Emergency host troubleshooting
Recently, during a routine security inspection, our security engineers found that a group of internal hosts were communicating abnormally with external Internet addresses. The following is the emergency-response analysis of one of those hosts.
Windows Task Manager shows the host's CPU at 100%. Given the host's actual business load, this is preliminarily judged abnormal.
Drilling into the high-usage processes shows a suspicious executable named v6w5m43T.exe consuming most of the CPU and repeatedly spawning powershell.exe.
Analyzing v6w5m43T.exe in detail with Huorong Sword (火绒剑) reveals the absolute path of the running file and an active connection to an external Internet address.
The external IP address that the malicious program connects to is recorded and looked up in ThreatBook (微步在线) threat intelligence to trace its origin.
Cut the host's network connection immediately and isolate it from the rest of the network.
Use the Autoruns tool to review every program loaded automatically at boot, and look for suspicious entries.
Open Task Scheduler and find a malicious scheduled task: it runs the malicious file every hour.
The scheduled task's action gives the absolute path of the malicious file. Opening the l61xHyVQ file as plain text shows the domain t.tr2q.com, which a ThreatBook lookup classifies as a malicious site.
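The triage steps above (high-CPU process and its path, PowerShell command lines, external connections per process, scheduled tasks and their repetition interval, Autoruns-style startup entries, and isolation) can be collected in one pass from an elevated PowerShell session. The script below is an added example written for this page, not a tool from the original author; it assumes PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for Get-NetTCPConnection and the ScheduledTasks module). Only the names v6w5m43T, l61xHyVQ and t.tr2q.com come from the write-up; the private-address regex, the process-count threshold and the rule name IR-Block-C2 are assumptions.

```powershell
# Added triage script (not from the original write-up). Run as Administrator.
# Indicators from the write-up; everything else below is an assumption of this example.
$Indicators    = @('v6w5m43T', 'l61xHyVQ', 't.tr2q.com')
$PrivateRanges = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|::1$|fe80:)'

# 1. Top CPU consumers with on-disk path. A random 8-character name in a user-writable path is itself a flag.
Get-Process |
    Sort-Object CPU -Descending |
    Select-Object -First 10 Id, ProcessName, @{n='CPU(s)'; e={[int]$_.CPU}}, Path |
    Format-Table -AutoSize

# 2. Full command lines of powershell.exe / cmd.exe, since the miner kept spawning PowerShell.
#    Look for -EncodedCommand, -w hidden, DownloadString, IEX and the indicator strings.
Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='cmd.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-List

# 3. Established TCP connections to non-private addresses, joined to the owning process.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $PrivateRanges } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $p.ProcessName
            PID     = $_.OwningProcess
            Path    = $p.Path
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Format-Table -AutoSize

# 4. Scheduled tasks: what they execute and how often. 'PT1H' in Interval is an hourly repetition.
Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object {
        $t = $_
        $t.Actions | ForEach-Object {
            [pscustomobject]@{
                Task     = $t.TaskPath + $t.TaskName
                Execute  = $_.Execute
                Args     = $_.Arguments
                Interval = ($t.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                LastRun  = (Get-ScheduledTaskInfo -TaskName $t.TaskName -TaskPath $t.TaskPath).LastRunTime
            }
        }
    } |
    Where-Object { $_.Execute -match 'powershell|cmd|\.exe' } |
    Format-Table -AutoSize

# 5. Autoruns-style check of the Run/RunOnce keys and both Startup folders.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $RunKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k | Select-Object -Property * -ExcludeProperty PS*).PSObject.Properties |
            ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
    }
}
Get-ChildItem "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
              "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -ErrorAction SilentlyContinue

# 6. IOC sweep over the on-disk task definitions (the XML under System32\Tasks is what Task Scheduler shows).
Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue |
    Select-String -Pattern $Indicators -SimpleMatch |
    Select-Object Path, LineNumber, Line

# 7. Isolation: once the C2 address from step 3 is confirmed, block outbound traffic to it host-side
#    (the write-up unplugs the host entirely; do that too if policy allows).
$C2 = Read-Host 'Confirmed C2 IP from step 3 (blank to skip)'
if ($C2) {
    New-NetFirewallRule -DisplayName 'IR-Block-C2' -Direction Outbound -Action Block -RemoteAddress $C2 | Out-Null
}
```

Run it before touching anything else and save the console transcript (Start-Transcript) as evidence; step 3 is the one that ties the external address to v6w5m43T.exe, and step 4 is where the hourly task and its file path appear.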
Removing the mining trojan
After installing Huorong Security (火绒), run a full scan to remove the mining trojan.
Remediation
1. Remove the malicious files: run a full scan with anti-virus software to clean file-based malware. Some files must be deleted manually; also clear the temporary files under C:\Windows\Temp and empty the Recycle Bin.
2. Remove the malicious scheduled task: delete suspicious tasks under Administrative Tools --> Task Scheduler --> Task Scheduler Library.
3. Remove the startup entries that launch powershell and cmd.
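The three remediation steps, preceded by evidence preservation and followed by a verification pass, as an added example written for this page rather than the author's own procedure. It assumes an elevated PowerShell session and that triage has already supplied the values for the placeholder variables; the file names v6w5m43T.exe and l61xHyVQ and the domain t.tr2q.com are from the write-up, while the paths, the task name, the Run-key value name and the C:\IR evidence folder are assumptions.

```powershell
# Added cleanup script (not from the original write-up). Run as Administrator after triage.
$Evidence     = "C:\IR\$(Get-Date -Format yyyyMMdd-HHmm)"      # assumption: local evidence folder
$MaliciousExe = 'C:\path\from\triage\v6w5m43T.exe'            # placeholder: path shown by Huorong Sword
$MaliciousTxt = 'C:\path\from\triage\l61xHyVQ'                # placeholder: file referenced by the task
$TaskName     = 'NameFoundInTaskScheduler'                    # placeholder: the hourly task
$RunValueName = 'NameFoundInRunKey'                           # placeholder: Run value launching powershell/cmd

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Preserve evidence before destroying it: hashes, copies of the artefacts, and the task XML.
foreach ($f in @($MaliciousExe, $MaliciousTxt)) {
    if (Test-Path $f) {
        Get-FileHash $f -Algorithm SHA256 | Out-File "$Evidence\hashes.txt" -Append
        Copy-Item $f -Destination $Evidence
    }
}
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
    Export-ScheduledTask -TaskName $TaskName | Out-File "$Evidence\$TaskName.xml"
}

# 2. Stop the miner and every powershell/cmd it spawned; otherwise they re-drop the binary
#    while the files are being deleted.
Get-Process -Name 'v6w5m43T' -ErrorAction SilentlyContinue | Stop-Process -Force
Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='cmd.exe'" |
    Where-Object { $_.CommandLine -match 'v6w5m43T|l61xHyVQ|t\.tr2q\.com' } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force }

# 3. Remove the hourly scheduled task (disable first so a failed delete still stops the loop).
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
    Disable-ScheduledTask -TaskName $TaskName | Out-Null
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}

# 4. Remove the Run-key entry that launches powershell/cmd at logon (check both hives).
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = (Get-ItemProperty $k -ErrorAction SilentlyContinue).PSObject.Properties.Name
    if ($props -contains $RunValueName) {
        Remove-ItemProperty -Path $k -Name $RunValueName
    }
}

# 5. Delete the dropped files, then the temp directory and Recycle Bin the write-up calls out.
Remove-Item $MaliciousExe, $MaliciousTxt -Force -ErrorAction SilentlyContinue
Remove-Item "$env:SystemRoot\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue
Clear-RecycleBin -Force -ErrorAction SilentlyContinue

# 6. Verify: no process, task or file should match the indicators any more.
$left = @(Get-Process -Name 'v6w5m43T' -ErrorAction SilentlyContinue) +
        @(Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) +
        @(Get-Item $MaliciousExe, $MaliciousTxt -ErrorAction SilentlyContinue)
if ($left.Count -eq 0) {
    'Cleanup complete: run a full AV scan now and re-check processes and tasks after one hour.'
} else {
    "Artefacts still present:`n$($left | Out-String)"
}
```

Cleaning in place is only defensible if the host is re-checked after the task's one-hour interval has passed and the other hosts flagged in the inspection are swept for the same task, file names and t.tr2q.com lookups; if the initial entry vector is unknown, reimaging is the safer option.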