Chaichana, posted December 7, 2020

NEW NOTIFICATION
Malicious file Win64/CoinMiner.ZF was detected on computer ad02.musashi.co.th
Detection type: trojan
Detection name: Win64/CoinMiner.ZF
Computer name: ad02.musashi.co.th
Logged user: NT AUTHORITY\SYSTEM
User: NT AUTHORITY\SYSTEM
Time of occurrence: 12/7/20, 10:50:42 AM UTC+7
Scanner: Real-time file system protection
Action performed: cleaned by deleting
URL: file:///C:/Windows/system32/dfsvc.exe

PLEASE ADVISE HOW TO GET RID OF IT. THANKS!
Marcos (ESET Administrator), posted December 7, 2020

Is the threat continually being detected? If so, please collect logs with ESET Log Collector from the machine and upload the generated archive here.
Chaichana (author), posted December 7, 2020

Attachment: efsw_logs.zip

Dear Marcos,
Yes, it's continually being detected. Please kindly see the logs as attached. Thanks!
Marcos (ESET Administrator), posted December 7, 2020

Could you please manually run an update and then reboot the machine? I assume that PowerShell/Agent.QR will be detected and cleaned by the startup scan in WMI. Should the problem persist, please provide a log generated by Autoruns.
JamesR (ESET Staff), posted December 7, 2020

I agree with Marcos, this looks like a WMI persistent threat. Manually telling ESET to update its detection engine should correct the issue of the threat continually being detected. Although, there is a good chance you may already have the update (ESET checks for these updates once per hour). If this does not fix the issue, definitely generate an Autoruns log.

Lastly, it's not uncommon for servers to have been infected due to unexpected ports being exposed to the internet. I highly recommend you audit your public IP addresses with some simple nmap scans to verify what ports are exposed to the internet.

nmap -sV -Pn -F %PublicIPAddress%
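Marcos and JamesR both point at WMI persistence (a permanent event subscription that re-launches the miner at boot, which is what a startup scan "in WMI" would clean). The script below is an added example, not code from this thread or from ESET: it lists every __EventFilter / __EventConsumer / __FilterToConsumerBinding triple in root\subscription, shows what each consumer would execute, and with -Remove deletes any subscription whose names are not on a small allowlist. It assumes an elevated Windows PowerShell session on the affected host, and the allowlist (the default "SCM Event Log" subscription shipped with Windows) is this example's own baseline, not an authoritative list.

```powershell
# Added example (not from the ESET thread): enumerate and optionally remove
# WMI permanent event subscriptions, the mechanism behind a "WMI persistent threat".
# Assumption: run elevated; the allowlist below is illustrative and should be
# adjusted to your own known-good baseline.
param([switch]$Remove)

$ns = 'root\subscription'

# A stock Windows install carries only the SCM Event Log subscription (assumption).
$allowList = @('SCM Event Log Filter', 'SCM Event Log Consumer')

# The three classes that together form one persistent subscription.
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Binding.Filter / Binding.Consumer are object paths such as
#   __EventFilter.Name="MyFilter"
# Pull the Name out so the parts can be matched up.
function Get-PathName([string]$path) {
    if ($path -match 'Name="([^"]+)"') { return $Matches[1] }
    return $path
}

foreach ($b in $bindings) {
    $fName = Get-PathName $b.Filter
    $cName = Get-PathName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }

    # What the consumer actually runs depends on its subclass.
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }   # a command line
        'ActiveScriptEventConsumer' { $c.ScriptText }            # VBScript/JScript body
        default                     { '(non-executing consumer class)' }
    }

    $suspicious = ($fName -notin $allowList) -or ($cName -notin $allowList)

    [pscustomobject]@{
        Filter     = $fName
        Query      = $f.Query          # WQL trigger, e.g. a timer or process-start event
        Consumer   = $cName
        Class      = $c.__CLASS
        Payload    = $payload          # look here for encoded PowerShell or miner launchers
        Suspicious = $suspicious
    } | Format-List

    if ($Remove -and $suspicious) {
        # Remove the binding first so nothing fires while the parts are deleted.
        $b | Remove-WmiObject
        if ($f) { $f | Remove-WmiObject }
        if ($c) { $c | Remove-WmiObject }
        Write-Host "Removed WMI subscription $fName -> $cName"
    }
}
```

Run it once without -Remove and read the Payload column before deleting anything; a CommandLineEventConsumer or ActiveScriptEventConsumer whose payload you did not create is the thing that keeps re-dropping the miner, and deleting its binding is what stops the detection from recurring. Autoruns also lists these under its WMI tab, so the two views should agree.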
itman, posted December 7, 2020

One of the better known WMI based coin miners is GhostMiner: https://www.trendmicro.com/en_us/research/19/i/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads.html . However that puppy dropped an .exe in the Windows Temp directory. Of interest in this Eset detection is the creation of dfsvc.exe in the Windows System32 directory. This exec is associated with .Net ClickOnce software; at least in its legit form.
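itman's point is that dfsvc.exe is a legitimate .NET ClickOnce host, so a copy in System32 is suspicious by location alone. The script below is an added example, not code from this thread: it checks whether a given dfsvc.exe sits in one of the directories where the .NET Framework installs the real one, whether it carries a valid Authenticode signature, and whether its SHA-256 matches the legitimate copies on the same machine. The list of expected directories (the .NET 2.0 and 4.x Framework and Framework64 folders) is this example's assumption; adjust it if your host differs.

```powershell
# Added example (not from the ESET thread): triage a dfsvc.exe by location,
# Authenticode signature and hash. Assumption: the legitimate ClickOnce host
# lives under the .NET Framework directories below, never under System32.
param([string]$Path = 'C:\Windows\System32\dfsvc.exe')

$expectedDirs = @(
    "$env:windir\Microsoft.NET\Framework\v2.0.50727",
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727",
    "$env:windir\Microsoft.NET\Framework\v4.0.30319",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319"
)

# True only if the file's parent directory is one of the expected ones.
function Test-DfsvcLocation([string]$p) {
    $dir = Split-Path -Parent $p
    return ($expectedDirs -contains $dir)
}

if (-not (Test-Path $Path)) {
    # ESET's action was "cleaned by deleting", so the file may already be gone.
    Write-Host "$Path does not exist (already removed?)"
    return
}

$item = Get-Item $Path
$sig  = Get-AuthenticodeSignature $Path
$hash = (Get-FileHash -Algorithm SHA256 $Path).Hash

[pscustomobject]@{
    Path          = $Path
    InExpectedDir = Test-DfsvcLocation $Path          # $false for a System32 copy
    SigStatus     = $sig.Status                       # 'Valid' for a genuine Microsoft binary
    Signer        = $sig.SignerCertificate.Subject
    Company       = $item.VersionInfo.CompanyName     # easily faked; signature is what counts
    Created       = $item.CreationTime                # compare with the detection timestamp
    SHA256        = $hash
} | Format-List

# Compare against whichever legitimate copies are present on this host.
foreach ($d in $expectedDirs) {
    $legit = Join-Path $d 'dfsvc.exe'
    if (Test-Path $legit) {
        $legitHash = (Get-FileHash -Algorithm SHA256 $legit).Hash
        $verdict = if ($legitHash -eq $hash) { 'same hash as flagged file' } else { 'DIFFERENT hash from flagged file' }
        Write-Host ("{0}: {1}" -f $legit, $verdict)
    }
}
```

A file outside the expected directories with an unsigned or invalid signature and a hash that matches none of the Framework copies is a renamed payload, not ClickOnce; a valid Microsoft signature plus a matching hash would instead suggest a legitimate binary copied into System32, which is still worth asking why.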
itman, posted December 7, 2020

This might be the culprit: https://success.trendmicro.com/solution/000261917 . And it's exploiting EternalBlue vulnerability.
Chaichana (author), posted December 8, 2020

After I manually updated and then rebooted the machine, the problem is fixed. Thanks!