Basic Information
File name:
SafeDrvse1.zip
MD5: d62676b5bd23d147cac1267f24844f3e
File type: zip
Upload time: 2020-05-02 19:53:16
Vendor: N/A
Version: N/A
Packer or compiler info: N/A
Sub-file info: Details
Key Behaviors
Behavior: Cross-process memory write
Details:
TargetProcess = C:\WINDOWS\system32\rundll32.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000a70
TargetProcess = C:\WINDOWS\system32\rundll32.exe, WriteAddress = 0x00400000, Size = 0x00012000 TargetPID = 0x00000a70
TargetProcess = C:\WINDOWS\system32\rundll32.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000b1c
TargetProcess = C:\WINDOWS\system32\rundll32.exe, WriteAddress = 0x00400000, Size = 0x00012000 TargetPID = 0x00000b1c
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x7ffd7008, Size = 0x00000004 TargetPID = 0x00000b38
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00400000, Size = 0x00022000 TargetPID = 0x00000b38
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x7ffd5008, Size = 0x00000004 TargetPID = 0x00000bb0
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00400000, Size = 0x00022000 TargetPID = 0x00000bb0
TargetProcess = C:\WINDOWS\system32\rundll32.exe, WriteAddress = 0x7ffdd008, Size = 0x00000004 TargetPID = 0x00000c18
TargetProcess = C:\WINDOWS\system32\rundll32.exe, WriteAddress = 0x00400000, Size = 0x00012000 TargetPID = 0x00000c18
Behavior: Set special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Modify registry - image hijacking (Image File Execution Options)
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgaurd.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arvmon.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoGuarder.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger
Behavior: Load driver (regular)
Details:
\??\C:\Documents and Settings\Administrator\Application Data\~ivgmf.txt
\??\C:\Documents and Settings\Administrator\Application Data\~ffetm.txt
\??\C:\Documents and Settings\Administrator\Application Data\~dpwdl.txt
Behavior: Set thread context
Details:
C:\Documents and Settings\Administrator\SafeDrvse1.exe
C:\Program Files\Common Files\SafeDrvse1.exe
C:\WINDOWS\system32\svchost.exe
Behavior: Kill process
Details:
C:\WINDOWS\system32\360tray.exe
C:\WINDOWS\system32\RavMon.exe
Behavior: Set special file attributes
Details:
C:\Program Files\Common Files\SafeDrvse1.exe
C:\SafeDrvse1.exe
C:\DiskD\SafeDrvse1.exe
C:\DiskX\SafeDrvse1.exe
Behavior: Modify registry - system firewall trusted application list
Details:
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Common Files\SafeDrvse1.exe
Behavior: Create autorun file in drive root directory
Details:
C:\AutoRun.inf
C:\DiskD\AutoRun.inf
C:\DiskX\AutoRun.inf
Behavior: Get TickCount value
Details:
TickCount = 217253, SleepMilliseconds = 300.
TickCount = 217628, SleepMilliseconds = 300.
TickCount = 217643, SleepMilliseconds = 300.
TickCount = 217690, SleepMilliseconds = 300.
TickCount = 217753, SleepMilliseconds = 300.
TickCount = 217784, SleepMilliseconds = 300.
TickCount = 217815, SleepMilliseconds = 300.
TickCount = 217831, SleepMilliseconds = 300.
TickCount = 217846, SleepMilliseconds = 300.
TickCount = 217878, SleepMilliseconds = 300.
TickCount = 218003, SleepMilliseconds = 300.
TickCount = 218096, SleepMilliseconds = 300.
TickCount = 218143, SleepMilliseconds = 300.
TickCount = 218159, SleepMilliseconds = 300.
TickCount = 218753, SleepMilliseconds = 300.
Behavior: Modify registry - startup entry
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\SafeDrvse1
Process Behaviors
Create process with hidden window
Create process
Create process from newly created file
Cross-process memory write
Set thread context
Enumerate processes
Kill process
Create local thread
File Behaviors
Create file
Create executable file
Copy file
Set special file attributes
Delete file
Search for files
Create autorun file in drive root directory
Set special folder attributes
Modify file contents
Modify newly created executable
Network Behaviors
Open URL over the network
Connect to specified site
Open HTTP connection
Establish connection to a specified socket
Read network file
Send HTTP packet
Open HTTP request
Registry Behaviors
Delete registry key
Modify registry - image hijacking (Image File Execution Options)
Modify registry
Modify registry - system firewall trusted application list
Delete registry value
Modify registry - startup entry
Other Behaviors
Create mutex
Create event object
Load driver (regular)
MD5 of modified executable
Get TickCount value
Adjust process token privileges
Open event
Signature info of modified executable
Executable signature info
Call Sleep function
Executable MD5
Open mutex