Basic information
File name: tpmagentservice.dll
MD5: 61c49acb542f5fa5ea9f2efcd534d720
File type: DLL
Upload time: 2018-02-18 10:56:49
Vendor: Microsoft Corporation
Version: 1.0.0.1---6.3.9600.16384
Packer/compiler: COMPILER:PE+(64)
Key behaviors
Behavior: Process privilege escalation
Details: NT AUTHORITY\SYSTEM
Behavior: Parent process spoofing
Details: Child: svchost.exe, Parent: svchost.exe(True) ---> DllLoader.exe(Fake)
Process behavior
Behavior: Create process with hidden window
Details:
ImagePath = C:\Windows\system32\schtasks.exe, CmdLine = /Delete /TN "\Microsoft\Windows\UPnP\Services" /F
ImagePath = C:\Windows\system32\sc.exe, CmdLine = stop vmichapagentsrv
ImagePath = C:\Windows\system32\sc.exe, CmdLine = delete vmichapagentsrv
ImagePath = C:\Windows\system32\schtasks.exe, CmdLine = /End /TN "\Microsoft\Windows\Tcpip\TcpipReportingServices"
ImagePath = C:\Windows\system32\schtasks.exe, CmdLine = /Delete /TN "\Microsoft\Windows\Tcpip\TcpipReportingServices" /F
Behavior: Create process
Details:
[0x00000b9c]ImagePath = C:\Windows\System32\regsvr32.exe, CmdLine = Regsvr32.exe c:\users\administrator\appdata\local\%temp%\%temp%\****.dll
[0x00000ba4]ImagePath = C:\Windows\System32\schtasks.exe, CmdLine = /Delete /TN "\Microsoft\Windows\UPnP\Services" /F
[0x00000e50]ImagePath = C:\Windows\System32\conhost.exe, CmdLine = \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[0x0000077c]ImagePath = C:\Windows\System32\conhost.exe, CmdLine = \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[0x00000f3c]ImagePath = C:\Windows\System32\sc.exe, CmdLine = stop vmichapagentsrv
[0x0000081c]ImagePath = C:\Windows\System32\conhost.exe, CmdLine = \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[0x00000b74]ImagePath = C:\Windows\System32\%temp%\****.exe, CmdLine = %temp%\**** --machinereadable -- C:/StaticAnalyze/%temp%\****.exe.json
[0x00000520]ImagePath = C:\Windows\System32\sc.exe, CmdLine = delete vmichapagentsrv
[0x00000c2c]ImagePath = C:\Windows\System32\%temp%\****.exe, CmdLine = %temp%\**** --machinereadable -- C:/07c18980de59b70b44f118fe7e28dc64_Finished.txt
[0x00000d34]ImagePath = C:\Windows\System32\schtasks.exe, CmdLine = /End /TN "\Microsoft\Windows\Tcpip\TcpipReportingServices"
[0x00000734]ImagePath = C:\Windows\System32\conhost.exe, CmdLine = \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[0x00000938]ImagePath = C:\Windows\System32\schtasks.exe, CmdLine = /Delete /TN "\Microsoft\Windows\Tcpip\TcpipReportingServices" /F
[0x00000cdc]ImagePath = C:\Windows\System32\conhost.exe, CmdLine = \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Behavior: Process privilege escalation
Details: NT AUTHORITY\SYSTEM
Behavior: Create local thread
Details:
ProcessId = 2972, ThreadId = 1324.
ProcessId = 3664, ThreadId = 760.
ProcessId = 3664, ThreadId = 3032.
ProcessId = 1916, ThreadId = 1424.
ProcessId = 1916, ThreadId = 3380.
ProcessId = 2276, ThreadId = 3248.
ProcessId = 2276, ThreadId = 956.
ProcessId = 2076, ThreadId = 304.
ProcessId = 2076, ThreadId = 2088.
ProcessId = 3256, ThreadId = 3200.
ProcessId = 3256, ThreadId = 3524.
ProcessId = 3256, ThreadId = 1344.
ProcessId = 2724, ThreadId = 3884.
ProcessId = 2724, ThreadId = 3104.
ProcessId = 460, ThreadId = 2556.
Behavior: Parent process spoofing
Details: Child: svchost.exe, Parent: svchost.exe(True) ---> DllLoader.exe(Fake)
File behavior
Behavior: Create file
Details: C:\Windows\System32\NetTraceDiagnostics.ini
Behavior: Search files
Details:
FileName = C:\Windows\IME\Microsoft\\*.*
FileName = C:\Windows\IME\Crypt\\*.*
FileName = C:\Windows\IME\Daps\\*.*
FileName = C:\Windows\SysprepThemes\\*.*
FileName = C:\Windows\system32\SysprepThemes\\*.*
Network behavior
Behavior: Resolve host address by name
Details: GetAddrInfoW: **.0.0.**:128
Other behavior
Behavior: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior: Create mutex
Details:
{F86E2D648-EF7B-6054-D43FC41}
Local\SessionImmersiveColorMutex
{5EC0AC33D-E23D-C8A2-A92C833}
{CI59C45E-F19A-Z07C-565B17CO}
{6B2089804-F412-CB72-7C027E6}
{3EC1AC33D-E55D-C8A2-A92C822}
DBWinMutex
Behavior: Hide specified window
Details:
[Window,Class] = [C:\Windows\system32\Regsvr32.exe,ConsoleWindowClass]
[Window,Class] = [C:\Windows\System32\%temp%\****.exe,ConsoleWindowClass]
Behavior: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE SE_DEBUG_PRIVILEGE
Behavior: Open event
Details:
Global\TermSrvReadyEvent
Global\SvcctrlStartEvent_A3752DX
\KernelObjects\MaximumCommitCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.3256
MSFT.VSA.IEC.STATUS.6c736db0
Local\99b25af4-39cf-4c83-ad07-3c133e6d3135
Behavior: Open mutex
Details:
Local\MSCTF.Asm.MutexDefault0S-1-5-18
CicLoadWinStaService-0x0-3e7$
Process tree
- schtasks.exe (PID: 0x00000f64)
- conhost.exe 0xffffffff -ForceV1 (PID: 0x0000077c)
- conhost.exe (PID: 0x000008a0)
- werfault.exe (PID: 0x00000d40)
- dllloader.exe (PID: 0x00000b78)
- regsvr32.exe ****.dll (PID: 0x00000b9c)
- schtasks.exe (PID: 0x00000ba4)
- sc.exe (PID: 0x00000f3c)
- sc.exe (PID: 0x00000520)
- schtasks.exe (PID: 0x00000d34)
- schtasks.exe (PID: 0x00000938)
- conhost.exe (PID: 0x00000cb8)
- ****.exe **** --machinereadable -- ****.exe.json (PID: 0x00000b74)
File analysis graph (PortEx)
Basic information
File name: mssecsvc.exe
MD5: 0c694193ceac8bfb016491ffb534eb7c
File type: EXE
Upload time: 2018-02-18 10:55:22
Vendor: N/A
Version: N/A
Packer/compiler: COMPILER:Microsoft Visual C++ 6.0
Key behaviors
Behavior: Set special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\LocalService\Local Settings\History
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5
C:\Documents and Settings\LocalService\Cookies
Behavior: Look up PE resource information
Details: (FindResourceA) hModule = 0x00000000, ResName: , ResType: R
Behavior: Create system service
Details: [Service created successfully]: mssecsvc2.0, C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe -m security
Behavior: Get TickCount value
Details:
TickCount = 222718, SleepMilliseconds = 2000.
TickCount = 222734, SleepMilliseconds = 2000.
TickCount = 223031, SleepMilliseconds = 2000.
TickCount = 221393, SleepMilliseconds = 50.
TickCount = 223656, SleepMilliseconds = 2000.
TickCount = 222018, SleepMilliseconds = 50.
TickCount = 224281, SleepMilliseconds = 2000.
TickCount = 224593, SleepMilliseconds = 2000.
TickCount = 224906, SleepMilliseconds = 2000.
TickCount = 226218, SleepMilliseconds = 3000.
TickCount = 223284, SleepMilliseconds = 50.
TickCount = 225531, SleepMilliseconds = 2000.
TickCount = 226531, SleepMilliseconds = 3000.
TickCount = 223893, SleepMilliseconds = 50.
TickCount = 224206, SleepMilliseconds = 50.
Behavior: Kill process
Details: C:\WINDOWS\tasksche.exe
Process behavior
Behavior: Create process with hidden window
Details: ImagePath = , CmdLine = C:\WINDOWS\tasksche.exe /i
Behavior: Create local thread
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 2300, ProcessID = 2748, ThreadID = 2784, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2300, ProcessID = 2748, ThreadID = 2788, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2300, ProcessID = 2748, ThreadID = 2792, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2808, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2812, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2816, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2820, StartAddress = 77DC3519, Parameter = 0019EA30
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2824, StartAddress = 77C0A341, Parameter = 003F4B08
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2828, StartAddress = 77C0A341, Parameter = 003F4B98
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2832, StartAddress = 77C0A341, Parameter = 003F4C28
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2860, StartAddress = 77C0A341, Parameter = 003F4C28
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2864, StartAddress = 77C0A341, Parameter = 003F4C28
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2868, StartAddress = 77C0A341, Parameter = 003F4B98
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2888, StartAddress = 77C0A341, Parameter = 003F4B98
TargetProcess: %temp%\****.exe, InheritedFromPID = 652, ProcessID = 2800, ThreadID = 2892, StartAddress = 77C0A341, Parameter = 003F4B98
Behavior: Create process from newly written file
Details: [0x00000b50]ImagePath = C:\WINDOWS\tasksche.exe, CmdLine = C:\WINDOWS\tasksche.exe /i
Behavior: Kill process
Details: C:\WINDOWS\tasksche.exe
File behavior
Behavior: Create file
Details: C:\WINDOWS\tasksche.exe
Behavior: Create executable file
Details: C:\WINDOWS\tasksche.exe
Behavior: Modify file content
Details: C:\WINDOWS\tasksche.exe ---> Offset = 0
Behavior: Set special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\LocalService\Local Settings\History
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5
C:\Documents and Settings\LocalService\Cookies
Behavior: Search files
Details:
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\config\systemprofile\Local Settings
FileName = C:\WINDOWS\system32\config\systemprofile
FileName = C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS
FileName = C:\WINDOWS\tasksche.exe
Network behavior
Behavior: Send SMB packet
Details:
Cmd: 0x00000072, SOCKET = 0x00000264, IP: **.101.249.**:445
Cmd: 0x00000073, SOCKET = 0x00000264, IP: **.101.249.**:445
Cmd: 0x00000075, SOCKET = 0x00000264, IP: **.101.249.**:445
Cmd: 0x00000025, SOCKET = 0x00000264, IP: **.101.249.**:445
Cmd: 0x00000072, SOCKET = 0x00000278, IP: **.101.249.**:445
Cmd: 0x00000073, SOCKET = 0x00000278, IP: **.101.249.**:445
Cmd: 0x00000075, SOCKET = 0x00000278, IP: **.101.249.**:445
Cmd: 0x00000032, SOCKET = 0x00000278, IP: **.101.249.**:445
Behavior: Open URL over the network
Details: InternetOpenUrlA: http://ww****om, hInternet = 0x00cc0004, Flags = 0x84000000
Behavior: Connect to specified site
Details: InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
Behavior: Establish a socket connection to a specified address
Details:
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000240
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000238
IP: **.101.249.**:445, SOCKET = 0x00000258
IP: **.101.249.**:445, SOCKET = 0x00000264
IP: **.156.245.**:445, SOCKET = 0x0000026c
IP: **.156.245.**:445, SOCKET = 0x00000278
IP: **.101.249.**:445, SOCKET = 0x00000278
IP: **.104.187.**:445, SOCKET = 0x00000274
IP: **.104.187.**:445, SOCKET = 0x00000280
IP: **.156.245.**:445, SOCKET = 0x00000280
IP: **.156.245.**:445, SOCKET = 0x0000028c
IP: **.101.249.**:445, SOCKET = 0x0000028c
IP: **.104.187.**:445, SOCKET = 0x0000028c
IP: **.55.28.**:445, SOCKET = 0x00000278
IP: **.55.28.**:445, SOCKET = 0x00000294
Behavior: Send HTTP packet
Details: GET / HTTP/1.1 Host: ww****om Cache-Control: no-cache
Behavior: Resolve host address by name
Details: GetAddrInfoW: ww****om
Registry behavior
Behavior: Modify registry
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Behavior: Delete registry value
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior: Create mutex
Details:
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior: Create event object
Details:
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior: Start system service
Details: [Service started successfully]: LocalSystem, Microsoft Security Center (2.0) Service, C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe -m security
Behavior: Get TickCount value
Details:
TickCount = 222718, SleepMilliseconds = 2000.
TickCount = 222734, SleepMilliseconds = 2000.
TickCount = 223031, SleepMilliseconds = 2000.
TickCount = 221393, SleepMilliseconds = 50.
TickCount = 223656, SleepMilliseconds = 2000.
TickCount = 222018, SleepMilliseconds = 50.
TickCount = 224281, SleepMilliseconds = 2000.
TickCount = 224593, SleepMilliseconds = 2000.
TickCount = 224906, SleepMilliseconds = 2000.
TickCount = 226218, SleepMilliseconds = 3000.
TickCount = 223284, SleepMilliseconds = 50.
TickCount = 225531, SleepMilliseconds = 2000.
TickCount = 226531, SleepMilliseconds = 3000.
TickCount = 223893, SleepMilliseconds = 50.
TickCount = 224206, SleepMilliseconds = 50.
Behavior: Open event
Details:
HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Behavior: Look up PE resource information
Details: (FindResourceA) hModule = 0x00000000, ResName: , ResType: R
Behavior: Executable signature information
Details: C:\WINDOWS\tasksche.exe (signature verification: failed)
Behavior: Call Sleep function
Details:
[1]: MilliSeconds = 2000.
[2]: MilliSeconds = 3000.
[3]: MilliSeconds = 2000.
[4]: MilliSeconds = 3000.
[5]: MilliSeconds = 50.
[6]: MilliSeconds = 3000.
[7]: MilliSeconds = 2000.
[8]: MilliSeconds = 50.
[9]: MilliSeconds = 3000.
[10]: MilliSeconds = 3000.
Behavior: Executable MD5
Details: C:\WINDOWS\tasksche.exe ---> 7f7ccaa16fb15eb1c7399d422f8363e8
Behavior: Open mutex
Details:
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!localservice!cookies!
Local\c:!documents and settings!localservice!local settings!history!history.ie5!
ShimCacheMutex
Behavior: Create system service
Details: [Service created successfully]: mssecsvc2.0, C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe -m security
Process tree
- ****.exe (PID: 0x00000abc)
- tasksche.exe (PID: 0x00000b50)
File analysis graph (PortEx)
Basic information
File name: TrustedHostServices.exe
MD5: 1e0022c02030f2b4353b583beffbade9
File type: EXE
Upload time: 2018-02-18 10:56:56
Vendor: N/A
Version: N/A
Packer/compiler: COMPILER:PE+(64)
Process behavior
Behavior: Create local thread
Details: ProcessId = 2084, ThreadId = 3440.
Other behavior
Behavior: Open mutex
Details: Local\ShimViewer
Process tree
- ****.exe (PID: 0x00000824)
File analysis graph (PortEx)