4.3
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.80
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Unruy-AA [Trj] | 20200307 | 18.4.3895.0 |
| Baidu | Win32.Trojan-Clicker.Cycler.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200307 | 2013.8.14.323 |
| McAfee | Downloader-BPA.d | 20200304 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b4e32c | 20200307 | 1.0.0.1 |
静态指标
查询计算机名称
(4 个事件)
动态指标
一个进程试图延迟分析任务。
(1 个事件)
| description | wmpscfgs.exe 试图睡眠 208.5 秒,实际延迟分析时间 208.5 秒 | |||
在文件系统上创建可执行文件
(6 个事件)
| file | c:\program files (x86)\internet explorer\wmpscfgs.exe |
| file | c:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe |
| file | c:\program files (x86)\360\360tptmon\360tptmon.exe |
| file | c:\program files (x86)\360\360drvmgr\360drvmgr.exe |
| file | c:\program files (x86)\Adobe\acrotray .exe |
| file | c:\program files (x86)\Adobe\acrotray.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe |
搜索运行中的进程,可能用于识别沙箱规避、代码注入或内存转储的进程
(7 个事件)
将读写内存保护更改为可读执行(可能是为了避免在同时设置所有 RWX 标志时被检测)
(5 个事件)
检查系统上可疑权限的本地唯一标识符
(5 个事件)
重复搜索未找到的进程,您可能希望在分析期间运行一个网络浏览器
(8 个事件)
使用 Windows 工具进行基本 Windows 功能
(1 个事件)
| cmdline | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe |
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 94.75.229.248 | |||
在 Windows 启动时自我安装以实现自动运行
(2 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader | reg_value | c:\users\admini~1\appdata\local\temp\\wmpscfgs.exe | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader | reg_value | c:\users\admini~1\appdata\local\temp\\wmpscfgs.exe | ||||||
生成一些 ICMP 流量
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Trojan.GenericKD.30969350 |
| APEX | Malicious |
| AVG | Win32:Unruy-AA [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.30969350 |
| AhnLab-V3 | Win-Trojan/Unruy.1355704 |
| Antiy-AVL | Trojan[Clicker]/Win32.Cycler |
| Arcabit | Trojan.Generic.D1D88E06 |
| Avast | Win32:Unruy-AA [Trj] |
| Avira | TR/Crypt.XPACK.Gen |
| Baidu | Win32.Trojan-Clicker.Cycler.a |
| BitDefender | Trojan.GenericKD.30969350 |
| BitDefenderTheta | AI:Packer.4B292C381D |
| Bkav | W32.DownloaderV2MT26G.Trojan |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| ClamAV | Win.Downloader.Unruy-6988793-0 |
| Comodo | TrojWare.Win32.TrojanSpy.BZub.~IP@f810f |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.f6279d |
| Cylance | Unsafe |
| Cyren | W32/S-a9385d94!Eldorado |
| DrWeb | Trojan.Siggen8.10300 |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Unruy.BK |
| Emsisoft | Trojan.GenericKD.30969350 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-a9385d94!Eldorado |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen |
| FireEye | Generic.mg.5d63639f6279dbf3 |
| Fortinet | W32/UNRUY.BK!tr |
| GData | Trojan.GenericKD.30969350 |
| Ikarus | Trojan-Downloader.Win32.Unruy |
| Invincea | heuristic |
| Jiangmin | Trojan/Cosmu.euy |
| K7AntiVirus | Trojan-Downloader ( 0054e0831 ) |
| K7GW | Trojan-Downloader ( 0054e0831 ) |
| Kaspersky | Trojan-Clicker.Win32.Cycler.amiz |
| MAX | malware (ai score=81) |
| Malwarebytes | Trojan.Unruy |
| McAfee | Downloader-BPA.d |
| McAfee-GW-Edition | BehavesLike.Win32.Downloader.fm |
| MicroWorld-eScan | Trojan.GenericKD.30969350 |
| Microsoft | TrojanDownloader:Win32/Unruy.F |
| NANO-Antivirus | Trojan.Win32.GenKryptik.fnqfhw |
| Panda | Generic Suspicious |
| Qihoo-360 | HEUR/QVM07.1.B829.Malware.Gen |
| Rising | Trojan.Unruy!1.AE5E (CLASSIC) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Unruy-O |
| Tencent | Malware.Win32.Gencirc.10b4e32c |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(3 个事件)
| dead_host | 74.63.241.30:80 |
| dead_host | 199.59.243.227:80 |
| dead_host | 94.75.229.248:80 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2009-12-12 05:31:37
PE Imphash
53b338a5a343440770be2403e59415fb
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000062a4 | 0x00006400 | 6.4033273491094755 |
| .rdata | 0x00008000 | 0x000008ec | 0x00000a00 | 5.307814456580207 |
| .data | 0x00009000 | 0x00017738 | 0x00007400 | 6.786513762481173 |
Imports
Library KERNEL32.dll:
• 0x408000 GetFileAttributesExA
• 0x408004 HeapDestroy
• 0x408008 HeapFree
• 0x40800c QueryPerformanceCounter
• 0x408010 Sleep
• 0x408014 HeapCreate
• 0x408018 HeapAlloc
• 0x40801c GetProcessHeap
• 0x408020 ExitProcess
• 0x408024 GetModuleFileNameA
• 0x408028 GetTickCount
• 0x40802c GetProcAddress
• 0x408030 LoadLibraryA
• 0x408034 VirtualAlloc
• 0x408038 VirtualFree
• 0x40803c IsBadReadPtr
• 0x408040 lstrcmpiA
• 0x408044 FreeLibrary
• 0x408048 HeapReAlloc
• 0x40804c GetModuleHandleA
• 0x408050 GetStartupInfoA
• 0x408054 GetCommandLineA
• 0x408058 GetVersion
• 0x40805c TerminateProcess
• 0x408060 GetCurrentProcess
• 0x408064 UnhandledExceptionFilter
• 0x408068 FreeEnvironmentStringsA
• 0x40806c FreeEnvironmentStringsW
• 0x408070 WideCharToMultiByte
• 0x408074 GetEnvironmentStrings
• 0x408078 GetEnvironmentStringsW
• 0x40807c SetHandleCount
• 0x408080 GetStdHandle
• 0x408084 GetFileType
• 0x408088 RtlUnwind
• 0x40808c WriteFile
• 0x408090 GetLastError
• 0x408094 SetFilePointer
• 0x408098 GetCPInfo
• 0x40809c GetACP
• 0x4080a0 GetOEMCP
• 0x4080a4 SetStdHandle
• 0x4080a8 MultiByteToWideChar
• 0x4080ac LCMapStringA
• 0x4080b0 LCMapStringW
• 0x4080b4 GetStringTypeA
• 0x4080b8 GetStringTypeW
• 0x4080bc FlushFileBuffers
• 0x4080c0 CloseHandle
L!This program cannot be run in DOS mode.
HHHmHH
HHmHHHHHHmHHRichH
`.rdata
@.data
;u^;Ms
EEMM?}
;ujM+M;Us
EpPEp4
EM+H4M@@
E@EE(EE
E@EE(EE
E@EE@@EE@
EE@@EEM;H
E@EEM;H
E@EE;E}
E@EEUQ}
E@EE;E
E@EE;E
E@EE;E}
uYYEU E
Yu3Vt$
Yt$CH;r
tACH;r
PSWrSU
_^][Vt$
It.ht lt
HHtpHHtl
YAE t!E@E
t;ERPWVEU
~;E]xf
YY~2MQu
E_^[<@
KVW~&|$
j?UIZ;
r;]uy;
;uY;]s
pD#U#ue
j #M_|
]#\D\D
VW3;u0DP
YtF>"u
< v^S39
P,Y;5$A
8 t9UWM
YE?=t"U;Y
8 u]5A
[UQQS39
EPEPSSWM
YEPEPE
@"t)t%
F8"uF@C
@C8"u,
VW333;u3
SS@SSPVSSD$4
;t2U;YD$
t#SSUPt$$VSS
;t<8 t
u+@U]Y;u
3_^][YY
DSUVWh
_^][DUSVWUj
t.;t$$t(4v
VC20XC00U
]_^[]UL$
YY\WP\&
@Y<v)\P
tAt2t$
DDDDDDDDDDDDDD
90tr0B=
@j@3YA
@;vAA9
Wj@Y3A
t7SWU
BBBu_[j
VPVPV5A
@AA;rI3
VWuBhh@
;tg5,@
GIt%t)
Gt/KuD$
GKu[^D$
t78t2=@
SYu+Vj
_^[3VWj
|_^Vt$
3^SVt$
>+~&WPv
YSVW33395
SVWe39=A
"WWSht@
M]9}tfSuu
tMWWSuu
Mu;tVSuuu
3;u>EPj
EPVht@
E;tc]<
e33M;t)uVu
_^[Vt$
:t4VnVl
PSUVW|$
tiW)Yt<
_^][Vt$
'w-J'w&w
'wI'wV
'wu)w>'w4'wn wE
'wQ'wgD'w
'w/w)wI'wQ'w
'wa'wQ'w)'wQ'w15'w)w
'w)wOE/w.
'wf)wF
`h````
ppxxxx
(null)
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
GetFileAttributesExA
HeapDestroy
HeapFree
QueryPerformanceCounter
HeapCreate
HeapAlloc
GetProcessHeap
ExitProcess
GetModuleFileNameA
GetTickCount
GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree
IsBadReadPtr
lstrcmpiA
FreeLibrary
KERNEL32.dll
HeapReAlloc
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
RtlUnwind
WriteFile
GetLastError
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
SetStdHandle
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
FlushFileBuffers
CloseHandle
ppppppppp'pppppppDbDD
7'hm7|R
}bb}bDD8X-DD
j9ppmhp
Mhppppp;Vppp:ppp
}:}f:xJ
bbpph8ppp-DT:bbDJppppp
ppaxppj}::
DbMtpp
pmpppD8b
8r]v*]]
JJvJvJ
p:p`f{\
p:ppb:8
fppp9V9Op:
p:ppp~JOphpp\U~-e
v|:vbv
Pppypy|Dg
ppppjQgpp fg}D
p:V>}~}p$h\
p:jp:}
p: :pppp-p-ppp@
|\~h=Dv
hpp\J}{v
phpppv6vey~vDvD
p:>}`]ce
*hppop:{
p:cppp{:}
~Qc`ppV9
hpe-euVucj\j2
p:~2b%ffDG
pppg9wppcpg9 cp:92V9
pEpp9'j\
Dxf~bQfpp
}v@~D9
xDv`92pa6
hhV9e-eELtDLT$p
Dhppp-Q*ppVg
8hpp}j_Q}@
*ppGVEe
Z}v}|e-e>QNN>pY}n2jQDb~1~b`r
pp\|}c}v
pM\j}6
Rfx_~sbx_
ZZ}x':ppQvspp5~b\ov@pppP
V9b~bQ0jQ<
abppyQ#}
c(pppg
2jVU#}~b\V}D\
}x>}``-e.V2};}\}v
DvGfppy
}vG2pp0jp-ppQp:hpp\}<~f@Q<f\a}L
p:-L:LG
p:Q2|M}MM
}MM>}M`M
}MM4MDvppp
b,}Vm>
}V}}Vy]y`DD
ppnpb@}VNh
hm}]p}V2~bQ
}bG>p*59b
bV2e-e)~2Q
tx}vqn
jDJppc~
V5b,,,1VQUp2p
_'hpppWDM
QppdQ9U
bb$9Uh.,'
1}`Hppp1ppv}}
eT9jp}n
92D%U}}na@ppyalQ}MfQD\
b:]c-pp
M~fbJ}~}L}]c$} Dv
p}vN}9j~2
}~-e`ppp\
p:H:pp#
a}q1x::pp9b
pp:9:V9:9fV
Q}pp}Yf}lfp}
phpp]c}9b9f}Xv
:hppg92h}
}XTjWppp
jDx92jpO
]ce-DvSvu9b
}Y`S6.}N:
_Qgpppbx}
`]J~btp:p`6XcEhp;}K-ex-e$}xbDz
Wf_fv]ceg9Qhppp9V9
p}zW:9QbV:
Dz}pp}
-\b}Kh|
p:QF f
p^p:h~}Q
CQ3YD2#-KQbxQs
p~}Qfpp
D(DQ bpp{%pp
Qp:c`l:b*M
RtMpKg}p:hpppQlv
!MMQ8Dpp
Dp3Bv\`}m
f2pp:\
p:Q5p}
a@p}o#
9j}y\}
>p~bhEhpp_c
jDG~bQ?m}/6}*hhpp
~-e-eiD
GDXjQXmpp
}zMw#}
}x~sT},p'
c`]~bQ0:}xG}x-e
bqeb,~b
M6}vmv!}
N\DvJ~b
p:vNvlz
2zbpp},PjQB}N:wjQT:g9w}
}V~J}S~b\n}xuPD~
D8y`D9bV
ly@DnD}BDb%-pp1}
Q0j~DV
bp`_9bqc
9fcQppV9e9fqc
hV92U9jpQ
ppV0>p~
1}x:(\
xh}?pQ6
}?ppp}]
D@QQ%XD:
v{f`T:.
>}x}`b~Q
bx~:Q+ fea
Jj2sJbf
fJJ'Jb:`
b{{Z{Q{
I{-fpbQl2b
bay2}4L>}`S
SrbWpp
]p}z,f}Y
`bB-xvmQ
}p'}D1
}Yvf}O>p}Ha
p:]HQpp#]V}
DbpbfQ
DPGbG>p*8}v
}xsDvMo}mP2`
.Dw:}nRD.}\
BHb:Mv}'L}D,W}2
,9bV9292nppp92'pppc2Vv}f
}Mcppj{Jp:\t
O\V2b4o
.~byD.}B`vKfv2
ppp}v:,6p~}c}
bQ1pppppK}
ppp:W'WK}ppp
R2peD92x9fRrrfv1m2Vv_~b:
8V8[bbpppjQ|1ppenD
hvBppR}ppCp9bpn9
bhn9!9
_p/p:Q
c~j9bc
v>:ppRM}
w-ppbKb
ppp*_fQ
Fhppmb|D
hMvm}j~b
,yp:J9b9&
9_9}X6}TbT DT}M
BDv.Dx
Q2py}e
cG2pe-e^
2p~-ejyp:`x|b:~2Y-e:QDvp
D5,mV92f
zMJ;M`bML`bM`bM`
bMt`bM
`rbM`ubM`ObMW`bM`bM
`MbM~9
2nbDH:e}h29
}b{a+_y
b(hV}D}
~bQcj}.Rw0D.`
~O92}}|Ds
2Z-ppKpem2pnTD9
b9bOn9b
9fbfDfD
?}DcV9e}QJV929
`~b?5~D
hc~-em92hjDpjQ
nhDue5bBT~b9$pe
D'R:M\}T
}mDvr9
bfnbe}
bw<bpp
Ms}fwDpD-DwM
}'D`}`=
}(pfa}5MabfM/}vBG}vB}
bvB}:vB}v}QH}vBnM/}
vB\vGD3
fv9Lv9O}nt8
jbDDy{fpp1Qpp} }
p9j9b}jGc
J:pp9jp:9
jtU}UV9U9U9
_p9UV99j
2yyyyffmOcM}jn}v_a:[-2j
Qp`}g-}
52jb2p9jjc
:}hPfTDo-s
}nQ9QV
Dvl\pp}
hppDu\pp9 v
Qpppc5}Y
}8bvEf\
Dfx;9U
T9U}<~f
fJh{5bDf:Q`
p`MZb}i?Mf
DgJD:ppQG}
VZtVb}
j\/p:\U}
`/p:Lb~2
e]chpp\
vR3MvRj}vR`
v}hpp`eDv"?}v
}tfp~fjGV9
ppcc`g9
jtbvbg9 <Q
cd}'|2b4}QF}
EQpp9Uj_
RP9Pp~P
g9wEQrQ}bQ
QH}bQ^
pp9weu'};OD;tD;
D;nD;D;
B24p:}pn4}wW}
} <}4:ppp4p:Q
Ea:ppM>cb
}bb1n}
::v }):PJw
-a4p:U
p:}}Jo
QdfvWjO]
cnwDTppD
pp6c`?vy
}x1/}M}xuT5e
Gyp:cppjcu
fbx;Dz}v
fVQ!lpp]c
QV9QQ;9QR{}t9Q
Mkr}5D
hpp12p
qvPuAb>f
v}\Pf]#^LFb}P
y}^Ob^r^rDQcW}
}c?e-e}xW
qvp:.D
V@}MppM>'fV@bV@}u
}ppj~b}nhb}V)b_V
}V}TvbppD
}M}xRbppe
]#}3f~~2Q
fpppDDNN
NDppDY
D`cEhb+-e-e7D$M
E}fpy'Mpy
B"DsCa}C
L78&4p:Q
}chQ6}ppb
bCQY}EMj
bppgPC-
tp:|yp:p~?f%f!9v}v:
}`}M~DDveD5}<xQ
ppc`g}Gyp:
p:C}sD
}bK5pQ,hQ&pp
u}yp:Kp:K
t#}ppj/@!DJYppD
}v\pp,Dn
yf}D}H
fjQ`;ppQ$
fLLLfL
LpL.fL
fL$}QfL
DxJme}xJ
bDx:pp"
DxW}}yp:
hh5b}Q8eVE} }n}hpp5pw
,{`4-}j
-ajn}j}J%-ppDm
}j6c`QO&}x)p}C
p:!afDxf!}OMl
fP2pOp:
B\w}bp`O
\pppe\
_[bfgZV9
T9-pp]ce\
,V292b,\n
D:9bjQppp b2V}
pD}fjb,p
.?QhV9
N\MT,2.
pp2Vrb92
bp~:}r
p:jQ}v
ppMx:vpb
vJ.}pbV
9fbWV.}Tj,\
:SxmpT9b#c
fp`}!]ce9f
b~}9be|b
-c`G}xffV
}`bhVbe3]cD
9bp~-e]b
,bg-ppD+
LDMBfV,9glf;f.f
V-};p~6b-jNbgh
._}6b$hpfVGbD'<}bvr}
v%Gb,bD
grv69b;,bVj
}$-Zg}]
:9fDV9
KVj}x@,}RbG,bxt}vGb}9
eV2.D}jf.Q
$-p}2DTGf
} Vf}}:Gf}b9r
mv59:-}v
Bv}brv.Mv
}xbVbeV92:,f.DGb
2VG}Lf9:bVlftD~v}b
Jv6vpbppDv92Vr2:xb-}vffnf::-h}vD
c0p}dzp}}\:5D
g} TIIV
QmbQL\w}g2e
} ~V}D
yg92}v9
9j`]ce
~bQDf}o
D|e9fp
u}&s9q2} }Zpop:vD>
Q}=n}rnV9n
QHppp#
9n}\nn}
9j\c}~V92
9n]t#9n2b
M79aW}NW
;t9njop:9n9
Sbppf}x}Lb)})H}'T::9V29fc`
~b:|cfD
}}bese
v;afxDv;e8
fRMJ}Px
}+Vo}^h}~bQKpDice::~f
bt`}{hDv{
Qyyyyg9
}^blh|}"
}}2\}P
p~^>7}
MvnM}L}:L}yj9j\E
8p`}n`~l8
ppg0O}
}aEDgc
}D}L}t
9~fQC}
V}Dv>}
pF}v]}V
bt"}<{
c4p:{w}
vn1D8e99
9fto}OUq}:Q5}_t
Ta}T5b6
Q\nf`QTt}*e
Qtpp]ce5>}`\p\S
\5Veop:
~}Yx}n
vYppD}ppp:vc~}L}yb
}vxj2j9jbfEh9
}vfhv|b
2hR-e{
~}GfQV}e69
}{}R}v
h6M\hp:GfVl}
bp`M~b}'?
ppfvX~_}Dv(
vp8Qppc\u(}<Eb
Qp:Rbv
Qp:Mnp:V}feX
}p}vx}
f,N}bbpp
D6bqb}q
}u\]~b
Qp:vDJM<Ql<R\<UD}<bmfV}x@}
|Dvp:Qc}
p}\p:Q'M
phPp:QM
QC,b>{M!
bV9e)bvZ,,~fQ/ppp
bIN:9}~
9bDv2pc`
fb&}%}mv,~fQ3;92
?v|nbe
ufnbeU~fQ:m@
~bvw]b~2Q)K
}'<W-e[Tb&h}?
cF-qcV9
chjbEbp
Gh]cv}M2n
-~}nGhlD-l-l~-eTD
2}'2T9
flfc-H
hppp.xt}0`DeV
p:n-w-}~}
ch9f~Z}`
]crh5pppM
-v,-vFcqM
92ch}'
SFW\vB
};2$8f}}D}^bm5^b
O^bj|]^b
^M}/ppp}%Z^hfx^h
p~Q}zM
-`Le.M#
albas9
$bDvgp}~
Svt}b} {fRD]cpp}bh2j}o<S
}xtQufQ}S}ppV999
`l}7_}b92pvO`y
bx}Vc}h`
bI}xvJ
p~}pp~
Q#}xT}x
929V92
v-VEv}2pV9UbMv
thD52bV2
}iq/}bhb:}XV}xv"89jN
bvvTf/
}}}ESQpeM
3DvJQ}M
x!xMxf
x}(OxxL5x
\xD}Dx
tb@MQb
:vNDv`pqc
@8\'SKDv>
e#e!eeeDYRg92
fR2&bvFv3]
b92]5ppp]
Qp:V2b}lbe>92
2"]V2eb2"&V2ev}Vf}vfeDi
n-e[b$vpb$xhvdM
:9f]a:V
v[pppV
nR}b]c}v8}bV
9:pppv
vF}vfDv`}
2n}"v,92}}
n,v9,}
fv><D}
ppg}VGC
JpZfGp~8yc}6
E-ppUpyO}!jQQ 9Q}
QQ?"g9
0::Q:}2m
pb_0e=M}
hppQ0}0|Gc
Up~U:Z0ZZ92j},}
hppDxsi-#bvp@-pp
=jQ{0}&D }
x}:Vb}
U}TDx{jDGV}
}77Dv}
5bv$5v
}+~:~bQnv?b]ce=
7v$1DW1p}d
bvE92`Dg9
}@`8{pDMv
,p:ppmtb*vf}h}R
h[bjd
5G}bvJ5}O}8}a}
p:tbc~
bp:pp:
p:Q&J}1ec~;}c`J@1s2*
`D"}Ie&b
:C~peh`}-~@
c`f1Q\Dv.
hV9f~fc~ujQ
bb}V9f9f
p:~f`t\
p:}`tfQ}e6fdQ+#c#Gd5b
p:Q}ppp
pppp-H
p:QpppdGp:Q
jQ@D$1
ct2Q021
5ppppDe-]cjQppp
}M`pDQuppp~D
gpea6~
gpV?b$
bpp`tbQpppe
p:jQ>pp1
fpV?gPp:cV?b`
t:p`bj,$fp1}Ctbh`D1Q2
GVbbcf?bbNDabKfC`D1!_dNfNsN5
tGxpPXpp(XppnXppXppXppXpp
XppXppXppC(pp
(JCYppYpppppp8pppp?pp.pp
ppKpppppppp=pp
ppbpptpp
ppGpppp&Ypp*pppp(ppppcppEppIpppp(ppa(pp(ppr(pp(pp(pp(pp(pp(pp
(pp3(ppc(ppYpp
YppwYpp3YppYppYpp
ppIzppozpp(zppzppzppzppzppGzppzpp
zppOzpp@zppzppfzppzppcpp'pp
pp*pp?ppppppD-ppfppppppppDx
XppX8`YppYppYpp|YppppDtjpppp
ppIpp8zppzfp:
:-p::p:G:,p: ,p:bb::MMW
Dph-}DbMf
@t58ZSTO
J]TTTlr9?%GBm<j,.|1
qNs*R`~K
J]xbTpppp
pc<FjJ
xpp>=M5O]+
pc<hQp:p:J
p:-p:c
p:2jYpp
pp:DtSpp
pp|M*zpp
ppEM8zpp
cp`*`*lp*lpDlppPf~lpGmlj
`ph<~`
lpph%`m
R`9**N*ppWp*
`bp`?lp-.
|qN~`pp~:1*RN9
`j*NRRphNKDLhD]
`pz-|*
`bp}vGb2?*R`ppmDvf|NN]
RN`ppp9
9K*N``*Rlpb
R`*lpp
h%`}v``*
lpptN~}v
p%`~**`b
jN`*pp
`lpp-}vlppD
Dv`lppUh~`r`|N
*p-bM|Np}j
p?}p}f
xrlpp5-.
?*p=}xN~`*Dx
}1N~:*
`Nlp}bxJlphG
}pJDx;pp}lNpB9.9m]}<pyh`~*`R*`N*
pph.9~1
~lp:}xuBp*
lp:,~*}
_pl~R`|Nqj*KRp!pmNNq~D
p}t}?p`
l1ljbv*`p9
lpG9mbxP-R*`
`*Rpp2D
RN*jNRpp9.b
bpDVbOp:9
p`*`}r``
frs<*lppNlp9|}vp`~N
lpGlr~
*(8pX9~pp9|M-
}-Dxp-`Kpp
-Vlpp'ppp
`}v*]pp/-*
pppWR`R`*
9j|<j<|9.
}Jpp-R}k-R}
3hRDv}vb
}pp4-*v-
`NpppWWl|:pWW]ljl
1.xRph
DpNpppNR`
ppNDx<m9l|b hR`*~plp
|*N9}xNpp
pppppp6ppRpp
4hpp?9%N
R`;;pp
jxcZ?}xD
`ppp.lp
.~JJppp
}XMf`KpR
}vffff<?|l.9M`bV9v~*9
`R?;l];
9?u9?]
D@5R@bx`JJlN
OD}t}x`*
Dx8Gb\Dt
8vv:*]v:l
tvObp5R
5~ppSMS5}xu
ppplfppphppN~`
?.l9.}Gl.%G9%G|JD|GJ
.<mm%<
};r<.9.J
}x19pp
q*KG}p
}V8pp<<B9
;.l|9bapp
ppmpp5RppppJJ}ff5ppN
plppp*
N~`D8<r9|pp?W}vJDb}xpNqLp
D|j<jppp.
**L5Rppp``L
JpppG9999
:o:pp0-TV
Vp~`pppLp5~pp5J
}Vfv|~bb5R5D5*}t
K*}R}8R
RqppRNq8*
*NN`vJKR}
`qp~Db}:K}Jb
bR*}b}tR
RqR*pppN
}b`KbxMR`
RK}fRR*KxafpR
RRNp}v8R
RK}`RRb
DK|f}v
*b`ppp
pN~}uR~*N``pf}`R~`}(
~}bRRppjl`pj
NRNppp
NppKR*KpKR}pN]q*}f~}`
*f}vNpKN
}x:MWpDWpbfa|}
Wl1N**N*xWf
ch:ppGhpp}J
JJ8JJJ1JJ
JJKJJnJJXJ
JPJJJJJJ0J-b
p]]]]].]]/]w])]"]]]M
k:;;;]LrL%L
LLWwk_
WSWWW?WW1WWW~W
W3WWWWp
xGJJBJjJJJJ/JJ JJJJ2J-\9B,
h]M]]5]
]<]]3]d]
{{l{n{{'{
>U;;;BL1L*LL
LPLLLL-
VwU2WWBWWW~WWpJppJhpppJ@JJWJ.J
JJJ=JEJJkJ
JJJ}M\T
]]]]]]]]]]]]]}
huuuuSuJuuuuu#u;;;g;;F;!;@LlLLLL~LLLLLcLL\@
W6W;Wppphpp]J;JJJJ`JJJUJ-_u<
uuuuu uuuUuhD:aW
-;b;L;;
LlLLLCL
WWWgWWpppjppUppp-JJJJJZJ
J`JoJJJ
{m{{uSuuuuFu
~;LLNLLL
FWWWW'W
WQWpppDmLJJJJJyJ^J)J"JQJX
xn(<]1]]R]]]
]]H]]g]
{{{{{{i{[{{{
uuu!u6]?H
;;a;;;;
;;;/;;;;;
;;bLLtL{L?LLLLLXLPL>L=LLLh
:|K+r~YoH
WWJWlW.WW`WWW4W'WW
WeW2WpOJJJJ,J
JRJJ]]]]]]&]\
uuTuuquuuuu
;@LSL{L
7EuWdWppp pppz4w"
kI0}a;
|Y43}]
]S]]]]F]]
uuuvuFupf
I};;;O;;;w;;;e;
;#;aLLLL<L*LL
x2pf:a
OJo]P]]]']]U]
x:pppJc
o,s*+?)
kBq$75T
&#pMz!`
nClDy^~
/WNY;Xg_ w
kernel32.dll
VirtualProtect
FAILED with delay %d
c:\users\win7user\appdata\local\temp\wmpscfgs.exe
(�n�u�l�l�)�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
Process Tree
-
0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe (2236)
"C:\Users\Administrator\AppData\Local\Temp\0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe"
-
wmpscfgs.exe (2996)
c:\users\admini~1\appdata\local\temp\\wmpscfgs.exe
- wmpscfgs.exe (1928) C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
- wmpscfgs.exe (2460) c:\users\admini~1\appdata\local\temp\\wmpscfgs.exe
- wmpscfgs.exe (2656) C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
-
wmpscfgs.exe (2996)
c:\users\admini~1\appdata\local\temp\\wmpscfgs.exe
0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe, PID: 2236, Parent PID: 1808
default registry file network process services synchronisation iexplore office pdf
wmpscfgs.exe, PID: 2996, Parent PID: 2236
default registry file network process services synchronisation iexplore office pdf
wmpscfgs.exe, PID: 2656, Parent PID: 2236
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| www.supernetforme.com | A 74.63.241.30 | 74.63.241.30 |
| ww1.supernetforme.com |
A 199.59.243.227
CNAME 12065.bodis.com |
199.59.243.227 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49167 | 74.63.241.30 www.supernetforme.com | 80 |
| 192.168.56.101 | 49168 | 199.59.243.227 ww1.supernetforme.com | 80 |
| 192.168.56.101 | 49173 | 74.63.241.30 www.supernetforme.com | 80 |
| 192.168.56.101 | 49174 | 74.63.241.30 www.supernetforme.com | 80 |
| 192.168.56.101 | 49175 | 199.59.243.227 ww1.supernetforme.com | 80 |
| 192.168.56.101 | 49177 | 74.63.241.30 www.supernetforme.com | 80 |
| 192.168.56.101 | 49178 | 74.63.241.30 www.supernetforme.com | 80 |
| 192.168.56.101 | 49179 | 199.59.243.227 ww1.supernetforme.com | 80 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 81.17.34.87 | 192.168.56.101 | 3 | |
| 81.17.34.87 | 192.168.56.101 | 3 | |
| 81.17.34.87 | 192.168.56.101 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 2e6ea717a1809e0a_360drvmgr.exe.delme31599 |
|---|---|
| Filepath | c:\program files (x86)\360\360drvmgr\360drvmgr.exe.delme31599 |
| Size | 351.6KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 7fc17df8886521983d94482328011db7 |
| SHA1 | 11206821da4841ad157115b4b3e70e7fb01f8639 |
| SHA256 | 2e6ea717a1809e0a85f6417a9e8839a301684c9c0087af64a60f060f60ebde56 |
| CRC32 | 4802F715 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 9294d9177967e88f_360drvmgr.exe |
|---|---|
| Filepath | C:\Program Files (x86)\360\360DrvMgr\360drvmgr.exe |
| Size | 412.4KB |
| Processes | 2236 (0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe) 2996 (wmpscfgs.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | b2d79725ed46964c81032acdcc3e5192 |
| SHA1 | c872cdc9ed8e16a5ffdc55c1499fd82e7ad8e92d |
| SHA256 | 9294d9177967e88f0a974c98a8b517607a1199b7e07d5ab0092c98bbc04be3e7 |
| CRC32 | 4D2A4E99 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | e8e274e36cc6d4fe_wmpscfgs.exe |
|---|---|
| Filepath | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe |
| Size | 361.2KB |
| Processes | 2236 (0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 913955a4e9acbaa8c6dfa87de98a3d5c |
| SHA1 | 9d6704de91b942fd05fb389296d677d7aa0f3a35 |
| SHA256 | e8e274e36cc6d4fe5abfb6494abaf5a9ffeef0aca91927b771a8405a73141f06 |
| CRC32 | FD5D4E00 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | b4eaa7c51f7d7967_acrotray .exe |
|---|---|
| Filepath | C:\Program Files (x86)\Adobe\acrotray .exe |
| Size | 412.0KB |
| Processes | 2236 (0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe) 2996 (wmpscfgs.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 1e47dc5cad7663328b2eca462c458522 |
| SHA1 | 584f88f1b63fc3b1f9c46563e7ac1e364018793f |
| SHA256 | b4eaa7c51f7d7967297f5a0061e22601c1ef9e75b58d599c0355c6942b52641f |
| CRC32 | B9B5F232 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | e0db2a1cea6992bd_360tptmon.exe |
|---|---|
| Filepath | C:\Program Files (x86)\360\360TptMon\360tptmon.exe |
| Size | 378.2KB |
| Processes | 2236 (0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe) 2996 (wmpscfgs.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 7795d3876269e52089f5982ca668cc9d |
| SHA1 | fe53263d4c413fe15bcf57386ae2d3574119a506 |
| SHA256 | e0db2a1cea6992bd127defbb6ac79ba19809e4eb11ae4627d9395e8dcc38310a |
| CRC32 | 064DBEAD |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 17eb67f785353786_360tptmon.exe.delme31607 |
|---|---|
| Filepath | c:\program files (x86)\360\360tptmon\360tptmon.exe.delme31607 |
| Size | 345.4KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 3525fdfe5a30ec4eb187607892046b65 |
| SHA1 | 111354d1a1dfdd7c1127264da4ec86774c0fb730 |
| SHA256 | 17eb67f785353786b2d27fbf6ca22eb326afbfca2aca08d2ad21861c804df76a |
| CRC32 | 3D013455 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | b6e094985a31e6e8_wmpscfgs.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe |
| Size | 373.9KB |
| Processes | 2236 (0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 16eb1b4e608fd44b716addf50c40cc9e |
| SHA1 | 03d65030ca58f83850f9f5c7c0c266b362ddf317 |
| SHA256 | b6e094985a31e6e8605a10b5578d204d0b9482fdb676ed5a20cf78dc493d898b |
| CRC32 | 1B6733CB |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | a0d82bce7daa7d70_acrotray.exe |
|---|---|
| Filepath | C:\Program Files (x86)\Adobe\acrotray.exe |
| Size | 376.9KB |
| Processes | 2236 (0a1bca5d081d8ee3ab4eccf12d1725848415f88c2b0d025ca590dbcf877086ae.exe) 2996 (wmpscfgs.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | f87a85c41df90d1621df5499a515ec36 |
| SHA1 | 74594cde60ceb3a903717d4aafba9a0fe79f7335 |
| SHA256 | a0d82bce7daa7d70ca9ca55fe18d8b90507ff03f248b84ab225dd186515951f6 |
| CRC32 | A3AAD160 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 67abdd721024f0ff_31599203.dat |
|---|---|
| Filepath | C:\Program Files (x86)\31599203.dat |
| Size | 4.0B |
| Processes | 2996 (wmpscfgs.exe) |
| Type | data |
| MD5 | 4352d88a78aa39750bf70cd6f27bcaa5 |
| SHA1 | 3c585604e87f855973731fea83e21fab9392d2fc |
| SHA256 | 67abdd721024f0ff4e0b3f4c2fc13bc5bad42d0b7851d456d88d203d15aaa450 |
| CRC32 | 99F8B879 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.