File name: E1A1.tmp.exe Detection ratio: 4 / 55 IPS未拦截，估计是加密勒索挂马

显示全部楼层 · 发表于 2016-3-1 11:13:37

本帖最后由墨家小子于 2016-3-1 11:16 编辑

SHA256: be87a80656b74b6dff101b3f33c57ce01ebe834efaa94b895cdfd98ec211bf4f
File name: E1A1.tmp.exe
Detection ratio: 4 / 55
Analysis date: 2016-03-01 03:08:35 UTC ( 1 minute ago )
https://www.virustotal.com/en/file/be87a80656b74b6dff101b3f33c57ce01ebe834efaa94b895cdfd98ec211bf4f/analysis/1456801715/

AVG Win32/Heim 20160301
Bkav HW32.Packed.F752 20160229
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.fh 20160301
Qihoo-360 HEUR/QVM07.1.Malware.Gen 20160301

纯天然实机又进去一次，看看IPS有没有反应，结果IPS哑火，应该是漏了，HMPA依旧神勇拦截，这回木马又换了一个！

HMPA拦截日志：

Mitigation CallerCheck

Platform    6.3.9600/x64 06_3d
PID       10980
Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description  Internet Explorer 11

Callee Type  CreateProcess
         C:\Users\GGG\AppData\Local\Temp\Low\E1A1.tmp.exe

Stack Trace
#  Address  Module                Location
-- -------- ------------------------ ----------------------------------------
1  0A9A07E6 (anonymous)
         85c0                   TEST       EAX, EAX
         7517                   JNZ       0xa9a0801
         e914ffffff             JMP       0xa9a0703

2  0A9A08D2 (anonymous)
3  776E919F kernel32.dll          BaseThreadInitThunk +0xe
4  77C3A22B ntdll.dll             RtlInitializeExceptionChain +0x84
5  77C3A201 ntdll.dll             RtlInitializeExceptionChain +0x5a

Process Trace
1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [10980]
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:267521 /prefetch:2
2  C:\Program Files\Internet Explorer\iexplore.exe [944]
"C:\Program Files\Internet Explorer\iexplore.exe" -private
3  C:\Windows\explorer.exe [4080]
4  C:\Windows\System32\userinit.exe [9132]
5  C:\Windows\System32\winlogon.exe [7292]
C:\windows\System32\WinLogon.exe -SpecialSession
6  C:\Windows\System32\smss.exe [7936]
\SystemRoot\System32\smss.exe 00000000 00000054 C:\windows\System32\WinLogon.exe -SpecialSession

显示全部楼层 · 发表于 2016-3-1 11:46:01

文件名: e1a1.tmp.exe
威胁名称: SONAR.SelfHijack!gen1
完整路径: 不可用

____________________________

详细信息
极少用户信任的文件, 极新的文件, 风险高

原始
下载自
未知

活动
已执行的操作: 6

____________________________

在电脑上的创建时间
2016-3-1 ( 11:43:24 )

上次使用时间
2016-3-1 ( 11:43:24 )

启动项目
否

已启动
是

____________________________

极少用户信任的文件
诺顿社区中有不到 5 名用户使用了此文件。

极新的文件
该文件已在不到 1 周前发行。

高
此文件具有高风险。

SONAR 主动防护监视电脑上的可疑程序活动。

____________________________

来源: 外部介质

源文件:
e1a1.tmp.exe

____________________________

文件操作

文件: f:\norton样本\临时收集\ e1a1.tmp.exe 已删除
事件: 正在运行进程: f:\norton样本\临时收集\ e1a1.tmp.exe 已终止
____________________________

系统设置操作

事件: 进程启动 (执行者 f:\norton样本\临时收集\e1a1.tmp.exe, PID:2840) 未采取操作
事件: 进程启动: f:\norton样本\临时收集\ e1a1.tmp.exe, PID:580 (执行者 f:\norton样本\临时收集\e1a1.tmp.exe, PID:2840) 未采取操作
事件: 进程启动: f:\norton样本\临时收集\ e1a1.tmp.exe, PID:2840 (执行者 f:\norton样本\临时收集\e1a1.tmp.exe, PID:2840) 未采取操作
____________________________

可疑操作

(执行者 f:\norton样本\临时收集\e1a1.tmp.exe, PID:2840) 未采取操作
____________________________

文件指纹 - SHA:
不可用
文件指纹 - MD5:
不可用

显示全部楼层 · 发表于 2016-3-1 16:09:29

红伞杀'TR/Crypt.Xpack.414624 [trojan]'

显示全部楼层 · 发表于 2016-3-1 18:12:11

微点拦截

显示全部楼层 · 发表于 2016-3-1 19:20:09

卡巴云杀，断网双击，主防拦截，并回滚

01.03.2016 19.18.19;恶意程序的操作已回滚;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\E1A1.tmp.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;恶意程序的操作已回滚;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\E1A1.tmp.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;恶意程序的操作已回滚;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\E1A1.tmp.exe;c:\sandbox\administrator\defaultbox\drive\c\windows\wbuortmpvraw.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;恶意程序的操作已回滚;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\E1A1.tmp.exe;c:\sandbox\administrator\defaultbox\drive\c\windows\wbuortmpvraw.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\microsoft\windows\temporary internet files\content.ie5\31a2ddz8\9-220x124[2].jpg;c:\sandbox\administrator\defaultbox\user\current\appdata\local\microsoft\windows\temporary internet files\content.ie5\31a2ddz8\9-220x124[2].jpg;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\microsoft\windows\temporary internet files\content.ie5\31a2ddz8\9-220x124[1].jpg;c:\sandbox\administrator\defaultbox\user\current\appdata\local\microsoft\windows\temporary internet files\content.ie5\31a2ddz8\9-220x124[1].jpg;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\microsoft\internet explorer\brndlog.txt;c:\sandbox\administrator\defaultbox\user\current\appdata\local\microsoft\internet explorer\brndlog.txt;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\_recovery_+vvfun.txt;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\_recovery_+vvfun.txt;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\color\_recovery_+vvfun.txt;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\color\_recovery_+vvfun.txt;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\color\profiles\_recovery_+vvfun.txt;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\color\profiles\_recovery_+vvfun.txt;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\acrobat\_recovery_+vvfun.txt;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\acrobat\_recovery_+vvfun.txt;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\acrobat\11.0\_recovery_+vvfun.txt;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\acrobat\11.0\_recovery_+vvfun.txt;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.18.19;回滚恶意程序的操作时文件被恢复;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\acrobat\11.0\cache\_recovery_+vvfun.txt;c:\sandbox\administrator\defaultbox\user\current\appdata\local\adobe\acrobat\11.0\cache\_recovery_+vvfun.txt;C:\Sandbox\Administrator\DefaultBox\drive\C\Windows\wbuortmpvraw.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:18:19
01.03.2016 19.16.20;恶意程序已删除;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\E1A1.tmp.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:16:20
01.03.2016 19.16.20;恶意程序已删除;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\E1A1.tmp.exe;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:16:20
01.03.2016 19.16.20;恶意程序已删除;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\E1A1.tmp.exe;c:\sandbox\administrator\defaultbox\drive\c\windows\wbuortmpvraw.exe;03/01/2016 19:16:20
01.03.2016 19.16.20;恶意程序已删除;PDM:Trojan.Win32.Generic;C:\Users\Administrator\Downloads\E1A1.tmp.exe;c:\sandbox\administrator\defaultbox\drive\c\windows\wbuortmpvraw.exe;03/01/2016 19:16:20
01.03.2016 19.16.05;恶意程序已终止;PDM:Trojan.Win32.Generic;Beacon Correction Witch;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:16:05
01.03.2016 19.16.05;恶意程序已终止;PDM:Trojan.Win32.Generic;Beacon Correction Witch;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:16:05
01.03.2016 19.16.05;恶意程序已终止;PDM:Trojan.Win32.Generic;Beacon Correction Witch;c:\sandbox\administrator\defaultbox\drive\c\windows\wbuortmpvraw.exe;03/01/2016 19:16:05
01.03.2016 19.16.05;恶意程序已终止;PDM:Trojan.Win32.Generic;Beacon Correction Witch;c:\sandbox\administrator\defaultbox\drive\c\windows\wbuortmpvraw.exe;03/01/2016 19:16:05
01.03.2016 19.16.05;检测到恶意程序;PDM:Trojan.Win32.Generic;Beacon Correction Witch;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:16:05
01.03.2016 19.16.05;检测到恶意程序;PDM:Trojan.Win32.Generic;Beacon Correction Witch;c:\sandbox\administrator\defaultbox\drive\c\windows\wbuortmpvraw.exe;03/01/2016 19:16:05
01.03.2016 19.16.05;检测到恶意程序;PDM:Trojan.Win32.Generic;Beacon Correction Witch;c:\sandbox\administrator\defaultbox\drive\c\windows\wbuortmpvraw.exe;03/01/2016 19:16:05
01.03.2016 19.16.05;检测到恶意程序;PDM:Trojan.Win32.Generic;Beacon Correction Witch;c:\users\administrator\downloads\e1a1.tmp.exe;03/01/2016 19:16:05

显示全部楼层 · 发表于 2016-3-1 19:34:19

Identity Protection 侦测
威胁名称;"状态";"检测时间";"对象类型";"进程"
IDP.ALEXA.51, C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\RAR$EXA0.006\E1A1.TMP.EXE;"已保护";"2016/3/1, 19:29:17";"文件或目录";""

显示全部楼层 · 发表于 2016-3-1 21:59:37

加密*3

显示全部楼层 · 发表于 2016-3-1 22:19:52

AVG攔截

显示全部楼层 · 发表于 2016-3-1 22:22:34

Windows Defender 4.8攔截

显示全部楼层 · 发表于 2016-3-2 06:37:57

900703 发表于 2016-3-1 22:22
Windows Defender 4.8攔截

报毒名称，图片谢谢，我好奇~

[可疑文件] File name: E1A1.tmp.exe Detection ratio: 4 / 55 IPS未拦截，估计是加密勒索挂马

本帖子中包含更多资源

评分

浏览过的版块