Top CrowdStrike IOA Detection in Indonesia

Since this malware is detected by Indicator of Attack (IOA), here are the most common detections that must be manually remediated via Real Time Response (RTR).

svchost.exe

Detection:

C:\Windows\NetworkDistribution\svchost.exe

How to clean:

  • Remove the services that contain RemoteProtocolManager.dll
  • Remove the files/folders
    • C:\Windows\NetworkDistribution\
    • C:\Windows\System32\dllhostex.exe
    • C:\Windows\System32\RemoteProtocolManager.dll
    • C:\Windows\System32\%random%.exe
  • Patch the system

PowerShell

Detection:

C:\Windows\System32\WindowsPowerShell*

PowerShell Malware

How to clean:

  • Remove all scheduled tasks that contain a malicious PowerShell command

mssecsvc.exe

Detection:

C:\windows\mssecsvc.exe

How to clean:

  • Remove service mssecsvc2.0
  • Remove the files/folders
    • C:\windows\mssecsvc.exe
    • C:\windows\%random%
    • C:\windows\tasksche.exe
  • Patch the system

3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

Detection:

C:\windows\%random%.exe

How to clean:

  • Change the administrator password
  • Patch the system
  • Remove all scheduled tasks that contain a malicious PowerShell command

spoolsv.exe

Detection:

C:\windows\resources\spoolsv.exe

How to clean:

  • Remove the files/folders
    • rm c:\windows\resources\spoolsv.exe
    • rm c:\windows\resources\explorer.exe

I also list some companion files that the sensor sometimes does not detect, even when the malware is running in memory.

  • c:\windows\syswow64\config\systemprofile\appdata\roaming\%random%.exe
  • c:\windows\fonts\fontsdl1hots.exe
  • c:\windows\temp\svchost.exe
  • c:\windows\temp\wfree.exe
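The remediation steps above (remove the services, the scheduled tasks and the files) as one triage script that can be pushed to a host through RTR. This is an added example, not the post author's or CrowdStrike's code; the service-path and task-argument regexes, the `mssecsvc2.0` service match and the `-Remove` switch are my assumptions, and the `%random%` entries from the page still have to be checked by hand.

```powershell
# Added triage/cleanup script for the artifacts listed on this page (not the post
# author's or CrowdStrike's code). Assumes PowerShell 5.1+ as administrator, e.g.
# via RTR "runscript". Reports only unless -Remove is given.
param([switch]$Remove)

# Fixed paths from the page; the %random% entries still need a manual look.
$SuspectPaths = @(
    'C:\Windows\NetworkDistribution\svchost.exe', 'C:\Windows\System32\dllhostex.exe',
    'C:\Windows\System32\RemoteProtocolManager.dll', 'C:\Windows\mssecsvc.exe',
    'C:\Windows\tasksche.exe', 'C:\Windows\resources\spoolsv.exe',
    'C:\Windows\resources\explorer.exe', 'C:\Windows\fonts\fontsdl1hots.exe',
    'C:\Windows\temp\svchost.exe', 'C:\Windows\temp\wfree.exe'
)

# 1. Services: mssecsvc2.0, plus anything whose image path or svchost
#    ServiceDll value points at RemoteProtocolManager.dll (regexes are assumptions).
$SuspectServices = @(Get-CimInstance Win32_Service | Where-Object {
    $_.Name -eq 'mssecsvc2.0' -or $_.PathName -match 'RemoteProtocolManager\.dll|NetworkDistribution'
})
foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $p = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if ($p.ServiceDll -match 'RemoteProtocolManager\.dll') {
        $SuspectServices += [pscustomobject]@{ Name = $key.PSChildName; PathName = $p.ServiceDll }
    }
}

# 2. Scheduled tasks that run PowerShell with an encoded or download-and-run command.
$SuspectTasks = @(Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $cmd = "$($_.Execute) $($_.Arguments)"
        $cmd -match 'powershell' -and
        $cmd -match '-e(c|nc|ncodedcommand)?\b|DownloadString|Invoke-Expression|\bIEX\b'
    }
})

# 3. Listed files that exist on this host.
$FoundFiles = @($SuspectPaths | Where-Object { Test-Path -LiteralPath $_ })

$SuspectServices | Format-Table Name, PathName -AutoSize
$SuspectTasks | Format-Table TaskName, TaskPath -AutoSize
$FoundFiles

if ($Remove) {
    foreach ($s in $SuspectServices) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        sc.exe delete $s.Name | Out-Null    # drop the service registration
    }
    foreach ($t in $SuspectTasks) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
    foreach ($f in $FoundFiles) { Remove-Item -LiteralPath $f -Force }
}
```

Run it once without `-Remove` to review the report, then patch the system and change the administrator password as the page instructs, since deleting the files alone does not close the way back in.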