WIN-PROT-HMPA-MALWARE-CRYPTOGUARD

Hello Community,

This message appears on a file server, with the associated IP address that is said to have carried out the attack. 

CryptoGuard detected a ransomware attack from 192.168.X.X (client ip)

The client shows the same thing, but nowhere is there any indication of which process led to this decision. 

The client is locked (8h or manually unlock), but where can I see why, so I can solve the problem?

regards

Silvio



[edited by: GlennSen at 6:14 AM (GMT -7) on 26 Mar 2024]
  • not sure, sometimes we have a problem with an application called "Oxygen", an XML-Audit Tool. But in the past, there was a concrete indication of the process on the client and the exception rule is still there...
    in the meantime I found the corresponding log on the server:

    [ 1804: 5924] I [Protected] PID 4, Features 08FD2E3040000000 Silent 0080000000000000, 192.168.66.XXX
    2024-02-26T08:22:24.318Z [ 1804: 5924] E WTSQueryUserToken failed with error code 1008, console session 1
    2024-02-26T08:22:24.318Z [ 1804: 5924] W IsActiveSession failed, session 1
    2024-02-26T08:22:24.319Z [ 1804: 5924] W IsActiveSession failed, session 4
    2024-02-26T08:22:24.319Z [ 1804: 5924] W IsActiveSession failed, session 65536
    2024-02-26T08:22:24.319Z [ 1804: 5924] E Create report process failed, telemetry path C:\Program Files\Sophos\AutoUpdate\\Telemetry\SubmitTelem.exe
    2024-02-26T08:22:24.323Z [ 1804: 5924] E WTSQueryUserToken failed with error code 1008, console session 1
    2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 1
    2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 4
    2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 65536
    2024-02-26T08:22:24.324Z [ 1804: 5924] E Create report process failed, telemetry path C:\Program Files\Sophos\AutoUpdate\\Telemetry\SubmitTelem.exe
    2024-02-26T08:22:24.324Z [ 1804: 5924] I [Alert] CryptoGuard V5, familyId=3ca5d37a-8ed5-7ba5-f8b2-8b632175ffa5, PID 4, 192.168.66.216
    2024-02-26T08:22:24.330Z [ 1804: 5924] I [Sophos] dropped xml C:\ProgramData\Sophos\Management Communications System\Endpoint\Messages\ToManagementServer\20240226082224324505_evt_hmpa-exploit.umc
    2024-02-26T08:22:24.338Z [ 1804: 5924] I [Sophos] dropped json C:\ProgramData\Sophos\Health\Event Store\Incoming\24883b2d-247b-4c47-92cc-e33863265399.json
    2024-02-26T08:22:24.343Z [ 1804: 5924] I [Sophos] successfully posted request to SSP
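Added example, not part of the thread or of Sophos' own tooling: a small parser for the HMPA log format shown above that pulls the CryptoGuard alert out of the file, flags PID 4 (the Windows System process, which is what SMB writes from another machine run under) so the IP in the alert is read as the client to investigate rather than a local process, and collects the errors logged before the alert. The log sample is copied from the post above; the regexes and the `origin` labels are this example's own assumptions.

```python
import re

# One HMPA log record: optional ISO timestamp, "[ pid: tid]", level I/W/E, message.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\S+)\s+)?\[\s*(?P<pid>\d+):\s*(?P<tid>\d+)\]\s+(?P<level>[IWE])\s+(?P<msg>.*)$"
)
# The alert message itself, e.g. "[Alert] CryptoGuard V5, familyId=..., PID 4, 192.168.66.216"
ALERT_RE = re.compile(
    r"\[Alert\] CryptoGuard V(?P<ver>\d+), familyId=(?P<family>[0-9a-f-]+), "
    r"PID (?P<pid>\d+), (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Excerpt of the server-side log posted in the thread (timestamps as in the post).
SAMPLE_LOG = """\
2024-02-26T08:22:24.318Z [ 1804: 5924] E WTSQueryUserToken failed with error code 1008, console session 1
2024-02-26T08:22:24.318Z [ 1804: 5924] W IsActiveSession failed, session 1
2024-02-26T08:22:24.319Z [ 1804: 5924] E Create report process failed, telemetry path C:\\Program Files\\Sophos\\AutoUpdate\\\\Telemetry\\SubmitTelem.exe
2024-02-26T08:22:24.323Z [ 1804: 5924] E WTSQueryUserToken failed with error code 1008, console session 1
2024-02-26T08:22:24.324Z [ 1804: 5924] E Create report process failed, telemetry path C:\\Program Files\\Sophos\\AutoUpdate\\\\Telemetry\\SubmitTelem.exe
2024-02-26T08:22:24.324Z [ 1804: 5924] I [Alert] CryptoGuard V5, familyId=3ca5d37a-8ed5-7ba5-f8b2-8b632175ffa5, PID 4, 192.168.66.216
2024-02-26T08:22:24.343Z [ 1804: 5924] I [Sophos] successfully posted request to SSP
"""

def parse_line(line):
    """Split one log line into its fields, or return None if it is not a log record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_cryptoguard(text):
    """Return the first CryptoGuard alert in `text` with an origin hint, or None.

    PID 4 is the System process; file writes arriving over SMB run in its
    context, so for PID 4 the IP in the alert is the client to look at, not
    an encrypting process on the server. Error lines seen before the alert
    are returned too, since they show what the reporting step could not do."""
    errors = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "E":
            errors.append(rec["msg"])
        alert = ALERT_RE.search(rec["msg"])
        if alert:
            pid = int(alert.group("pid"))
            return {"timestamp": rec["ts"], "family_id": alert.group("family"),
                    "pid": pid, "remote_ip": alert.group("ip"),
                    "origin": "remote SMB client" if pid == 4 else "local process",
                    "errors_before_alert": errors}
    return None
```

Run it over a full HMPA log to get the alert time, the client IP and the family id to pivot on in XDR or the client's own log.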

  • PID 4 is System and that IP 66.216 is probably the client.

    The System process will be triggered for SMB access. If you have XDR and Datalake you can query what the client did at that time.

    machines must both be online (live query)

    That may be tricky as the most obvious query File Access history is uselessly limited by Sophos:

    Server:

    Client:

    community.sophos.com/.../live-discover-query-cancelled-e-process-sophososqueryextension-exe-exceeded-30-cpu-limit

  • I want to try that, this datalake thing is nice when you have nothing else to do :-)
    Thank you for the suggestion.

  • Once I have found the suspicious, legitimate process... a "java-exe" invoked by a parent program, how can I manually exclude the sha256 value...?