itman 1,718 Posted Wednesday at 07:50 PM
@Nataniell, I need you to do something else to aid in forensic analysis of this coinminer. Open the Autoruns folder and run Autoruns64.exe, not Autoruns.exe. Once Autoruns initializes, refer to the screenshot below: verify that the two red-highlighted entries are not checked. If they are, uncheck them, shut down Autoruns, and restart Autoruns64.exe. Again, wait till it fully initializes. Next, in the Quick Filter search box, enter secureboot64. Post a screenshot of what is shown. Hopefully, this will show us what is running this bugger.
Nataniell 0 (Author) Posted Wednesday at 08:02 PM
Here
Nataniell 0 (Author) Posted Wednesday at 08:06 PM
Full log TXT here, but I forgot to check "hide empty locations" in this log. The screenshot is newer. PC-DOMOV.txt
itman 1,718 Posted Wednesday at 08:25 PM
17 minutes ago, Nataniell said: Here
Somewhat expected: a service was created to run secureboot64.exe at system startup.
Nataniell 0 (Author) Posted Wednesday at 08:42 PM
Yes, the computer seems to be clean now.
itman 1,718 Posted Wednesday at 10:43 PM
Pondering a bit more, I believe secureboot64.exe is just a renamed version of secureboot.exe. The attacker just added the command line code to it in the registry service entry to connect to the pastebin.com domain hosting the coinminer. A great example of how truly dangerous a Win "living-off-the-land" attack can be.
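The persistence itman describes (a service whose ImagePath points at a binary under ProgramData and carries a command line that reaches out to pastebin.com) can be hunted for without Autoruns. The script below is an added example written for this thread, not code from ESET or from anyone in the discussion. It reads every service's ImagePath from the registry when run on Windows and otherwise runs against a constructed sample; the "SystemSecure" entry in that sample is a hypothetical reconstruction, since the real service name, command line and paste URL were never posted. The trusted-root list, the environment-variable expansion and the URL pattern are my own choices.

```python
import re
import sys

# Constructed sample of service ImagePath values, in the shape the registry
# stores them (HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath).
# "SystemSecure" is a hypothetical reconstruction of the thread's persistence;
# the real service name, command line and paste URL were not posted.
SAMPLE_IMAGE_PATHS = {
    "Dnscache": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p",
    "ekrn": r'"C:\Program Files\ESET\ESET Security\ekrn.exe"',
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "SystemSecure": r'"C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe" '
                    r"https://pastebin.com/raw/<hypothetical-id>",
}

# Roots a legitimately installed service binary normally loads from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Things that should never appear in a service's command line.
URL_RE = re.compile(r"https?://|\bpastebin\.com\b", re.IGNORECASE)

# Minimal expansion of the variables commonly seen in ImagePath (not a full
# ExpandEnvironmentStrings; unknown variables are left untouched).
ENV = {"systemroot": r"C:\Windows", "windir": r"C:\Windows",
       "programfiles": r"C:\Program Files"}


def expand(image_path: str) -> str:
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), image_path)


def split_image_path(image_path: str) -> tuple[str, str]:
    """Return (executable, arguments). Quoted paths are honoured; an unquoted
    path containing spaces is cut at the first space, which is exactly the
    classic unquoted-service-path weakness and worth noticing on its own."""
    s = expand(image_path).strip()
    m = re.match(r'"([^"]+)"\s*(.*)|(\S+)\s*(.*)', s)
    if m is None:
        return "", ""
    if m.group(1) is not None:
        return m.group(1), m.group(2)
    return m.group(3), m.group(4)


def service_findings(name: str, image_path: str) -> list[str]:
    """Reasons a service entry deserves a manual look; empty list means nothing odd."""
    exe, args = split_image_path(image_path)
    low = exe.lower()
    findings = []
    if not low.startswith(TRUSTED_ROOTS):
        findings.append(f"binary outside trusted roots: {exe}")
    if low.startswith("c:\\programdata\\microsoft\\windows\\"):
        findings.append("ProgramData path dressed up to look like a Windows component")
    if URL_RE.search(args):
        findings.append(f"URL or paste site in service arguments: {args}")
    return findings


def enumerate_services_from_registry() -> dict[str, str]:
    """Windows only: ImagePath of every service/driver key under CurrentControlSet."""
    import winreg  # stdlib, but only importable on Windows
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        subkeys, _, _ = winreg.QueryInfoKey(services)
        for i in range(subkeys):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                continue  # no ImagePath (pure config keys) or access denied
            if isinstance(value, str):
                result[name] = value
    return result


if __name__ == "__main__":
    services = (enumerate_services_from_registry() if sys.platform == "win32"
                else SAMPLE_IMAGE_PATHS)
    for name, path in sorted(services.items()):
        for finding in service_findings(name, path):
            print(f"{name}: {finding}")
```

On a live system this is the scripted equivalent of the Autoruns "Services" tab with the Microsoft/Windows entries unhidden: anything it prints is a candidate, not a verdict, and the hash of the flagged binary is what you take to VirusTotal next.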
itman 1,718 Posted yesterday at 03:59 PM
@Nataniell, hopefully you still have HIPS log entries related to your created HIPS rule to block cmd.exe startup? If so, please post the log entry related to secureboot64.exe starting cmd.exe. Only one log entry is needed. You can copy an ESET log entry by right-clicking on the entry and selecting Copy, then paste it into your forum reply.
Nataniell 0 (Author) Posted 8 hours ago
19 hours ago, itman said: @Nataniell, hopefully you still have HIPS log entries related to your created HIPS rule to block cmd.exe startup? If so, please post the log entry related to secureboot64.exe starting cmd.exe. Only one log entry is needed. You can copy an ESET log entry by right-clicking on the entry and selecting Copy, then paste it into your forum reply.
This one?

Čas;Aplikace;Operace;Cíl;Akce;Pravidlo;Doplňující informace;Hash aplikace;Cílový hash
25.06.2024 16:32:08;C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe;Spustit novou aplikaci;C:\Windows\system32\cmd.exe;Blokováno;SKEN;;75C34BCB48FA08D0EF47504049192CA1E389DAC8;7140CAF2A73676D1F7CD5E8529DB861F4704C939

(Translated from the Czech ESET log:)
Time;Application;Operation;Target;Action;Rule;Additional information;Application hash;Target hash
25.06.2024 16:32:08;C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe;Start new application;C:\Windows\system32\cmd.exe;Blocked;SKEN;;75C34BCB48FA08D0EF47504049192CA1E389DAC8;7140CAF2A73676D1F7CD5E8529DB861F4704C939
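The posted HIPS entry contains everything needed to triage the event by machine: a parent path under ProgramData, a child that is cmd.exe, and a 40-hex-digit application hash (SHA-1 length) to look up. The script below is an added example written for this thread, not ESET code or anything posted by the participants. It parses the semicolon-separated export with either the Czech headers shown above or their English equivalents, flags process-start events whose parent runs from a user-writable directory, and prints the hash with a VirusTotal search URL. The sample log embeds the real posted entry plus one constructed benign row (Explorer opening a prompt, with an all-zero placeholder hash) so the filter has something to ignore; the writable-directory pattern and the living-off-the-land binary list are my own choices.

```python
import csv
import io
import re
from datetime import datetime

# ESET localises the column headers; map the Czech headers from the posted
# entry (and their English counterparts) onto one canonical key set.
CANONICAL = {
    "čas": "time", "time": "time",
    "aplikace": "application", "application": "application",
    "operace": "operation", "operation": "operation",
    "cíl": "target", "target": "target",
    "akce": "action", "action": "action",
    "pravidlo": "rule", "rule": "rule",
    "doplňující informace": "info", "additional information": "info",
    "hash aplikace": "app_hash", "application hash": "app_hash",
    "cílový hash": "target_hash", "target hash": "target_hash",
}

# Parent locations a process that spawns a shell normally has no business in.
WRITABLE_DIR_RE = re.compile(
    r"^[a-z]:\\(programdata|users\\[^\\]+\\(appdata|downloads|desktop)|windows\\temp)\\",
    re.IGNORECASE)

# Built-in interpreters and utilities a dropper chains to ("living off the land").
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Constructed sample: row 1 is the entry posted in the thread, row 2 is a
# made-up benign comparison (a user opening a prompt from Explorer, blocked by
# the same rule) with an all-zero placeholder hash.
SAMPLE_LOG = r"""Čas;Aplikace;Operace;Cíl;Akce;Pravidlo;Doplňující informace;Hash aplikace;Cílový hash
25.06.2024 16:32:08;C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe;Spustit novou aplikaci;C:\Windows\system32\cmd.exe;Blokováno;SKEN;;75C34BCB48FA08D0EF47504049192CA1E389DAC8;7140CAF2A73676D1F7CD5E8529DB861F4704C939
25.06.2024 16:40:12;C:\Windows\explorer.exe;Spustit novou aplikaci;C:\Windows\system32\cmd.exe;Blokováno;SKEN;;0000000000000000000000000000000000000000;7140CAF2A73676D1F7CD5E8529DB861F4704C939
"""


def parse_hips_log(text: str) -> list[dict]:
    """Parse the semicolon-separated export into rows keyed by canonical names."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")), delimiter=";")
    rows = []
    for raw in reader:
        row = {CANONICAL.get(k.strip().lower(), k): (v or "").strip()
               for k, v in raw.items()}
        row["time"] = datetime.strptime(row["time"], "%d.%m.%Y %H:%M:%S")
        rows.append(row)
    return rows


def hash_kind(digest: str) -> str:
    """Name the algorithm from the hex length so the analyst knows what to look up."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        return "unknown"
    return {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(digest), "unknown")


def triage(rows: list[dict]) -> list[dict]:
    """Keep process-start events whose parent runs from a user-writable location,
    annotate why they matter, and hand back the parent hash for a lookup."""
    findings = []
    for row in rows:
        parent, child = row["application"], row["target"]
        if not WRITABLE_DIR_RE.match(parent):
            continue
        reasons = ["parent runs from a user-writable directory"]
        child_name = child.rsplit("\\", 1)[-1].lower()
        if child_name in LOLBINS:
            reasons.append(f"child is a living-off-the-land binary ({child_name})")
        findings.append({
            "time": row["time"],
            "parent": parent,
            "child": child,
            "parent_hash": row["app_hash"],
            "hash_kind": hash_kind(row["app_hash"]),
            "reasons": reasons,
            "lookup": f"https://www.virustotal.com/gui/search/{row['app_hash']}",
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_hips_log(SAMPLE_LOG)):
        print(f["time"], f["parent"], "->", f["child"])
        for reason in f["reasons"]:
            print("  -", reason)
        print("  ", f["hash_kind"], "lookup:", f["lookup"])
```

Paste a full export of the HIPS log into SAMPLE_LOG (or read it from a file) and the benign Explorer-to-cmd rows drop out while anything launched from ProgramData, AppData, Downloads or Windows\Temp stays. A hash that VirusTotal has never seen, as itman notes for this sample, is itself a signal that the file was built or renamed for this victim.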
itman 1,718 Posted 6 hours ago
2 hours ago, Nataniell said: This one?
Yes, thank you. Unfortunately, it appears secureboot64.exe was never submitted to VirusTotal. If you haven't cleared your Win Recycle Bin, it still might be there. Could you check, please?
Nataniell 0 (Author) Posted 4 hours ago
Nope, I deleted it completely.