Ransomware attack


stagg


Hello, I was trying to copy some photos from my PC to an external disk and I got a black screen for 2 seconds and then a popup from Malwarebytes that said "Ransomware attack prevented".
Then I searched the Malwarebytes history but nothing was in it. So I searched in the app logs and found this:
 

01/05/18    " 16:50:28.874"    855712890    2ae4    2b7c    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    1073    "Received threat detection callback from ARW SDK, ObjectPath=Video.UI.exe, Sha256Hash="
01/05/18    " 16:50:28.889"    855712906    2ae4    2b7c    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListed    "RulesWhiteLister.cpp"    173    "Cannot figure out rule white list status of file 'Video.UI.exe' because we could not read its contents"
01/05/18    " 16:50:28.889"    855712906    2ae4    2b7c    ERROR    CleanControllerImpl    CommonCleanUtils::GetFileHashesAndSize    "CommonCleanUtils.cpp"    307    "GetTripleHash failed for file = 'Video.UI.exe'"
01/05/18    " 16:50:28.889"    855712906    2ae4    2b7c    ERROR    CleanControllerImpl    CommonCleanUtils::GetFileHashesAndSize    "CommonCleanUtils.cpp"    342    "Cannot calculate hash of file 'Video.UI.exe' because of error reading its contents using swiss army"
01/05/18    " 16:50:28.889"    855712906    2ae4    2b7c    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus    "WhiteListManager.cpp"    248    "White list status (not cached): File 'Video.UI.exe'   => Hubble:Error"
01/05/18    " 16:50:28.889"    855712906    2ae4    2b7c    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    1098    "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=Video.UI.exe, id=0x0"
01/05/18    " 16:50:30.327"    855714343    2ae4    272c    WARNING        ArwSDK    ""    0    "{Thread: 0x00001628, Tick: 0x33012A27} [KillProcess] The process {PID: 11196} is already stopped."
01/05/18    " 16:50:30.327"    855714343    2ae4    272c    WARNING        ArwSDK    ""    0    "{Thread: 0x00001628, Tick: 0x33012A27} [KillProcess] The process {PID: 9972} is already stopped."
01/05/18    " 16:50:30.327"    855714343    2ae4    272c    WARNING        ArwSDK    ""    0    "{Thread: 0x00001628, Tick: 0x33012A27} [KillProcess] The process {PID: 10432} is already stopped."
01/05/18    " 16:50:30.327"    855714343    2ae4    272c    WARNING        ArwSDK    ""    0    "{Thread: 0x00001628, Tick: 0x33012A27} [KillProcess] The process {PID: 9200} is already stopped."
01/05/18    " 16:52:48.369"    855852390    2ae4    2220    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2164    "App Injected (Mozilla Firefox (and add-ons))"
01/05/18    " 16:52:49.038"    855853062    2ae4    2220    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2164    "App Injected (Mozilla Firefox (and add-ons))"
01/05/18    " 16:52:49.225"    855853250    2ae4    2220    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2164    "App Injected (Mozilla Firefox (and add-ons))"
01/05/18    " 16:52:49.569"    855853593    2ae4    2220    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2164    "App Injected (Mozilla Firefox (and add-ons))"
01/05/18    " 16:52:50.897"    855854921    2ae4    2220    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2164    "App Injected (Mozilla Firefox (and add-ons))"
01/05/18    " 16:52:52.616"    855856640    2ae4    2220    INFO    AEControllerImpl    mb::aecontrollerimpl::AEControllerImplHelper::DoAppInjectedNotification    "AEControllerImplHelper.cpp"    2164    "App Injected (Mozilla Firefox (and add-ons))"
01/05/18    " 16:53:19.369"    855883390    2ae4    1ec4    INFO    LicenseControllerImpl    mb::licensecontrollerimpl::KeystoneImpl::KeystoneCheck    "KeystoneImpl.cpp"    129    "Entering KeystoneCheck. Checking with Keystone for licensing status for our installation_token"
01/05/18    " 16:53:19.369"    855883390    2ae4    1ec4    WARNING    HttpConnection    mb::common::net::HttpConnection::SendRequest    "HttpConnection.cpp"    341    "HTTP POST - host not found"
01/05/18    " 16:53:19.369"    855883390    2ae4    1ec4    WARNING    HttpConnection    mb::common::net::HttpConnection::LogExceptionDetails    "HttpConnection.cpp"    1472    "Exception details: text=Host not found: keystone.mwbsys.com"
01/05/18    " 16:53:19.369"    855883390    2ae4    1ec4    ERROR    LicenseControllerImpl    mb::licensecontrollerimpl::KeystoneImpl::SendKeystoneRequest    "KeystoneImpl.cpp"    786    "Received a [-3] response from Keystone. This isn't one of the expected httpStatus returns."
01/05/18    " 16:53:19.369"    855883390    2ae4    1ec4    ERROR    LicenseControllerImpl    mb::licensecontrollerimpl::KeystoneImpl::SendKeystoneRequest    "KeystoneImpl.cpp"    796    "SendRequest RequestBody ({
 

It seems that "Video.UI.exe" (which is part of the Microsoft Windows Store apps, as far as I know) was reported as ransomware, but as far as I could understand from the log, it was then flagged as white-listed.

Does anyone know what's going on? Is this a false alarm?

Thank you!

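As an added triage example (not code from the post or from Malwarebytes), the parser below reads the service-log lines pasted above and reconstructs what the log actually shows: the whitelist lookup failed because the file could not be read and the cloud check errored, and the kill was issued on that basis rather than on a confirmed-malicious verdict. The field names, the `triage_arw_detection` helper and its verdict strings are my own assumptions about the format, not Malwarebytes documentation.

```python
import re
from typing import Dict, List

# Constructed sample: lines quoted from the post above, trimmed to the events
# that matter for triage (the original tabs collapse to runs of spaces here).
SAMPLE_LOG = """\
01/05/18    " 16:50:28.874"    855712890    2ae4    2b7c    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    1073    "Received threat detection callback from ARW SDK, ObjectPath=Video.UI.exe, Sha256Hash="
01/05/18    " 16:50:28.889"    855712906    2ae4    2b7c    ERROR    CleanControllerImpl    mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListed    "RulesWhiteLister.cpp"    173    "Cannot figure out rule white list status of file 'Video.UI.exe' because we could not read its contents"
01/05/18    " 16:50:28.889"    855712906    2ae4    2b7c    INFO    CleanControllerImpl    mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus    "WhiteListManager.cpp"    248    "White list status (not cached): File 'Video.UI.exe'   => Hubble:Error"
01/05/18    " 16:50:28.889"    855712906    2ae4    2b7c    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "ArwControllerImplHelper.cpp"    1098    "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=Video.UI.exe, id=0x0"
01/05/18    " 16:50:30.327"    855714343    2ae4    272c    WARNING        ArwSDK    ""    0    "{Thread: 0x00001628, Tick: 0x33012A27} [KillProcess] The process {PID: 11196} is already stopped."
01/05/18    " 16:53:19.369"    855883390    2ae4    1ec4    WARNING    HttpConnection    mb::common::net::HttpConnection::LogExceptionDetails    "HttpConnection.cpp"    1472    "Exception details: text=Host not found: keystone.mwbsys.com"
"""

# date, quoted time, tick, pid, tid, level, component+function, "file", line, "message"
# (field layout inferred from the sample; an assumption, not a documented schema)
LINE_RE = re.compile(
    r'^(?P<date>\d\d/\d\d/\d\d)\s+"\s*(?P<time>[\d:.]+)"\s+\d+\s+[0-9a-f]+\s+[0-9a-f]+\s+'
    r'(?P<level>INFO|WARNING|ERROR)\s+(?P<source>.*?)\s+"(?P<file>[^"]*)"\s+\d+\s+"(?P<msg>.*)"\s*$')

def parse_log(text: str) -> List[dict]:
    """Parse service-log lines into dicts; lines that do not fit (e.g. truncated) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage_arw_detection(records: List[dict]) -> Dict[str, object]:
    """Reconstruct one anti-ransomware detection: what was flagged, whether the
    whitelist lookup really succeeded, and whether a kill followed from its failure."""
    res: Dict[str, object] = {"object": None, "sha256": None, "whitelist_lookup_failed": False,
                              "kill_requested": False, "killed_pids": [], "offline_hint": False,
                              "verdict": "no ARW detection seen"}
    for r in records:
        msg = r["msg"]
        hit = re.search(r"ObjectPath=([^,]+), Sha256Hash=(\w*)", msg)
        if hit and "detection callback" in msg:
            res["object"], res["sha256"] = hit.group(1), hit.group(2) or None  # empty hash = unread file
        elif "sending an action request to the SDK to kill" in msg:
            res["kill_requested"] = True
        elif "Hubble:Error" in msg or "could not read its contents" in msg:
            res["whitelist_lookup_failed"] = True
        elif "[KillProcess]" in msg:
            pid = re.search(r"PID: (\d+)", msg)
            if pid:
                res["killed_pids"].append(int(pid.group(1)))
        elif "Host not found" in msg:
            res["offline_hint"] = True  # cloud services unreachable around the same time
    if res["object"] and res["whitelist_lookup_failed"] and res["kill_requested"]:
        res["verdict"] = ("kill driven by whitelist error, not a confirmed-malicious verdict; "
                          "probable false positive, confirm by hashing the binary once online")
    elif res["object"]:
        res["verdict"] = "detection with a working whitelist lookup; investigate as real"
    return res

if __name__ == "__main__":
    print(triage_arw_detection(parse_log(SAMPLE_LOG)))
```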

  • Staff

Hi @stagg - this was most likely a false positive. Can you run this tool and provide the zip file it creates?

arwlogs.exe is an information-gathering tool that neither installs anything nor makes system/registry hive changes.

  1. Download the trusted, Malwarebytes-authored arwlogs.exe utility/tool and save it only to a system Administrator's desktop of the system in question.
  2. Single right-click the arwlogs.exe icon and select "Run as administrator" from the Windows context menu.
  3. If a Windows User Account Control (UAC) alert/prompt for arwlogs.exe appears, select the "Yes" button to continue.
  4. If a Windows SmartScreen warning alert/prompt for arwlogs.exe appears, select "More info" then select the "Run anyway" button to continue.
  5. A Command window will appear and its contents may be mostly ignored.
  6. When "Press any key to continue . . . " appears at the bottom of the Command window, press any key to close the window.
  7. A zipped archive (yyyy-mm-dd-{COMPUTERNAME}.zip) should have been generated on the system Administrator's desktop.
  8. Attach the above zipped archive to your next reply in this topic.
  9. Delete arwlogs.exe from the Administrator desktop.


  • Staff

Thanks @stagg. I'm confident this was a false positive detection. However, I'd like to collect a bit more information for analysis of this situation.

Create and obtain Farbar Recovery Scan Tool (FRST) logs

  1. Download FRST and save it to your desktop
    Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  3. Press the "Scan" button
  4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
  5. Please attach those logs in your reply.