Thread starter: petr0vic

[Virus sample] 0336675092D0FBAE0FC16B9151A36920

amocken
Posted 2018-2-26 12:12:50
Huorong: miss
桑德尔
Posted 2018-2-26 14:00:03
File name: 1.scr
Threat name: W32.Golroted
Full path: c:\users\administrator\desktop\1\1.scr

On this computer: 2018/2/26 (14:00:09)
Last used: 2018/2/26 (14:00:09)
Startup item
Launched

Threat type: Virus. A program that inserts or attaches itself to other programs, files or areas of the computer in order to infect them.

1.scr  Threat name: W32.Golroted
Locate

Very few users trust this file
Fewer than 5 users in the Norton Community have used this file.

Very new file
This file was released less than 1 week ago.

This file is high risk.

https://att.kafan.cn/forum.php?mo ... jM0ODd8MjExNjgxMg==
Downloaded file from att.kafan.cn
Source: External media

File actions
File: c:\users\administrator\desktop\1\1.scr  Blocked

File fingerprint - SHA:
Not available
File fingerprint - MD5:
Not available
毛可多来
Posted 2018-2-26 18:42:47
Last edited by 毛可多来 on 2018-2-26 18:45

The original file is an .exe executable.

Analysis after renaming the file rated it: High risk
Basic information
File name:
34555.exe
MD5:0336675092d0fbae0fc16b9151a36920
File type:EXE
Upload time:2018-02-26 18:37:28
Publisher:Hillenbrand Industries Inc.
Version:11.8.2.1---11.8.2.1
Packer or compiler info:COMPILER:Microsoft Visual C# / Basic .NET


Key behaviours
Behaviour: Cross-process memory write
Details:
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x00150000, Size = 0x00000200 TargetPID = 0x00000bac
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x00152000, Size = 0x00063200 TargetPID = 0x00000bac
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x001b6000, Size = 0x00000600 TargetPID = 0x00000bac
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x001b8000, Size = 0x00000200 TargetPID = 0x00000bac
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x7ffd8008, Size = 0x00000004 TargetPID = 0x00000bac
Behaviour: Read TickCount value
Details:
TickCount = 219046, SleepMilliseconds = 750.
TickCount = 219062, SleepMilliseconds = 750.
TickCount = 219140, SleepMilliseconds = 750.
TickCount = 219203, SleepMilliseconds = 750.
TickCount = 219218, SleepMilliseconds = 750.
TickCount = 219234, SleepMilliseconds = 750.
TickCount = 219250, SleepMilliseconds = 750.
TickCount = 219265, SleepMilliseconds = 750.
TickCount = 219281, SleepMilliseconds = 750.
TickCount = 219296, SleepMilliseconds = 750.
TickCount = 223281, SleepMilliseconds = 750.
TickCount = 223328, SleepMilliseconds = 750.
TickCount = 223375, SleepMilliseconds = 750.
TickCount = 223390, SleepMilliseconds = 750.
TickCount = 223406, SleepMilliseconds = 750.
Behaviour: Read the CPU clock directly
Details:
EAX = 0xda299123, EDX = 0x000000b4
EAX = 0xdcdc909f, EDX = 0x000000b4
EAX = 0xe2175f58, EDX = 0x000000b4
EAX = 0xe2175fa4, EDX = 0x000000b4
EAX = 0x2bd039bf, EDX = 0x000000b5
EAX = 0x2bd03a0b, EDX = 0x000000b5
EAX = 0x1679c3b4, EDX = 0x000000b6
EAX = 0x1679c400, EDX = 0x000000b6
EAX = 0x651ce89b, EDX = 0x000000b8
Behaviour: Set thread context
Details:
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe
Behaviour: Set startup item
Details:
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\steamerrorreporter.ajs1gbij.lnk


Process behaviour
Behaviour: Create process with hidden window
Details:
ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Behaviour: Cross-process memory write
Details:
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x00150000, Size = 0x00000200 TargetPID = 0x00000bac
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x00152000, Size = 0x00063200 TargetPID = 0x00000bac
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x001b6000, Size = 0x00000600 TargetPID = 0x00000bac
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x001b8000, Size = 0x00000200 TargetPID = 0x00000bac
TargetProcess = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, WriteAddress = 0x7ffd8008, Size = 0x00000004 TargetPID = 0x00000bac
Behaviour: Create local thread
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2660, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2664, StartAddress = 79F91FCF, Parameter = 001A5780
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2720, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2864, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2868, StartAddress = 79F91FCF, Parameter = 001A5480
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2888, StartAddress = 77E56C7D, Parameter = 00204A28
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2896, StartAddress = 769AE43B, Parameter = 0020D7D8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2908, StartAddress = 79FDA29C, Parameter = 00000000
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2912, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2916, StartAddress = 79F91FCF, Parameter = 0019F560
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2928, StartAddress = 79F91FCF, Parameter = 0019F560
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2932, StartAddress = 79F91FCF, Parameter = 0019F560
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2940, StartAddress = 79F91FCF, Parameter = 0019F560
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2944, StartAddress = 79F91FCF, Parameter = 001DF620
TargetProcess: steamerrorreporter.exe, InheritedFromPID = 2648, ProcessID = 2856, ThreadID = 2984, StartAddress = 79F91FCF, Parameter = 001E0EA8
Behaviour: Create process
Details:
[0x00000bac]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Behaviour: Set thread context
Details:
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe
Behaviour: Enumerate processes
Details:
N/A
Behaviour: Create process from newly written file
Details:
[0x00000b28]ImagePath = C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe, CmdLine = "C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe"
[0x00000ba0]ImagePath = C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe, CmdLine = "C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe"


File behaviour
Behaviour: Create file
Details:
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe
Behaviour: Create executable file
Details:
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe
Behaviour: Search for file
Details:
FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
Behaviour: Set startup item
Details:
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\steamerrorreporter.ajs1gbij.lnk
Behaviour: Copy file
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe
Behaviour: Modify file contents
Details:
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe ---> Offset = 196608
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe ---> Offset = 262144
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\steamerrorreporter.ajs1gbij.lnk ---> Offset = 0


Registry behaviour
Behaviour: Modify registry
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe
Behaviour: Delete registry value
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Behaviour: Delete registry key
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\


Other behaviour
Behaviour: Check whether it is being debugged
Details:
IsDebuggerPresent
Behaviour: Create mutex
Details:
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
284011b8-65b2-454a-80b6-07cf74c422f7
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
014d1e71-fe42-4f6c-a68d-2173d070c2d1
Behaviour: Create event object
Details:
EventName = Global\CorDBIPCSetupSyncEvent_2648
EventName = d8760917-f519-452b-b4fb-148ac9862c33
EventName = Global\CorDBIPCSetupSyncEvent_2856
EventName = Global\userenv: User Profile setup event
EventName = Global\CorDBIPCSetupSyncEvent_2976
Behaviour: Open mutex
Details:
ShimCacheMutex
Global\CLR_CASOFF_MUTEX
Local\!IETld!Mutex
Behaviour: Find specified window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behaviour: Read TickCount value
Details:
TickCount = 219046, SleepMilliseconds = 750.
TickCount = 219062, SleepMilliseconds = 750.
TickCount = 219140, SleepMilliseconds = 750.
TickCount = 219203, SleepMilliseconds = 750.
TickCount = 219218, SleepMilliseconds = 750.
TickCount = 219234, SleepMilliseconds = 750.
TickCount = 219250, SleepMilliseconds = 750.
TickCount = 219265, SleepMilliseconds = 750.
TickCount = 219281, SleepMilliseconds = 750.
TickCount = 219296, SleepMilliseconds = 750.
TickCount = 223281, SleepMilliseconds = 750.
TickCount = 223328, SleepMilliseconds = 750.
TickCount = 223375, SleepMilliseconds = 750.
TickCount = 223390, SleepMilliseconds = 750.
TickCount = 223406, SleepMilliseconds = 750.
Behaviour: Adjust process token privileges
Details:
SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behaviour: Open event
Details:
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2648
MSFT.VSA.IEC.STATUS.6c736db0
Behaviour: Executable signature information
Details:
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe (signature verification: failed)
Behaviour: Call Sleep function
Details:
[1]: MilliSeconds = 750.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 500.
[4]: MilliSeconds = 500.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 500.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = -1.
[7]: MilliSeconds = 15.
[8]: MilliSeconds = 1600.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 1000.
[5]: MilliSeconds = 15.
Behaviour: Executable MD5
Details:
C:\Documents and Settings\Administrator\Templates\steamerrorreporter.exe ---> 0336675092d0fbae0fc16b9151a36920
Behaviour: Read the CPU clock directly
Details:
EAX = 0xda299123, EDX = 0x000000b4
EAX = 0xdcdc909f, EDX = 0x000000b4
EAX = 0xe2175f58, EDX = 0x000000b4
EAX = 0xe2175fa4, EDX = 0x000000b4
EAX = 0x2bd039bf, EDX = 0x000000b5
EAX = 0x2bd03a0b, EDX = 0x000000b5
EAX = 0x1679c3b4, EDX = 0x000000b6
EAX = 0x1679c400, EDX = 0x000000b6
EAX = 0x651ce89b, EDX = 0x000000b8


Process tree
  • ****.exe (PID: 0x00000a58)
    • steamerrorreporter.exe (PID: 0x00000b28)
      • steamerrorreporter.exe (PID: 0x00000ba0)
      • regasm.exe (PID: 0x00000bac)

File analysis graph (PortEx): [image attachment not included]
心醉咖啡
Posted 2018-2-26 19:46:28
Tencent PC Manager: miss
ELOHIM
Posted 2018-2-26 22:04:31
Kingsoft Duba (金山毒霸): safe.
ELOHIM
Posted 2018-2-27 14:13:23
Quoting Dolby123, posted 2018-2-26 01:24:
WD cloud detection:

Trojan:Win32/Azden.B!cl

SCEP has now been updated to: Trojan:Win32/Dynamer!rfn
Copyright © KaFan  KaFan.cn All Rights Reserved.
