带有恶意代码的程序

显示全部楼层 · 发表于 2018-11-19 09:27:29

下载地址:
http://www.66608.com/soft/wangcai7setup.exe

显示全部楼层 · 发表于 2018-11-19 11:18:39

eset

日志
正在扫描日志
检测引擎的版本: 18403 (20181118)
日期: 2018/11/19 时间: 11:18:19
已扫描的磁盘、文件夹和文件: C:\Users\joesonsu\Desktop\wangcai7setup.exe
已扫描的对象数: 19
发现的威胁数: 0
完成时间: 11:18:20 总扫描时间: 1 秒 (00:00:01)

复制代码

显示全部楼层 · 发表于 2018-11-19 11:19:11

eset

日志
正在扫描日志
检测引擎的版本: 18403P (20181118)
日期: 2018-11-19 时间: 11:18:22
已扫描的磁盘、文件夹和文件: D:\样本\wangcai7setup.exe
已扫描的对象数: 17
发现的威胁数: 0
完成时间: 11:18:25 总扫描时间: 3 秒 (00:00:03)

复制代码

显示全部楼层 · 发表于 2018-11-19 12:16:35

AVAST监控KILL：Win32:Evo-gen[Susp]
下载被拦截

显示全部楼层 · 发表于 2018-11-19 12:26:40

comodo

下載後就查到

显示全部楼层 · 发表于 2018-11-19 13:26:01

avira

'HEUR/APC'

显示全部楼层 · 发表于 2018-11-19 13:39:59

GD
Win32.Trojan.FlyStudio.A

显示全部楼层 · 发表于 2018-11-19 13:50:01

6666666

显示全部楼层 · 发表于 2018-11-19 14:50:03

https://habo.qq.com/file/showdetail?pk=ADQGb11sB2EIOFs1U2c%3D

基本信息
文件名称：
wangcai7setup.exe

MD5： 6e4a1add68a16d0a559109d1e9015870
文件类型： EXE
上传时间： 2018-11-19 14:48:41
出品公司： N/A
版本： N/A
壳或编译器信息： COMPILER:NSIS
子文件信息：详情
关键行为
行为描述：在桌面创建文件
详情信息：
C:\Documents and Settings\All Users\桌面\旺财流水账.lnk

进程行为
行为描述：创建新文件进程
详情信息：
[0x00000eac]ImagePath = C:\DiskD\WangcaiM\wangcai.exe, CmdLine = "D:\WangcaiM\Wangcai.exe"

行为描述：创建本地线程
详情信息：
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3244, ThreadID = 3464, StartAddress = 7C947EBB, Parameter = 00000000

TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3244, ThreadID = 3468, StartAddress = 7C930230, Parameter = 00000000

TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3244, ThreadID = 3496, StartAddress = 00404FE4, Parameter = 0002036E

文件行为
行为描述：创建文件
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp7.tmp

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\System.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\modern-wizard.bmp

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\InstallOptions.dll

C:\DiskD\WangcaiM\wangcai.exe

C:\DiskD\WangcaiM\FlexCell.ocx

C:\DiskD\WangcaiM\Config\Images.edb

C:\DiskD\WangcaiM\Config\Images.edt

C:\DiskD\WangcaiM\Config\Systemrss.edb

C:\WINDOWS\system32\xls.dll

C:\WINDOWS\system32\Vb6chs.dll

C:\WINDOWS\system32\iobjsafe.tlb

C:\DiskD\WangcaiM\uninst.exe

行为描述：在系统敏感位置（如开始菜单等)释放链接或快捷方式
详情信息：
C:\Documents and Settings\All Users\「开始」菜单\程序\旺财流水账\旺财流水账.lnk

C:\Documents and Settings\All Users\「开始」菜单\程序\旺财流水账\卸载旺财流水账.lnk

行为描述：创建可执行文件
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\System.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\InstallOptions.dll

C:\DiskD\WangcaiM\wangcai.exe

C:\DiskD\WangcaiM\FlexCell.ocx

C:\WINDOWS\system32\xls.dll

C:\WINDOWS\system32\Vb6chs.dll

C:\DiskD\WangcaiM\uninst.exe

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\krnln.fne

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext.fne

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\eGrid.fne

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\SqliteDB.fne

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\shell.fne

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext5.fne

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\dp1.fne

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext2.fne

行为描述：查找文件
详情信息：
FileName = C:\Documents and Settings

FileName = C:\Documents and Settings\Administrator

FileName = C:\Documents and Settings\Administrator\Local Settings

FileName = C:\Documents and Settings\Administrator\Local Settings\Temp

FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%

FileName = D:\NUL

FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsk8.tmp

FileName = D:\WangcaiM

FileName = D:\WangcaiM\wangcai.exe

FileName = D:\WangcaiM\Wangcai.exe

FileName = C:\Documents and Settings\Administrator\My Documents

FileName = C:\Documents and Settings\All Users

FileName = C:\Documents and Settings\All Users\Documents

FileName = C:\Documents and Settings\Administrator\桌面

FileName = C:\Documents and Settings\All Users\桌面

行为描述：删除文件
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp7.tmp

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\InstallOptions.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\modern-wizard.bmp

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\System.dll

行为描述：在桌面创建文件
详情信息：
C:\Documents and Settings\All Users\桌面\旺财流水账.lnk

行为描述：修改文件内容
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\System.dll ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 36

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\modern-wizard.bmp ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 124

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 33

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 43

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 60

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 277

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 316

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 371

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 379

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 391

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\InstallOptions.dll ---> Offset = 0

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\ioSpecial.ini ---> Offset = 225

注册表行为
行为描述：修改注册表
详情信息：
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{722F4E97-2959-43F9-81F1-84443EC1E240}\1.0\

\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{722F4E97-2959-43F9-81F1-84443EC1E240}\1.0\FLAGS\

\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{722F4E97-2959-43F9-81F1-84443EC1E240}\1.0\0\win32\

\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{722F4E97-2959-43F9-81F1-84443EC1E240}\1.0\HELPDIR\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C31CF31-8EAC-49E1-87CA-AB9F8533D74F}\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C31CF31-8EAC-49E1-87CA-AB9F8533D74F}\ProxyStubClsid\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C31CF31-8EAC-49E1-87CA-AB9F8533D74F}\ProxyStubClsid32\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C31CF31-8EAC-49E1-87CA-AB9F8533D74F}\TypeLib\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C31CF31-8EAC-49E1-87CA-AB9F8533D74F}\TypeLib\Version

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E29C0F99-8BC0-4731-BCF3-5E7F033A6371}\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E29C0F99-8BC0-4731-BCF3-5E7F033A6371}\ProxyStubClsid\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E29C0F99-8BC0-4731-BCF3-5E7F033A6371}\ProxyStubClsid32\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E29C0F99-8BC0-4731-BCF3-5E7F033A6371}\TypeLib\

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E29C0F99-8BC0-4731-BCF3-5E7F033A6371}\TypeLib\Version

\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{989973B9-8471-4CDD-B745-42AA83A52AD4}\

行为描述：修改注册表_延迟重命名项
详情信息：
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations

其他行为
行为描述：创建互斥体
详情信息：
oleacc-msaa-loaded

CTF.LBES.MutexDefaultS-*

CTF.Compart.MutexDefaultS-*

CTF.Asm.MutexDefaultS-*

CTF.Layouts.MutexDefaultS-*

CTF.TMD.MutexDefaultS-*

CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*

MSCTF.Shared.MUTEX.IOH

MSCTF.Shared.MUTEX.ALM

行为描述：创建事件对象
详情信息：
EventName = Global\userenv: User Profile setup event

EventName = MSCTF.SendReceive.Event.ALM.IC

EventName = MSCTF.SendReceiveConection.Event.ALM.IC

EventName = DINPUTWINMM

EventName = boerf001

行为描述：查找指定窗口
详情信息：
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]

NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]

行为描述：窗口信息
详情信息：
Pid = 3244, Hwnd=0x10342, Text = 下一步(&N) >, ClassName = Button.

Pid = 3244, Hwnd=0x10344, Text = 取消(&C), ClassName = Button.

Pid = 3244, Hwnd=0x10350, Text = Zhikey.COM , ClassName = Static.

Pid = 3244, Hwnd=0x10352, Text = Zhikey.COM, ClassName = Static.

Pid = 3244, Hwnd=0x10362, Text = 欢迎使用旺财流水账 7.0 安装向导, ClassName = Static.

Pid = 3244, Hwnd=0x10364, Text = 这个向导将指引你完成旺财流水账 7.0 的安装进程。在开始安装之前，建议先关闭其他所有应用程序。这将允许“安装程序”更新指定的系统文件，而不需要重新启动你的计算机。单击 [下一步(N)] 继续。, ClassName = Static.

Pid = 3244, Hwnd=0x1033c, Text = 旺财流水账 7.0 安装, ClassName = #32770.

Pid = 3244, Hwnd=0x10340, Text = < 上一步(&P), ClassName = Button.

Pid = 3244, Hwnd=0x10342, Text = 安装(&I), ClassName = Button.

Pid = 3244, Hwnd=0x10356, Text = 选定安装位置, ClassName = Static.

Pid = 3244, Hwnd=0x10358, Text = 选定旺财流水账 7.0 要安装的文件夹。, ClassName = Static.

Pid = 3244, Hwnd=0x20364, Text = D:\WangcaiM, ClassName = Edit.

Pid = 3244, Hwnd=0x20362, Text = 浏览(&B)..., ClassName = Button.

Pid = 3244, Hwnd=0x20360, Text = 可用空间: 4.8GB, ClassName = Static.

Pid = 3244, Hwnd=0x1036c, Text = 所需空间: 7.9MB, ClassName = Static.

行为描述：调整进程token权限
详情信息：
SE_LOAD_DRIVER_PRIVILEGE

行为描述：打开事件
详情信息：
HookSwitchHookEnabledEvent

_fCanRegisterWithShellService

CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010

CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010

MSCTF.SendReceiveConection.Event.IOH.IC

MSCTF.SendReceive.Event.IOH.IC

boerf001

CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011

CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011

行为描述：可执行文件签名信息
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\System.dll(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\InstallOptions.dll(签名验证: 未通过)

C:\DiskD\WangcaiM\wangcai.exe(签名验证: 未通过)

C:\DiskD\WangcaiM\FlexCell.ocx(签名验证: 未通过)

C:\WINDOWS\system32\xls.dll(签名验证: 未通过)

C:\WINDOWS\system32\Vb6chs.dll(签名验证: 未通过)

C:\DiskD\WangcaiM\uninst.exe(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\krnln.fne(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext.fne(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\eGrid.fne(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\SqliteDB.fne(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\shell.fne(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext5.fne(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\dp1.fne(签名验证: 未通过)

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext2.fne(签名验证: 未通过)

行为描述：隐藏指定窗口
详情信息：
[Window,Class] = [,Button]

[Window,Class] = [Zhikey.COM,Static]

[Window,Class] = [Zhikey.COM ,Static]

[Window,Class] = [,Static]

[Window,Class] = [,Auto-Suggest Dropdown]

[Window,Class] = [显示细节(&D),Button]

[Window,Class] = [安装完成,Static]

[Window,Class] = [安装程序已成功地运行完成。,Static]

行为描述：可执行文件MD5
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\System.dll ---> 2ae993a2ffec0c137eb51c8832691bcb

C:\Documents and Settings\Administrator\Local Settings\Temp\nsk8.tmp\InstallOptions.dll ---> b66e186190c780830d5adf4c8097afb4

C:\DiskD\WangcaiM\wangcai.exe ---> 文件过大!

C:\DiskD\WangcaiM\FlexCell.ocx ---> ebaaeb4d503956933016c795691b09e9

C:\WINDOWS\system32\xls.dll ---> cf3003c6c8c1340aa0864fd2bbdc20ad

C:\WINDOWS\system32\Vb6chs.dll ---> 4eb560ad85cc7924f507fbe5a901577a

C:\DiskD\WangcaiM\uninst.exe ---> 49fa0de961d30a371446ebfe4ccd7fcf

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\krnln.fne ---> 03061448199dc38621d9eb223c3d6260

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext.fne ---> 3d08c2cb79654236497e341283fe636a

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\eGrid.fne ---> 9c80fda2e1e98f3ab0873a2ea3e6be7f

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\SqliteDB.fne ---> fdfe80c77db20fd42ccfe532d4857ed4

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\shell.fne ---> 98174c8c2995000efbda01e1b86a1d4d

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext5.fne ---> 9d06808df2f2c7b12f13e29ad5758e1e

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\dp1.fne ---> 07201b1fd5f8925dd49a4556ac3b5bab

C:\Documents and Settings\Administrator\Local Settings\Temp\eb_5w\iext2.fne ---> dba5fdbe7ec94463b3f6fdf2162c9f95

行为描述：打开互斥体
详情信息：
ShimCacheMutex

行为描述：加载新释放的文件
详情信息：
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsk8.tmp\System.dll.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsk8.tmp\InstallOptions.dll.

Image: C:\DiskD\WangcaiM\FlexCell.ocx.

Image: C:\WINDOWS\system32\xls.dll.

Image: C:\WINDOWS\system32\Vb6chs.dll.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eb_5w\krnln.fne.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eb_5w\SqliteDB.fne.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eb_5w\shell.fne.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eb_5w\dp1.fne.

Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eb_5w\iext.fne.

进程树
****.exe (PID: 0x00000cac)
wangcai.exe (PID: 0x00000eac)

显示全部楼层 · 发表于 2018-11-19 15:20:56

FSP

[可疑文件] 带有恶意代码的程序

本帖子中包含更多资源

评分

本帖子中包含更多资源

浏览过的版块