Powershell.exe outbound connections after malware removal

Morning, we've got a server that is continuing to prompt powershell.exe outbound connections using Malwarebytes. From what I can tell it's occurring every 40 minutes. We believe this might be a payload from a recently cleaned Exchange server that fell victim to the Hafnium exploit. 

I ran the FRST tool and have provided the needed logs for review. Thank you in advance!

Addition.txt FRST.txt


Thanks for your help. Looks like the powershell.exe outbound connections have stopped but we've now got the following

Compromised   Inbound Connection IP Address 222.186.136.150 Port: 443 File: C:\xammp\apache\bin\httpd.exe
Compromised   Inbound Connection IP Address 222.112.190.70 Port: 80 File: C:\xammp\apache\bin\httpd.exe

Trojan   Inbound Connection IP Address 209.141.60.60 Port: 443 File: C:\xammp\apache\bin\httpd.exe

And various similar reports from different IPs but same port number. This is a FileCloud server by the way. 

I've reattached the latest FRST and JSON files.

Thank you again!   

Addition.txt FRST.txt


I am sorry, we'll need another registry export.
Open Command Prompt and run this command:

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" "%USERPROFILE%\Desktop\regexport.txt"

Question about this, since this is a state-sponsored, Hafnium-related indicator of compromise: did you do any remediation manually, like scanning with other tools or doing a manual removal of the indicators of compromise, or was the first thing you noticed that outbound block?


It seems that Emsisoft didn't properly remove the task, so it still keeps running. Because it was damaged, Malwarebytes cannot detect it this way.

I am going to need one more export and after that we'll delete those. Open Command Prompt as Administrator:

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B73C93B1-3B2E-424C-8162-8EFC41C7410F}" "%USERPROFILE%\Desktop\reg_export.txt"

Attach reg_export.txt

Open Command Prompt as Administrator and type one after the other:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73C25191-3831-490A-904A-0B477D0F92D8}" /F
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73C25191-3831-490A-904A-0B477D0F92D8}" /F
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B73C93B1-3B2E-424C-8162-8EFC41C7410F}" /F
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B73C93B1-3B2E-424C-8162-8EFC41C7410F}" /F

 

Edited by TwinHeadedEagle
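
The exports requested above let a helper cross-reference the Task Scheduler cache: every {GUID} key under TaskCache\Tasks or TaskCache\Plain should be named by the Id value of some TaskCache\Tree entry. As an added example (not code from this thread or from any of the tools mentioned), this Python parses `reg export` text and lists GUIDs that no Tree entry points to; it assumes an export of the whole TaskCache key, and the task names and GUIDs in the sample are constructed.

```python
import re

TASKCACHE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
INDEXES = ("tasks", "plain", "boot", "logon", "maintenance")  # subkeys holding {GUID} keys

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    # hex: values wrap across lines with a trailing backslash; join them first.
    for line in text.replace("\\\r\n", "").replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def orphaned_task_ids(keys):
    """Map each {GUID} under Tasks/Plain/... that no Tree entry's Id names
    to the sorted list of subkeys it appears in."""
    prefix = TASKCACHE.lower() + "\\"
    tree_ids, found = set(), {}
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        branch, _, rest = path[len(prefix):].partition("\\")
        if branch.lower() == "tree":
            guid = values.get("Id", "").strip('"').upper()
            if re.fullmatch(GUID, guid):
                tree_ids.add(guid)
        elif branch.lower() in INDEXES and re.fullmatch(GUID, rest):
            found.setdefault(rest.upper(), set()).add(branch)
    return {g: sorted(b) for g, b in found.items() if g not in tree_ids}

# Constructed sample export (not data from the thread): task 1111... is intact,
# task 2222... survives only under Tasks and Plain.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ExampleBackup]
"Id"="{11111111-1111-1111-1111-111111111111}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{11111111-1111-1111-1111-111111111111}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22222222-2222-2222-2222-222222222222}]
"Path"="\\ExampleLeftover"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{22222222-2222-2222-2222-222222222222}]
'''

if __name__ == "__main__":
    print(orphaned_task_ids(parse_reg(SAMPLE)))
```

`reg export` writes UTF-16, so read a real export with `open(path, encoding="utf-16").read()` before passing it to `parse_reg`. A reported GUID is a lead for reviewing that key's Path and Actions values, not a verdict on its own.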