Jump to content

URL/Urlik.AAR Object - pastebin - virus?


Go to solution Solved by Nataniell,

Recommended Posts

@Nataniell, I need you to do something else to aid in forensic analysis of this coinminer.

Open the Autoruns folder and run Autoruns64.exe - not Autoruns.exe.

Once Autoruns initializes, refer to the below screenshot;

Eset_Autoruns.png.885e43e2281a354cb736d70dc53a11d0.png

Verify that the two red highlighted entries are not check marked. If they are, uncheck mark them; shutdown Autoruns; and restart Autoruns64.exe. Again, wait till it fully initializes.

Next in the Quick Filter search box, enter secureboot64. Post a screenshot of what is shown.

Hopefully, this will show us what is running this bugger.

Link to comment
Share on other sites

17 minutes ago, Nataniell said:

Here

image.thumb.png.99ff55d87be3a9b704ee44c81b82be69.png

Somewhat expected, a service was created to run at system startup to run secureboot64.exe.

Link to comment
Share on other sites

Pondering a bit more, I believe secureboot64.exe is just a renamed version of secureboot.exe. The attacker just added the command line code to it in the registry service entry to connect to the pastebin.com domain hosting the coinminer.

A great example of how truly dangerous a Win "living-off-the-land" attack can be.

Link to comment
Share on other sites

@Nataniell, hopefully you still have HIPS log entries related to your created HIPS rule to block cmd.exe startup? If this is the case, please post the log entry related to secureboot64.exe starting cmd.exe. Only one log entry is needed.

You can copy an Eset log entry by right button mouse clicking on the entry and selecting copy. Then select paste in your forum reply to insert the log entry.

Edited by itman
Link to comment
Share on other sites

19 hours ago, itman said:

@Nataniell, hopefully you still have HIPS log entries related to your created HIPS rule to block cmd.exe startup? If this is the case, please post the log entry related to secureboot64.exe starting cmd.exe. Only one log entry is needed.

You can copy an Eset log entry by right button mouse clicking on the entry and selecting copy. Then select paste in your forum reply to insert the log entry.

This one?

Čas;Aplikace;Operace;Cíl;Akce;Pravidlo;Doplňující informace;Hash aplikace;Cílový hash
25.06.2024 16:32:08;C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe;Spustit novou aplikaci;C:\Windows\system32\cmd.exe;Blokováno;SKEN;;75C34BCB48FA08D0EF47504049192CA1E389DAC8;7140CAF2A73676D1F7CD5E8529DB861F4704C939
 

Link to comment
Share on other sites

2 hours ago, Nataniell said:

This one?

Yes, thank you.

Unfortunately, it appears secureboot64.exe was never submitted to VirusTotal.

If you haven't cleared your Win Recycle Bin, it still might be there. Could you check please.

Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...