Jump to content

URL/Urlik.AAR Object - pastebin - virus?

Nataniell
 Share
Go to solution Solved by Nataniell,

Recommended Posts

itman

itman 1,718

Posted
Posted

@Nataniell, I need you to do something else to aid in forensic analysis of this coinminer.

Open the Autoruns folder and run Autoruns64.exe - not Autoruns.exe.

Once Autoruns initializes, refer to the below screenshot;

Eset_Autoruns.png.885e43e2281a354cb736d70dc53a11d0.png

Verify that the two red highlighted entries are not check marked. If they are, uncheck mark them; shutdown Autoruns; and restart Autoruns64.exe. Again, wait till it fully initializes.

Next in the Quick Filter search box, enter secureboot64. Post a screenshot of what is shown.

Hopefully, this will show us what is running this bugger.

Link to comment
Share on other sites
itman

itman 1,718

Posted
Posted

Pondering a bit more, I believe secureboot64.exe is just a renamed version of secureboot.exe. The attacker just added the command line code to it in the registry service entry to connect to the pastebin.com domain hosting the coinminer.

A great example of how truly dangerous a Win "living-off-the-land" attack can be.

Link to comment
Share on other sites
itman

itman 1,718

Posted
Posted (edited)

@Nataniell, hopefully you still have HIPS log entries related to your created HIPS rule to block cmd.exe startup? If this is the case, please post the log entry related to secureboot64.exe starting cmd.exe. Only one log entry is needed.

You can copy an Eset log entry by right button mouse clicking on the entry and selecting copy. Then select paste in your forum reply to insert the log entry.

Edited by itman
Link to comment
Share on other sites
Nataniell

Nataniell 0

Posted
  • Author
Posted
19 hours ago, itman said:

@Nataniell, hopefully you still have HIPS log entries related to your created HIPS rule to block cmd.exe startup? If this is the case, please post the log entry related to secureboot64.exe starting cmd.exe. Only one log entry is needed.

You can copy an Eset log entry by right button mouse clicking on the entry and selecting copy. Then select paste in your forum reply to insert the log entry.

This one?

Čas;Aplikace;Operace;Cíl;Akce;Pravidlo;Doplňující informace;Hash aplikace;Cílový hash
25.06.2024 16:32:08;C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe;Spustit novou aplikaci;C:\Windows\system32\cmd.exe;Blokováno;SKEN;;75C34BCB48FA08D0EF47504049192CA1E389DAC8;7140CAF2A73676D1F7CD5E8529DB861F4704C939
 

Link to comment
Share on other sites
itman

itman 1,718

Posted
Posted
2 hours ago, Nataniell said:

This one?

Yes, thank you.

Unfortunately, it appears secureboot64.exe was never submitted to VirusTotal.

If you haven't cleared your Win Recycle Bin, it still might be there. Could you check please.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...