itman, posted June 26: @Nataniell, I need you to do something else to aid in forensic analysis of this coinminer. Open the Autoruns folder and run Autoruns64.exe, not Autoruns.exe. Once Autoruns initializes, refer to the screenshot below; verify that the two red-highlighted entries are not checked. If they are, uncheck them, shut down Autoruns, and restart Autoruns64.exe. Again, wait until it fully initializes. Next, in the Quick Filter search box, enter secureboot64. Post a screenshot of what is shown. Hopefully, this will show us what is running this bugger.
Nataniell (author), posted June 26: Here
Nataniell (author), posted June 26 (edited): Full log TXT here, but I forgot to check "hide empty locations" in this log. The screenshot is newer. PC-DOMOV.txt (Edited June 26 by Nataniell)
itman, posted June 26: 17 minutes ago, Nataniell said: Here. Somewhat expected: a service was created to run at system startup to run secureboot64.exe.
Nataniell (author), posted June 26: Yes, the computer seems to be clean now.
itman, posted June 26: Pondering a bit more, I believe secureboot64.exe is just a renamed version of secureboot.exe. The attacker just added the command line code to it in the registry service entry to connect to the pastebin.com domain hosting the coinminer. A great example of how truly dangerous a Win "living-off-the-land" attack can be.
itman, posted June 29 (edited): @Nataniell, hopefully you still have HIPS log entries related to your created HIPS rule to block cmd.exe startup? If this is the case, please post the log entry related to secureboot64.exe starting cmd.exe. Only one log entry is needed. You can copy an ESET log entry by right-clicking on the entry and selecting Copy. Then select Paste in your forum reply to insert the log entry. (Edited June 29 by itman)
Nataniell (author), posted June 30: 19 hours ago, itman said: @Nataniell, hopefully you still have HIPS log entries related to your created HIPS rule to block cmd.exe startup? If this is the case, please post the log entry related to secureboot64.exe starting cmd.exe. Only one log entry is needed. You can copy an ESET log entry by right-clicking on the entry and selecting Copy. Then select Paste in your forum reply to insert the log entry.
This one? (log entry translated from Czech; the rule name SKEN is kept as-is)
Time;Application;Operation;Target;Action;Rule;Additional information;Application hash;Target hash
25.06.2024 16:32:08;C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe;Start new application;C:\Windows\system32\cmd.exe;Blocked;SKEN;;75C34BCB48FA08D0EF47504049192CA1E389DAC8;7140CAF2A73676D1F7CD5E8529DB861F4704C939
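The HIPS entry above is the usual shape of an ESET log export: semicolon-separated, header row in the installation's language, then the parent process, the operation, the child process, the rule verdict and the two file hashes. The Python below is an added example written for this thread, not part of the original posts and not an ESET tool. It parses such an export by column position (so the localized header does not matter) and flags every row where a shell or script host was started by a binary living outside C:\Windows or Program Files, whether or not HIPS blocked it. The sample export is constructed for illustration: only its first data row reproduces the entry posted above; the other rows, paths and hashes are made up.

```python
import csv
from datetime import datetime
from io import StringIO

# Column order of an ESET HIPS log export. The header row is localized (the
# thread shows Czech), so rows are read by position rather than by name.
COLUMNS = ("time", "application", "operation", "target", "action", "rule",
           "info", "application_hash", "target_hash")

# Directories a legitimate parent of cmd.exe is normally installed under.
# C:\ProgramData is deliberately absent: it is writable without admin rights,
# which is exactly where the loader in this thread was placed.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")

# Shells and script hosts worth flagging when spawned from an untrusted path.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Constructed sample export. Row 1 is the entry from the thread; rows 2 and 3
# (explorer.exe blocked by the same rule, and an allowed PowerShell launch from
# a Temp directory) are made up, including their hashes.
SAMPLE_EXPORT = r"""
Čas;Aplikace;Operace;Cíl;Akce;Pravidlo;Doplňující informace;Hash aplikace;Cílový hash
25.06.2024 16:32:08;C:\ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot64.exe;Spustit novou aplikaci;C:\Windows\system32\cmd.exe;Blokováno;SKEN;;75C34BCB48FA08D0EF47504049192CA1E389DAC8;7140CAF2A73676D1F7CD5E8529DB861F4704C939
25.06.2024 16:35:41;C:\Windows\explorer.exe;Spustit novou aplikaci;C:\Windows\system32\cmd.exe;Blokováno;SKEN;;0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D;7140CAF2A73676D1F7CD5E8529DB861F4704C939
25.06.2024 16:40:02;C:\Users\user\AppData\Local\Temp\updater.exe;Spustit novou aplikaci;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;Povoleno;;;1111111111222222222233333333334444444444;5555555555666666666677777777778888888888
""".strip()


def parse_hips_export(text):
    """Return one dict per data row; the header and malformed rows are skipped."""
    rows = csv.reader(StringIO(text), delimiter=";")
    next(rows, None)  # localized header row
    records = []
    for row in rows:
        if len(row) != len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, row))
        rec["time"] = datetime.strptime(rec["time"], "%d.%m.%Y %H:%M:%S")
        records.append(rec)
    return records


def is_trusted_path(path):
    """Case-insensitive prefix check against the trusted install directories."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def find_suspicious_launches(records):
    """Rows where an interpreter was started by a parent outside the trusted
    directories. The HIPS verdict is ignored on purpose: an allowed launch from
    an odd location is at least as interesting as a blocked one."""
    hits = []
    for rec in records:
        target_name = rec["target"].rsplit("\\", 1)[-1].lower()
        if target_name in INTERPRETERS and not is_trusted_path(rec["application"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_launches(parse_hips_export(SAMPLE_EXPORT)):
        print(f"{hit['time']:%Y-%m-%d %H:%M:%S}  {hit['application']} -> "
              f"{hit['target']}  [{hit['action']}]")
        # The 40-hex-character hash is SHA-1 length; it can be looked up
        # directly, e.g. https://www.virustotal.com/gui/file/<hash>
        print(f"  parent hash: {hit['application_hash']}")
```

Against the sample, the explorer.exe row is dropped because its parent sits under C:\Windows, while both the secureboot64.exe row and the Temp-directory row are reported. The parent hash printed for a hit is the value worth pasting into a VirusTotal or Hybrid Analysis search before the file itself is gone, which is the problem the rest of this thread runs into.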
itman, posted June 30: 2 hours ago, Nataniell said: This one? Yes, thank you. Unfortunately, it appears secureboot64.exe was never submitted to VirusTotal. If you haven't cleared your Win Recycle Bin, it still might be there. Could you check, please?
Nataniell (author), posted June 30: Nope, I deleted it completely.
IvelinNaydenov, posted August 26: I have the file, do you need it?
Marcos (Administrator), posted August 26: 1 hour ago, IvelinNaydenov said: I have the file, do you need it? Please provide logs collected with ESET Log Collector.
itman, posted August 26: 6 hours ago, IvelinNaydenov said: I have the file, do you need it? Submit the file here for a scan: https://www.hybrid-analysis.com/ Once the analysis completes, post a link to the analysis. This way we can all review the analysis.