- Detection rating: High risk
- File name: sysdiag-all-4.0.52.4.exe
- Basic information
- File name: sysdiag-all-4.0.52.4.exe
- MD5: 9093c1b7b7f8be0ec42c64cb2c101801
- File type: EXE
- Upload time: 2018-03-10 08:45:30
- Publisher: N/A
- Version: 1.0.0.0
- Packer/compiler info: PACKER:UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser *
- Sub-file information: upx30_49a31d62dumpFile / 97322e3e74cb50b82afe1f100ca8bbde / EXE
- Key behaviors
- Behavior: Add new user account
- Details: ImagePath = C:\\WINDOWS\\system32\\net.exe, CmdLine = net user worm /add
- Process behaviors
- Behavior: Create process with hidden window
- Details: ImagePath = C:\\WINDOWS\\system32\\cmd.exe, CmdLine = "C:\\WINDOWS\\system32\\cmd.exe" /c ""C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp\\6.bat" "C:\\Documents and Settings\\Administrator\\Local Settings\\%temp%\\****.exe""
- Behavior: Create process
- Details: [0x00000ae8]ImagePath = C:\\WINDOWS\\system32\\cmd.exe, CmdLine = "C:\\WINDOWS\\system32\\cmd.exe" /c ""C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp\\6.bat" "C:\\Documents and Settings\\Administrator\\Local Settings\\%temp%\\****.exe""
- [0x00000b28]ImagePath = C:\\WINDOWS\\system32\\net.exe, CmdLine = net share ipc$
- [0x00000b4c]ImagePath = C:\\WINDOWS\\system32\\net1.exe, CmdLine = net1 share ipc$
- [0x00000b60]ImagePath = C:\\WINDOWS\\system32\\net.exe, CmdLine = net share admin$
- [0x00000b80]ImagePath = C:\\WINDOWS\\system32\\net1.exe, CmdLine = net1 share admin$
- [0x00000b88]ImagePath = C:\\WINDOWS\\system32\\net.exe, CmdLine = net share C$=c:\\
- [0x00000b90]ImagePath = C:\\WINDOWS\\system32\\net1.exe, CmdLine = net1 share C$=c:\\
- [0x00000b98]ImagePath = C:\\WINDOWS\\system32\\net.exe, CmdLine = net share D$=d:\\
- [0x00000ba0]ImagePath = C:\\WINDOWS\\system32\\net1.exe, CmdLine = net1 share D$=d:\\
- [0x00000ba8]ImagePath = C:\\WINDOWS\\system32\\net.exe, CmdLine = net share E$=e:\\
- [0x00000bb0]ImagePath = C:\\WINDOWS\\system32\\net1.exe, CmdLine = net1 share E$=e:\\
- [0x00000bb8]ImagePath = C:\\WINDOWS\\system32\\net.exe, CmdLine = net share F$=f:\\
- [0x00000bc0]ImagePath = C:\\WINDOWS\\system32\\net1.exe, CmdLine = net1 share F$=f:\\
- File behaviors
- Behavior: Create file
- Details: C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp
- C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp
- C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp\\6.tmp
- C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp\\7.tmp
- C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp\\6.bat
- Behavior: Modify script file
- Details: C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp\\6.bat ---> Offset = 0
- Behavior: Delete file
- Details: C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp
- C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp
- C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\4.tmp\\5.tmp\\6.tmp
- C:\\WINDOWS\\OEWABLog.txt
- C:\\WINDOWS\\setuplog.txt
- C:\\WINDOWS\\0.log
- C:\\WINDOWS\\bitssetup.log
- C:\\WINDOWS\\cmsetacl.log
- C:\\WINDOWS\\comsetup.log
- C:\\WINDOWS\\DtcInstall.log
- C:\\WINDOWS\\KB2412687.log
- C:\\WINDOWS\\msmqinst.log
- C:\\WINDOWS\\ntdtcsetup.log
- C:\\WINDOWS\\ocgen.log
- C:\\WINDOWS\\regopt.log
- Behavior: Search for files
- Details: FileName = C:\\DOCUME~1
- FileName = C:\\DOCUME~1\\ADMINI~1
- FileName = C:\\DOCUME~1\\ADMINI~1\\LOCALS~1
- FileName = C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp
- FileName = C:\\Documents and Settings
- FileName = C:\\Documents and Settings\\Administrator
- FileName = C:\\Documents and Settings\\Administrator\\Local Settings
- FileName = C:\\WINDOWS\\system32\\cmd.*
- FileName = C:\\Documents and Settings\\Administrator\\My Documents
- FileName = C:\\Documents and Settings\\All Users
- FileName = C:\\Documents and Settings\\All Users\\Documents
- FileName = C:\\Documents and Settings\\Administrator\\桌面
- FileName = C:\\Documents and Settings\\All Users\\桌面
- FileName = C:\\WINDOWS
- FileName = C:\\WINDOWS\\system32
- Other behaviors
- Behavior: Create mutex
- Details: CTF.LBES.MutexDefaultS-*
- CTF.Compart.MutexDefaultS-*
- CTF.Asm.MutexDefaultS-*
- CTF.Layouts.MutexDefaultS-*
- CTF.TMD.MutexDefaultS-*
- CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
- Local\\ZonesCounterMutex
- Local\\ZoneAttributeCacheCounterMutex
- Local\\ZonesCacheCounterMutex
- Local\\ZonesLockedCacheCounterMutex
- Behavior: Create event object
- Details: EventName = DINPUTWINMM
- Behavior: Adjust process token privileges
- Details: SE_LOAD_DRIVER_PRIVILEGE
- Behavior: Open event
- Details: HookSwitchHookEnabledEvent
- _fCanRegisterWithShellService
- \\SECURITY\\LSA_AUTHENTICATION_INITIALIZED
- Global\\SvcctrlStartEvent_A3752DX
- Behavior: Add new user account
- Details: ImagePath = C:\\WINDOWS\\system32\\net.exe, CmdLine = net user worm /add
- Behavior: Call Sleep function
- Details: [1]: MilliSeconds = 25.
- [2]: MilliSeconds = 25.
- [3]: MilliSeconds = 25.
- [4]: MilliSeconds = 25.
- [5]: MilliSeconds = 25.
- [6]: MilliSeconds = 25.
- [7]: MilliSeconds = 25.
- [8]: MilliSeconds = 25.
- [9]: MilliSeconds = 25.
- [10]: MilliSeconds = 25.
- Behavior: Open mutex
- Details: Local\\!IETld!Mutex
- ShimCacheMutex