sophos central endpoint getting this malware

Hi yeowkm 

Form the events logs, it seems it is getting cleared. However, I can see after running a full system scan as well, there is an alert of the detection. We will need to find the source , hence I would request you to run Source of Infection tool on the machine, from the logs we can find some more information. 

under the user endpoint event logs. it was classified as malicious behaviour. 

will upload once i get the SOI logs

1854.source of infection.zip

Hello yeowkm,

SOI isn't a magic wand.
It can help to find out what writes a certain file or into a certain location. Did you get another alert during these almost 3 hours SOI ran, if so - could you tell the time?  A cursory glance showed nothing outright suspicious. There are surprisingly few records - what switches/parameters did you use (apparently -p), did you run it as admin? Wonder why the Trace has these OpenProcess failed errors (normally disk space shouldn't be a concern and I use, at least initially, maximum logging, i.e. -ll 1)..

As it's likely not regsvr32.exe that is compromised it'd be necessary first to find out with what parameters it is called, Process Monitor should help. 

Christian

Hello yeowkm,

SOI isn't a magic wand.
It can help to find out what writes a certain file or into a certain location. Did you get another alert during these almost 3 hours SOI ran, if so - could you tell the time?  A cursory glance showed nothing outright suspicious. There are surprisingly few records - what switches/parameters did you use (apparently -p), did you run it as admin? Wonder why the Trace has these OpenProcess failed errors (normally disk space shouldn't be a concern and I use, at least initially, maximum logging, i.e. -ll 1)..

As it's likely not regsvr32.exe that is compromised it'd be necessary first to find out with what parameters it is called, Process Monitor should help. 

Christian

Hello Yeowkm,

If you are still seeing the detection and Sophos cleaning it automatically then make sure all of your endpoints on the network are protected by Sophos and they are up to date.

Please monitor and try to find out which computer is triggering it using SOI tool. If you could not find anything please contact Sophos support at the earliest for remote assistance.

Hello yeowkm 

Other than what SAJ and QC have suggested, you can also download and run MS Autoruns. There may be a script that is needing regsvr32.exe to run, and is causing the detection. If it is a scheduled task, autoruns is sure to find it.

Please refer to this related thread for additional information.