cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
880
Views
10
Helpful
3
Replies

Could not get a handle on the process's executable

ADS_18
Level 1
Level 1

We have a Windows server running on 7.5.3 (Scheduled for upgrade to 8.1.3 shortly). There is a threat detected on the server and it was successfully quarantined. When viewing the details of the event in Event Trajectory, it says on the detected file "Created by an unknown process. Could not get a handle on the process's executable."

What could cause this message to occur? 


File detected is: 

Detected DuctSizer.exeDucts 6.0.0.0 (2b5619fb…a585381a)[PE_Executable] as W32.2B5619FB9D-85.LP.RET.SBX.TG.

 

File full path: ?:\[sanitized]\DuctSizer.exe

File SHA-1: c36324d2b1c33c2e981cb1261034b39833fc8842.

File MD5: c6d187bbd5422656405360cde4450b07.

File size: 90112 bytes.

Detected by the SHA engines.

 

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Roman Valenta
Cisco Employee
Cisco Employee

Lets first look at the file itself. Based on the MD5 this file is currently flagged as malicious by our SHA engine. However , this could be also a false positive event and the only way how to make sure is to open TAC case , submit the artifact to the case notes password protected "infected" and let our lab review the file. In case of FP event the disposition will be reverted.

 

Currently Full Report based on your MD5 hash:

SHA256: 2b5619fb9d93d7aebe1df4af020d363d6d8de04f81d74705223fba2ba585381a

Detections:

13/72
ClamAV: Not Detected
TETRA: Not Detected
Sophos: Not Detected
McAfee:

Detected
File Name: DuctSizer.exe
File Size: 88 KB
File Type: Win32 EXE
File Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Product Name: Ducts
Product Version: 6.00
First Seen: 2017-11-27 03:20:50 UTC
Last Scanned: 2022-12-22 18:15:56 UTC
Rescan
Threat Grid No report returned. File has been submitted for private analysis.
Talos Intel No report returned.
AMP Cloud Disposition:

Malicious
Threat Name: W32.2B5619FB9D-85.LP.RET.SBX.TG
Last Assigned Malicious: 2020-12-05 13:12:32 UTC
Threat Metascore: 68

 

Here lets pay attention to the Threat Metascore which shows only 68 this number is under the expected Threat Score for innocuous files. A higher number means that the threat can be legit, for example a Threat Score of 95 indicates that is almost sure that the file is malicious. For example a simple Excel file with Macros that opens another Excel document can reach a Threat Score of 85 due to Visual Basic for Applications and so on...

Also Last Time it was assigned as malicious was 2 yrs ago.

"Created by an unknown process. Could not get a handle on the process's executable."

 

Basically, what that means is that we couldn’t get a handle on the process or the process was short-lived and died before we could see the handle.

This message could also appear if the file was not quarantined because It was moved, deleted or already quarantined.

// Retrospective Quarantine.

Some time what we see is that file was quarantined by another engine and once Cloud Lookup is done a different engine try to pull the file retroactively based on it's last know location,  but the file is not there as it was previous quarantined.

In other words, the AMP connector analyze the files, get the sha and compares it with the Cloud, this process usually take a second, however, in that time the file could be deleted or moved and when the AMP connector tries to quarantine the file, it can't because the file isn’t there anymore.

AMP connector saves that SHA and disposition in the cache, so, next time the AMP connector see that SHA It will be quarantined because now we don’t have to ask the AMP Cloud to know if the file is Malicious or not.


Lastly what is DuctSizer?

 

Based on quick look up it seem to be some sort of small app for duct calculations. See the description bellow

DuctSizer is a tool that can quickly find the correct round, rectangular or oval duct size to fit on your inputs. You can use DuctSizer when you need quick, accurate answers to straight duct size or pressure loss questions. DuctSizer includes these features: English (IP) and/or SI units, with defaults saved, temperature and altitude corrected calculations, duct roughness input and reference information, calculations for any length of straight duct and calculations for round, rectangular and oval ducts.

http://www.linric.com/ductsizer.htm

 

If your org is in that type of business where this tool can be utilized , perhaps one of your users download this tool to use it in their project. Again based on the description it seems to be legit file and it would have to go through our lab first to positively determine if this is false positive event or not.

 

 

View solution in original post

3 Replies 3

Roman Valenta
Cisco Employee
Cisco Employee

Lets first look at the file itself. Based on the MD5 this file is currently flagged as malicious by our SHA engine. However , this could be also a false positive event and the only way how to make sure is to open TAC case , submit the artifact to the case notes password protected "infected" and let our lab review the file. In case of FP event the disposition will be reverted.

 

Currently Full Report based on your MD5 hash:

SHA256: 2b5619fb9d93d7aebe1df4af020d363d6d8de04f81d74705223fba2ba585381a

Detections:

13/72
ClamAV: Not Detected
TETRA: Not Detected
Sophos: Not Detected
McAfee:

Detected
File Name: DuctSizer.exe
File Size: 88 KB
File Type: Win32 EXE
File Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Product Name: Ducts
Product Version: 6.00
First Seen: 2017-11-27 03:20:50 UTC
Last Scanned: 2022-12-22 18:15:56 UTC
Rescan
Threat Grid No report returned. File has been submitted for private analysis.
Talos Intel No report returned.
AMP Cloud Disposition:

Malicious
Threat Name: W32.2B5619FB9D-85.LP.RET.SBX.TG
Last Assigned Malicious: 2020-12-05 13:12:32 UTC
Threat Metascore: 68

 

Here lets pay attention to the Threat Metascore which shows only 68 this number is under the expected Threat Score for innocuous files. A higher number means that the threat can be legit, for example a Threat Score of 95 indicates that is almost sure that the file is malicious. For example a simple Excel file with Macros that opens another Excel document can reach a Threat Score of 85 due to Visual Basic for Applications and so on...

Also Last Time it was assigned as malicious was 2 yrs ago.

"Created by an unknown process. Could not get a handle on the process's executable."

 

Basically, what that means is that we couldn’t get a handle on the process or the process was short-lived and died before we could see the handle.

This message could also appear if the file was not quarantined because It was moved, deleted or already quarantined.

// Retrospective Quarantine.

Some time what we see is that file was quarantined by another engine and once Cloud Lookup is done a different engine try to pull the file retroactively based on it's last know location,  but the file is not there as it was previous quarantined.

In other words, the AMP connector analyze the files, get the sha and compares it with the Cloud, this process usually take a second, however, in that time the file could be deleted or moved and when the AMP connector tries to quarantine the file, it can't because the file isn’t there anymore.

AMP connector saves that SHA and disposition in the cache, so, next time the AMP connector see that SHA It will be quarantined because now we don’t have to ask the AMP Cloud to know if the file is Malicious or not.


Lastly what is DuctSizer?

 

Based on quick look up it seem to be some sort of small app for duct calculations. See the description bellow

DuctSizer is a tool that can quickly find the correct round, rectangular or oval duct size to fit on your inputs. You can use DuctSizer when you need quick, accurate answers to straight duct size or pressure loss questions. DuctSizer includes these features: English (IP) and/or SI units, with defaults saved, temperature and altitude corrected calculations, duct roughness input and reference information, calculations for any length of straight duct and calculations for round, rectangular and oval ducts.

http://www.linric.com/ductsizer.htm

 

If your org is in that type of business where this tool can be utilized , perhaps one of your users download this tool to use it in their project. Again based on the description it seems to be legit file and it would have to go through our lab first to positively determine if this is false positive event or not.

 

 

ADS_18
Level 1
Level 1

Hi @Roman Valenta,

Thanks for your response. I have opened a TAC case and uploaded the artifact for analysis.

Regarding the below details,

Last Assigned Malicious: 2020-12-05 13:12:32 UTC
Threat Metascore: 68

Are they only available on your end? I cannot seem to see them in Cisco Secure Endpoint console.

Thank a lot for your detailed explanation about "Created by an unknown process. Could not get a handle on the process's executable." 

Yes that info was gathered via our internal tool.  The Last Assigned Malicious is otherwise gathered via Malware Analytic (Formerly know as Threat Grid)