:24    修改文件 危险等级:敏感    阻止
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: C:\XTXZGhost\我的文件\本机宽带密码和网卡IP.txt
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [文件组]《坚固》f299_询问修改的文件>a100 -> [文件]*; *.txt

2017-9-16 12:23:24    读文件 危险等级:低    阻止
进程: c:\documents and settings\administrator\桌面\onlineghost_v9.0_online.exe
目标: D:\Program Files\Notepad2\Notepad2.exe
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]d:\*

[/mw_shl_code]

DF快递
Posted on 2017-9-16 13:46:34
Last edited by DF快递 on 2017-9-16 13:48
Quoting 猥琐大叔, posted on 2017-9-15 17:25:
First time I have seen Avast's highest threat level.

Even medium-level ratings are fairly rare.

Source: 卡饭论坛 (KaFan Forum), KaFan.cn