Jump to content

Powershell.exe using 100% CPU


Recommended Posts

Greetings,

We have around 20 virtual servers (Windows 2008) which have been consuming 100% CPU since the last couple of days. All the servers were working fine earlier but looks like they have got effected with malware            (PowerShell.exe runs at 100% CPU). We can end the "PowerShell.exe" service but it automatically starts again after an hour or so

Microsoft Security Essentials is detecting the malware (HackTool:PowerShell/Wanascan.A). Also observed that the files are quarantined

We have tried to clean with multiple anti malware software / anti virus software but could not identify the root cause. Request your help in resolving the issues

Attached are the log files for your reference & troubleshooting

Thanks & Regards, Chakri  

Addition.txt

AdwCleaner.txt

Export Summary.txt

FRST.txt

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Spoiler

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
    image.png
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
    image.png
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Spoiler

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
    _frst_scan.jpg.d10e66dc03e35ede4fdcba12b
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

_mb_attach.jpg.a0465aaafd6cae688aa38ab16

 

After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

_mb_follow.jpg.7868cc281f66ac22e919c2c48

_mb_follow_options.jpg.dcb79fc10aa35beb0

Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips

Link to post
Share on other sites

Hi Chakri :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

In the Task Manager, under the Details tab, if you add the Command Line column, can you tell me what command is used to launch the powershell.exe process?

Link to post
Share on other sites

Alright, I see what's happening. Open a command prompt with Admin Rights and enter the following commands:

([WmiClass] 'root\default:systemcore_Updater').Properties['funs'].Value > %userprofile%\Desktop\funsvalue.txt
([WmiClass] 'root\default:systemcore_Updater').Properties['mon'].Value > %userprofile%\Desktop\monvalue.txt

Then attach the funsvalue.txt and monvalue.txt files that should be on your desktop.

Link to post
Share on other sites

All good. Now, in the meantime, let's get an Autoruns log from one of the infected server.

sUc2qjf.pngAutoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:

  • Download Autoruns.zip from the Sysinternals Suite webpage
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator
  • Accept the EULA on opening, then wait for all the entries to load
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file
  • Right-click on the file you saved and select Send to followed by Compressed (zipped) folder
  • Attach the .zip file on your next post, or if it says that it's too big, upload it on SendSpace and post the download URL for it here

Link to post
Share on other sites

By the way, this is what your servers are infected with.

https://github.com/carbreal/Malware_Analysis/tree/master/FileLess_Miner

Pay attention to this...

Quote

But, what is the Mimikatz for? Apparently, It's also kind of a non-interactive botnet, It uploads every credential stolen.
We see a couple servers listening for our data. It checks for connectivity and, for each credential, it appends the b64 of the credential to the data parameter and it makes a GET request to the api.php with the data.

I'm sorry but at this point, if it hasn't been done yet, I strongly suggest that you contact your IT Security team or if you have one, your Incident Response team. Your network has been breached, credentials have been compromised and therefore it is possible that attackers could have gotten into your network. This isn't something that can (or even should) be solved online. You have a security breach on your hands, and therefore you should follow your incident response protocol (if you have one). I can help you gather information if needed.

Link to post
Share on other sites

Thanks again for your responses

Should I be sending the Autoruns - Start-up Entries?

Or else as suggested by you, do we need to contact a local vendor and get this resolved

Note: We do not have a special IT team to take care of such incident

Link to post
Share on other sites

Yes, send the Autoruns log as I'll need it.

Here's how I see the remediation should go:

  • Disconnect every server from the network, leaving the only possible access via their virtualization host (ie: VMware). If it isn't possible, remove as many of these as you can from the network and start with these
  • Remove the infection (I'll see what I can do to help you with that)
  • Once done, manually download and install the MS17-010 Security Bulletin (patch against EternalBlue) on them (transfer the files via VMware, do NOT put them back on the network yet or they'll get infected right away)
  • Disable SMBv1 on these servers (if possible in your environment)
  • Once done, put them back on the network
  • Update the servers (install all the missing Windows Updates)
  • See if they get infected again (monitor them for the malicious powershell.exe activity)

MS17-010: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Link to post
Share on other sites

Alright I'll be waiting :) 

Edit: The information you provided me has been forwarded to the Research Team, which added the definitions to Malwarebytes. Though we need as much information as you can provide in order to make sure that the product can be updated to fully remove that threat.

Edited by Aura
Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.