Powershell Script Blocked

[AlexLeadingEdge]

Hi guys,

Since upgrading to Malwarebytes v3 we are seeing a popup saying that a powershell script is being called and blocked. I can't see where it is being called from to kill the process, any ideas on how to track down this (possible) infection?

It says that it was logged in this JSON file, which I have opened and copy and pasted here:

BF9D0ABCC47F1F768A74D037871D81282A5284035F1CAF1E6DD38687061FFCCD
{
   "applicationVersion" : "3.0.4.1269",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.39",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.706",
   "detectionDateTime" : "2016-12-12T22:20:16Z",
   "fileSystem" : "NTFS",
   "id" : "289c33a0-c0b9-11e6-9d2e-00155d091702",
   "isUserAdmin" : true,
   "licenseState" : "trial",
   "linkagePhaseComplete" : false,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows Server 2012 R2",
   "schemaVersion" : 1,
   "sourceDetails" : {
      "type" : "ae"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2016-12-12T22:20:16Z",
            "exploitData" : {
               "appDisplayName" : "cmd",
               "blockedFileName" : "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe Get-AppxPackage | Where Name -match ICQ | Select-Object -Expand Version",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Exploit payload process blocked",
               "url" : ""
            },
            "generatedByPostCleanupAction" : false,
            "id" : "289c33a1-c0b9-11e6-a4d6-00155d091702",
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectType" : "exploit"
         },
         "ruleID" : -1,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

 

[Rsullinger]

Hello AlexLeadingEdge,

 

I want to have you collect me another log that has a bit more information on that block as I want to see what protection layer it is hitting. The log is called mbae-default.txt and it is found under the C:\ProgramData\Malwarebytes\MBAMService. I would replicate the block again before you grab that log so it is at the bottom. Once you do that, get it over to me and I should be able to see what is happening in this instance. 

[AlexLeadingEdge]

Just had two more:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/13/16
Protection Event Time: 11:20 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.706
License: Trial

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [-1],0.0.0

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-AppxPackage | Where Name -match Line | Select-Object -Expand Version
URL: 



(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/13/16
Protection Event Time: 11:21 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.706
License: Trial

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [-1],0.0.0

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-AppxPackage | Where Name -match PiipCorporation.PiipMessenger | Select-Object -Expand Version
URL: 



(end)

 

[AlexLeadingEdge]

5 minutes ago, Rsullinger said:

Hello AlexLeadingEdge,

 

I want to have you collect me another log that has a bit more information on that block as I want to see what protection layer it is hitting. The log is called mbae-default.txt and it is found under the C:\ProgramData\Malwarebytes\MBAMService. I would replicate the block again before you grab that log so it is at the bottom. Once you do that, get it over to me and I should be able to see what is happening in this instance. 

Is this the file you want? It looks encrypted?

mbae-default.zip

[Rsullinger]

Hello Alex,

 

Thank you for that. IT is the log I was looking for and it is encrypted. So it looks like it may be comming from this file:

 

C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\powershell.exe 

Is that something you have on the computer? It seems to be the way it is calling the powershell script may be the reason it is being blocked. If you do know what that script is, do you know what it is attempting to do? 

[AlexLeadingEdge]

That is one of the antivirus systems that our client uses:

https://www.maxfocus.com/remote-management/managed-antivirus

I have no idea why it would be calling that script. I don't believe it has a reason too. Is it possible the Managed Antivirus was scanning that script and it was picked up by Malwarebytes?

[Rsullinger]

Hey Alex,

Hard to say. From what I am seeing, it may be something they are doing. I am going to send you a PM to collect some debug information.