1. Malicious Programs
Run netstat -nao to list network connections; an abnormal connection belonging to process ID (PID) 1748 stands out.

Run wmic process where processid=1748 get processid,name,executablepath to look up the image of PID 1748: C:\windows\Temp\svchost.exe. The legitimate svchost.exe lives in C:\Windows\System32, so a copy running from Temp is suspect on its own.

1.1 C:\windows\Temp\svchost.exe
Upload C:\windows\Temp\svchost.exe to the Microstep sandbox and to VirusTotal for analysis; both confirm it is malicious. It will be backed up and then deleted.

https://www.virustotal.com/gui/file/77ed1262c3f7291ea1857169eb8804ce9dddc11db2c2bdd6b2076a3d7b289ad3

Browsing the directory C:\windows\Temp\ turns up further files with malicious content, such as mkatz.ini and tmp.vbs, which confirms the directory as the attacker's drop folder; its contents should be backed up and then deleted.



Open msinfo32, go to Software Environment → Running Tasks and sort by File Date. Other executables with timestamps close to that of C:\windows\Temp\svchost.exe stand out: C:\windows\couxxltk.exe, C:\windows\syswow64\wmiex.exe, C:\windows\syswow64\drivers\svchost.exe and C:\windows\syswow64\drivers\taskmgr.exe.

1.2 C:\windows\couxxltk.exe
Upload C:\windows\couxxltk.exe to the Microstep sandbox and to VirusTotal for analysis; both confirm it is malicious. It will be backed up and then deleted.

https://www.virustotal.com/gui/file/3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

1.3 C:\windows\syswow64\wmiex.exe
Upload C:\windows\syswow64\wmiex.exe to the Microstep sandbox and to VirusTotal for analysis; both confirm it is malicious. It will be backed up and then deleted.

https://www.virustotal.com/gui/file/b771267551961ce840a1fbcd65e8f5ecd0a21350387f35bbcd4c24125ec04530

1.4 C:\windows\syswow64\svhost.exe
Sorting the directory of C:\windows\syswow64\wmiex.exe by modification date brings up C:\windows\syswow64\svhost.exe, a lookalike of the system binary name svchost.exe. Uploading it to the Microstep sandbox and to VirusTotal confirms it is malicious; it will be backed up and then deleted.


https://www.virustotal.com/gui/file/bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc

1.5 C:\windows\syswow64\drivers\svchost.exe
Upload C:\windows\syswow64\drivers\svchost.exe to the Microstep sandbox and to VirusTotal for analysis. The results are identical to those for C:\windows\syswow64\svhost.exe, confirming it is malicious; it will be backed up and then deleted.

1.6 C:\windows\syswow64\drivers\taskmgr.exe
Upload C:\windows\syswow64\drivers\taskmgr.exe to the Microstep sandbox and to VirusTotal for analysis; both confirm it is malicious. It will be backed up and then deleted.

https://www.virustotal.com/gui/file/de7dba8ef2f284e92f9ceec09599d7e4a31592b773c9642be5bcf18f2463a3a6

Use Everything with the filter dm:20240709T2320-20240709T2325 (date modified between 23:20 and 23:25 on 2024-07-09, the window in which the samples above landed) to look for anything else dropped at the same time; sort by path and size and inspect each hit. No other suspicious executables were found.
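The same triage in PowerShell, as an added example that is not part of the original write-up: it replaces the netstat/wmic pairing with Get-NetTCPConnection and Get-Process, checks the files on disk against the SHA-256 values from the VirusTotal links in this section, and repeats the Everything time-window search as a filesystem walk. The IOC list is the one reported on this page; the assumption that it is complete for this host, and the time window (local time), are assumptions to re-check.

```powershell
# Added example, not part of the original write-up. Run in an elevated session on
# Windows 8 / Server 2012 or later (needed for Get-NetTCPConnection).

# SHA-256 -> path, taken from the VirusTotal URLs in section 1.
$knownBad = @{
    '77ed1262c3f7291ea1857169eb8804ce9dddc11db2c2bdd6b2076a3d7b289ad3' = 'C:\windows\Temp\svchost.exe'
    '3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71' = 'C:\windows\couxxltk.exe'
    'b771267551961ce840a1fbcd65e8f5ecd0a21350387f35bbcd4c24125ec04530' = 'C:\windows\syswow64\wmiex.exe'
    'bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc' = 'C:\windows\syswow64\svhost.exe'
    'de7dba8ef2f284e92f9ceec09599d7e4a31592b773c9642be5bcf18f2463a3a6' = 'C:\windows\syswow64\drivers\taskmgr.exe'
}

# Step 1: every established TCP connection with its owning process and image path.
# This is netstat -nao plus a wmic lookup per PID in one pass; wmic is deprecated
# on current Windows, Get-Process -Id is not.
$inventory = Get-NetTCPConnection -State Established |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID    = $_.OwningProcess
            Name   = $p.Name
            Path   = $p.Path
            Remote = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        }
    }
$inventory | Sort-Object Path | Format-Table -AutoSize

# Step 2: flag image paths that should never host a system-named binary.
# svchost.exe and taskmgr.exe belong directly in System32 (or SysWOW64), never in
# Temp or under drivers\; svhost is a lookalike name with no legitimate owner.
$systemDir = '^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$'
$inventory | Where-Object {
    $_.Path -and (
        ($_.Path -match '\\Temp\\') -or
        (($_.Name -in 'svchost', 'taskmgr') -and ($_.Path -notmatch $systemDir)) -or
        ($_.Name -eq 'svhost')
    )
} | Format-Table -AutoSize

# Step 3: hash what is on disk and compare with the known-bad set. A differing
# hash does not clear the file (re-packed builds are common); it only means the
# sample is not the exact one that was submitted.
foreach ($path in $knownBad.Values) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash.ToLower()
    $verdict = if ($knownBad.ContainsKey($h)) { 'KNOWN MALICIOUS' } else { "hash differs: $h" }
    '{0,-50} {1}' -f $path, $verdict
}

# Step 4: the Everything search dm:20240709T2320-20240709T2325 as a filesystem
# walk. CreationTime is checked too: copying a file keeps its LastWriteTime but
# sets a fresh CreationTime, so files copied in during the window show up there.
$start = Get-Date '2024-07-09 23:20:00'
$end   = Get-Date '2024-07-09 23:25:00'
Get-ChildItem -Path C:\Windows -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end) -or
                   ($_.CreationTime  -ge $start -and $_.CreationTime  -le $end) } |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Sort-Object FullName
```

Step 4 walks only C:\Windows because that is where every sample on this page was found; widen the -Path to the whole volume if the drop folder is elsewhere.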


2. Backdoor
2.1 System Account
Run compmgmt.msc to open Computer Management and check System Tools → Local Users and Groups → Users: no hidden or unexpected accounts are present. This view only shows accounts the SAM enumerates normally; an account hidden by editing the SAM hive directly will not appear, so also review the Security log for Event ID 4720 (account created) in the incident window.

2.2 Scheduled Tasks
Run taskschd.msc to open Task Scheduler: three scheduled tasks periodically launch the malicious programs.



2.3 Auto-Startup Programs
Open msinfo32, go to Software Environment → Startup Programs: two auto-start entries, WebServers and Ddriver, launch malicious programs.

2.4 Auto-Startup Services
Open msinfo32, go to Software Environment → Services: three auto-start services, WebServers, Ddriver and CuXq, launch malicious programs.
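The four persistence checks of this section in one script, as an added example that is not part of the original write-up. It lists local accounts, then walks scheduled-task actions, the Run/RunOnce keys and auto-start services, flagging any entry that runs a binary outside the usual Windows or Program Files directories or that carries one of the names reported above (WebServers, Ddriver, CuXq). The trusted-directory pattern is an assumption; expect a few benign hits (.NET or vendor services, for instance) and review them rather than trusting the list blindly.

```powershell
# Added example, not part of the original write-up. Run elevated.

$trustedDir = '^C:\\(Windows\\(System32|SysWOW64)|Program Files( \(x86\))?)\\'   # assumption
$pageNames  = 'WebServers', 'Ddriver', 'CuXq'     # backdoor names from sections 2.3 and 2.4

function Test-SuspiciousCommand([string]$cmd, [string]$name) {
    if ($name -in $pageNames) { return $true }
    if (-not $cmd) { return $false }
    # Extract the executable from '"C:\dir\a.exe" -k arg' or 'C:\dir\a.exe -k arg'.
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    return ($exe -match '\\Temp\\') -or ($exe -notmatch $trustedDir)
}

$findings = @()

# 2.1 Local accounts. compmgmt/lusrmgr shows what the SAM enumerates; an account
#     hidden by editing the SAM hive directly is missed, so Security event 4720
#     (account created) for the incident window is the second check.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

# 2.2 Scheduled tasks: every action with its command line.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
        if (Test-SuspiciousCommand $cmd $t.TaskName) {
            $findings += [pscustomobject]@{ Kind = 'Task'; Name = "$($t.TaskPath)$($t.TaskName)"; Command = $cmd }
        }
    }
}

# 2.3 Run/RunOnce values (what msinfo32 lists as Startup Programs and what section
#     4.1 edits with regedit): machine-wide, the 32-bit view, and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }            # provider metadata, not registry values
        if (Test-SuspiciousCommand $props.$name $name) {
            $findings += [pscustomobject]@{ Kind = 'Run'; Name = "$k\$name"; Command = $props.$name }
        }
    }
}

# 2.4 Services that start automatically, with the binary each one launches.
foreach ($s in Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto') {
    if (Test-SuspiciousCommand $s.PathName $s.Name) {
        $findings += [pscustomobject]@{ Kind = 'Service'; Name = $s.Name; Command = $s.PathName }
    }
}

$findings | Format-Table -AutoSize
```

Running this before the clean-up in section 4 gives the exact task names, value names and service names to remove, so nothing is deleted from memory of a screenshot.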


3. Vulnerabilities
Run compmgmt.msc to open Computer Management and filter the current log under System Tools → Event Viewer → Windows Logs → Security. Event ID 4625 shows a large number of failed logons from IP address 59.108.119.2, and Event ID 4624 shows successful logons from the same address.
The conclusion is that 59.108.119.2 brute-forced RDP until it hit the administrator account's weak password and logged in to the server (in the 4624 events an RDP session appears as logon type 10). Because the malware clears the event logs, the full history had been deleted by the time of analysis; the screenshot is a sample of what survived. A cleared Security log leaves its own trace, Event ID 1102, which is worth recording as evidence in its own right.
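The log review above with Get-WinEvent instead of scrolling in Event Viewer, as an added example that is not part of the original write-up: it tallies 4625 failures per source address, lists the accounts the attacker tried, shows the 4624 logons from the same address with their logon type, and checks whether the log itself was cleared. The attacker address is the one named in this section; the seven-day window is an assumption and should be widened if the intrusion is older.

```powershell
# Added example, not part of the original write-up. Run elevated.

$attacker = '59.108.119.2'
$since    = (Get-Date).AddDays(-7)     # assumption: widen as needed

# Parse the EventData block of a logon event into a name -> value table. Reading
# fields by name rather than position keeps this correct across Windows versions.
function Get-LogonEvents([int]$id) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $id
                User      = $data['TargetUserName']
                LogonType = $data['LogonType']
                Ip        = $data['IpAddress']
            }
        }
}

$failed  = Get-LogonEvents 4625      # empty if failure auditing is not enabled
$success = Get-LogonEvents 4624

# A password-guessing source stands out as one IP with far more failures than any
# other. List the top offenders, then the accounts the named attacker tried.
$failed | Group-Object Ip | Sort-Object Count -Descending | Select-Object Count, Name -First 10
$failed | Where-Object Ip -eq $attacker | Group-Object User | Select-Object Count, Name

# Successful logons from the same address. LogonType 10 is an interactive RDP
# session; with Network Level Authentication the credential check first shows
# up as a type 3 (network) logon from the same address.
$success | Where-Object Ip -eq $attacker | Select-Object Time, User, LogonType | Format-Table -AutoSize

# Clearing a log is itself logged: 1102 in Security ("The audit log was cleared")
# and 104 in System. Their presence explains missing 4624/4625 history and is
# evidence on its own; their absence does not prove the log is intact.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the Security log really was wiped, the same 4625/4624 pattern can often be recovered from a SIEM or a forwarded-events collector that received the entries before they were cleared, which is a better exhibit than a screenshot of whatever remained.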

4. Follow-Up Actions
4.1 Remove Backdoors
Run taskschd.msc to open Task Scheduler; right-click each of the three scheduled tasks and choose Delete.

Run regedit to open the Registry Editor, navigate to the auto-start key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, right-click each of the two auto-start values and delete it. Check the WOW6432Node and HKCU copies of the same key as well, since msinfo32 lists entries from all of them under Startup Programs.

Run compmgmt.msc to open Computer Management, go to System Tools → Services and Applications → Services, and right-click each of the three auto-start services to stop it. Stopping alone is not enough: set the startup type to Disabled, or delete the service with sc delete <name>, so it does not come back at the next boot.

4.2 Terminate Malicious Processes
Open msinfo32, go to Software Environment → Running Tasks, sort by File Date to obtain the process IDs of the malicious programs, and terminate each one with taskkill, for example taskkill /f /pid:1748. Do this only after the persistence in 4.1 has been removed; otherwise the tasks and services relaunch the processes as fast as they are killed.


4.3 Delete Malicious Files
Back up the malicious files (including the contents of C:\windows\Temp), delete them, then empty the Recycle Bin so no copies remain on the host.

4.4 Patch Vulnerabilities
Run net user administrator new_password (with new_password replaced by a strong password) to replace the weak one. Since the attacker held the administrator account, change the passwords of any other accounts on the server as well, and reduce the exposure of RDP (restrict it to trusted addresses and enable account lockout) so the next guessing run does not succeed.
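The clean-up of section 4 as one script, as an added example that is not part of the original write-up. It runs the steps in the order that keeps the watchdog tasks and services from relaunching the binaries halfway through: persistence first, then processes, then files, then the entry path. The file, Run value and service names are the ones reported on this page; the task names are not given in the write-up, so the $tasks list is left for you to fill in, and $backupDir is a placeholder.

```powershell
# Added example, not part of the original write-up. Run elevated.

$backupDir = 'D:\ir_backup'                       # assumption: a location that survives the clean-up
$tasks     = @()                                  # TaskName values from taskschd.msc (not named on the page)
$runValues = 'WebServers', 'Ddriver'
$services  = 'WebServers', 'Ddriver', 'CuXq'
$files     = 'C:\windows\Temp\svchost.exe', 'C:\windows\Temp\mkatz.ini', 'C:\windows\Temp\tmp.vbs',
             'C:\windows\couxxltk.exe', 'C:\windows\syswow64\wmiex.exe',
             'C:\windows\syswow64\svhost.exe', 'C:\windows\syswow64\drivers\svchost.exe',
             'C:\windows\syswow64\drivers\taskmgr.exe'
$attacker  = '59.108.119.2'

# 4.1 Remove persistence before killing anything: a killed process comes straight
#     back if a task or service is still there to restart it.
foreach ($t in $tasks) { Unregister-ScheduledTask -TaskName $t -Confirm:$false -ErrorAction SilentlyContinue }
foreach ($v in $runValues) {
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name $v -ErrorAction SilentlyContinue
}
foreach ($s in $services) {
    # Stopping alone (as in 4.1) leaves the service to start again at boot.
    Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
    Set-Service -Name $s -StartupType Disabled -ErrorAction SilentlyContinue
    sc.exe delete $s | Out-Null
}

# 4.2 Kill by image path rather than by PID: PIDs change every time a watchdog
#     respawns a process, the path does not.
Get-Process | Where-Object { $_.Path -and ($files -contains $_.Path) } | Stop-Process -Force

# 4.3 Keep a copy for analysis, then delete. Remove-Item bypasses the Recycle Bin,
#     so there is nothing to empty afterwards.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Copy-Item -LiteralPath $f -Destination $backupDir -Force
        Remove-Item -LiteralPath $f -Force
    }
}

# 4.4 Close the way in: a new administrator password (the PowerShell form of
#     net user administrator <password>), account lockout so the next guessing
#     run fails fast, and a firewall block for the source address.
Set-LocalUser -Name Administrator -Password (Read-Host -AsSecureString 'New administrator password')
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
New-NetFirewallRule -DisplayName "IR block $attacker" -Direction Inbound -RemoteAddress $attacker -Action Block | Out-Null
```

The lockout thresholds and the single-address block are starting points, not a policy: the attacker can return from another address, so restricting RDP to known management networks (or putting it behind a VPN) is the durable fix. And because the intruder ran as administrator on this host, rebuilding it from a known-good image is safer than trusting that this cleanup caught everything.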