вероятно, NotPetya шифранул файлы

Сообщений: 17977

Баллов: 28762

Регистрация: 16.03.2010

Размещено 17.07.2017 16:37:19

судя по журналу угроз было несколько атак через троян, добавленный в Medoc:

Цитата
13.07.2017 3:28:49 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C 13.07.2017 3:28:35 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) Server1C\printadm Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (390C124FFD140AA80033FA535E5EFA58E5580E25). 3567434E2E49358E8210674641A20B147E0BD23C 13.07.2017 3:28:04 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) Server1C\printadm Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (390C124FFD140AA80033FA535E5EFA58E5580E25). 3567434E2E49358E8210674641A20B147E0BD23C 13.07.2017 3:27:53 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C 13.07.2017 3:27:01 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) NT AUTHORITY\система Event occurred during an attempt to run the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C 13.07.2017 3:09:35 Real-time file system protection file C:\Users\printadm\Desktop\README.TXT Win32/Diskcoder.C trojan deleted Server1C\printadm Event occurred during an attempt to access the file by the application: C:\Windows\System32\notepad.exe (A7BBC4B4F781E04214ECEBE69A766C76681AA7EB). 9944DC91F408CDD90441D68B46E926F65DC6147C 13.07.2017 3:03:16 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C 13.07.2017 3:02:15 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) NT AUTHORITY\система Event occurred during an attempt to run the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C 13.07.2017 3:01:16 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C 13.07.2017 3:00:38 Real-time file system protection file C:\Users\printadm\Desktop\README.TXT Win32/Diskcoder.C trojan unable to clean NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\Windows\System32\SearchProtocolHost.exe (FD8F3226267F506E3CF0341044275AA5419E537D). 9944DC91F408CDD90441D68B46E926F65DC6147C 13.07.2017 3:00:38 Real-time file system protection file C:\Users\printadm\Desktop\README.TXT Win32/Diskcoder.C trojan unable to clean NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\Windows\System32\SearchProtocolHost.exe (FD8F3226267F506E3CF0341044275AA5419E537D). 9944DC91F408CDD90441D68B46E926F65DC6147C 13.07.2017 3:00:15 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) NT AUTHORITY\система Event occurred during an attempt to run the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C 05.07.2017 13:18:32 Real-time file system protection file Q:\MedocIS\MedocIS\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting Server1C\Klient1 Event occurred during an attempt to access the file by the application: Q:\MedocIS\MedocIS\ezvit.exe (CD65D605A97F94A76CC18B08F19D83CE722A1CDD). 3567434E2E49358E8210674641A20B147E0BD23C 05.07.2017 13:17:50 Real-time file system protection file Q:\MedocIS\MedocIS\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) Server1C\Klient1 Event occurred during an attempt to run the file by the application: Q:\MedocIS\MedocIS\ezvit.exe (CD65D605A97F94A76CC18B08F19D83CE722A1CDD). 3567434E2E49358E8210674641A20B147E0BD23C 30.06.2017 13:52:20 Real-time file system protection file Q:\README.TXT Win32/Diskcoder.C trojan deleted Server1C\Klient1 Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (390C124FFD140AA80033FA535E5EFA58E5580E25). 9944DC91F408CDD90441D68B46E926F65DC6147C 30.06.2017 13:52:19 Real-time file system protection file Z:\README.TXT Win32/Diskcoder.C trojan deleted Server1C\Klient1 Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (390C124FFD140AA80033FA535E5EFA58E5580E25). EAB267C3CB6D2349C576E9E8FA85A3533B600490

Цитата

13.07.2017 3:28:49 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C
13.07.2017 3:28:35 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) Server1C\printadm Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (390C124FFD140AA80033FA535E5EFA58E5580E25). 3567434E2E49358E8210674641A20B147E0BD23C
13.07.2017 3:28:04 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) Server1C\printadm Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (390C124FFD140AA80033FA535E5EFA58E5580E25). 3567434E2E49358E8210674641A20B147E0BD23C
13.07.2017 3:27:53 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C
13.07.2017 3:27:01 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) NT AUTHORITY\система Event occurred during an attempt to run the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C
13.07.2017 3:09:35 Real-time file system protection file C:\Users\printadm\Desktop\README.TXT Win32/Diskcoder.C trojan deleted Server1C\printadm Event occurred during an attempt to access the file by the application: C:\Windows\System32\notepad.exe (A7BBC4B4F781E04214ECEBE69A766C76681AA7EB). 9944DC91F408CDD90441D68B46E926F65DC6147C
13.07.2017 3:03:16 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C
13.07.2017 3:02:15 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) NT AUTHORITY\система Event occurred during an attempt to run the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C
13.07.2017 3:01:16 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C
13.07.2017 3:00:38 Real-time file system protection file C:\Users\printadm\Desktop\README.TXT Win32/Diskcoder.C trojan unable to clean NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\Windows\System32\SearchProtocolHost.exe (FD8F3226267F506E3CF0341044275AA5419E537D). 9944DC91F408CDD90441D68B46E926F65DC6147C
13.07.2017 3:00:38 Real-time file system protection file C:\Users\printadm\Desktop\README.TXT Win32/Diskcoder.C trojan unable to clean NT AUTHORITY\система Event occurred during an attempt to access the file by the application: C:\Windows\System32\SearchProtocolHost.exe (FD8F3226267F506E3CF0341044275AA5419E537D). 9944DC91F408CDD90441D68B46E926F65DC6147C
13.07.2017 3:00:15 Real-time file system protection file C:\ProgramData\Medoc\Medoc_2SRV\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) NT AUTHORITY\система Event occurred during an attempt to run the file by the application: C:\ProgramData\Medoc\Medoc_2SRV\DMF.AppServer.exe (948F336186FD2BC040D821F1A75340711B002F11). 3567434E2E49358E8210674641A20B147E0BD23C
05.07.2017 13:18:32 Real-time file system protection file Q:\MedocIS\MedocIS\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting Server1C\Klient1 Event occurred during an attempt to access the file by the application: Q:\MedocIS\MedocIS\ezvit.exe (CD65D605A97F94A76CC18B08F19D83CE722A1CDD). 3567434E2E49358E8210674641A20B147E0BD23C
05.07.2017 13:17:50 Real-time file system protection file Q:\MedocIS\MedocIS\ZvitPublishedObjects.dll a variant of MSIL/TeleDoor.A trojan cleaned by deleting (after the next restart) Server1C\Klient1 Event occurred during an attempt to run the file by the application: Q:\MedocIS\MedocIS\ezvit.exe (CD65D605A97F94A76CC18B08F19D83CE722A1CDD). 3567434E2E49358E8210674641A20B147E0BD23C
30.06.2017 13:52:20 Real-time file system protection file Q:\README.TXT Win32/Diskcoder.C trojan deleted Server1C\Klient1 Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (390C124FFD140AA80033FA535E5EFA58E5580E25). 9944DC91F408CDD90441D68B46E926F65DC6147C
30.06.2017 13:52:19 Real-time file system protection file Z:\README.TXT Win32/Diskcoder.C trojan deleted Server1C\Klient1 Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (390C124FFD140AA80033FA535E5EFA58E5580E25). EAB267C3CB6D2349C576E9E8FA85A3533B600490

но если была создана записка о выкупе C:\Users\printadm\Desktop\README.TXT Win32/Diskcoder.C trojan
можно предположить, что шифрование состоялось.

+
вопрос: когда был установлен антивирус ESET: до момента атаки, или уже позже, после того как пошла массовая эпидемия?
+
попробуйте извлечь из карантина файл README.txt, можно переименовать его в readme.vtxt чтобы антивир по новой его не прибивал.
это записка о выкупе,
добавьте ее так же на форум. можно в архив запаковать.

[ Как создать образ автозапуска? ]

Сообщений: 6

Баллов: 3

Регистрация: 12.07.2017

Размещено 17.07.2017 16:42:32

Антивирус был установлен до появления эпидемии.

Прикрепленные файлы

Безымный2.png (140.16 КБ)

Сообщений: 17977

Баллов: 28762

Регистрация: 16.03.2010

Размещено 17.07.2017 16:45:01

+
попробуйте извлечь из карантина файл README.txt, можно переименовать его в readme.vtxt чтобы антивир по новой его не прибивал.
это записка о выкупе,
добавьте ее так же на форум. можно в архив запаковать.

[ Как создать образ автозапуска? ]

Сообщений: 17977

Баллов: 28762

Регистрация: 16.03.2010

Размещено 17.07.2017 16:48:52

судя по логу событий возможно момент атаки был пропущен из за ошибок в обновлении баз

08.07.2017 6:41:19 Ядро ESET База данных сигнатур вирусов обновлена до версии 15711 (20170707).
и следующее обновление идет уже
12.07.2017 22:45:14 Ядро ESET База данных сигнатур вирусов обновлена до версии 15735 (20170712).
а между этими событиями много ошибок при обновлении:
12.07.2017 10:43:15 Модуль обновления Ошибка распаковки файла. NT AUTHORITY\система

[ Как создать образ автозапуска? ]

Ответы