safety, posted September 23, 2022:

Hi,
The file is constantly deleted when it is found in RAM, but is "resurrected" again. Can we find the source of this threat?

22.09.2022 12:56:59 Advanced memory scanner file Operating memory » C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 3634BFE5E04A47482E02F849D0C5FACA31213B0F
22.09.2022 12:55:09 Advanced memory scanner file Operating memory » C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting B7C9EDF0683C243AD74CA7D2760003A3EC3806A5
22.09.2022 12:52:09 Startup scanner file Operating memory » C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 5CEE07D38D917C1AC6933342524DD303A9201613

Attachment: eav_logs.zip
Marcos (Administrator), posted September 23, 2022:

Please supply me with the file: C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll. Also enable the LiveGrid Feedback system for maximum protection and to ensure that we get suspicious files. Enabling it also improves protection by certain protection modules, such as the Ransomware shield.

Also create a Procmon boot log. After a reboot, stop logging only after the threat has been detected, if it's detected shortly after the system starts up. Save the pml log, compress it and upload it here.
safety (author), posted September 23, 2022:

> 7 minutes ago, Marcos said: Please supply me with the file: C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll.

Unfortunately, this file is not quarantined. I paid attention to this strange task. We asked the user to quarantine this file.

c:\users\igor\appdata\roaming\msidb.exe /hxxsx:8484 /om:7 /eqcirph /qdkfh, ,
Marcos (Administrator), posted September 23, 2022:

Does the dll exist? If so, is it detected by the on-demand scanner if you scan it manually? Please provide the file c:\users\igor\appdata\roaming\msidb.exe; do not delete it until I confirm receipt.
safety (author), posted September 23, 2022 (edited):

I can assume that it is extracted from somewhere when a task and another process start, and the antivirus immediately kills it. But it is not in quarantine, judging by the logs.

>>> Please provide the file c:\users\igor\appdata\roaming\msidb.exe, do not delete it until I confirm receipt.

Yes, this file was requested; it should be quarantined, although it is clean judging by the VT check.
Marcos (Administrator), posted September 23, 2022:

> 2 minutes ago, safety said: I can assume that it is extracted from somewhere when a task and another process start, and the antivirus immediately kills it. But it is not in quarantine, judging by the logs.
> >>> Please provide the file c:\users\igor\appdata\roaming\msidb.exe, do not delete it until I confirm receipt.
> Yes, this file was requested; it should be quarantined, although it is clean judging by the VT check.

If you enable the ESET LiveGrid Feedback system, most likely the executable will be sent to ESET automatically, since it's probably dropping and injecting the dll.
safety (author), posted September 23, 2022 (edited):

Previously, there were already several similar cases, and the matter was solved by deleting tasks, although the files launched by the tasks were clean.

20.01.2022 9:40:02 Advanced memory scanner file Operating memory » C:\Users\itc-omn\AppData\Local\Temp\1ca9c872.dll multiple threats deleted 4EC9095A35736DFFE889AC992A4460A6C780972F
20.01.2022 9:39:54 Advanced memory scanner file Operating memory » C:\Users\itc-omn\AppData\Local\Temp\1ca9c872.dll multiple threats deleted F378F3E53FF08A9DF28586DE383A8A4D3B1F35EB
20.01.2022 9:38:21 Advanced memory scanner file Operating memory » C:\Users\itc-omn\AppData\Local\Temp\1ca9c872.dll multiple threats deleted D1D3F2531F12E5163BEAFE10BB2425D73F5F395B
-------------
Deleting these tasks helped:

"Command line" = "c:\users\itc-omn\appdata\local\asus giftbox\user data\a3f739aa\vmplayer.exe -us:8 -lznupsl:12" ( 9: High Risk ) ; ; ;
"Command line" = "c:\users\itc-omn\appdata\local\apps\f2238d51\vnplayer.exe /xsqlrl:66576859 /bk /wfu /bziujw:825" ( 9: High Risk ) ; ; ;

Attachment: SysInspector1.zip
Marcos (Administrator), posted September 23, 2022:

The above exe files (vmplayer.exe and vnplayer.exe) probably don't exist; ESI shows a size of 0 for the files. If they exist, please provide them.
safety (author), posted September 23, 2022 (edited):

> 23 minutes ago, Marcos said: The above exe files (vmplayer.exe and vnplayer.exe) probably don't exist; ESI shows a size of 0 for the files. If they exist, please provide them.

Perhaps access was blocked. I looked at this case in another program (uVS). This is a clean file from VMware. (We were unable to reproduce the issue. There was no time. We just deleted these tasks, and then the dll download stopped.)

Полное имя C:\USERS\ITC-OMN\APPDATA\LOCAL\APPS\F2238D51\VNPLAYER.EXE
Имя файла VNPLAYER.EXE
Тек. статус ПРОВЕРЕННЫЙ в автозапуске
Удовлетворяет критериям TASK.EXE (ССЫЛКА ~ .JOB)(1) AND (ЗНАЧЕНИЕ ~ .EXE)(1) [auto (0)]

Сохраненная информация на момент создания образа
Статус ПРОВЕРЕННЫЙ в автозапуске
File_Id 50922D2A294000
Linker 9.0
Размер 2691736 байт
Создан 18.12.2021 в 09:25:23
Изменен 18.12.2021 в 09:25:23
TimeStamp 01.11.2012 в 08:04:58
EntryPoint +
OS Version 5.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
Оригинальное имя VMPLAYER.EXE
Тип файла 32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись Действительна, подписано "VMware, Inc."
Оригинальное имя vmplayer.exe
Версия файла 9.0.1 build-894247
Версия продукта 9.0.1 build-894247
Описание VMware Player
Производитель VMware, Inc.

Доп. информация на момент обновления списка
CmdLine /XSQLRL:66576859 /BK /WFU /BZIUJW:825
SHA1 3FA003D9B68373402C4A603CE47B90269E192CE8
MD5 4AA4BB31B3EA8B9EAE62F52CC7283602

Ссылки на объект
Ссылка C:\WINDOWS\TASKS\VNPLAYER.JOB
Значение "C:\Users\itc-omn\AppData\Local\Apps\f2238d51\vnplayer.exe" /xsqlrl:66576859 /bk /wfu /bziujw:825
Ссылка C:\WINDOWS\SYSTEM32\TASKS\VNPLAYER
Task \vnplayer
Ссылка HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CF5A942D-E1AC-4355-B6E0-7356BE7FBE33}\Actions
Actions "C:\Users\itc-omn\AppData\Local\Apps\f2238d51\vnplayer.exe" /xsqlrl:66576859 /bk /wfu /bziujw:825
Ссылка HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CF5A942D-E1AC-4355-B6E0-7356BE7FBE33}\
safety (author), posted September 23, 2022:

Here, too, the hash is undefined, but through uVS we see it.

Полное имя C:\USERS\IGOR\APPDATA\ROAMING\MSIDB.EXE
Имя файла MSIDB.EXE
Тек. статус ?ВИРУС? ПОДОЗРИТЕЛЬНЫЙ в автозапуске
Удовлетворяет критериям TASK.EXE (ССЫЛКА ~ .JOB)(1) AND (ЗНАЧЕНИЕ ~ .EXE)(1) [auto (0)]

Сохраненная информация на момент создания образа
Статус ПОДОЗРИТЕЛЬНЫЙ в автозапуске
File_Id 4A5BC3C729000
Linker 9.0
Размер 154440 байт
Создан 17.09.2022 в 21:06:14
Изменен 19.03.2010 в 15:02:22
TimeStamp 13.07.2009 в 23:31:19
EntryPoint +
OS Version 6.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла 32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись Отсутствует либо ее не удалось проверить
Статус ПОДОЗРИТЕЛЬНЫЙ ОБЪЕКТ
Путь до файла Типичен для вирусов и троянов

Доп. информация на момент обновления списка
CmdLine /HXXSX:8484 /OM:7 /EQCIRPH /QDKFH
SHA1 D292822E4119A5A73A8B3CEA7AC4BEAC6CF21829
MD5 88F4AF07CA066060ABC8DB7E838F2FEB

Ссылки на объект
Ссылка C:\WINDOWS\TASKS\MSIDB.JOB
Значение "C:\Users\igor\AppData\Roaming\MsiDb.exe" /hxxsx:8484 /om:7 /eqcirph /qdkfh
Ссылка C:\WINDOWS\SYSTEM32\TASKS\MSIDB
Task \MsiDb
Ссылка HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4F7CBE8E-145B-4AA4-8558-5F1C5FCBBC9B}\Actions
Actions "C:\Users\igor\AppData\Roaming\MsiDb.exe" /hxxsx:8484 /om:7 /eqcirph /qdkfh
Ссылка HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4F7CBE8E-145B-4AA4-8558-5F1C5FCBBC9B}\
safety (author), posted September 23, 2022:

Probably only Procmon could help track down who is behind the launch of this dll.
safety (author), posted September 23, 2022 (edited):

In the third case, dated 08.03.2022, it was:

03.08.2022 16:21:55 Advanced memory scanner file Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting E270A42E0B87887376DE25E48312CFF2571DB9A3
03.08.2022 16:21:50 Advanced memory scanner file Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 5F66A0781CDCECDF6C65F348E189362EF587274F
03.08.2022 16:20:14 Advanced memory scanner file Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 1C4398C983256367004BE99569CC49ADDB7B5DE8
---------------
Here the problem was solved after deleting this task:

c:\windows\system32\tasks\java, c:\users\Дмитрий\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,

Attachment: eis_logs.zip
safety (author), posted September 23, 2022:

But here too, java.exe is clean.

Полное имя C:\USERS\ДМИТРИЙ\APPDATA\ROAMING\JAVA.EXE
Имя файла JAVA.EXE
Тек. статус ?ВИРУС? ПОДОЗРИТЕЛЬНЫЙ в автозапуске
Удовлетворяет критериям TASK.EXE (ССЫЛКА ~ .JOB)(1) AND (ЗНАЧЕНИЕ ~ .EXE)(1) [auto (0)]
FILENAME.LIST (ПОЛНОЕ ИМЯ ~ \ROAMING\JAVA.EXE)(1) [auto (0)]

Сохраненная информация на момент создания образа
Статус ПОДОЗРИТЕЛЬНЫЙ в автозапуске
File_Id 4E08554211000
Linker 10.0
Размер 58248 байт
Создан 07.07.2022 в 13:54:55
Изменен 05.02.2022 в 01:19:52
TimeStamp 27.06.2011 в 10:02:42
EntryPoint +
OS Version 5.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла 32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись Отсутствует либо ее не удалось проверить
Статус ПОДОЗРИТЕЛЬНЫЙ ОБЪЕКТ
Путь до файла Типичен для вирусов и троянов

Доп. информация на момент обновления списка
CmdLine /PJ=9757386 /ZGVLO=92 /NBW /MKJ=13105
SHA1 E387EFA1B3580EA075FA637E19C388DF7A330D3D
MD5 95E3593CA9A3CE84ECB40B727FDD3234

Ссылки на объект
Ссылка C:\WINDOWS\TASKS\JAVA.JOB
Значение "C:\Users\Дмитрий\AppData\Roaming\java.exe" /pj=9757386 /zgvlo=92 /nbw /mkj=13105
Ссылка C:\WINDOWS\SYSTEM32\TASKS\JAVA
Task \java
Ссылка HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0A0F558A-0B55-40B5-87F6-4C46E55B74BD}\Actions
Actions "C:\Users\Дмитрий\AppData\Roaming\java.exe" /pj=9757386 /zgvlo=92 /nbw /mkj=13105
Ссылка HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0A0F558A-0B55-40B5-87F6-4C46E55B74BD}\
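The recurring finding in this thread is a scheduled task (\MsiDb, \vnplayer, \java) whose action launches an executable, clean or not, from a user's AppData folder. As an added example that is not code from ESET, uVS or anyone in the thread, this Python parses the XML task definitions Task Scheduler stores under C:\Windows\System32\Tasks and flags such actions; the sample task is constructed from the MsiDb command line quoted above.

```python
# Added example (not ESET's, uVS's or any poster's code): parse the XML task
# definitions Task Scheduler keeps under C:\Windows\System32\Tasks and flag
# <Exec> actions whose executable lives in a user's AppData tree, the pattern
# behind the \MsiDb, \vnplayer and \java tasks quoted in this thread.
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Per-user writable locations; a task launching from here deserves a look.
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml)  # str or bytes; bytes lets expat honour the UTF-16 BOM
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args

def suspicious_actions(task_xml):
    """Return the Exec actions whose executable sits under a user's AppData."""
    return [(c, a) for c, a in exec_actions(task_xml) if APPDATA_RE.search(c)]

def scan_task_store(task_dir=r"C:\Windows\System32\Tasks"):
    """Map task file -> flagged actions for every definition in the live store."""
    hits, root = {}, Path(task_dir)
    if not root.is_dir():
        return hits
    for path in (p for p in root.rglob("*") if p.is_file()):
        try:
            found = suspicious_actions(path.read_bytes())
        except (ET.ParseError, OSError):
            continue  # not a task definition, or not readable from this account
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample modelled on the \MsiDb task shown above (not a real file).
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Users\\igor\\AppData\\Roaming\\MsiDb.exe"</Command>
      <Arguments>/hxxsx:8484 /om:7 /eqcirph /qdkfh</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(suspicious_actions(SAMPLE_TASK))
```

Run it as an administrator on the affected machine so every task file is readable; a hit is a lead to compare against the file's signature and hash, not a verdict on its own.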
Marcos (Administrator), posted September 23, 2022 (marked as Solution):

Let me know when the LiveGrid Feedback system gets enabled; I will check whether we have received any of those suspicious files. Also provide a Procmon boot log with logging stopped after threat detection after the reboot, along with fresh ELC logs.
safety (author), posted September 23, 2022:

> 1 hour ago, Marcos said: Please provide the file c:\users\igor\appdata\roaming\msidb.exe, do not delete it until I confirm receipt.

Please check; I sent the file in an archive in a private message.
safety (author), posted September 23, 2022 (edited):

> 27 minutes ago, Marcos said: Let me know when the LiveGrid Feedback system gets enabled, will check if we have received any of those suspicious files. Also provide a Procmon boot log with logging stopped after threat detection after the reboot along with fresh ESET Log Collector logs.

Unfortunately, the task with the file has already been cleaned up; now we just have to wait for the next similar case, and then we will create the full logs (ESET Log Collector + Procmon) before cleaning the system. According to the user, there are no detections yet.
itman, posted September 23, 2022 (edited):

Reviewing a similar Eset Win32_Spy.Agent variant behavior description here: https://www.virusradar.com/en/Win32_Spy.Agent.OVP/description, I would begin by taking a hard look at suspicious entries in the device's Win startup directories. Start with the C:\Users\xxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup directory. Make sure you temporarily set the Win Explorer View to show OS files. The only thing that should be in this directory is a desktop.ini file.

Next, proceed to reviewing the following directories:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows accesses these directories in top-down order at system startup time.

Also, SysInternals Autoruns might be of assistance here. Make sure you enable the option to have entries scanned at VirusTotal.

-EDIT- This Win32_Spy.Agent variant description: https://www.virusradar.com/en/Win32_Spy.Agent.OXJ/description might be more relevant, since it shows rundll32.exe running from a Win registry startup location.