This post was last edited by 墨家小子 on 2015-12-4 20:04
SHA256: 3475cb7d8bcaeae135d7afcc1f077817b0bc1610a925e0b08be84649144a50a0
File name: TMPC93F.tmp
Detection ratio: 3 / 54
Analysis date: 2015-12-04 10:52:08 UTC ( 1 minute ago )
https://www.virustotal.com/en/fi ... nalysis/1449226328/
1. Went to a malware-laced web page; SSF popped up that conhost.exe wanted to run taskhost.exe. I have never seen a prompt like that before: suspicious point 1.
2. conhost.exe then showed a lot of behaviour: suspicious point 2.
3. explorer, unable to hold back any longer, finally shows its tail; see the bold text.
4. Finally the two .tmp files take the stage...
5. explorer runs an application (vssadmin.exe Delete Shadows /All /Quiet) and connects back to the server (this should be crypto-ransomware, it looks a lot like it).
2015/12/4 18:41:05,C:\Windows\System32\conhost.exe,53,Allowed ;执行应用程序 (C:\windows\system32\taskhost.exe)
2015/12/4 18:41:05,C:\Program Files (x86)\Internet Explorer\iexplore.exe,53,Allowed ;执行应用程序 (C:\windows\system32\conhost.exe)
2015/12/4 18:42:06,C:\Windows\System32\conhost.exe,53,Allowed ;执行应用程序 (C:\windows\explorer.exe)
2015/12/4 18:42:08,C:\Windows\System32\conhost.exe,53,Allowed ;执行应用程序 (C:\windows\system32\taskhost.exe)
2015/12/4 18:42:11,C:\Windows\System32\conhost.exe,53,Allowed ;执行应用程序 (C:\windows\explorer.exe)
2015/12/4 18:42:18,C:\Windows\explorer.exe,53,Allowed ;执行应用程序 (C:\Users\AAAA\AppData\Local\Temp\{B96EB7CE-3FCF-4776-BBA5-2FD9CADF8090}\TMPC779.tmp)
2015/12/4 18:42:19,C:\Windows\explorer.exe,53,Allowed ;执行应用程序 (C:\Users\AAAA\AppData\Local\Temp\{80E14A51-C0EF-4136-B7A8-C260A5B503EA}\TMPC93F.tmp)
2015/12/4 18:42:20,C:\Windows\System32\taskhost.exe,48,Allowed ;出站网络访问
2015/12/4 18:43:03,C:\Users\AAAA\AppData\Local\Temp\{B96EB7CE-3FCF-4776-BBA5-2FD9CADF8090}\TMPC779.tmp,53,Allowed ;执行应用程序 (C:\Users\AAAA\AppData\Local\Temp\{B96EB7CE-3FCF-4776-BBA5-2FD9CADF8090}\TMPC779.tmp)
2015/12/4 18:43:27,C:\Users\AAAA\AppData\Local\Temp\{80E14A51-C0EF-4136-B7A8-C260A5B503EA}\TMPC93F.tmp,53,Allowed ;执行应用程序 (C:\Users\AAAA\AppData\Local\Temp\{80E14A51-C0EF-4136-B7A8-C260A5B503EA}\TMPC93F.tmp)
2015/12/4 18:43:33,C:\Users\AAAA\AppData\Local\Temp\{B96EB7CE-3FCF-4776-BBA5-2FD9CADF8090}\TMPC779.tmp,53,Allowed ;执行应用程序 ("C:\windows\system32\explorer.exe")
2015/12/4 18:43:48,C:\Windows\SysWOW64\explorer.exe,41,Allowed ;修改受保护的文件 (C:\Windows\ymoguvyx.exe)
2015/12/4 18:44:03,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,onynuqov)
2015/12/4 18:44:05,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,utogufex)
2015/12/4 18:44:07,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,ehaqndos)
2015/12/4 18:44:10,C:\Windows\SysWOW64\explorer.exe,53,Blocked ;执行应用程序 (vssadmin.exe Delete Shadows /All /Quiet)
2015/12/4 18:44:12,C:\Windows\SysWOW64\explorer.exe,50,Allowed ;使用 DNS 解析服务访问网络
2015/12/4 18:44:12,C:\Windows\explorer.exe,57,Allowed ;正在以只读方式打开受保护的进程 (explorer.exe(pid=5920))
2015/12/4 18:44:12,C:\Windows\explorer.exe,57,Allowed ;正在以只读方式打开受保护的进程 (explorer.exe(pid=5920))
2015/12/4 18:44:16,C:\Windows\SysWOW64\explorer.exe,48,Blocked ;出站网络访问
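As an added example, not part of the original post, here is a small Python triage script for HIPS logs in the layout quoted above. It parses each record as time, process, event code, verdict ; description (a layout inferred from the post) and tags the behaviours the poster singles out: shadow-copy deletion via vssadmin, Run-key persistence attempts, executables launched from the user's Temp folder, and outbound connections; the sample lines are constructed from the log above and the tag names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: HIPS lines copied from the post above, one record per line.
# Field layout inferred from the post: time,process,event_code,verdict ;description
SAMPLE_LOG = r"""
2015/12/4 18:42:19,C:\Windows\explorer.exe,53,Allowed ;执行应用程序 (C:\Users\AAAA\AppData\Local\Temp\{80E14A51-C0EF-4136-B7A8-C260A5B503EA}\TMPC93F.tmp)
2015/12/4 18:44:03,C:\Windows\SysWOW64\explorer.exe,26,Blocked ;修改受保护的注册表键 (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,onynuqov)
2015/12/4 18:44:10,C:\Windows\SysWOW64\explorer.exe,53,Blocked ;执行应用程序 (vssadmin.exe Delete Shadows /All /Quiet)
2015/12/4 18:44:12,C:\Windows\SysWOW64\explorer.exe,50,Allowed ;使用 DNS 解析服务访问网络
2015/12/4 18:44:16,C:\Windows\SysWOW64\explorer.exe,48,Blocked ;出站网络访问
"""

LINE_RE = re.compile(r"^(?P<time>[^,]+),(?P<proc>[^,]+),(?P<code>\d+),(?P<verdict>\w+) ;(?P<desc>.*)$")

# Behaviour tags keyed off the event code and the free-text description.
# Event codes (53 = run application, 26 = protected registry key, 48 = outbound
# network) are taken from the post; the tag names are this example's own.
RULES = [
    ("shadow_copy_deletion", lambda e: e["code"] == 53
        and "vssadmin" in e["desc"].lower() and "delete shadows" in e["desc"].lower()),
    ("run_key_persistence", lambda e: e["code"] == 26 and r"\CurrentVersion\Run" in e["desc"]),
    ("exec_from_temp", lambda e: e["code"] == 53 and "\\appdata\\local\\temp\\" in e["desc"].lower()),
    ("outbound_network", lambda e: e["code"] == 48),
]

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["code"] = int(ev["code"])
    return ev

def triage(log_text):
    """Map each acting process path to the set of behaviour tags observed for it."""
    tags = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for tag, hit in RULES:
            if hit(ev):
                tags[ev["proc"]].add(tag)
    return dict(tags)

def ransomware_like(tags):
    """Flag a process that destroys shadow copies and also persists or reaches out."""
    return "shadow_copy_deletion" in tags and bool(tags & {"run_key_persistence", "outbound_network"})

if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_LOG).items():
        print(("ALERT " if ransomware_like(tags) else "info  ") + proc, sorted(tags))
```

On the sample, C:\Windows\SysWOW64\explorer.exe is flagged as ransomware-like, while the parent C:\Windows\explorer.exe only carries the Temp-launch tag, which matches the chain the poster traced by hand.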