File name: 50FC.tmp.exe Detection ratio: 7 / 55 貌似加密勒索挂马XXX

显示全部楼层 · 发表于 2016-3-17 17:00:42

SHA256: 0536334d7043bffdaaeadcc1a3e6d9ff8543b1a609fbe903514afee99342e410
File name: 50FC.tmp.exe
Detection ratio: 7 / 55
Analysis date: 2016-03-17 08:57:52 UTC ( 1 minute ago )
https://www.virustotal.com/en/file/0536334d7043bffdaaeadcc1a3e6d9ff8543b1a609fbe903514afee99342e410/analysis/1458205072/

Baidu Win32.Trojan.Kryptik.qc 20160317
Bkav HW32.Packed.A3C6 20160316
ESET-NOD32 a variant of Win32/Kryptik.ERLT 20160317
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.dh 20160317
Qihoo-360 QVM19.1.Malware.Gen 20160317
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 [F] 20160317
Symantec Suspicious.Cloud 20160317

哈哈有图标了~~~~~

显示全部楼层 · 发表于 2016-3-17 17:08:44

卡巴

显示全部楼层 · 发表于 2016-3-17 17:19:57

火绒扫描miss
右键

放行后，火绒与样本共存中

哈勃：https://habo.qq.com/file/showdetail?pk=ADQGYF1oB2YIMFs%2F
火眼（这次是怎么了，咋一点行为都没分析出来的）：http://fireeye.ijinshan.com/anal ... 64e&type=1#full

显示全部楼层 · 发表于 2016-3-17 17:21:32

毒霸本地启发

显示全部楼层 · 发表于 2016-3-17 18:12:13

红伞云查杀 'TR/Crypt.XPACK.Gen (Cloud)' [trojan]

显示全部楼层 · 发表于 2016-3-17 18:31:59

fs还是信誉了

显示全部楼层 · 发表于 2016-3-17 18:37:57

本帖最后由左手于 2016-3-17 18:39 编辑

[mw_shl_code=css,true]2016-3-17 18:36:03 创建文件风险级别:未知允许
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: C:\Documents and Settings\Administrator\My Documents\ltjcbk.exe
规则: [应用程序]?:\*\*\*\* -> [文件]c:\documents and settings\*\my documents\*

2016-3-17 18:36:03 读文件风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: \Device\NamedPipe\wkssvc
规则: [文件组]Namedpipe -> [文件]\device\namedpipe\*

2016-3-17 18:36:03 读文件风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: \Device\NamedPipe\lsarpc
规则: [文件组]Namedpipe -> [文件]\device\namedpipe\*

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
值: C:\Documents and Settings\All Users\Documents
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
值: C:\Documents and Settings\Administrator\桌面
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
值: C:\Documents and Settings\All Users\桌面
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
值: 0x00000001(1)
规则: [注册表组]拦截_重要关联 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; ProxyBypass

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
值: 0x00000001(1)
规则: [注册表组]拦截_重要关联 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; IntranetName

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
值: 0x00000001(1)
规则: [注册表组]拦截_重要关联 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; UNCAsIntranet

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
值: 0x00000001(1)
规则: [注册表组]拦截_重要关联 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; AutoDetect

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
值: 0x00000001(1)
规则: [注册表组]拦截_重要关联 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; ProxyBypass

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
值: 0x00000001(1)
规则: [注册表组]拦截_重要关联 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; IntranetName

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
值: 0x00000001(1)
规则: [注册表组]拦截_重要关联 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; UNCAsIntranet

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
值: 0x00000001(1)
规则: [注册表组]拦截_重要关联 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; AutoDetect

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:03 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
值: C:\Documents and Settings\Administrator\Cookies
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:03 创建新进程风险级别:未知阻止
进程: c:\documents and settings\administrator\桌面\50fc.tmp.exe
目标: c:\windows\system32\cmd.exe
命令行: "C:\WINDOWS\system32\cmd.exe" /c DEL C:\DOCUME~1\ADMINI~1\桌面\50FCTM~1.EXE >> NUL
规则: [应用程序组]→终止_降权组件

2016-3-17 18:36:14 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
值: C:\Documents and Settings\Administrator\My Documents
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:14 读文件风险级别:未知阻止
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: \Device\NamedPipe\lsarpc
规则: [文件组]Namedpipe -> [文件]\device\namedpipe\*

2016-3-17 18:36:14 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CD Burning
值: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CD Burning
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:14 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
值: C:\Documents and Settings\Administrator\桌面
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:14 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
值: C:\Documents and Settings\All Users\桌面
规则: [应用程序]* -> [注册表]*\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*

2016-3-17 18:36:14 读文件风险级别:未知阻止
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: \Device\NamedPipe\wkssvc
规则: [文件组]Namedpipe -> [文件]\device\namedpipe\*

2016-3-17 18:36:14 读文件风险级别:未知阻止
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: \Device\NamedPipe\srvsvc
规则: [文件组]Namedpipe -> [文件]\device\namedpipe\*

2016-3-17 18:36:31 修改注册表值风险级别:未知阻止
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\_jjbp
值: C:\WINDOWS\SYSTEM32\CMD.EXE /C START C:\Documents and Settings\Administrator\My Documents\ltjcbk.exe
规则: [应用程序]c:\documents and settings\*\* -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

2016-3-17 18:36:31 修改注册表值风险级别:未知阻止并结束进程
进程: c:\documents and settings\administrator\my documents\ltjcbk.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLinkedConnections
值: 0x00000001(1)
规则: [注册表组]拦截_Malicious Keys -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Policies\*
[/mw_shl_code]

显示全部楼层 · 发表于 2016-3-17 19:01:46

只有三个报毒...

腾讯（Tencent）: Win32.Trojan.Kryptik.Lmuv 2016-03-17
360（Qihoo 360）: HEUR/QVM19.1.Malware.Gen 2016-03-17
瑞星（Rising） : PE:Malware.XPACK-HIE/Heur!1.9C48

https://www.virusbook.cn/report/scan/0536334d7043bffdaaeadcc1a3e6d9ff8543b1a609fbe903514afee99342e410-1458212369772

显示全部楼层 · 发表于 2016-3-17 19:17:27

显示全部楼层 · 发表于 2016-3-17 19:45:32

左手发表于 2016-3-17 18:37
[mw_shl_code=css,true]2016-3-17 18:36:03 创建文件风险级别:未知允许
进程: c:\documents and s ...

手哥对MD是真爱呐~~

[可疑文件] File name: 50FC.tmp.exe Detection ratio: 7 / 55 貌似加密勒索挂马XXX

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

浏览过的版块