Windows Server 2012 R2 Malware Trojan.Agent.MNR MSCORSWV.EXE

Windows Server 2012 R2. Malwarebytes cleaned off a Ransomware attack & others. It also identified Malware Trojan.Agent.MNR on C:\windows\MSCORSWV.EXE. It says it cleans it, but after reboot the file, a Process, and a Process Module are found again. If I boot to SAFE mode and scan, they are not found. The NICs are teamed. No network connection available in Safe Mode with networking.

I did a server OS restore to the day before the RANSOMWARE attack. Reinstalled Malwarebytes - no ransomware found, but 11 items cleaned. BUT, the Trojan is still there. Cleans, comes back unless in safe mode.

Log after OS restore:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/10/19
Scan Time: 1:26 PM
Log File: 2a5c0efc-7351-11e9-baa3-0cc47a2b86ee.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10498
License: Free

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: OHAVER\_ohcadmin

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 404611
Threats Detected: 11
Threats Quarantined: 10
Time Elapsed: 2 min, 1 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

Module: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 9
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Removal Failed, [2696], [142279],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX0\MSCL.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX1\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX2\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX3\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX4\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX5\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX6\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX7\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Log after reboot:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/10/19
Scan Time: 1:37 PM
Log File: acd42abc-7352-11e9-8e2e-0cc47a2b86ee.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10498
License: Free

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: OHAVER\_ohcadmin

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 404620
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 2 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

Module: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Log in Safe Mode:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/10/19
Scan Time: 2:10 PM
Log File: 3654f287-7357-11e9-8b80-000000000000.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10498
License: Free

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: OHAVER\_ohcadmin

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 404120
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 36 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Thank you,

Arvis Holland
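The three logs above differ only in which entries come back after quarantine and a reboot, and reading that out by eye across several scans is error-prone. The following PowerShell is an added example, not something from the thread or from Malwarebytes: it parses the "-Scan Details-" section of a Malwarebytes 3.x text log into objects and reports the detections that are present in both an earlier and a later scan, which is the set worth treating as persistence rather than leftover files. The two sample logs are constructed from the entries the post shows; the function names and the category/path keying are my own choices.

```powershell
# Added example (not from the thread): parse the "-Scan Details-" section of a
# Malwarebytes 3.x text log and report detections that recur between two scans.
# The sample logs below are constructed from the entries the original post shows.

function ConvertFrom-MbamScanLog {
    param([Parameter(Mandatory)][string]$LogText)

    $detections = @()
    $category   = $null
    $inDetails  = $false

    foreach ($raw in ($LogText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '-Scan Details-') { $inDetails = $true; continue }
        if (-not $inDetails -or $line -eq '' -or $line -eq '(end)') { continue }
        if ($line -eq '(No malicious items detected)') { continue }

        # Category headers look like "File: 9" or "Registry Key: 0"
        if ($line -match '^(?<cat>[A-Za-z ]+): \d+$') {
            $category = $Matches['cat']
            continue
        }

        # Detection lines: Threat, Path, Action, [detection id], [signature id],package
        $fields = $line -split ',\s*'
        if ($fields.Count -ge 3) {
            $detections += [pscustomobject]@{
                Category = $category
                Threat   = $fields[0]
                Path     = $fields[1]
                Action   = $fields[2]
            }
        }
    }
    return $detections
}

function Get-RecurringDetection {
    param(
        [Parameter(Mandatory)][object[]]$Before,
        [Parameter(Mandatory)][object[]]$After
    )
    # An item detected in both scans (same category and path) came back after the
    # quarantine and reboot, which points at a persistence mechanism rather than a
    # leftover file.
    $afterKeys = @($After | ForEach-Object { "$($_.Category)|$($_.Path)" })
    $Before |
        Where-Object { $afterKeys -contains "$($_.Category)|$($_.Path)" } |
        Select-Object Category, Threat, Path -Unique
}

# Constructed samples: the first mirrors the post-restore scan, the second the scan after reboot.
$logAfterRestore = @'
-Scan Details-
Process: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

File: 3
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Removal Failed, [2696], [142279],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX0\MSCL.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX1\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498

WMI: 0
(No malicious items detected)

(end)
'@

$logAfterReboot = @'
-Scan Details-
Process: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

File: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

(end)
'@

$before = ConvertFrom-MbamScanLog -LogText $logAfterRestore
$after  = ConvertFrom-MbamScanLog -LogText $logAfterReboot
Get-RecurringDetection -Before $before -After $after | Format-Table -AutoSize
```

On the samples this prints the Process and File entries for C:\WINDOWS\MSCORSWV.EXE and nothing for the RARSFX miner droppers, which were quarantined once and did not return. The same two functions accept the full text of a saved log (everything before "-Scan Details-" is skipped), so they can be pointed at the exported report files directly.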

Found the source - two services:

Service Name: TrkWk
Display Name: Distributed Link Tracking
Description: 在计算机内 NTFS 文件之间保持链接或在网络域中的计算机之间保持链接。
Path to executable: C:\WINDOWS\SysWOW64\srvany.exe

Service Name: bmadmin
Display Name: Logical Disk Manager Service
Description: 配置硬盘驱动器和卷。此服务只为配置处理运行，然后终止。
Path to executable: C:\Program Files (x86)\Common Files\inetinfo.exe
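The two services above show the pattern that explains the scan results: the names and display names borrow from built-in Windows services, the descriptions are Chinese-language strings (the post's copy is GBK text rendered as Latin-1) on an English server, and the binaries are a generic service wrapper (srvany.exe) and a system binary name (inetinfo.exe) sitting outside the Windows directory. The following PowerShell is an added example, not the poster's or Malwarebytes' code: it audits every Win32 service for those indicators, plus an Authenticode check. The expected-binary map (TrkWk normally runs inside svchost.exe), the wrapper list and the system-only binary list are assumptions to extend for your own baseline; run it from an elevated prompt on the normally booted system, since the signature check needs the binaries on disk.

```powershell
# Added example (not from the thread): audit installed services for the pattern the
# post found, a service whose name or display name mimics a built-in one while its
# binary is a generic wrapper (srvany.exe) or a system binary name living outside
# the Windows directory. The expected-binary and system-only lists are assumptions
# to extend for your own environment.

function Get-ServiceExecutable {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    # Quoted form: "C:\path with spaces\svc.exe" -arg
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\path\svc.exe -arg  (stop at the first .exe)
    if ($p -match '^(.+?\.exe)') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

function Get-SuspiciousService {
    param(
        # Wrappers that let any program be registered as a service.
        [string[]]$WrapperNames = @('srvany.exe', 'instsrv.exe'),
        # Built-in service names and the binary they are expected to run in
        # (TrkWk, the real Distributed Link Tracking Client, is svchost-hosted).
        [hashtable]$ExpectedBinary = @{ 'TrkWk' = 'svchost.exe' },
        # Binary names that only belong under %SystemRoot%.
        [string[]]$SystemOnlyBinaries = @('svchost.exe', 'inetinfo.exe', 'services.exe', 'lsass.exe')
    )
    $systemRoot   = $env:SystemRoot
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        if (-not $exe) { continue }
        $leaf    = [System.IO.Path]::GetFileName($exe)
        $reasons = New-Object System.Collections.Generic.List[string]

        if ($WrapperNames -contains $leaf) {
            $reasons.Add("runs through generic service wrapper $leaf")
        }
        if ($ExpectedBinary.ContainsKey($svc.Name) -and $leaf -ne $ExpectedBinary[$svc.Name]) {
            $reasons.Add("built-in name '$($svc.Name)' but binary is $leaf, expected $($ExpectedBinary[$svc.Name])")
        }
        $underSystemRoot = $exe.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
        if ($SystemOnlyBinaries -contains $leaf -and -not $underSystemRoot) {
            $reasons.Add("system binary name $leaf outside $systemRoot")
        }
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons.Add("binary outside Windows/Program Files: $exe") }
        # The post's rogue services carried Chinese descriptions on an English server.
        if ($svc.Description -match '[^\x00-\x7F]') {
            $reasons.Add('description contains non-ASCII text; compare with the system locale')
        }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons.Add("Authenticode status: $($sig.Status)") }
        } else {
            $reasons.Add('binary not found on disk')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                StartMode   = $svc.StartMode
                Executable  = $exe
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousService | Sort-Object Name | Format-List
```

Against the two services in the post, the TrkWk entry is reported for the srvany.exe wrapper, for not matching the svchost.exe binary the real service runs in, and for the non-ASCII description; the bmadmin entry is reported for inetinfo.exe living under Common Files rather than %SystemRoot% and, unless the dropped file carries a valid Microsoft signature, for its Authenticode status. Expect some noise from legitimate third-party services with unsigned binaries; the value is in reviewing the short list rather than every service.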

2 weeks later...

Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
