BlueTalon

Members
  • Posts: 5
  • Joined
  • Last visited

Kudos

  1. Upvote
    BlueTalon gave kudos to itman in Threat Removed
    A few comments here.
    There are multiple postings in the forum about this attack method. The malware creators are exploiting a Windows bypass method to get around directly dropping a file into the System32 directory. Namely, create a directory there and drop your file into that directory.
    Next is the "folly" in using signatures to detect a malicious script. As shown multiple times at malwaretips.com, a minor script modification will defeat an existing Eset signature detection of the original script. The poster was lucky here in that the payload deployed by the script was one Eset had a signature detection for. If the payload was a 0-day one, he would have been nailed.
    Eset HIPS needs to be "beefed up" to detect suspicious script file creations. A file being created under hidden file criteria, e.g. xxxxxx.tmp.ps1, with a script suffix is suspicious and should be quarantined until it is further examined by a malware expert.
    Alternatively, implement what Microsoft Defender does via optional ASR rule. Block execution of any obfuscated script via HIPS option.
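A defender-side sketch of the file-creation rule proposed in the post above, added here as an example; it is not code from the original post, from ESET, or from Microsoft Defender. It flags a new file when it carries a script suffix and either a temp-style double extension (the xxxxxx.tmp.ps1 pattern) or a location inside a subdirectory of System32, and adds a crude symbol-density heuristic for obfuscated script text. The event records, the script snippets, the extension lists and the 0.2 threshold are all constructed assumptions for the example.

```python
"""Flag suspicious script-file creation events.

Added example, not ESET or Microsoft code. Models a HIPS-style rule:
a script file named like a temp file (xxxxxx.tmp.ps1) or written into
a subdirectory of System32 is held for review. All event data below
is constructed for the example.
"""
from pathlib import PureWindowsPath

# Assumed lists: extensions the Windows script hosts will execute, and
# inner extensions that make a double-extension name look like a temp file.
SCRIPT_EXTS = {".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd"}
TEMP_INNER_EXTS = {".tmp", ".temp"}

# Characters that dominate string-splitting / escaping style obfuscation
# in PowerShell and batch text (assumed heuristic, not a vendor rule).
OBFUSCATION_CHARS = set("`'\"+^$")
OBFUSCATION_THRESHOLD = 0.2  # assumed; tune against real benign scripts


def classify(path_str: str) -> list[str]:
    """Return the reasons a created file path looks suspicious ([] if none)."""
    p = PureWindowsPath(path_str)
    reasons: list[str] = []
    if p.suffix.lower() not in SCRIPT_EXTS:
        return reasons  # not a script host target; nothing to say

    # xxxxxx.tmp.ps1: the stem itself ends in a temp-file extension.
    inner = PureWindowsPath(p.stem).suffix.lower()
    if inner in TEMP_INNER_EXTS:
        reasons.append(f"temp-style double extension '{inner}{p.suffix.lower()}'")

    # Script dropped into a directory created under System32
    # (parts after 'system32' must include a subdirectory and the file).
    parts = [s.lower() for s in p.parts]
    if "system32" in parts and len(parts) - parts.index("system32") > 2:
        reasons.append("script written inside a System32 subdirectory")
    return reasons


def looks_obfuscated(text: str) -> bool:
    """Crude check: a high share of quote/concat/escape characters."""
    if not text:
        return False
    symbols = sum(1 for ch in text if ch in OBFUSCATION_CHARS)
    return symbols / len(text) >= OBFUSCATION_THRESHOLD


def scan_events(events: list[dict]) -> dict[str, list[str]]:
    """Run both checks over file-creation events; return only the hits."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        reasons = classify(ev["path"])
        if looks_obfuscated(ev.get("content", "")):
            reasons.append("script body looks obfuscated")
        if reasons:
            hits[ev["path"]] = reasons
    return hits


# Constructed sample events (paths and contents are made up for the example).
SAMPLE_EVENTS = [
    {"path": r"C:\Windows\System32\Sample\a1b2c3.tmp.ps1",
     "content": "$a='Ge'+'t-Ch'+'ildIt'+'em';&$a"},
    {"path": r"C:\Windows\System32\drivers\etc\hosts", "content": "127.0.0.1 localhost"},
    {"path": r"C:\Users\Public\update.ps1",
     "content": "Get-ChildItem C:\\temp | Out-File C:\\temp\\list.txt"},
]

if __name__ == "__main__":
    for path, reasons in scan_events(SAMPLE_EVENTS).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

In a real deployment the path checks would run on file-creation telemetry (Sysmon Event ID 11 or an EDR file event) before the script host is allowed to run the file; the obfuscation heuristic is only a triage aid and needs tuning against the organisation's own benign scripts.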
  2. Upvote
    BlueTalon gave kudos to Marcos in Threat Removed
    We were able to add a detection based on your logs and the sample above confirmed that we were right. The script is a loader detected as PowerShell/Agent.ASW trojan. The payload had already been detected for some time.
    Thank you.