
HEUR:Trojan.Multi.Crypmod.gen - Blocked on fileserver KES11



Hello,

On our Windows 2019 file server a "HEUR:Trojan.Multi.Crypmod.gen" was blocked, according to the KSC10 administration server Threats Report:

Path to file:     System
Result:     Blocked: HEUR:Trojan.Multi.Crypmod.gen
User:     DOMAIN_XXX\USERNAME_XXX (Initiator)
Object:     System
Reason:     Dangerous action
Database release date:     9/23/2019 3:56:00 AM
Remote session:     0x1e08736c
Remote host:     - (192.168.0.xxx)

Looking in the KES11 "Reports\Behavior Detection" on the file server I can see the following:

9/23/2019 4:48:27 PM     Malicious object detected     External application     DOMAIN_XXX\USER_XXX     Detected: HEUR:Trojan.Multi.Crypmod.gen     External application     Behavior analysis
Application:     External application
User:     DOMAIN_XXX\USER_XXX (Initiator)
Remote session:     0x1e08736c
Remote host:     - (192.168.0.xxx)
Component:     Behavior Detection
Result:     Detected: HEUR:Trojan.Multi.Crypmod.gen
Object:     External application
Reason:     Behavior analysis
Database release date:     9/23/2019 3:56:00 AM

9/23/2019 4:48:27 PM     Blocked     External application     DOMAIN_XXX\USER_XXX     Blocked: HEUR:Trojan.Multi.Crypmod.gen     External application     Dangerous action
Application:     External application
User:     DOMAIN_XXX\USER_XXX (Initiator)
Remote session:     0x1e08736c
Remote host:     - (192.168.0.xxx)
Component:     Behavior Detection
Result:     Blocked: HEUR:Trojan.Multi.Crypmod.gen
Object:     External application
Reason:     Dangerous action
Database release date:     9/23/2019 3:56:00 AM

Unfortunately I cannot find much more than this in the Kaspersky logging, and I cannot find anything at all about this in the KES11 logging on the user's computer. I've scanned all our servers and every client computer in our company and found nothing. What I do know is that this user used a private USB stick to print some pictures for his kid's birthday; this USB stick was placed in his (up to date) Windows 10 computer, but was also placed in the Ricoh printer itself, a device that I cannot scan.

Fortunately it looks like the program was halted before it could do anything, and since this happened we did not detect anything strange on our network or our computers. But the lack of information bothers me, especially because the user's client computer has no logging of this issue at all. Is there any way I can find out more about this Trojan.Multi.Crypmod.gen, or get more useful logging from KES or from KSC?
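One way to pull the pivot points out of entries like the ones quoted above, as an added example that is not from this thread or from Kaspersky: it parses the flattened KES 11 report lines, groups the Detected/Blocked pair by Remote session, and surfaces the Remote host address, which is the client the file server recorded as the initiator and therefore the machine to look at next. The sample report text is constructed from the posted entries (placeholders kept), and the field labels assume the English KES UI wording shown in them.

```python
import re
from collections import defaultdict

# Constructed sample: the two KES 11 "Reports\Behavior Detection" entries
# quoted in the opening post (placeholder user and host kept as posted).
SAMPLE_REPORT = r"""
9/23/2019 4:48:27 PM Malicious object detected External application DOMAIN_XXX\USER_XXX Detected: HEUR:Trojan.Multi.Crypmod.gen External application Behavior analysis Application: External application User: DOMAIN_XXX\USER_XXX (Initiator) Remote session: 0x1e08736c Remote host: - (192.168.0.xxx) Component: Behavior Detection Result: Detected: HEUR:Trojan.Multi.Crypmod.gen Object: External application Reason: Behavior analysis Database release date: 9/23/2019 3:56:00 AM
9/23/2019 4:48:27 PM Blocked External application DOMAIN_XXX\USER_XXX Blocked: HEUR:Trojan.Multi.Crypmod.gen External application Dangerous action Application: External application User: DOMAIN_XXX\USER_XXX (Initiator) Remote session: 0x1e08736c Remote host: - (192.168.0.xxx) Component: Behavior Detection Result: Blocked: HEUR:Trojan.Multi.Crypmod.gen Object: External application Reason: Dangerous action Database release date: 9/23/2019 3:56:00 AM
"""

# Field labels as the English KES UI prints them; a value runs from its label
# up to the next label, so values containing colons (Result) stay intact.
FIELDS = ["Application", "User", "Remote session", "Remote host", "Component",
          "Result", "Object", "Reason", "Database release date"]
_LABELS = "|".join(re.escape(f) for f in FIELDS)
_FIELD_RE = re.compile(rf"(?P<key>{_LABELS}):\s*(?P<val>.*?)(?=\s+(?:{_LABELS}):|$)")
_TS_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)")
_IP_RE = re.compile(r"\(([^)]+)\)")  # "Remote host: - (192.168.0.xxx)"


def parse_event(line):
    """Turn one flattened report line into a dict keyed by field name."""
    event = {m.group("key").lower().replace(" ", "_"): m.group("val")
             for m in _FIELD_RE.finditer(line)}
    ts = _TS_RE.match(line)
    event["timestamp"] = ts.group(1) if ts else None
    # Bare address out of "- (a.b.c.d)": the client the file server saw.
    ip = _IP_RE.search(event.get("remote_host", ""))
    event["remote_ip"] = ip.group(1) if ip else event.get("remote_host")
    return event


def correlate_by_session(report_text):
    """Group events by remote session, so the Detected/Blocked pair raised by
    one client connection is listed with the host to investigate next."""
    sessions = defaultdict(list)
    for line in report_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        sessions[ev.get("remote_session")].append(ev)
    return {
        sid: {
            "remote_ip": evs[0]["remote_ip"],
            "user": evs[0].get("user"),
            "results": [e.get("result", "") for e in evs],
            "blocked": any(e.get("result", "").startswith("Blocked") for e in evs),
        }
        for sid, evs in sessions.items()
    }
```

Feeding it an exported report with many entries gives one row per remote session, so a session whose results never reach "Blocked" (as in the later "Not neutralized" post) stands out immediately.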

Hi, thank you Nikolay for your answer. It's too bad that there isn't more information available, especially because I still have no clue as to how this got to my file server. Apparently from a client computer, sure, but that client computer itself didn't detect anything, and they both use the same KES11 installation. The only other way it could have spread to the file server would be through a Ricoh network multicopier, and that would be very bad if that were the case, because it could stay undetected and possibly untreated on that device for a long time.

  • 1 month later...

Hello. I have the exact same threat on one of my storage servers. I have no idea where this action comes from and need to find out what to do besides running full scans. This user is outside of our company, and I am assuming they tried to do something that was not allowed during a remote session and were blocked. I need to know what triggers this and what to do to correct it.

Thank you


  • 1 month later...

I have the exact same detection, but using Kaspersky Anti-Ransomware Tool for Business, and it gives me even LESS information about it:

No other AV solution tested here detected this… Maybe it’s a Kaspersky engine bug?


  • 11 months later...

Hello everyone.

I have the same detection too. It's in Portuguese (Brazil):

Detection:

Resultado:     Detectado: HEUR:Trojan.Multi.Crypmod.gen
Usuário:     DOMAIN\username (Iniciador)
Objeto:     System
Motivo:     Análise de comportamento
Data da versão do banco de dados:     08/01/2021 11:06:00
Sessão remota:     0x54ee8339
Host remoto:     10.10.10.29

Not neutralized:

Resultado:     Não neutralizado: HEUR:Trojan.Multi.Crypmod.gen
Usuário:    DOMAIN\username (Iniciador)
Objeto:     System
Sessão remota:     0x54ee8339
Host remoto:     10.10.10.29

Does it have a solution? I tried Kaspersky Support, but they didn't help much.
