attrib.exe

#61 Konstantin Yudin

  • Dr.Web Staff

Posted 18 December 2017 - 17:35

now we catch it on x64 too

id: 189, timestamp: 17:33:28.962, type: PsInject (43), flags: 1 (wait: 1)
sid: S-1-5-21-3297392936-389937181-1225957448-1000, cid: 2244/2092:\Device\HarddiskVolume2\ark\vir\vir.exe
context: start addr: 0x109757f, image: 0x1090000:\Device\HarddiskVolume2\ark\vir\vir.exe
hips: type: 18, action: ask [0]
fileinfo: size: 659456, easize: 39, attr: 0x20, buildtime: 29.11.2017 02:46:16.000, ctime: 18.12.2017 17:32:55.124, atime: 18.12.2017 17:32:55.124, mtime: 16.12.2017 12:41:13.005, descr: , ver: , company: , oname:
hash: 5928c5f4f16d014aa9daa266b0fed1ebcbe4fc70 status: unsigned, pe32, new_pe / unsigned / unknown / unknown
inject: ChangeThreadContext [2], flags: 0x10, addr: 0x778301c4, param: 0x0, len: 0, target: bitness: 32, init: 0, image: \Device\HarddiskVolume2\Windows\SysWOW64\attrib.exe:2464
start address code:
778301c4: 89442404 mov [esp+0x4], eax
778301c8: 895c2408 mov [esp+0x8], ebx
778301cc: e929a00100 jmp 0x7784a1fa
...
fileinfo: size: 16384, easize: 0, attr: 0x20, buildtime: 14.07.2009 02:15:01.000, ctime: 14.07.2009 02:15:01.289, atime: 14.07.2009 02:15:01.289, mtime: 14.07.2009 04:14:12.283, descr: Attribute Utility, ver: 6.1.7600.16385 (win7_rtm.090713-1255), company: Microsoft Corporation, oname: ATTRIB.EXE
catfile: {F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat
hash: c10b6995861da38e538a1ffd5acc0bb3fc147a6c status: signed_catroot, sfc, pe32 / signed_catroot / unknown / unknown
inject type: unknown func call from image: \Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
threat: DPH:Trojan.Inject.2.16 ==> send user alert and wait action...
user selected action: deny [5]
path: \Device\HarddiskVolume2\ark\vir\vir.exe ==> denied access to file
process: \Device\HarddiskVolume2\ark\vir\vir.exe:2244 ==> suspended all threads in process
path: \Device\HarddiskVolume2\ark\vir\vir.exe ==> quarantined
process: \Device\HarddiskVolume2\ark\vir\vir.exe:2244 ==> terminated
disinfect: \Device\HarddiskVolume2\ark\vir\vir.exe ==> quarantined, reboot required [1000008]
threat: DPH:Trojan.Inject.2.16 ==> sended user virus found alert
analyze object behavior and find traces:
can't find traces for object: \Device\HarddiskVolume2\ark\vir\vir.exe
id: 189 ==> denied [5], time: 23030.488200 ms

will ship in the next module update. thanks
With best regards, Konstantin Yudin
Doctor Web, Ltd.
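An added example, not Dr.Web's code and not part of the post, that parses the HIPS event record above and applies the triage rule it illustrates: an unsigned image rewriting a thread context in a signed binary under the Windows directory. Assumptions: the key/value line layout shown in the log, and that the first `hash:` line describes the injecting process while the second describes the target image.

```python
import re

# Event record copied from the Dr.Web HIPS log in the post above, shortened to the
# lines the rule needs; the "..." line separates source and target sections as in the log.
SAMPLE_EVENT = r"""id: 189, timestamp: 17:33:28.962, type: PsInject (43), flags: 1 (wait: 1)
sid: S-1-5-21-3297392936-389937181-1225957448-1000, cid: 2244/2092:\Device\HarddiskVolume2\ark\vir\vir.exe
hash: 5928c5f4f16d014aa9daa266b0fed1ebcbe4fc70 status: unsigned, pe32, new_pe / unsigned / unknown / unknown
inject: ChangeThreadContext [2], flags: 0x10, addr: 0x778301c4, param: 0x0, len: 0, target: bitness: 32, init: 0, image: \Device\HarddiskVolume2\Windows\SysWOW64\attrib.exe:2464
...
hash: c10b6995861da38e538a1ffd5acc0bb3fc147a6c status: signed_catroot, sfc, pe32 / signed_catroot / unknown / unknown
threat: DPH:Trojan.Inject.2.16 ==> send user alert and wait action...
user selected action: deny [5]"""

def _signed(status: str) -> bool:
    """True when the first status group carries a signed_* flag and no 'unsigned' flag."""
    tokens = [t.strip() for t in status.split(" / ")[0].split(",")]
    return "unsigned" not in tokens and any(t.startswith("signed") for t in tokens)

def parse_event(text: str) -> dict:
    """Parse one HIPS event record into a dict. Assumption taken from the record layout:
    the first hash line describes the injecting process, the second the target image."""
    head = re.search(r"^id: \d+, .*?type: (\w+) \(\d+\)", text, re.M)
    cid = re.search(r"cid: \d+/\d+:(\S+)$", text, re.M)
    hashes = re.findall(r"^hash: [0-9a-f]{40} status: (.+)$", text, re.M)
    inj = re.search(r"^inject: (\w+) \[\d+\].*image: (.+):(\d+)$", text, re.M)
    threat = re.search(r"^threat: (\S+) ==>", text, re.M)
    action = re.search(r"^user selected action: (\w+) \[\d+\]", text, re.M)
    if not (head and cid and inj and threat and action and len(hashes) == 2):
        raise ValueError("record is missing a required line")
    return {
        "type": head.group(1), "source": cid.group(1), "source_signed": _signed(hashes[0]),
        "method": inj.group(1), "target": inj.group(2), "target_pid": int(inj.group(3)),
        "target_signed": _signed(hashes[1]), "threat": threat.group(1), "action": action.group(1),
    }

def classify(ev: dict) -> str:
    """Triage rule for the pattern in the post: an unsigned image rewriting the thread
    context of a signed binary under the Windows directory ranks above any other PsInject."""
    system_target = "\\windows\\" in ev["target"].lower()
    if ev["type"] != "PsInject":
        return "not-injection"
    if not ev["source_signed"] and ev["target_signed"] and system_target:
        return "unsigned-to-signed-system-injection"
    return "injection"

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(classify(ev), ev["method"], ev["target"], ev["threat"], ev["action"])
```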

