WIN-PROT-HMPA-MALWARE-CRYPTOGUARD

Hello Community,

This message appears on a file server, together with the IP address that is said to have carried out the attack:

CryptoGuard detected a ransomware attack from 192.168.X.X (client ip)

The client shows the same thing, but nowhere is there any indication of which process led to this decision.

The client is locked (for 8 h, or until manually unlocked), but where can I see why, so that I can solve the problem?

regards

Silvio



Added tags
[edited by: GlennSen at 6:14 AM (GMT -7) on 26 Mar 2024]
  • The HMPA log is C:\ProgramData\HitmanPro.Alert\Logs\sophoshmpaservice.log

    This may help you to plan your further actions:

    support.sophos.com/.../KB-000036287

    I'd start by enabling debug logging on HitmanPro on both sides.

  • Thank you, the log is a good hint. On the client, the file has been overwritten, because when I didn't find anything I reset the device in a first "panic" action.
    On the server side, there are a few files in "Programdata\HitmanProalert\Safestore".
    The time matches the process; unfortunately I can't read the (encrypted) files...

  • Not sure; sometimes we have a problem with an application called "Oxygen", an XML audit tool. But in the past there was a concrete indication of the process on the client, and the exception rule is still there...
    In the meantime I found the corresponding log on the server:

    [ 1804: 5924] I [Protected] PID 4, Features 08FD2E3040000000 Silent 0080000000000000, 192.168.66.XXX
    2024-02-26T08:22:24.318Z [ 1804: 5924] E WTSQueryUserToken failed with error code 1008, console session 1
    2024-02-26T08:22:24.318Z [ 1804: 5924] W IsActiveSession failed, session 1
    2024-02-26T08:22:24.319Z [ 1804: 5924] W IsActiveSession failed, session 4
    2024-02-26T08:22:24.319Z [ 1804: 5924] W IsActiveSession failed, session 65536
    2024-02-26T08:22:24.319Z [ 1804: 5924] E Create report process failed, telemetry path C:\Program Files\Sophos\AutoUpdate\\Telemetry\SubmitTelem.exe
    2024-02-26T08:22:24.323Z [ 1804: 5924] E WTSQueryUserToken failed with error code 1008, console session 1
    2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 1
    2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 4
    2024-02-26T08:22:24.324Z [ 1804: 5924] W IsActiveSession failed, session 65536
    2024-02-26T08:22:24.324Z [ 1804: 5924] E Create report process failed, telemetry path C:\Program Files\Sophos\AutoUpdate\\Telemetry\SubmitTelem.exe
    2024-02-26T08:22:24.324Z [ 1804: 5924] I [Alert] CryptoGuard V5, familyId=3ca5d37a-8ed5-7ba5-f8b2-8b632175ffa5, PID 4, 192.168.66.216
    2024-02-26T08:22:24.330Z [ 1804: 5924] I [Sophos] dropped xml C:\ProgramData\Sophos\Management Communications System\Endpoint\Messages\ToManagementServer\20240226082224324505_evt_hmpa-exploit.umc
    2024-02-26T08:22:24.338Z [ 1804: 5924] I [Sophos] dropped json C:\ProgramData\Sophos\Health\Event Store\Incoming\24883b2d-247b-4c47-92cc-e33863265399.json
    2024-02-26T08:22:24.343Z [ 1804: 5924] I [Sophos] successfully posted request to SSP
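As an added example (not from the original post, and not Sophos code): a small parser for the `[Alert]` lines in the layout shown above. It extracts the PID and client IP and applies the point that explains why the server-side log names no process: PID 4 is the Windows System process, so a CryptoGuard alert with PID 4 on a file server means the blocked writes came in over SMB, and the application that issued them runs on the client at that IP. The first two sample lines are copied from the log above; the third is constructed (PID, familyId and IP invented) so that the local-process branch is exercised as well.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample lines in the layout of sophoshmpaservice.log. The first two are copied from
# the post above; the third is constructed (PID, familyId and IP invented) so that the
# local-process branch is exercised as well.
SAMPLE_LOG = """\
[ 1804: 5924] I [Protected] PID 4, Features 08FD2E3040000000 Silent 0080000000000000, 192.168.66.XXX
2024-02-26T08:22:24.324Z [ 1804: 5924] I [Alert] CryptoGuard V5, familyId=3ca5d37a-8ed5-7ba5-f8b2-8b632175ffa5, PID 4, 192.168.66.216
2024-02-26T09:10:01.000Z [ 1804: 5924] I [Alert] CryptoGuard V5, familyId=11111111-2222-3333-4444-555555555555, PID 5132, 10.0.0.7
"""

# One [Alert] line: timestamp, "[proc: thread]", level, tag, engine version, familyId, PID, client IP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\s*\d+:\s*\d+\]\s+I\s+\[Alert\]\s+"
    r"CryptoGuard\s+(?P<version>V\d+),\s+familyId=(?P<family>[0-9a-f-]+),\s+"
    r"PID\s+(?P<pid>\d+),\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

SYSTEM_PID = 4  # the Windows "System" process always has PID 4


@dataclass(frozen=True)
class CryptoGuardAlert:
    timestamp: str
    version: str
    family_id: str
    pid: int
    client_ip: str

    def is_remote_write(self) -> bool:
        """True when the blocked writes were performed by the System process, i.e. by the
        SMB server on behalf of a network client rather than by a local application."""
        return self.pid == SYSTEM_PID

    def where_to_look(self) -> str:
        """Which host's HMPA log can actually name the offending process."""
        if self.is_remote_write():
            return (f"writes arrived over SMB from {self.client_ip}; the originating process "
                    f"is only visible in sophoshmpaservice.log on that client")
        return f"local process with PID {self.pid} on this host; check its image path and command line"


def parse_alerts(log_text: str) -> List[CryptoGuardAlert]:
    """Return every CryptoGuard [Alert] line found in log_text, in file order."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m is None:
            continue  # [Protected], WTSQueryUserToken, telemetry lines etc. are not alerts
        alerts.append(CryptoGuardAlert(
            timestamp=m.group("ts"),
            version=m.group("version"),
            family_id=m.group("family"),
            pid=int(m.group("pid")),
            client_ip=m.group("ip"),
        ))
    return alerts


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(f"{a.timestamp} CryptoGuard {a.version} familyId={a.family_id} "
              f"PID={a.pid} client={a.client_ip}: {a.where_to_look()}")
```

Run it against a copy of the server's sophoshmpaservice.log; every alert that comes back with PID 4 points you at the client log on the reported IP rather than at anything on the server.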

