3.1
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.60
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Mydoom-EG [Trj] | 20200906 | 18.4.3895.0 |
| Baidu | Win32.Worm-Email.Mydoom.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200906 | 2013.8.14.323 |
| McAfee | GenericRXLN-WS!775558C731FF | 20200906 | 6.0.6.653 |
| Tencent | Worm.Win32.Mydoom.l | 20200906 | 1.0.0.1 |
动态指标
一个进程试图延迟分析任务。
(1 个事件)
| description | 0c9966b97d119c82743817e992e05d09fe614633a338487d320ba33c6162d270.exe 试图睡眠 121.25 秒,实际延迟分析时间 121.25 秒 | |||
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'UPX1', 'virtual_address': '0x00007000', 'virtual_size': '0x00005000', 'size_of_data': '0x00004600', 'entropy': 7.897902341253568} | entropy | 7.897902341253568 | description | 发现高熵的节 | |||||||||
| entropy | 0.8974358974358975 | description | 此PE文件的整体熵值较高 | |||||||||||
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(3 个事件)
| host | 114.114.114.114 | |||
| host | 15.228.162.193 | |||
| host | 16.100.233.21 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar | reg_value | C:\Windows\lsass.exe | ||||||
生成一些 ICMP 流量
文件已被 VirusTotal 上 60 个反病毒引擎识别为恶意
(50 out of 60 个事件)
| ALYac | Worm.Mydoom |
| APEX | Malicious |
| AVG | Win32:Mydoom-EG [Trj] |
| Acronis | suspicious |
| Ad-Aware | Worm.Generic.23834 |
| AhnLab-V3 | Win32/Mydoom.worm.22020.H |
| Antiy-AVL | Worm[Email]/Win32.Mydoom |
| Arcabit | Worm.Generic.D5D1A |
| Avast | Win32:Mydoom-EG [Trj] |
| Avira | TR/BAS.Samca.zictf |
| Baidu | Win32.Worm-Email.Mydoom.a |
| BitDefender | Worm.Generic.23834 |
| BitDefenderTheta | AI:Packer.ABA073F91F |
| Bkav | W32.MyDoomLB.Worm |
| CAT-QuickHeal | Worm.Mydoom |
| Comodo | Worm.Win32.Mydoom.Q@308v |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.731ff7 |
| Cynet | Malicious (score: 100) |
| Cyren | W32/Mydoom.CJDZ-5239 |
| DrWeb | Win32.HLLM.MyDoom.33808 |
| ESET-NOD32 | Win32/Mydoom.Q |
| Elastic | malicious (high confidence) |
| F-Secure | Email-Worm:W32/Mydoom.gen!A |
| FireEye | Generic.mg.775558c731ff7b91 |
| Fortinet | W32/MyDoom.M@mm |
| GData | Worm.Generic.23834 |
| Ikarus | Email-Worm.Win32.Mydoom |
| Invincea | ML/PE-A + W32/MyDoom-N |
| Jiangmin | I-Worm/Zhelatin.sq |
| K7AntiVirus | EmailWorm ( 0000439f1 ) |
| K7GW | EmailWorm ( 0000439f1 ) |
| Kaspersky | Email-Worm.Win32.Mydoom.l |
| MAX | malware (ai score=83) |
| Malwarebytes | Worm.Agent |
| McAfee | GenericRXLN-WS!775558C731FF |
| MicroWorld-eScan | Worm.Generic.23834 |
| Microsoft | Worm:Win32/Mydoom.L@mm |
| NANO-Antivirus | Trojan.Win32.Mydoom.cuyllc |
| Panda | W32/Mydoom.DN.worm |
| Qihoo-360 | Worm.Win32.Mydoom.A |
| Rising | Worm.Mail.Win32.Mydoom.l (CLASSIC) |
| SUPERAntiSpyware | Worm.MyDoom |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/MyDoom-N |
| Symantec | W32.Mydoom.gen@mm |
| TACHYON | Worm/W32.Mydoom.34820 |
| Tencent | Worm.Win32.Mydoom.l |
| TotalDefense | Win32/Mydoom.N |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(5 个事件)
| dead_host | 10.152.136.61:1042 |
| dead_host | 192.168.1.13:1042 |
| dead_host | 172.17.81.42:1042 |
| dead_host | 15.228.162.193:1042 |
| dead_host | 16.100.233.21:1042 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 08:00:00
PE Imphash
5d02f6de12eb07fb22fe87e05e50d6a0
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x00006000 | 0x00000000 | 0.0 |
| UPX1 | 0x00007000 | 0x00005000 | 0x00004600 | 7.897902341253568 |
| .rsrc | 0x0000c000 | 0x00001000 | 0x00000800 | 2.6495694551935207 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0000c3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x0000c3c4 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0000c4f0 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library ADVAPI32.dll:
• 0x80c59c RegCloseKey
Library MSVCRT.dll:
• 0x80c5a4 time
Library USER32.dll:
• 0x80c5ac wsprintfA
Library WS2_32.dll:
• 0x80c5b4 gethostname
L!This program cannot be run in DOS mode.
iiiiM,
hPD4e4(
M4M4M4|tld\4MTLD803M(
`XPD;@
IEFrame
ATH_Note
rctrl_renwn
c:\sDec
nSep3ug
/%s, %u
.2u:um
nkmrnetG
{Staiex
Kazaa Lk
ry P6I
W0RAR.v.3Z.od.key#
p 5.0 () C
lcomhdeRe$tvor.
dnsapi%{.dllphlp
w@kPa_9le
{cabu'mass
vGubm{l
crosoftd
the.bgold-Uk;s}ca
"Z+cre
iWKQg^
foG+lc-
zcWxrrsf.)OW
+rr ,ar+
og3gnu
.m{6Ov
;WRdN`do8a0;oa
lekk5bnda
ymav_-!'5b_
8o@d0(
@e*.*KAdtpRN
USERPROFILE
:\yaha0
`v.;D
7 e ig;`
lud A
nvQl\+n
:gb puw2D
k3Srb\2aqFqh
5'%i~Ba.=x|
\c$Yf/j
n*ikyQA9
"p3f,FoeSA
\k,Nv EXZrr
naht%w.^
aF:H$Wh'i|s W-1MTc
Ei+!d/.s
Z@vU<$t>?Pl,e%p>0|Bcts@$F
amsQaeA
(`r[a<b
1w-f6}
!b []=-
G_n!CZ]y
lbAs9Y2
Z Lkn,$T.
F:$f]
,YS5dG
;hjX>\lmpt
[STkMdbMHK66-3
L82:tt
+Djg9!?]:Fm1f
Ve-DAE
"MONWz
$<("P"C"8
N&!Vo<SDj=
tQ"K O4"a
x14c;<#n
ABCDEFGHIJK
6LMNOPQRSTUVWXYZ cfgt
jklmFpq
!_vwxyz23456789+/qsX-P
zExp 6.00.26
3IMEO,4P
uTBy@Mfid;
V9Jw,t6-Ty@m-PDt/xP
9Zr="R"s
q-V51O
48X.5sNPs+a^vI?Gp}appmI/%Gk
[mnOf&4nfn-EdAbMv64"DDi{QHL
\HC=u'%Zu>i7bk\2,
'-$uhjp
>a{QUIT
>'PTZ5
-xYIHEL
LO87`+
nTPS&)\\*
|2~^]H+
:.] KlhJ
of.twa
rer\\MicM/s7n5'O'n dYO+ CkfCu_+5
/eu]G? ;P_6OIX]
8*P7Sh
C_^w7[
_'F$3^D
|lfk=Pj
pxeDSE
c|pLh$;x
%pX+>u
wu&q<GG5Wqoh
Pi6twaire\Miicrosofiit\Winidows\iCurren
itVrsiion\RuH
p$Trl6y
I2\CSW|$
ldcC-o^S
jZY-i`;WR
6-F.;_
$j<_RP3
jh`OJ?b4q
fdg4u|`
YCppcM;u
u?IH+Sn
#<Kf#F
B0 ;xv+PV;tQ
3 @F;|/
wiiniGniet.dll[-
5PEKef9ut_
3$tv3Wj(-
B;POi8/x
6~W"B;}
8@le(7loC
WbPV$v5
\;C}0
>F@JuD.F'
V)$Y;t0Y|
b1?mp ,
K?GOGSU~m3f
ne,<};u<)Zt
Q0^]8PU
{;_t$@SDIC1\
U~R/('Rf4;
}e%Y-b$I0
nGUqtv
!cs_0?b
A$]~% {
pzw{ok
jd7FF6|=~
tVe;?Vd;t$hFBn
*gu;r_ipWl
JS:S>}tG
QSZxOO+N!
W*Xp0,
\<<@t?(T
+CY<Jo=B@9zO
Kyd+7h%
-0vYC1-NO/&<
'xqf,wOy/UH]
tb0UE,
0"8d5^7-S;1YU2vHf
x 0|8<
2+SJNr
F}.RU8
cbf0d_
x5FG['@
hv$~,\ l\t3D
Qm {+8
.5a>3K
Hy FQ~
J6f2/Xp
?GLa`;
bx3*oo
+KICY`D
h^ddk3T
o';Wto*9
vt\kQS
'UY3SQ g
g%vAa+qYDW\&^
]G7F(O
=khY(QR
h~8ZnQ;t
GWSYf;
j2.`h
r2Ojx26hR<P
f+eqkNdw "Z
?I7\d;
@ZA{+[
H_tu(n
}8h+|-;O
;}e;}a;WZ
;~C;~?+b
M-JSQaH
P=/sSu
V|Ehmd
[GdlcO`1vUMp6l:p
jQ4Mhp
> Fzr?0
1EpDMlu[4EP`
djk7&s
04Sof,
,\Micro
,sof\W,
,AB\WAP
,ab bF
,ile NaP,m
#*u=9kY1d
8F,ZF>h=
<U<puY6ql_
buG:uCR<hu
sup>Y<s
btN<db7x
75<w_u
Kfuc['{8
\P#NYsYZ
Pu%8.@+u
#<8P>|f
&P2 jKk
\.ocal 6rSeti\.Qngs-V=TemFp5fr
yJ5fI:F/Wu]
]4Mbk$b
=#Lf$a
LLa7PP1d[
CYRtg-
+0S6-h
.5PfO5
guj,(,
g*<u?m
0<Q'Fzd|s0K
zV5Xme
P9d{Vj.
$Pt7lK
Y`f[ 5g;Pl
^:#CYx
bD^:3rS
@PA`Wz
/h(ht!h`
JbG!=!!++
~$k/&;t
}d4H1A|(}.
3*HWS.
Y]G2~
_`EPF0
|$3FP;
[mx#(|
pe\#kkV^S&Y
hXPkWPQ
,>kA&5
54oE'J
Z(MrSPPY
lJS^8
#[=9"E@
K8!PxC
Q"FhWQ"Yz72G
^$cG|$l
xo?~E< r8<=t4<+t0<,<
t(<v aULv7GR<Y
Od3GX%dy
,l_HHt
"}5vBR
+D5uUtm1Oh\9
VRG-'(
vm-!+_|
D#NQPWNy
KDDBS}g^Y
1@&o4,;[;
@5~)XZP;
7l[fW!c
bFO><:t9.5
$8&4E?ao8:ua
0}9-G^u
abM*^&
/dV!IV'LYs
-SRg@C
'Y1Hh<
=+(~.*%8g
,X3+(J-
;t. .u
|#eXrk }
p&hh.`
9\X]$l
U3B@$`W
JIJHp`m
W{WP'O
RKhc4
ebKtW66
k|v*(\/#Rh
FAS5Cp"Y$
^xW0vvP
Je&"TnQra
+;rMSK%nv
J-TmtQ
$pPrYH;\y
.noj8f
wnYE;r
sm@f=AB
hh6Gfpn|#
|&^bBA+ZS
}^WB_X@
_(5^*'_
tSEFtP7
, aNM~XX
nl9YJ.u+YtV[i
X.Abvl7(d
_xFZ h
WN_KMe
CS;~S[`+{
Qr(`T,oYt>)
lOPuDHL%db
>q70}:
;?| 4l
w__;}a
YP"z'GC
lR tSMpW?xp5
hncaH0
wu)P/xAl
y@*-&@'_Z
!5&#cD
pBmu=i
fgT@EH5
[P71/}
&xE[f;
U`eb{[m&
&T#zW*
P]p=V^^Y[@~
n("F$A
l)>7`03V4i
G]%Djd
bNT!E"
~#6"azp
.l( G;(|
~k;~!,
rjv(k Nhu
9t&ET`
lsc:qRH
PGtop&0=
At-^(Eehz{
GF?x\G
HYWWh>x=I
U,TempFNAU
ve;GMGlobalAl
Cas[M$g+
ZgViewOfUnm
vHtked
von)Vaab{
sCopyx
]ESl$lqAP/h
De;y-amc
%[audeChl4M]UByt"A[s
RnIPoi
;i6`H.
3l0Ao 'Gg
g`VueE
_um{@0s
d#m{[1
,`BuffA
Low3lGwvr#w
#EAYMbp
GPGWHU
wwwwwww
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
wsprintfA
n"ID% Z
Gzgw$^aA~u
Process Tree
- 0c9966b97d119c82743817e992e05d09fe614633a338487d320ba33c6162d270.exe (1932) "C:\Users\Administrator\AppData\Local\Temp\0c9966b97d119c82743817e992e05d09fe614633a338487d320ba33c6162d270.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
| 15.228.162.193 |
| 16.100.233.21 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 172.17.0.1 | 192.168.56.101 | 3 | |
| 172.17.0.1 | 192.168.56.101 | 3 | |
| 172.17.0.1 | 192.168.56.101 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | e3b0c44298fc1c14_lsass.exe |
|---|---|
| Size | 0.0B |
| Type | empty |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| CRC32 | 00000000 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 623fff3c286bf66f_gpban1l3.txt |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\gpban1l3.txt |
| Size | 1.0KB |
| Processes | 1932 (0c9966b97d119c82743817e992e05d09fe614633a338487d320ba33c6162d270.exe) |
| Type | data |
| MD5 | 0c2113f08571ad3219b67c3c96bb0173 |
| SHA1 | acd4f8e976459c70dde61de3def49a6a261ca672 |
| SHA256 | 623fff3c286bf66f83f55f843d847ae98c64727cccd159e261e82683323ec543 |
| CRC32 | 75269954 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.