How to eradicate Malware during incident response

Nikhil Chaudhari
8 min read · Nov 6, 2024


In this blog I am going to walk through a practical incident response scenario in a corporate environment and show how the eradication process works, which is one of the main phases of incident response. Let’s start with an introduction.

🍁Introduction

Here we are going to cover how to handle a system infected by malware using the PowerShell command line.

We will learn which PowerShell commands can be used in incident response to remediate the machine. I will take a real-world scenario where a machine is infected with malware, e.g. the NanoCore RAT, to explain these PowerShell commands.

These commands are very useful in a limited Windows environment where you don’t have access to tools like GNU core utilities or a Python interpreter. If PowerShell remoting [2] is configured in your environment, you can run these commands even on a remote infected machine from your clean machine.

What will we cover here?

  1. PowerShell
  2. Malware infection scenario- NanoCore
  3. PowerShell Commands for Incident Response
  4. Conclusion
  5. References

🍁PowerShell

PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes.

PowerShell is based on object not text. The output of a command is an object. You can send the output object, through the pipeline, to another command as its input.

🍁Malware infection scenario- NanoCore

Suppose there is a NanoCore malware infection in our environment and we are at the eradication step of incident response. We will learn which PowerShell commands can be used for incident response against NanoCore, but they are applicable to any malware family. To keep it simple, we will assume the following:

  • Only one Windows 10 machine is infected with NanoCore malware in our environment, based on network logs.
  • We have physical access to this machine, so there is no need for PowerShell Remoting.
  • We have a copy of the initial NanoCore sample 0ed2be7c91efdb87c98084bb0a22d8d7 that infected the machine, so we know the IoCs.

NanoCore IoCs

  1. Drops RAVBg64.exe and .bat files in $Env:TEMP
  2. Creates run.dat and other files in a GUID-named directory in $Env:APPDATA.
  3. Creates persistence via an autorun entry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  4. C2 (command and control): anunankis3[.]duckdns[.]org

🍁PowerShell Commands for Incident Response

The main goal of the eradication step in incident response is to remove all the malware artifacts from the system and then verify whether the system is completely clean.

One of the good things about PowerShell is that you don’t need different tools for working with files, the registry or processes: all of these can be managed with built-in PowerShell cmdlets. All the commands below were tested on PowerShell 7 (Core) but should also work on Windows PowerShell 5.1.

Steps for removing NanoCore infection:

  1. Check for malicious process
  2. Terminate malicious process
  3. Remove the persistence
  4. Check for files in $env:APPDATA\GUID\
  5. Get the Hashes of the files
  6. Copy artifacts for analysis
  7. Delete malware artifacts

Note: make sure you are running PowerShell with admin privileges, otherwise you will not be able to remediate the system.

  1. Check for malicious process

We have to check whether the malicious process RAVBg64.exe is currently executing from the $env:TEMP directory. The Get-Process cmdlet lists the currently running processes, as shown in the screenshot below.

Get-Process

Get-Process PowerShell cmdlet output

We can see in the above image that the RAVBg64.exe process is running, but we need the complete path to confirm that it is running from the temp directory.

Get-Process RAVBg64 | Select-Object Id, ProcessName, Path, Company, StartTime | Format-Table

Get-Process does not expose the process command line, so use the Get-WmiObject cmdlet instead.

Only applicable to Windows PowerShell 5.1:

Get-WmiObject -Class Win32_Process -Filter "name='RAVBg64.exe'" | Select-Object ProcessId, ProcessName, CommandLine

But Get-WmiObject is deprecated, so use Get-CimInstance on PowerShell 7, as pointed out by a Reddit user:

Get-CimInstance -ClassName Win32_Process -Filter "name='RAVBg64.exe'" | Format-Table -Property ProcessId, ProcessName, CommandLine -AutoSize

Get-Process & Get-WmiObject PowerShell cmdlets output

2. Terminate malicious process

Stop-Process can be used to terminate processes by process name or process ID (PID), or by passing it a process object:

Get-Process RAVBg64 | Stop-Process

You may need to stop the process imapsv.exe instead of RAVBg64.exe if the machine has already been restarted, because that is the filename used in the registry persistence entry.


Note: if you don’t stop the malicious process first and try to delete its file from disk, you will get an access error because of the open handle.

3. Remove Persistence

The Get-ItemProperty cmdlet can be used to list registry entries, as shown below:

Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'IMAP Service'

Remove-ItemProperty removes the NanoCore persistence registry entry; run Get-ItemProperty again afterwards to confirm that the entry is gone.

# Remove the 'IMAP Service' autorun value
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Remove-ItemProperty -Name 'IMAP Service'

# Verify that the value no longer exists
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

Query & remove NanoCore registry entry using PowerShell Command.

4. Check for files in $env:APPDATA\GUID\

NanoCore creates a directory with a unique GUID name in $env:APPDATA to keep its copy and logs. We can use the Get-ChildItem cmdlet to list the directory; it is similar to the dir command. This cmdlet works on a file system directory, a registry hive, or a certificate store.

-Recurse — lists all sub-directories recursively
-Filter — filters the path; it supports the * and ? wildcards, e.g. *.dat, *.exe

Get-ChildItem -Path $Env:APPDATA -Force -Recurse -Filter run.dat

Instead of Get-ChildItem, we can use Test-Path to check whether the directory or file exists:
Test-Path -Path $Env:APPDATA\*\run.dat

Note:
-Force — lists hidden and system files as well. Some malware sets the hidden attribute on its files, so always use this parameter.

Test-Path & Get-ChildItem PowerShell cmdlets

After running the above commands you will know the unique GUID directory name, 0319B08F-2B65-4192-B2D2-1E2F62087064; this folder contains the other artifacts, as shown in the screenshot below.

Get-ChildItem -Path C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Force -Recurse

Get-ChildItem cmdlets using Force & Recurse parameters.

5. Gather hashes

The Get-FileHash cmdlet computes a file hash with the algorithm of your choice, e.g. MD5, SHA1 or SHA256. By default, Get-FileHash uses the SHA256 algorithm, although any hash algorithm supported by the target operating system can be used.

SHA256
Get-FileHash -Path 'C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\IMAP Service\imapsv.exe'

MD5
Get-FileHash -Algorithm MD5 -Path 'C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\IMAP Service\imapsv.exe'

Get-FileHash PowerShell cmdlet

We can combine the Get-ChildItem and Get-FileHash cmdlets to collect the MD5, SHA256, Name and FullName of every file in the directory.

We will use calculated properties, which require a hashtable with a Name (or label) key and an Expression key. The Name key is the property name and the Expression key is a script block that Select-Object executes for each input object. Please read this great article [5] by @adbertram on calculated properties using hashtables.

@{ Name = ''; Expression = {}}

Using E (short for Expression) we calculate the MD5 and SHA256 of each file returned by Get-ChildItem:

# -File limits the listing to files; $_.FullName passes the complete path to Get-FileHash
Get-ChildItem -Path C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Force -Recurse -File | Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 -Path $_.FullName).Hash}}, @{N='SHA256';E={(Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash}}, Name, FullName

Gather MD5, SHA256, Name and FullName of NanoCore files

Now we will export the result to FileHashes.csv using Export-Csv:

# -NoTypeInformation drops the #TYPE header line that Windows PowerShell 5.1 writes by default
Get-ChildItem -Path C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Force -Recurse -File | Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 -Path $_.FullName).Hash}}, @{N='SHA256';E={(Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash}}, Name, FullName | Export-Csv -Path FileHashes.csv -NoTypeInformation

PowerShell Command for exporting hashes to csv.

6. Copy artifacts for analysis

Before removing the artifacts, we may want to copy them for further analysis if needed by other teams.

Let’s use the New-Item cmdlet to create the directory and Copy-Item to copy the files to the IoCs directory:

New-Item -ItemType Directory -Path C:\Users\admin\IoCs

Copy-Item C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Destination C:\Users\admin\IoCs\ -Recurse

New-Item & Copy-Item PowerShell cmdlets for directory.

7. Delete malware artifacts

Note: don’t forget to use -Force with Remove-Item, otherwise you cannot delete read-only or hidden files, which malware frequently uses.

We have already removed the persistence mechanism, so now we just need to delete the files from the infected machine using the Remove-Item cmdlet.

Delete the complete dir recursively
Remove-Item -Path $env:APPDATA\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Recurse -Force

Remove the copy of the NanoCore malware
Remove-Item -Path $env:TEMP\RAVBg64.exe -Force

Delete the initial file (-Force in case the dropper was left read-only or hidden)
Remove-Item -Path $env:USERPROFILE\Desktop\Serial.exe -Force

Remove-Item cmdlet for file & directory.

🍁Conclusion

To sum up, we have studied useful PowerShell commands that can be used in incident response for NanoCore, but these commands can be applied to any malware infection. There are many more PowerShell commands that can be used in incident response.

As a next iteration, you can even write a PowerShell script and deploy it to multiple machines over your network for cleanup.
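The steps above remove the artifacts but never show the verification the eradication goal calls for. The function below is an added example (not code from the original post): it re-checks the NanoCore IoCs from this post and emits one object per artifact still present, so it can run before cleanup to confirm the infection and after step 7 to prove the host is clean, locally or through Invoke-Command. The 'IMAP Service' value name, the dropper file names and the run.dat marker are from the post; the GUID folder pattern and the "anything running from %TEMP%" heuristic are assumptions.

```powershell
# Added example, not from the original post. Emits one object per NanoCore
# artifact still present; no output means the host is clean. The value name,
# file names and run.dat come from the post; the GUID-folder regex and the
# %TEMP% execution check are assumptions for illustration.
function Test-NanoCoreArtifacts {
    [CmdletBinding()]
    param(
        [string]$RunValueName = 'IMAP Service',
        [string[]]$DropperNames = @('RAVBg64.exe', 'imapsv.exe')
    )
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $guidRe = '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$'

    # 1. Processes: known dropper names, or anything executing out of %TEMP%
    Get-CimInstance -ClassName Win32_Process | Where-Object {
        $_.Name -in $DropperNames -or
        ($_.ExecutablePath -and $_.ExecutablePath.StartsWith($env:TEMP, 'OrdinalIgnoreCase'))
    } | ForEach-Object {
        [pscustomobject]@{ Type = 'Process'; Item = "$($_.ProcessId) $($_.ExecutablePath)" }
    }

    # 2. Persistence: the known Run value, or any Run value pointing into %APPDATA%
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($name -eq $RunValueName -or $value -like "*$env:APPDATA*") {
                [pscustomobject]@{ Type = 'Registry'; Item = "$name = $value" }
            }
        }
    }

    # 3. Files: run.dat under a GUID-named folder in %APPDATA% (-Force also sees
    #    hidden files), plus the dropper copies in %TEMP%
    Get-ChildItem -Path $env:APPDATA -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $guidRe } |
        Get-ChildItem -Recurse -Force -File -Filter run.dat -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Type = 'File'; Item = $_.FullName } }
    foreach ($n in $DropperNames) {
        $f = Join-Path -Path $env:TEMP -ChildPath $n
        if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Type = 'File'; Item = $f } }
    }
}

# Run after step 7: an empty result means no known artifact remains
$left = @(Test-NanoCoreArtifacts)
if ($left.Count -eq 0) { 'Clean: no NanoCore artifact found' } else { $left | Format-Table -AutoSize }
```

Because the function only reads process, registry and file state, it is safe to run repeatedly and its output can be written to CSV with Export-Csv in the same way as the hashes above.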

That’s all for today. If you like the content, give me a clap and follow for more.


I am a (🦊) Security Researcher with a bachelor's degree in Electronics Engineering, passionate about learning and writing about new technologies, tools and automation.