westconn Posted June 22, 2022 ID:1521609

Hello all,

Over the past 2 days I have received 4 episodes of the following. Please advise!

Thank you
Vincent

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/22/22
Protection Event Time: 4:40 PM
Log File: 61e820ca-f253-11ec-b9c1-3868938f58d5.json

-Software Information-
Version: 4.5.9.198
Components Version: 1.0.1699
Update Package Version: 1.0.56399
License: Premium

-System Information-
OS: Windows 10 (Build 19044.1766)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent - T1055 - Defense Evasion, , Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1055 - Defense Evasion
File Name:
URL:

(end)
westconn Posted June 22, 2022 ID:1521610

Perhaps I should add the FRST results.

FRST.txt
Addition.txt
Maurice Naggar Posted June 23, 2022 ID:1521642

Hello @westconn

I will guide you. Please wait for my next replies (soon). Just do not make changes on your own, nor run anything on your own without first checking with me. 😎
Maurice Naggar Posted June 23, 2022 ID:1521649

Hello @westconn

[ 1 ] Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article. Please use this guide: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ] Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center. Click the Security tab. Scroll down to "Windows Security Center". Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off... be sure that line's radio-button selection is all the way to the left. Thanks. } This will not affect any real-time protection of Malwarebytes for Windows 😃. Close Malwarebytes.

[ 3 ] Please do not make changes or deletions on your own. Please do not run tools or apps on your own (except for Malwarebytes & Microsoft Defender antivirus). Also please do not delete FRST or anything related to it. It is important to not delete FRST until I guide you to tools cleanup at the end, when I give the all clear!

This custom script is for Westconn only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

Next, a custom script to do checks & some cleanups. We will use FRST64 on the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will also run the Windows tool DISM to check Windows integrity. It will rebuild the Winsock.

NOTE-2: This should run scans with MS Defender antivirus and remove outstanding action items, if any.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt <<< - - - - -

Then, start Windows Explorer and go to the Downloads folder. RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Stick with me. This is not the end-all.

AFTER completion of this run, you should do One new Scan with Malwarebytes.
westconn Posted June 23, 2022 ID:1521739

Here you are. Included the malware scan... negative.

Fixlog.txt
malware scan.txt
Maurice Naggar Posted June 23, 2022 ID:1521770

Hi. Thank you.

I would like a report set for review. This is a report only.

Please download the MALWAREBYTES MBST Support Tool. Once you start it, click Advanced >>> then Gather Logs. Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

Please attach mbst-grab-results.zip to your reply 😀
westconn Posted June 23, 2022 ID:1521775

Here you go. Thank you.

mbst-grab-results.zip
Maurice Naggar Posted June 23, 2022 ID:1521778

Thank you. I will review that set of reports.

Meantime, be sure to Delete all cache on the Opera browser. See https://clear-my-cache.com/en/windows/opera.html

Also, the Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away.

Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is in the log-report-file.

This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log; the log will be at Windows\debug\msert.log. Please attach that log with your reply.
westconn Posted June 23, 2022 ID:1521801

Here you go.

msert.log
Maurice Naggar Posted June 23, 2022 ID:1521808

Very excellent.

I would recommend getting a report on the update status of some key apps.

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
westconn Posted June 24, 2022 ID:1521866

Here you go. The exploit warning persists... and I did install FileMaker Pro v13 just before the day these T1055 malware warnings started. This is the database I use for my work. Bonjour is bundled with FileMaker. I don't believe I installed the Bonjour program, but it did ask me to.

malware expoli 24.06.2022.txt
SecurityCheck.txt
Maurice Naggar Posted June 24, 2022 ID:1521890

Hi. I am listing below 2 things to do.

[ 1 ] Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes.

Next, the Malwarebytes scan. Click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes Window. Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical. >>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark. Then click on the Quarantine button.

Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[ 2 ] Now, look on the Downloads folder & Delete the old file named Fixlist.txt. Reply YES to the prompt to confirm deletion.

This custom script is for Westconn only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

Next, a custom script to do checks & some cleanups. We will use FRST64 on the Downloads folder to run a custom script. The system will be rebooted after the script has run. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a couple of scans with Microsoft Defender antivirus, plus gather a status report.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt <<< - - - - -

Then, start Windows Explorer and go to the Downloads folder. RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Stick with me. This is not the end-all.
westconn Posted June 24, 2022 ID:1521891

Malwarebytes is up to date.

malware report 24062022.txt
Fixlog.txt
westconn Posted June 24, 2022 ID:1521893

A new exploit payload process blocked during the frst64.exe fix??? And on reboot another defense evasion; see attached.

exploit payload process blocked.txt
reboot t1055 defense evasion exploit.txt
Maurice Naggar Posted June 24, 2022 ID:1521895

Thanks. Malwarebytes scan reports no malware.

Question: Have you perhaps made some settings adjustments in Malwarebytes Settings? Such as under the section "Exploit protection"?? Have you yourself made a change to enable pentesting? (penetration testing?)
Solution

Maurice Naggar Posted June 24, 2022 ID:1521899

It looks to me that there is not a malware here, but that one or more scheduled tasks of Lenovo are triggering the alert. We can remove a couple of those scheduled tasks which are not needed.

Now, look on the Downloads folder & Delete the old file named Fixlist.txt. Reply YES to the prompt to confirm deletion.

This custom script is for Westconn only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

We will use FRST64 on the Downloads folder to run a custom script. The system will be rebooted after the script has run. Hoping it will not exceed 60 minutes in execution time.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt <<< - - - - -

Then, start Windows Explorer and go to the Downloads folder. RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

On the FRST window: Click the Fix button just once, and wait.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Stick with me. This is not the end-all.
westconn Posted June 24, 2022 ID:1521906

1 hour ago, Maurice Naggar said:
> Thanks. Malwarebytes scan reports no malware. Question: Have you perhaps made some settings adjustments in Malwarebytes Settings? Such as under the section "Exploit protection"?? Have you yourself made a change to enable pentesting? (penetration testing?)

No, not that I recall. This all started June 20th, Monday, after I installed FileMaker Pro and Java (required for the FileMaker Pro extension). Pen testing was enabled; I did not do that, at least not willingly, and I certainly didn't play with Malwarebytes settings on Monday. I reset the advanced exploit settings to default as follows:

Do you still want me to run the fix file you sent?

Thank you
Maurice Naggar Posted June 24, 2022 ID:1521913

Yes indeed, run my last Fixlist steps.
westconn Posted June 24, 2022 ID:1521915

Here you go.

Fixlog.txt
Maurice Naggar Posted June 24, 2022 ID:1521938

Alright. Now, hopefully, the exploit message will not repeat.
westconn Posted June 25, 2022 ID:1522040

Thank you. So far so good. Do you think it was the settings changes on Malwarebytes? What exactly was the Lenovo battery script we disabled?
Maurice Naggar Posted June 25, 2022 ID:1522047

Good to hear the status news.

As to Lenovo, you may want to ask Lenovo support about a scheduled task they call Lenovo\BatteryGauge\BatteryGaugeMaintenance. I am not able to tell what it is there for (meaning, the purpose or real function of it).

As to what needs attention, per the SecurityCheck report you provided the other day:

PuTTY release 0.76 (64-bit) v.0.76.0.0 Warning! Download Update
Cisco Webex Meetings v.42.3.1 Warning! Download Update
Zoom v.5.10.4 (5035) Warning! Download Update
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Creative Cloud v.5.6.0.788 Warning! Download Update
------------------------------- [ Browser ] -------------------------------
Opera Stable 87.0.4390.45 v.87.0.4390.45 Warning! Download Update
Bonjour v.2.0.2.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended.

Your PC does not need "Bonjour".

* This here is for tools cleanup.

Please download KpRm by kernel-panik and save it to your desktop.
Right-click kprm_(version).exe and select Run as Administrator.
Read and accept the disclaimer.
When the tool opens, ensure all boxes under Actions are checked.
Under Delete Quarantines select Delete Now, then click Run.
Once complete, click OK.
A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up.

Delete mb-support-1.8.7.918.exe on the Downloads folder.
Delete mbst-grab-results.zip on the Desktop.

Consider using PatchMyPC to keep all your software up-to-date - https://patchmypc.com/home-updater#download

I wish you all the best.
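The thread's conclusion (the Solution post and the follow-up above) is that a Lenovo scheduled task, not malware, was launching powershell.exe and tripping the T1055 behaviour rule. The script below is an added example, not code from the thread, from Malwarebytes or from Lenovo: it lists every scheduled task whose action launches PowerShell (decoding any -EncodedCommand argument so the real command is visible), shows what is registered under the Lenovo\BatteryGauge\ task folder named above, and pulls Task Scheduler launch events around the alert time from the first post. The task folder and alert time come from the thread; the event-property positions (task name first, process ID third in event 129) are assumed from the Task Scheduler event templates, and the Operational log only has data if "Enable All Tasks History" was switched on in Task Scheduler before the alert.

```powershell
# Added example; not code from the thread, Malwarebytes or Lenovo.
# Run from an elevated PowerShell prompt on the affected machine.

# Task folder named in the thread. It is the item to confirm, not a known-bad indicator.
$suspectTaskPath = '\Lenovo\BatteryGauge\'

# Decode a -EncodedCommand argument, if one is present, so the real command is visible.
function Expand-EncodedCommand {
    param([string]$Arguments)
    if ($Arguments -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
    }
}

# Every scheduled task whose action launches powershell.exe or pwsh.exe,
# with who it runs as, what it passes on the command line, and when it last ran.
function Get-PowerShellLaunchingTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM-handler actions do not.
            if ($action.Execute -and $action.Execute -match '(powershell|pwsh)(\.exe)?"?\s*$') {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskPath    = $task.TaskPath
                    TaskName    = $task.TaskName
                    Author      = $task.Author
                    RunAs       = $task.Principal.UserId
                    RunLevel    = $task.Principal.RunLevel
                    State       = $task.State
                    Execute     = $action.Execute
                    Arguments   = $action.Arguments
                    Decoded     = Expand-EncodedCommand $action.Arguments
                    LastRunTime = $info.LastRunTime
                    LastResult  = $info.LastTaskResult
                    NextRunTime = $info.NextRunTime
                }
            }
        }
    }
}

# Task Scheduler launches recorded around a given alert time.
# Event 129 = task process created, 200 = action started. Properties[0] is the
# task name for both and Properties[2] the PID for 129 (assumed from the event
# templates). The Operational log stays empty unless "Enable All Tasks History"
# was turned on in Task Scheduler.
function Get-TaskLaunchesNear {
    param(
        [Parameter(Mandatory)][datetime]$AlertTime,
        [int]$WindowMinutes = 2
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 129, 200
        StartTime = $AlertTime.AddMinutes(-$WindowMinutes)
        EndTime   = $AlertTime.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'TaskName';  e = { $_.Properties[0].Value } },
            @{ n = 'ProcessId'; e = { if ($_.Id -eq 129) { $_.Properties[2].Value } } }
}

# 1. All tasks that spawn PowerShell, whatever their publisher.
Get-PowerShellLaunchingTasks |
    Format-Table TaskPath, TaskName, RunAs, RunLevel, LastRunTime, Arguments -AutoSize -Wrap

# 2. The Lenovo task folder the thread settled on, whatever executable its tasks use.
Get-ScheduledTask -TaskPath $suspectTaskPath -ErrorAction SilentlyContinue |
    Select-Object TaskPath, TaskName, State,
        @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-List

# 3. Launches logged around the first alert in the thread (6/22/22 4:40 PM).
Get-TaskLaunchesNear -AlertTime (Get-Date '2022-06-22 16:40') | Format-Table -AutoSize
```

A task whose LastRunTime lines up with the Protection Event Time, and whose RunAs is SYSTEM when the alert shows "User: System", is the one to examine; its Arguments (or Decoded command) tell you what the vendor script actually does before deciding whether to disable it, as the thread did, or to add a Malwarebytes exclusion instead.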
Root Admin AdvancedSetup Posted July 1, 2022 ID:1522989

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you