So today I was greeted by a powershell.exe in the processes list taking up a lot of memory. A quick memory dump revealed it was running some script that it stored in the registry in base64
There's no direct guide on how to fix it; Malwarebytes did nothing. But here's what I did:
Select the process -> right-click and do a memory dump.
Copy the dump from the temp location to a more permanent location.
Search for powershell.exe; it'll give you the parameters it ran with. Mine was:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\<randomstr>').<randomstr>)));
Copy and run (gp 'HKCU:\Software\Classes\<randomstr1>').<randomstr2> to get the base64-encoded script. Decoding it will give you an idea of what it's doing. Mine looks like the script here:
https://isc.sans.edu/forums/diary/Powershell+Malware+No+Hard+drive+Just+hard+times/20823/1
To get rid of it, I deleted the script and the registry key that causes it to autolaunch (reference: http://www.pctools.com/guides/registry/detail/109/ ),
i.e.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Classes\<randomstr1>]
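The steps above can be scripted for triage. The following PowerShell is an added example, not code from the original post: it audits the HKCU Run key for hidden/bypass PowerShell launchers of the shape quoted above, pulls the base64 blob out of whatever HKCU:\Software\Classes\<key> value the launcher reads with gp, writes the decoded payload to a text file for review, and only when run with -Remove deletes the Run value and the storage key. The output directory and the parameter names are assumptions of this example; the key and value names are discovered at run time rather than hard-coded.

```powershell
<#
  Added triage script (not from the original post). Finds Run-key PowerShell
  launchers that decode a base64 payload from HKCU:\Software\Classes\<key>,
  saves the decoded script for inspection, and removes both only with -Remove.
  $OutDir is an assumed default location.
#>
[CmdletBinding()]
param(
    [string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop\ps-autorun-triage'),
    [switch]$Remove
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$metaProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Traits taken from the launcher command line quoted in the post.
$launcherPattern = 'powershell.*(-windowstyle\s+hidden|-executionpolicy\s+bypass|FromBase64String)'
# Captures the storage key path and value name from "(gp 'HKCU:\Software\Classes\...').<value>".
$storagePattern  = "gp\s+'(HKCU:\\Software\\Classes\\[^']+)'\)\.(\w+)"

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$findings = @()

$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $runProps) { Write-Host "No values under $runKey"; return }

foreach ($prop in @($runProps.PSObject.Properties)) {
    if ($metaProps -contains $prop.Name) { continue }   # skip provider metadata
    $cmd = [string]$prop.Value
    if ($cmd -notmatch $launcherPattern) { continue }

    $finding = [pscustomobject]@{
        RunValue    = $prop.Name
        CommandLine = $cmd
        StorageKey  = $null
        StorageVal  = $null
        DecodedTo   = $null
    }

    if ($cmd -match $storagePattern) {
        $storageKey = $Matches[1]
        $storageVal = $Matches[2]
        $finding.StorageKey = $storageKey
        $finding.StorageVal = $storageVal

        $blob = (Get-ItemProperty -Path $storageKey -ErrorAction SilentlyContinue).$storageVal
        if ($blob) {
            try {
                # Same decode the launcher performs, but written to disk instead of piped to iex.
                $decoded  = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($blob))
                $safeName = $prop.Name -replace '[^\w.-]', '_'
                $outFile  = Join-Path $OutDir "${safeName}.decoded.txt"
                Set-Content -Path $outFile -Value $decoded -Encoding ASCII
                $finding.DecodedTo = $outFile
            } catch {
                Write-Warning "Value '$storageVal' under $storageKey is not valid base64: $_"
            }
        }
    }
    $findings += $finding
}

if ($findings.Count -eq 0) {
    Write-Host "No PowerShell launchers matching the pattern under $runKey"
    return
}

$findings | Format-List

if ($Remove) {
    foreach ($f in $findings) {
        Remove-ItemProperty -Path $runKey -Name $f.RunValue -ErrorAction Stop
        if ($f.StorageKey -and (Test-Path $f.StorageKey)) {
            Remove-Item -Path $f.StorageKey -Recurse -Force
        }
        Write-Host "Removed Run value '$($f.RunValue)' and storage key $($f.StorageKey)"
    }
}
```

Run it once without -Remove and read the decoded .txt files first; the decoded script is what tells you what the launcher was actually doing and is worth keeping with the memory dump. Deleting the registry entries only stops the next autolaunch, so the powershell.exe that is already running has to be terminated separately. A launcher that stores its payload somewhere other than HKCU:\Software\Classes will show up in the listing with an empty StorageKey, in which case read its CommandLine by hand.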