
sysnative/cmd.exe flagged as an exploit


watchowner

Recommended Posts

This popped up this morning and while MB shows it was quarantined, there is nothing in my quarantine?

Is this a legit exploit or false positive?

Thanks

 

=============================================================

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/27/22
Protection Event Time: 6:56 AM
Log File: 90d17b3e-6e4a-11ed-befc-000000000000.json

-Software Information-
Version: 4.5.17.221
Components Version: 1.0.1806
Update Package Version: 1.0.62790
License: Premium

-System Information-
OS: Windows 11 (Build 22621.819)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 1
Malware.Exploit.Agent.Generic, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, ,

Exploit: 0
(No malicious items detected)


(end)

=============================================================

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/26/22
Protection Event Time: 5:07 AM
Log File: 0ef375fa-6d72-11ed-b5f6-000000000000.json

-Software Information-
Version: 4.5.17.221
Components Version: 1.0.1806
Update Package Version: 1.0.62782
License: Premium

-System Information-
OS: Windows 11 (Build 22621.819)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid
URL:

 

(end)


Something ran a CMD. If Emsisoft tries to block any of the following be sure to allow it.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks


  • Root Admin

Never mind. I've found your ticket. You actually have 3 different tickets from today. Please do not create any new tickets. Reply to your ticket. Creating new tickets will put your ticket further back in the queue.

4093497
4093454
4093039

 

The folder SYSNATIVE is a virtual folder for 32-bit redirection to 64-bit code.

File System Redirector
https://learn.microsoft.com/sv-se/windows/win32/winprog64/file-system-redirector

The 'Program Files (x86)' and 'SysWOW64' folders explained
https://www.samlogic.net/articles/32-64-bit-windows-folder-x86-syswow64.htm

The 'Sysnative' folder in 64-bit Windows explained
https://www.samlogic.net/articles/sysnative-folder-64-bit-windows.htm

 

As you can see here, for example, CMD.EXE exists in both directories but the two copies are different sizes.

[image: image.png]

 

 

Let me review your logs and see what I can find. Why this registry

 

Did you personally click on a file or run something that called this, or did it simply come up on its own?

 

The command basically looks to be querying the Registry for this Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

Then it asks about the MachineGuid, but I'm not sure whether it would really run correctly, as the switch is wrong. More so to the point again though is WHY would any program use CMD.EXE to query the registry?

If it's a Windows program it should be using an API or similar programming context to query the value, not drop to CMD.exe to query the registry.
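An added example, written for this thread rather than taken from it or from Malwarebytes, that puts the two points above into PowerShell: it lists the 64-bit and 32-bit cmd.exe copies (and shows that the Sysnative alias only exists for a 32-bit process), reads MachineGuid through the registry API the way a well-behaved program should, and includes a small triage check that recognises the "cmd.exe wrapping reg query" shape from the log. The function names are mine, the sample command line is copied from the log above, and a standard 64-bit Windows layout under $env:SystemRoot is assumed.

```powershell
# Added example (not from the thread): compare the cmd.exe copies and the
# Sysnative alias, read MachineGuid via the registry provider, and triage a
# logged command line. Assumes a 64-bit Windows install with the standard
# C:\Windows layout; function names are this example's own.

function Get-CmdExeCopies {
    # System32 holds the 64-bit binary and SysWOW64 the 32-bit one; their sizes
    # differ, which is what the screenshot in the thread shows. Sysnative is a
    # redirection alias that only a 32-bit (WOW64) process can see.
    $windir = $env:SystemRoot
    $paths = [ordered]@{
        'System32 (64-bit)' = Join-Path $windir 'System32\cmd.exe'
        'SysWOW64 (32-bit)' = Join-Path $windir 'SysWOW64\cmd.exe'
        'Sysnative (alias)' = Join-Path $windir 'Sysnative\cmd.exe'
    }
    foreach ($label in $paths.Keys) {
        $p = $paths[$label]
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            [pscustomobject]@{ Location = $label; Path = $p; Bytes = $item.Length; Exists = $true }
        } else {
            # From a 64-bit PowerShell the Sysnative path does not exist at all.
            [pscustomobject]@{ Location = $label; Path = $p; Bytes = $null; Exists = $false }
        }
    }
}

function Get-MachineGuidViaApi {
    # What a Windows program should do: read the value through the registry
    # API (the HKLM: provider here), not by spawning cmd.exe and reg.exe.
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography' -Name MachineGuid).MachineGuid
}

function Test-RegQueryViaCmd {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Defender-side triage of a logged command line: true when cmd.exe is used
    # as a wrapper to run reg query against the Cryptography key. The pattern
    # accepts both '/c' and the malformed '\c' seen in the log.
    $CommandLine -match '(?i)cmd\.exe\b.*[\\/]c\b.*\breg(\.exe)?\s+query\b.*\\Cryptography\b'
}

"Is64BitProcess: $([Environment]::Is64BitProcess)"
Get-CmdExeCopies | Format-Table -AutoSize
"MachineGuid (via API): $(Get-MachineGuidViaApi)"

# Constructed sample: the command line Malwarebytes blocked in the log above.
$sample = 'C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid'
"Looks like reg query wrapped in cmd.exe: $(Test-RegQueryViaCmd $sample)"
```

Run it once from a 64-bit PowerShell and once from the 32-bit one (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) to see the Sysnative row flip from Exists = False to True while the two real copies keep their different sizes.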

 


  • Root Admin

I don't see an obvious reason for this specific call, but perhaps one of the other faulting apps was trying to query why it was failing?

Please see the following from your Event Logs.

At a minimum it looks like you may need to install the Microsoft .NET 5.0 Runtime.

 

Application errors:
==================
Error: (11/27/2022 04:02:11 PM) (Source: .NET Runtime) (EventID: 1023) (User: )
Description: Description: A .NET application failed.
Application: DDVDataCollector.exe
Path: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
Message: You must install or update .NET to run this application.

App: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
Architecture: x64
Framework: 'Microsoft.NETCore.App', version '5.0.0' (x64)
.NET location: C:\Program Files\dotnet\

The following frameworks were found:
  3.1.31 at [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  6.0.11 at [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]

Learn about framework resolution:
https://aka.ms/dotnet/app-launch-failed

To install missing framework, download:
https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=5.0.0&arch=x64&rid=win10-x64

 

Then restart the computer.

Then download and run the following program to check and update other software on your system.

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

 

Keep an eye out and let us know if you get this error alert again or not.

 


1 minute ago, AbdelN said:

I have noticed the same issue the last 4 days. Any update?

Here is a quote from another topic.

Quote

Hi,

Thank you to everyone who reported this issue and worked with us in providing logs, etc. We have now fixed this issue and it is going through internal testing. If everything goes well, we should be releasing the fix in the next 2 weeks or so. Please bear with us. Thank you.

Edited 17 hours ago by Arthi

 
