itman 1,754 Posted June 24: Do you have other HIPS rules besides this one for cmd.exe startup?
Nataniell 0 (Author) Posted June 24 (edited): No, just one; that log shows the first settings and then your adjusted settings together. Edited June 24 by Nataniell
itman 1,754 Posted June 24: 5 minutes ago, Nataniell said: "No, just one; that log shows the first settings and then your adjusted settings together." Delete the first HIPS rule. The only one that should be active is the one I posted. Then clear your HIPS log so only cmd.exe startup entries are shown thereafter.
itman 1,754 Posted June 24: I am going to dinner. Will log back on later. In the meantime, post a new HIPS log after doing the above.
itman 1,754 Posted June 24: I will also add: once you post the screenshot of the HIPS detections for only cmd.exe startup, disable the HIPS rule by removing its checkmark. Make sure to save this change. Otherwise, your HIPS log will become huge with all these blocked entries.
itman 1,754 Posted June 25: Waiting for a new HIPS log screenshot, I've extracted relevant entries from the above log; @Marcos, I found a posting on Reddit that appears related: "The string might be different for you. Secureboot.exe in "C:\ProgramFiles\WindowsPowerShell\Modules\SecureBoot" creates that file and writes to it, then marks it for deletion, and then cmd.exe launches and reads that file before the file vanishes. I assume this is the actual miner command which is running inside cmd.exe)" https://www.reddit.com/r/antivirus/comments/19afutf/cmdexe_using_30_cpu_how_can_i_find_out_what/ I suspect SecureBoot directory files might be the source here. In any case, a very nasty coinminer indeed.
Nataniell 0 (Author) Posted June 25: After a fresh boot only 3 apps are in the HIPS rule: chrome.exe, bluemail.exe, secureboot64.exe as you mention...
itman 1,754 Posted June 25 (edited): As referenced in the above linked Reddit article, this also can track cmd.exe execution: https://superuser.com/questions/1575059/how-to-tell-what-command-were-executed-by-cmd-exe-pop-up . Problem is it's enabled via Group Policy and you need a Win Pro version for that. Edited June 25 by itman
Nataniell 0 (Author) Posted June 25: I have Win Pro. What should I do?
itman 1,754 Posted June 25: 9 minutes ago, Nataniell said: "I have Win Pro. What should I do?" Nothing for the time being. I saw another posting where the poster stated he couldn't get it to work.
Nataniell 0 (Author) Posted June 25: I did the setup as instructed and got this log. So what next???
itman 1,754 Posted June 25: 39 minutes ago, Nataniell said: "I did the setup as instructed and got this log." You can disable the Group Policy entry. Its purpose was to detect what was running cmd.exe in console host mode, i.e. the black window for it appears on the desktop. It's a given this coinminer is running cmd.exe in hidden mode.
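The Group Policy setting discussed above ("Include command line in process creation events") has a local equivalent that can be applied and queried from an elevated PowerShell prompt. The script below is an added example and is not code from the thread or from ESET; it turns on Process Creation auditing (Security log, Event ID 4688), enables command-line capture through the registry value that the GPO sets, and then lists recent cmd.exe starts together with their parent process and user. The 24-hour window and the `-like '*\cmd.exe'` filter are assumptions chosen for this illustration; the registry path and the audit subcategory name are the real ones used by Windows. Note that 4688 is written for every process start, whether or not a console window is visible, so a cmd.exe launched hidden by another binary still shows up with its parent recorded.

```powershell
# Added example (not from the forum thread): enable process-creation auditing with
# command lines and list cmd.exe launches with their parent process.
# Run from an elevated PowerShell prompt. On Pro/Enterprise editions the same two
# settings can be pushed through Group Policy; these are the local equivalents.

# 1. Turn on the "Process Creation" audit subcategory (Security log, Event ID 4688).
auditpol.exe /set /subcategory:"Process Creation" /success:enable

# 2. Include the full command line in 4688 events. This is the registry value behind the
#    GPO "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Pull the last 24 hours of 4688 events (window length is an assumption for this example).
#    4688 fires for every process start, visible console window or not.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 4. Flatten the EventData XML into objects so the parent/child relationship is readable.
$starts = $events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        NewProcess  = $d['NewProcessName']
        Parent      = $d['ParentProcessName']   # populated on Windows 10 / Server 2016 and later
        CommandLine = $d['CommandLine']         # empty for events logged before step 2 took effect
        User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    }
}

# 5. Keep only cmd.exe starts and show which parents are spawning it. In the situation described
#    in the thread, parents such as a browser, a mail client or an unknown binary under
#    ProgramData would be the entries worth investigating.
$cmdStarts = $starts | Where-Object { $_.NewProcess -like '*\cmd.exe' } | Sort-Object Time -Descending

$cmdStarts | Format-Table Time, Parent, User, CommandLine -AutoSize -Wrap

"`nParents launching cmd.exe (count):"
$cmdStarts | Group-Object Parent | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Once the cause has been found, the audit setting can be reverted with `auditpol.exe /set /subcategory:"Process Creation" /success:disable` and by setting the registry value back to 0; leaving command-line logging on is harmless apart from Security log growth, but be aware it records any passwords passed on a command line.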
Nataniell 0 (Author) Posted June 25: 1 minute ago, itman said: "You can disable the Group Policy entry. Its purpose was to detect what was running cmd.exe in console host mode, i.e. the black window for it appears on the desktop. It's a given this coinminer is running cmd.exe in hidden mode." Yes, but that log also found secureboot.exe. So how can I cure this?
Nataniell 0 (Author, marked as Solution) Posted June 25: Ok, I just deleted \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe and the pastebin detection has gone. This path was invisible in the Windows file browser. I had to use Autoruns to locate this file. I hope this deletion was enough.
itman 1,754 Posted June 25 (edited): 13 minutes ago, Nataniell said: "Ok, I just deleted \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe" Yes, indeed, I have never seen a reference to secureboot64.exe. On the other hand, I have seen references to secureboot.exe there, although I could not find any detailed explanation of it. Reboot your PC and hopefully you won't have any problems booting Windows. If you do, you will have to enter Recovery mode and run the Startup Repair option. Edited June 25 by itman
Nataniell 0 (Author) Posted June 25: I did two reboots and everything seems ok... Thx for help
itman 1,754 Posted June 25: 2 minutes ago, itman said: "\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\" Recheck this folder again and see what is stored there.
Nataniell 0 (Author) Posted June 25: A lot of things.
itman 1,754 Posted June 25: 4 minutes ago, Nataniell said: "A lot of things." What I meant is whether secureboot.exe exists there.
itman 1,754 Posted June 25: Another question. Did Autoruns show this entry, \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe, in red color?
Marcos 5,286 (Administrator) Posted June 25: Could you please upload the file secureboot64.exe (~700 MB) compressed in an archive to https://www.virustotal.com and share the link to the scan results? It appears that a file with such a name has never been uploaded there for a scan.
Nataniell 0 (Author) Posted June 26: 6 hours ago, itman said: "Another question. Did Autoruns show this entry, \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe, in red color?" Yes, it was red. And the file does not exist anymore here. I uploaded the file to VirusTotal through Autoruns but I don't know if the scan was completed before deletion.
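The folder check itman asked for, Marcos's VirusTotal request and the Autoruns lookup can be done in one pass from PowerShell. The script below is an added example, not code from the thread or from ESET or Sysinternals. It assumes the folder lives on the C: drive (the thread gives the path without a drive letter) and uses the literal string `SystemSecure` from that path as the search term for persistence entries. It lists every file in the folder including hidden and system ones (which is why the path was not visible in the file browser), records each file's Authenticode status and SHA-256 hash (a hash can be searched on VirusTotal without uploading a 700 MB binary), and then looks for references to the folder in the Run keys, scheduled tasks and services. That last part covers only a small subset of the autostart locations Autoruns enumerates, so it complements rather than replaces it.

```powershell
# Added example (not from the forum thread): inspect the folder named in the thread and look for
# persistence that points into it. Drive letter C: is an assumption; the thread omits it.
$dir     = 'C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System'
$pattern = '*SystemSecure*'   # search term taken from the path in the thread

if (-not (Test-Path -LiteralPath $dir)) {
    Write-Host "$dir is not present on this machine."
} else {
    # -Force includes hidden and system files; -LiteralPath avoids wildcard expansion of the path.
    Get-ChildItem -LiteralPath $dir -Force -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            Attribs   = $_.Attributes                 # Hidden / System show up here
            Created   = $_.CreationTime
            Signature = $sig.Status                   # NotSigned or HashMismatch deserve attention
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List
}

"`n--- Autostart references to $pattern ---"

# Run / RunOnce keys for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like $pattern } |
            ForEach-Object { "Run key: $k\$($_.Name) = $($_.Value)" }
    }
}

# Scheduled tasks whose action executable or arguments reference the folder.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { ("$($_.Execute) $($_.Arguments)") -like $pattern } |
        ForEach-Object { "Scheduled task: $($task.TaskPath)$($task.TaskName) -> $($_.Execute) $($_.Arguments)" }
}

# Services whose binary path references the folder.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like $pattern } |
    ForEach-Object { "Service: $($_.Name) ($($_.State)) -> $($_.PathName)" }
```

Run it before deleting anything so the hashes and the persistence entries are captured; after removal, run it again and expect both sections to come back empty, then confirm with Autoruns, whose coverage (WMI subscriptions, Winlogon, shell extensions and so on) is much broader than the three locations checked here.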
itman 1,754 Posted June 26: My guess here is secureboot64.exe started secureboot.exe with a command line string for cmd.exe to connect to the pastebin domain hosting the coinminer. If this is the case, we now have another Win "living-off-the-land" attack method.
itman 1,754 Posted June 26: @Nataniell, also monitor Chrome and your e-mail client for any abnormal behavior, since cmd.exe was being started from both, which is not normal. My guess here is this was to disable the coin miner when either was executing, to avoid detection via sluggish performance and the like. My guess is there won't be any problems since whatever was being executed would just fail.
Nataniell 0 (Author) Posted June 26: ok, thanks for the tips, I will continue to monitor everything