| Technical Details |
| Analysis Number | 1 |
| Parent ID | 0 |
| Process ID | 1780 |
| Filename | C:\file.exe |
| Filesize | 19005 bytes |
| MD5 | 4d9143a18b691b517815edf5e89f8f76 |
| Start Reason | AnalysisTarget |
| Termination Reason | NormalTermination |
| Start Time | 00:00.094 |
| Stop Time | 00:05.188 |
| DLL-Handling | | |
| Filesystem | New Files | C:\WINDOWS\system32\del.bat |
| | Opened Files | \\.\PIPE\lsarpc |
| | | \SystemRoot\AppPatch\sysmain.sdb |
| | | \SystemRoot\AppPatch\systest.sdb |
| | | \Device\NamedPipe\ShimViewer |
| | | C:\WINDOWS\system32\del.bat |
| | Chronological order | Get File Attributes: C:\WINDOWS\SYSTEM32\702AF42.EXE Flags: (SECURITY_ANONYMOUS) |
| | | Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS) |
| | | Open File: \\.\PIPE\lsarpc (OPEN_EXISTING) |
| | | Create File: C:\WINDOWS\system32\del.bat |
| | | Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING) |
| | | Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING) |
| | | Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING) |
| | | Open File: C:\WINDOWS\system32\del.bat () |
| | | Find File: del.bat |
| Registry | Changes | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\577B2F0B "DisplayName" = 577B2F0B |
| | | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\577B2F0B "DisplayName" = 577B2F0B |
| | | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\577B2F0B "Description" = 37AFE3 |
| | | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\577B2F0B "Description" = 37AFE3 |
| | | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\577B2F0B "ErrorControl" = [REG_DWORD, value: 00000001] |
| | | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\577B2F0B "ImagePath" = C:\WINDOWS\system32\702AF42.EXE -k |
| | | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\577B2F0B "ImagePath" = C:\WINDOWS\system32\702AF42.EXE -k |
| | | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\577B2F0B "ObjectName" = LocalSystem |
| | | HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\577B2F0B "ObjectName" = LocalSystem |
| | | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\577B2F0B "Start" = [REG_DWORD, value: 00000002] |
| | | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\577B2F0B "Type" = [REG_DWORD, value: 00000010] |
| | Reads | HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed" |
| Process Management | | Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\del.bat) As User: () Creation Flags: () |
| | | Kill Process - Filename () CommandLine: () Target PID: (1780) As User: () Creation Flags: () |
| | | Enum Processes |
| | | Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1452) |
| Service Management | | Open Service Manager - Name: "SCM" |
| System Info | | Get System Directory |
| Window | | Find Window - Class Name (#32770) Window Name (金山毒霸) |
| | | Enum Windows |
| Analysis Number | 2 |
| Parent ID | 0 |
| Process ID | 712 |
| Filename | |
| Filesize | -1 bytes |
| MD5 | |
| Start Reason | SCM |
| Termination Reason | Unknown |
| Start Time | 00:04.578 |
| Stop Time | 00:00.000 |
| Analysis Number | 3 |
| Parent ID | 0 |
| Process ID | 712 |
| Filename | |
| Filesize | -1 bytes |
| MD5 | |
| Start Reason | SCM |
| Termination Reason | Unknown |
| Start Time | 00:04.609 |
| Stop Time | 00:00.000 |
| The following process was started by process: 1 |
| Analysis Number | 4 |
| Parent ID | 1 |
| Process ID | 1376 |
| Filename | C:\WINDOWS\system32\del.bat |
| Filesize | 388608 bytes |
| MD5 | eeb024f2c81f0d55936fb825d21a91d6 |
| Start Reason | CreateProcess |
| Termination Reason | NormalTermination |
| Start Time | 00:04.922 |
| Stop Time | 00:05.922 |
| DLL-Handling | | |
| Filesystem | Opened Files | C:\WINDOWS\system32\del.bat |
| | Deleted Files | C:\file.exe |
| | | C:\WINDOWS\system32\del.bat |
| | Chronological order | Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS) |
| | | Find File: C:\ |
| | | Find File: C:\WINDOWS\system32\del.bat |
| | | Open File: C:\WINDOWS\system32\del.bat (OPEN_EXISTING) |
| | | Get File Attributes: C:\FILE.EXE Flags: (SECURITY_ANONYMOUS) |
| | | Find File: C:\FILE.EXE |
| | | Delete File: C:\file.exe |
| | | Get File Attributes: C:\WINDOWS\system32\del.bat Flags: (SECURITY_ANONYMOUS) |
| | | Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS) |
| | | Delete File: C:\WINDOWS\system32\del.bat |
| Registry | Reads | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck" |
| | | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions" |
| | | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion" |
| | | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor" |
| | | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar" |
| | | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar" |
| | | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun" |
| | | HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck" |
| | | HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions" |
| | | HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion" |
| | | HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor" |
| | | HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar" |
| | | HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar" |
| | | HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" |
| Process Management | | Kill Process - Filename () CommandLine: () Target PID: (1376) As User: () Creation Flags: () |