VirSCAN

1. You can submit any file, but it must not be larger than 20 MB.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files that are password-protected with "infected" or "virus".
4. If your browser cannot upload files, please download the VirSCAN uploader to submit them.


Basic information

File name: 00第八号当铺
File size: 32768
File type: application/x-dosexec
MD5: dd016bbecec3eb99ce60b049b572710d
sha1: 5cd8f265fb3c944d85cbcc1623c534d99376f8ec

CreateProcess

ApplicationName:
CmdLine: regedit.exe /s C:\Users\ADMINI~1\AppData\Local\Temp\~dfds3.reg
childid: 2200
childname: regedit.exe
childpath: C:\Windows\SysWOW64\regedit.exe
drop_type:
name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
pid: 1248
ApplicationName:
CmdLine: a.bat
childid: 2080
childname: cmd.exe
childpath: C:\Windows\SysWOW64\cmd.exe
drop_type:
name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
pid: 1248
ApplicationName:
CmdLine:
childid: 1248
childname: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
drop_type:
name:
noNeedLine:
path:
pid: 2528

Summary

buffer: C:\Users\Administrator\AppData\Local\UmRdpService.exe
processid: 2200
szSubkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: UmRdpService

Dropped (safe)

analysis_result: Safe
create: 0
how: del
md5: d41d8cd98f00b204e9800998ecf8427e
name: ~dfds3.reg
new_size: 0bytes
operation: File deleted after being dropped
path: C:\Users\Administrator\AppData\Local\Temp\~dfds3.reg
processid: 1248
processname: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
size: 0
this_path: /data/cuckoo/storage/analyses/5000905/files/8154835103/~dfds3.reg
type: empty
analysis_result: Safe
create: 0
how: del
md5: 6207ffc3a6714878a8d1684ed3ae13d6
name: a.bat
new_size: 1024bytes
operation: File deleted after being dropped
path: C:\Users\Administrator\AppData\Local\Temp\a.bat
processid: 2080
processname: cmd.exe
sha1: e14b6a18786681046206496a25f68c2c8d62f1c8
sha256: d987af38471126e10ff6b21f3b2437bacfc0c2b1dc26412eb8539f2330f4486d
size: 1024
this_path: /data/cuckoo/storage/analyses/5000905/files/3569470307/a.bat
type: ASCII text, with CRLF line terminators

Dropped (unsafe)

analysis_result: HEUR:Trojan.Win32.Miancha.gen
create: 0
how: del
md5: dd016bbecec3eb99ce60b049b572710d
name: UmRdpService.exe
new_size: 32KB (32768bytes)
operation: File deleted after being dropped
path: C:\Users\Administrator\AppData\Local\UmRdpService.exe
processid: 2080
processname: cmd.exe
sha1: 5cd8f265fb3c944d85cbcc1623c534d99376f8ec
sha256: e6125457301ed4c40a42c31b2f1cac0468d4b4b4fe13b8df6a3e4c0a29883604
size: 32768
this_path: /data/cuckoo/storage/analyses/5000905/files/143779383/UmRdpService.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows
analysis_result: HEUR:Trojan.Win32.Miancha.gen
create: 0
how: move
md5: 6cce4a5516d9e631342f145a54a5a891
name: UmRdpService.exe
new_size: 32KB (32768bytes)
operation: File copied over and overwritten
path: C:\Users\Administrator\AppData\Local\UmRdpService.exe
processid: 2080
processname: cmd.exe
sha1: eb1f2841a8948303d85c24666470fa523d15259d
sha256: cfb7f1131b2fadfecbb521ca8e5ce9b7b877641c457d8b63d85f31bfad271a7b
size: 32768
this_path: /data/cuckoo/storage/analyses/5000905/files/1000/UmRdpService.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

Malicious

attck_tactics: Other malicious behaviour
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 1
process_id: 1248
process_name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
rulename: Sets a memory region to readable, writable and executable
attck_tactics: Defense evasion
level: 2
matchedinfo: The malware drops a file from its resource section and runs it, in order to hide malicious code
num: 5
process_id: 1248
process_name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
rulename: Drops a file from the resource section and runs it
attck_tactics: Persistence
level: 1
matchedinfo: The malware opens the Service Control Manager in order to control services
num: 12
process_id: 1248
process_name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
rulename: Opens the Service Control Manager
attck_tactics: Other malicious behaviour
level: 1
matchedinfo: Commonly used for file encryption or encrypted data transfer; may also be used in ransomware
num: 15
process_id: 1248
process_name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
rulename: Calls a cryptographic algorithm library
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 21
process_id: 1248
process_name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
rulename: Enumerates files
attck_tactics: Other malicious behaviour
level: 4
matchedinfo: The malware uses a batch script to perform sensitive operations, such as deleting files or creating scheduled tasks
num: 227
process_id: 1248
process_name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
rulename: Performs sensitive operations via a batch script
attck_tactics: Defense evasion
level: 3
matchedinfo: The malware uses a batch script to delete legitimate files, itself, or files it dropped, in order to damage legitimate files or hide malicious files
num: 227
process_id: 1248
process_name: 1621252812556_dd016bbecec3eb99ce60b049b572710d.exe
rulename: Deletes files (via a batch script)
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 8
process_id: 2200
process_name: regedit.exe
rulename: Enumerates files
attck_tactics: Persistence
level: 2
matchedinfo: The malware modifies the registry so that it starts automatically with the system, in order to maintain long-term control of, or residence on, the system
num: 38
process_id: 2200
process_name: regedit.exe
rulename: Writes an autostart registry key, adding an autostart entry (2)
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread in order to manipulate other threads
num: 2
process_id: 2080
process_name: cmd.exe
rulename: Opens another thread
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 26
process_id: 2080
process_name: cmd.exe
rulename: Enumerates files