Kaspersky
Question

HEUR:Trojan.Multi.Crypmod.gen - Blocked on fileserver KES11

  • 11 October 2019
  • 8 replies
  • 6834 views

Hello,

On our Windows 2019 fileserver there was a "HEUR:Trojan.Multi.Crypmod.gen" blocked according to the KSC10 administration server Threats Report.

code:
Path to file : System

Result: Blocked: HEUR:Trojan.Multi.Crypmod.gen User: DOMAIN_XXX\USERNAME_XXX (Initiator) Object: System Reason: Dangerous action Database release date: 9/​23/​2019 3:56:00 AM Remote session: 0x1e08736c Remote host: - (192.168.0.xxx)
Looking in the KES11 "Reports\Behavior Detection" on the File Server I can see the following.

code:
9/23/2019 4:48:27 PM    Malicious object detected    External application    DOMAIN_XXX\USER_XXX    Detected: HEUR:Trojan.Multi.Crypmod.gen    External application    Behavior analysis    

Application: External application
User: DOMAIN_XXX\USER_XXX (Initiator)
Remote session: 0x1e08736c
Remote host: - (192.168.0.xxx)
Component: Behavior Detection
Result: Detected: HEUR:Trojan.Multi.Crypmod.gen
Object: External application
Reason: Behavior analysis
Database release date: 9/23/2019 3:56:00 AM
9/23/2019 4:48:27 PM Blocked External application DOMAIN_XXX\USER_XXX Blocked: HEUR:Trojan.Multi.Crypmod.gen External application Dangerous action

Application: External application
User: DOMAIN_XXX\USER_XXX (Initiator)
Remote session: 0x1e08736c
Remote host: - (192.168.0.xxx)
Component: Behavior Detection
Result: Blocked: HEUR:Trojan.Multi.Crypmod.gen
Object: External application
Reason: Dangerous action
Database release date: 9/23/2019 3:56:00 AM
Unfortunately I cannot find much more than this in the Kaspersky logging, and I cannot find anything at all about this in the KES11 logging on the user's computer.

I've scanned all our servers and every client computer in our company and found nothing. What I do know is that this user used a private USB stick to print some pictures for his kid's birthday; this USB stick was placed in his (up to date) Windows 10 computer but was also placed in the Ricoh printer itself, a device that I cannot scan.

Fortunately it looks like the program was halted before it could do anything and since this happened we did not detect anything strange on our network or our computers.

But the lack of information bothers me, especially because the user's client computer has no logging of this issue at all. Is there any way I can find out more about this Trojan.Multi.Crypmod.gen or get more useful logging from KES or from KSC?

8 replies

Userlevel 5
Badge +4
Hi,

By default such events are stored in the KES local interface - Reports - File Threat Protection.
Unfortunately, this is the only place on the local PC that keeps that information (with default settings).
Hi, thank you Nikolay for your answer. It's too bad that there isn't more information available, especially because I still have no clue as to how this got to my FileServer; apparently from a client computer, sure, but that client computer itself didn't detect anything, and they both use the same KES11 installation.

The only other way it could have spread to the FileServer would be that it spread through a Ricoh network multicopier, and that would be very bad if that were the case, because it could stay undetected and possibly untreated on that device for a long time.
Userlevel 5
Badge +4
Is there a possibility to provide us with a sample of that malware?
Thank you!
I would love to, but unfortunately there is nothing in the KSC backup to send, just the notification like in the picture I just added.

Hello. I have the exact same threat on one of my storage servers. I have no idea where this action comes from and need to find out what to do besides running full scans. This user is outside of our company, and I am assuming they tried to do something that was not allowed during a remote session and were blocked. I need to know what triggers this and what to do to correct it.

Thank you

Hi Adam,

Luckily I have not seen this issue resurface on any of my servers and client devices, so I guess that's good news, but I never did find out any more about this issue than I had already posted here.

I have the exact same detection, but using Kaspersky Anti-Ransomware Tool for Business, and it gives me even LESS information about it:

No other AV solution tested here detected this… Maybe it’s a Kaspersky engine bug?

Hello everyone.

I have the same detection too. It's in Brazilian Portuguese:
Detection:

Resultado:     Detectado: HEUR:Trojan.Multi.Crypmod.gen
Usuário:     DOMAIN\username (Iniciador)
Objeto:     System
Motivo:     Análise de comportamento
Data da versão do banco de dados:     08/01/2021 11:06:00
Sessão remota:     0x54ee8339
Host remoto:     10.10.10.29
Not neutralized

Resultado:     Não neutralizado: HEUR:Trojan.Multi.Crypmod.gen
Usuário:    DOMAIN\username (Iniciador)
Objeto:     System
Sessão remota:     0x54ee8339
Host remoto:     10.10.10.29
Does it have a solution? I tried Kaspersky Support but they didn't help much.
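Both the original post and the Brazilian Portuguese reply above paste KES "Behavior Detection" report entries as plain "Label: value" blocks, and in both cases the fields that actually let you pivot from the fileserver to the machine that opened the session are "Remote session" and "Remote host". The following Python is an added example, not code from the thread or from Kaspersky: it parses such blocks (English labels as in the KES11 report, pt-BR labels as shown in the later reply; treating them as one locale-independent mapping and the pt-BR value "Bloqueado" are assumptions), groups the entries per remote session, and flags sessions that never reached "Blocked" as the ones still needing follow-up on the remote host. The sample events are constructed after the entries in this thread and are not real logs.

```python
"""Parse KES 'Behavior Detection' report blocks and group them per remote session.

Example code written for this thread, not Kaspersky's. SAMPLE_EVENTS below are
constructed after the entries posted above (English and pt-BR), not real logs.
"""

# Field labels seen in the thread: English (KES11 report) and pt-BR (later reply).
# Treating these as one locale-independent mapping is an assumption of this example.
LABELS = {
    "result": ("Result", "Resultado"),
    "user": ("User", "Usuário"),
    "object": ("Object", "Objeto"),
    "reason": ("Reason", "Motivo"),
    "db_release": ("Database release date", "Data da versão do banco de dados"),
    "remote_session": ("Remote session", "Sessão remota"),
    "remote_host": ("Remote host", "Host remoto"),
    "component": ("Component",),
    "application": ("Application",),
}
LABEL_TO_KEY = {alias: key for key, aliases in LABELS.items() for alias in aliases}

# Result prefixes as they appear in the thread, normalised to one vocabulary.
# "Bloqueado" is an assumed pt-BR spelling; it does not appear in the thread.
STATUS = {
    "Detected": "detected", "Detectado": "detected",
    "Blocked": "blocked", "Bloqueado": "blocked",
    "Not neutralized": "not_neutralized", "Não neutralizado": "not_neutralized",
}


def parse_event(block: str) -> dict:
    """Turn one 'Label:   value' block into a dict keyed by the normalised names."""
    event = {}
    for line in block.splitlines():
        label, sep, value = line.partition(":")   # split on the FIRST colon only
        key = LABEL_TO_KEY.get(label.strip()) if sep else None
        if key:
            event[key] = value.strip()
    return event


def split_result(result: str):
    """'Blocked: HEUR:Trojan.X' -> ('blocked', 'HEUR:Trojan.X')."""
    prefix, _, detection = result.partition(":")
    prefix = prefix.strip()
    return STATUS.get(prefix, prefix.lower()), detection.strip()


def remote_host(event: dict):
    """Extract the host from 'Remote host: - (192.168.0.xxx)' or '10.10.10.29'."""
    raw = event.get("remote_host", "").strip().lstrip("- ").strip("()").strip()
    return raw or None


def summarize_sessions(blocks):
    """Group events by remote session id and decide which still need follow-up.

    A session counts as handled once KES reported 'Blocked' for it; a session
    that only ever reached 'Detected' or 'Not neutralized' is the one to chase
    down on the remote host.
    """
    sessions = {}
    for block in blocks:
        ev = parse_event(block)
        status, detection = split_result(ev.get("result", ""))
        key = ev.get("remote_session") or "local"
        s = sessions.setdefault(key, {
            "detection": detection,
            "user": ev.get("user"),
            "remote_host": remote_host(ev),
            "statuses": [],
        })
        s["statuses"].append(status)
    for s in sessions.values():
        s["needs_followup"] = "blocked" not in s["statuses"]
    return sessions


SAMPLE_EVENTS = [
    # Constructed after the two English KES11 entries in the original post.
    "Application: External application\nUser: DOMAIN_XXX\\USER_XXX (Initiator)\n"
    "Remote session: 0x1e08736c\nRemote host: - (192.168.0.xxx)\n"
    "Component: Behavior Detection\nResult: Detected: HEUR:Trojan.Multi.Crypmod.gen\n"
    "Object: External application\nReason: Behavior analysis\n"
    "Database release date: 9/23/2019 3:56:00 AM",
    "Application: External application\nUser: DOMAIN_XXX\\USER_XXX (Initiator)\n"
    "Remote session: 0x1e08736c\nRemote host: - (192.168.0.xxx)\n"
    "Component: Behavior Detection\nResult: Blocked: HEUR:Trojan.Multi.Crypmod.gen\n"
    "Object: External application\nReason: Dangerous action\n"
    "Database release date: 9/23/2019 3:56:00 AM",
    # Constructed after the two pt-BR entries in the later reply.
    "Resultado:     Detectado: HEUR:Trojan.Multi.Crypmod.gen\n"
    "Usuário:     DOMAIN\\username (Iniciador)\nObjeto:     System\n"
    "Motivo:     Análise de comportamento\n"
    "Data da versão do banco de dados:     08/01/2021 11:06:00\n"
    "Sessão remota:     0x54ee8339\nHost remoto:     10.10.10.29",
    "Resultado:     Não neutralizado: HEUR:Trojan.Multi.Crypmod.gen\n"
    "Usuário:    DOMAIN\\username (Iniciador)\nObjeto:     System\n"
    "Sessão remota:     0x54ee8339\nHost remoto:     10.10.10.29",
]

if __name__ == "__main__":
    for session, info in summarize_sessions(SAMPLE_EVENTS).items():
        print(session, info["remote_host"], info["statuses"],
              "FOLLOW UP" if info["needs_followup"] else "blocked")
```

Run over the constructed entries, session 0x1e08736c ends in "blocked" (the case in the original post, where the action was halted), while 0x54ee8339 ends in "not_neutralized" and is reported with its remote host 10.10.10.29 as the machine to examine next; the remote session id is also the value to search for in the client's own KES reports, since the fileserver event carries no path beyond "System".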
