This post was last edited by 191196846 on 2017-9-15 16:29
360TSE MISS
VT(15/62) :https://www.virustotal.com/#/fil ... a36a1d1b6/detection
Habo: low risk
[mw_shl_code=css,true]Basic information
File name:
Samplitude.exe
MD5: af9b6d1e6b5b541a001d5d0301800f4c
File type: EXE
Upload time: 2017-09-15 16:24:24
Publisher: 优优音效QQ:1444585361
Version: 1.0.0.0---1.0.0.0
Packer/compiler: PACKER:PEtite 2.x [Level 1/9] -> Ian Luck
Child file information: details
Key behaviors
Behavior: creates file on the desktop
Details:
C:\Documents and Settings\Administrator\桌面\优优SAM机架.lnk
Behavior: gets TickCount value
Details:
TickCount = 246112, SleepMilliseconds = 300.
Process behavior
Behavior: creates process with hidden window
Details:
ImagePath = , CmdLine = C:\Documents and Settings\Administrator\Local Settings\%temp%\fx-preset\TrackFX\Waves\vbvcQQ:1444585361.exe
ImagePath = , CmdLine = C:\Documents and Settings\Administrator\Local Settings\%temp%\fx-preset\TrackFX\Waves\WAVESQQ:1444585361.exe
ImagePath = , CmdLine = C:\Documents and Settings\Administrator\Local Settings\%temp%\Restart.bat
Behavior: creates process
Details:
[0x00000d48]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c "C:\Documents and Settings\Administrator\Local Settings\%temp%\Restart.bat"
[0x00000d50]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "%temp%\****.exe"
Behavior: creates local thread
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2696, ThreadID = 2708, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 3400, ProcessID = 3408, ThreadID = 3432, StartAddress = 4AEA7456, Parameter = 00000000
Behavior: enumerates processes
Details:
N/A
File behavior
Behavior: creates file
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\Sam_audio.ini
C:\Sam.ini
C:\Documents and Settings\Administrator\Local Settings\%temp%\yy.ico
C:\Documents and Settings\Administrator\Local Settings\%temp%\Restart.bat
Behavior: modifies script file
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\Restart.bat ---> Offset = 0
Behavior: searches for file
Details:
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\优优音效授权文件.KEY
FileName = 3优优SAM机架.lnk
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Documents and Settings\Administrator\「开始」菜单
FileName = C:\Documents and Settings\All Users\「开始」菜单
Behavior: deletes file
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\Sam_audio.ini
C:\Documents and Settings\Administrator\Local Settings\%temp%\Restart.bat
Behavior: creates file on the desktop
Details:
C:\Documents and Settings\Administrator\桌面\优优SAM机架.lnk
Behavior: modifies file contents
Details:
C:\Documents and Settings\Administrator\桌面\优优SAM机架.lnk ---> Offset = 0
C:\Sam.ini ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\yy.ico ---> Offset = 0
Registry behavior
Behavior: modifies registry
Details:
\REGISTRY\MACHINE\SOFTWARE\Classes\VIP\
\REGISTRY\MACHINE\SOFTWARE\Classes\VIP\EditFlags
\REGISTRY\MACHINE\SOFTWARE\Classes\VIP\Shell\Open\Command\
\REGISTRY\MACHINE\SOFTWARE\Classes\VIP\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\.VIP\
Other behavior
Behavior: creates mutex
Details:
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MIK
Behavior: creates event object
Details:
EventName = DINPUTWINMM
EventName = whedgwgd
EventName = MSCTF.SendReceiveConection.Event.MIK.IC
EventName = MSCTF.SendReceive.Event.MIK.IC
EventName = Global\userenv: User Profile setup event
Behavior: finds specified window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: opens event
Details:
HookSwitchHookEnabledEvent
whedgwgd
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceive.Event.IOH.IC
MSCTF.SendReceiveConection.Event.IOH.IC
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
Behavior: gets TickCount value
Details:
TickCount = 246112, SleepMilliseconds = 300.
Behavior: adjusts process token privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
Behavior: window information
Details:
Pid = 2696, Hwnd=0x10376, Text = 确定 ("OK"), ClassName = Button.
Pid = 2696, Hwnd=0x1037a, Text = 对不起,程序尚未授权!机器码已复制到粘贴板,请复制给作者授权 ("Sorry, the program is not licensed yet! The machine code has been copied to the clipboard; send it to the author to obtain a license"), ClassName = Static.
Pid = 2696, Hwnd=0x10374, Text = 警告 ("Warning"), ClassName = #32770.
Pid = 2696, Hwnd=0x10370, Text = 注 册 码 : ("Registration code:"), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2696, Hwnd=0x1036e, Text = 机 器 码 : ("Machine code:"), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2696, Hwnd=0x10368, Text = 退出 ("Exit"), ClassName = Button.
Pid = 2696, Hwnd=0x10366, Text = 注册 ("Register"), ClassName = Button.
Pid = 2696, Hwnd=0x10364, Text = 1112833141, ClassName = Edit.
Pid = 2696, Hwnd=0x1035e, Text = 优优音效:QQ1444585361, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2696, Hwnd=0x1035a, Text = ×, ClassName = Button.
Pid = 2696, Hwnd=0x1036c, Text = 123456, ClassName = Edit.
Pid = 3408, Hwnd=0x20364, Text = 确定 ("OK"), ClassName = Button.
Pid = 3408, Hwnd=0x20368, Text = 对不起,程序尚未授权!机器码已复制到粘贴板,请复制给作者授权 ("Sorry, the program is not licensed yet! The machine code has been copied to the clipboard; send it to the author to obtain a license"), ClassName = Static.
Pid = 3408, Hwnd=0x20362, Text = 警告 ("Warning"), ClassName = #32770.
Behavior: directly accesses physical device
Details:
\??\PhysicalDrive0
Behavior: calls Sleep
Details:
[1]: MilliSeconds = 200.
[2]: MilliSeconds = 300.
Behavior: hides specified window
Details:
[Window,Class] = [,tooltips_class32]
Behavior: opens mutex
Details:
ShimCacheMutex
Process tree
****.exe (PID: 0x00000a88)
cmd.exe (PID: 0x00000d48)
****.exe (PID: 0x00000d50)[/mw_shl_code]
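Added example, not part of the original post or of the Habo report: a small triage script that reads "Behavior / Details" lines of the kind shown above and pulls out the entries a reviewer would weigh by hand (processes launched from %temp%, hidden-window process creation, cmd /c on a dropped script, a new HKCR file-type handler, SeLoadDriverPrivilege, raw \??\PhysicalDrive access), while setting aside the CTF.*/MSCTF.* and ShimCacheMutex object names that the Windows Text Services Framework and AppCompat machinery create for almost any GUI process. The flag rules and the benign-noise list are this example's own heuristics, not Habo's scoring; the input is constructed from the report's entries, abbreviated.

```python
"""Triage helper for sandbox behavior reports (added example, own heuristics)."""
import re
from dataclasses import dataclass

# Constructed input: an abbreviated copy of the report's behavior lines.
SAMPLE_REPORT = r"""
Process behavior
Behavior: creates process with hidden window
Details:
ImagePath = , CmdLine = C:\Documents and Settings\Administrator\Local Settings\%temp%\fx-preset\TrackFX\Waves\vbvcQQ:1444585361.exe
ImagePath = , CmdLine = C:\Documents and Settings\Administrator\Local Settings\%temp%\fx-preset\TrackFX\Waves\WAVESQQ:1444585361.exe
ImagePath = , CmdLine = C:\Documents and Settings\Administrator\Local Settings\%temp%\Restart.bat
Behavior: creates process
Details:
[0x00000d48]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c "C:\Documents and Settings\Administrator\Local Settings\%temp%\Restart.bat"
[0x00000d50]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "%temp%\****.exe"
Registry behavior
Behavior: modifies registry
Details:
\REGISTRY\MACHINE\SOFTWARE\Classes\VIP\Shell\Open\Command\
\REGISTRY\MACHINE\SOFTWARE\Classes\.VIP\
Other behavior
Behavior: creates mutex
Details:
CTF.LBES.MutexDefaultS-*
MSCTF.Shared.MUTEX.IOH
Behavior: adjusts process token privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
Behavior: directly accesses physical device
Details:
\??\PhysicalDrive0
Behavior: opens mutex
Details:
ShimCacheMutex
Process tree
****.exe (PID: 0x00000a88)
cmd.exe (PID: 0x00000d48)
"""

# Section headers such as "Process behavior" / "Process tree" end the current behavior block.
_HEADER = re.compile(r"^(basic information|key behaviors|\w+ behavior|process tree)$", re.I)
# Hex PID prefix some detail lines carry, e.g. "[0x00000d48]".
_PID_PREFIX = re.compile(r"^\[0x[0-9a-f]+\]", re.I)
# Text Services Framework (ctfmon/msctf) and AppCompat object names: sandbox noise (assumption).
_BENIGN_OBJECT = re.compile(r"^(CTF\.|MSCTF\.|ShimCacheMutex$)", re.I)

# Each rule: (label, predicate over lower-cased behavior name and the detail line).
RULES = [
    ("launched from %temp%",
     lambda b, d: "process" in b and re.search(r"%temp%\\.*\.(exe|bat|cmd)\b", d, re.I)),
    ("hidden-window process creation",
     lambda b, d: "hidden window" in b),
    ("cmd /c on a dropped script",
     lambda b, d: "process" in b and re.search(r"\bcmd(\.exe)?\s+/c\b", d, re.I)),
    ("new file-type handler under HKCR (Shell\\Open\\Command)",
     lambda b, d: "registry" in b and re.search(r"\\Classes\\[^\\]+\\Shell\\Open\\Command", d, re.I)),
    ("SeLoadDriverPrivilege requested",
     lambda b, d: "token" in b and "SE_LOAD_DRIVER_PRIVILEGE" in d),
    ("raw physical disk access",
     lambda b, d: re.search(r"\\\?\?\\PhysicalDrive\d+", d, re.I)),
]


@dataclass(frozen=True)
class Finding:
    behavior: str
    detail: str
    rules: tuple


def parse_report(text):
    """Group the report into {behavior name: [detail lines]} in report order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("details:"):
            continue
        if _HEADER.match(line):
            current = None
        elif line.lower().startswith("behavior:"):
            current = line.split(":", 1)[1].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return one Finding per detail line that trips at least one rule."""
    findings = []
    for behavior, details in parse_report(text).items():
        b = behavior.lower()
        for detail in details:
            d = _PID_PREFIX.sub("", detail).strip()
            if _BENIGN_OBJECT.match(d):
                continue
            hits = tuple(label for label, pred in RULES if pred(b, d))
            if hits:
                findings.append(Finding(behavior, d, hits))
    return findings


def noisy_objects(text):
    """Mutex/event names the triage deliberately ignores, so they can be eyeballed."""
    out = []
    for behavior, details in parse_report(text).items():
        if "mutex" in behavior.lower() or "event" in behavior.lower():
            out.extend(d for d in details if _BENIGN_OBJECT.match(d))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{'; '.join(f.rules)}] {f.behavior}: {f.detail}")
    print("ignored as TSF/AppCompat noise:", noisy_objects(SAMPLE_REPORT))
```

On the abbreviated input this yields eight flagged lines: the three hidden-window launches from %temp%, the cmd /c on Restart.bat and the second %temp% executable, the Classes\VIP\Shell\Open\Command write, the SeLoadDriverPrivilege adjustment and the PhysicalDrive0 access; the CTF/MSCTF mutexes and ShimCacheMutex are listed separately rather than scored.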