Forum Discussion
MarcoMangiante
Sep 08, 2021 · Iron Contributor
Need help with suspicious "Behavior:Win32/SuspCopy.B"
Hello, the system of a colleague is trying to block various attempts of the threat classified as "Behavior:Win32/SuspCopy.B"; I found that the antivirus blocks it, but after some time it finds it again...
rs8091
Sep 08, 2021 · Copper Contributor
Interesting, does your colleague know the source of the script? Are you able to quarantine the file from the Defender ATP console?
MarcoMangiante
Sep 08, 2021 · Iron Contributor
Hello rs8091,
no, my colleague doesn't know how her system got infected. We activated the preview of Microsoft Defender for Endpoint P1 and I can see this:
These are not generated by that file, but I have seen that in the many random directories that the threat creates there is always a PowerShell file with that code inside.
I don't know if I can quarantine it.
Any help is appreciated.
Thanks.
- rs8091
Sep 08, 2021 · Copper Contributor
Hi, it should be possible from the console to quarantine it:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir-
- MarcoMangiante
Sep 09, 2021 · Iron Contributor
Hello rs8091,
thanks for your reply. I've seen the link and also looked on our dashboard, but I don't see that possibility; we have activated the preview of Microsoft 365 Defender for Endpoint P1, I d.
I also see that the script that I copied on this forum is not seen in the alert tree.
From what I see today, on my colleague's C:\Users\[colleague_account]\AppData\Roaming there is a directory "obUwHjQXC" that has the following files, as in the image:
I also see that every 30/60 minutes the svchost.temp is refreshed; also, I suppose that when Defender recognizes the infection, the virus is blocked and so the dialog in the image appears:
I tried to create the directory and the file again, even if empty because I don't know the contents of the .tmp file; after some time I checked and saw that the recreated file remains empty, and the dialog when the problem shows up again is this:
Another thing that I noticed in the past days is that the files 0_[something].log and 1_[something].log change every day: yesterday there was Teams, the day before Chrome.
This is what I see on the endpoint; instead, what I see in the alerts on the Defender dashboard is something like this in the picture (note that it seems that sometimes the virus uses bitsadmin.exe to transfer data, I don't know where):
The time is the same as what I find on the PC. I also found many, many entries in Task Scheduler: I have now deactivated all the ones that I suppose are related to the threat, but I can't see anything that helps me understand what starts the virus.
I hope this helps to understand the problem better.
Thanks a lot.
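As a triage helper added to this thread (not posted by any participant), the PowerShell below enumerates scheduled tasks whose action references a user-profile path or launches bitsadmin.exe, the two things described in the post above, and lists recently modified folders under the Roaming profile. The match patterns, the 7-day window and the variable names are assumptions; run it elevated and review the output by hand.

```powershell
# Added triage helper: find scheduled tasks that could be (re)starting a payload
# living under a user profile, and list fresh random-named folders in AppData\Roaming.
# Assumption: run from an elevated PowerShell on the affected machine.
$roaming = $env:APPDATA   # change to 'C:\Users\<colleague_account>\AppData\Roaming' if run from another account

# Command lines referencing a per-user path, or running bitsadmin.exe, are worth a look.
$profilePathPattern = '\\Users\\|%APPDATA%|%USERPROFILE%|AppData\\Roaming'
$transferTool       = 'bitsadmin(\.exe)?$'

$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "exec" actions carry Execute/Arguments; COM handler actions are skipped.
        if (-not $action.Execute) { continue }
        $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmdline -match $profilePathPattern -or $action.Execute -match $transferTool) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                RunAs       = $task.Principal.UserId
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                CommandLine = $cmdline
            }
        }
    }
}
# Most recently run first: a task that fires every 30/60 minutes will sit at the top.
$hits | Sort-Object LastRunTime -Descending | Format-Table -AutoSize -Wrap

# Folders under the Roaming profile written to in the last 7 days, to spot a
# random-named directory like the "obUwHjQXC" one mentioned above.
Get-ChildItem -Path $roaming -Directory -Force |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object Name, LastWriteTime,
        @{ n = 'Files'; e = { (Get-ChildItem $_.FullName -File -Force -ErrorAction SilentlyContinue).Count } } |
    Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Legitimate updaters (OneDrive, browsers) also register tasks under user profiles, so treat the first table as a shortlist to check against the Defender timeline, not as a verdict.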
- rs8091
Sep 13, 2021 · Copper Contributor
Hello Marco,
if you click on the events in the ATP console (4th picture), a panel should open on the right with options to remediate/block/quarantine the files. Is it available?