Wininfo.exe alerts - Received alert from Traps regarding malware detection of maximum system

Mohammed_Yasin — Tue, 17 Aug 2021 08:09:24 GMT

received alert from Traps regarding malware detection of the maximum system due to file “Wininfo.exe”.

Please find a snapshot of one system and suggest how to fix this. Is there any impact?

CORTEXXDR

WildFire Malware

High

Source:XDR Agent

Category:Malware

Action:Detected (Post Detected)

Host:SS-akhil

Username:N/A

Starred:No

Excluded:No

Alert:1240

Incident:123

{
    "original_alert_json":{
        "uuid":"60950e6e927a42679814266964aa8edb",
        "recordType":"threat",
        "customerId":"1396903310",
        "severity":3,
        "generatedTime":"2021-08-13T09:14:58.439860Z",
        "originalAgentTime":"2021-08-13T09:14:58.439860Z",
        "serverTime":"2021-08-13T09:16:28.194296",
        "isEndpoint":1,
        "agentId":"8e6737354f7e37f0d7b25c330ebf0c7a",
        "endPointHeader":{
            "osVersion":"10.0.19043",
            "agentIp":"192.168.0.101",
            "deviceName":"SS-akhil",
            "agentVersion":"5.0.6.5109",
            "contentVersion":"193-67945",
            "policyTag":"ZWMzNzFjZWEwZThlYjVkYzA5YjZlYWNhMDI0NjlkZTk0OTU2NzgyNTIzM2U2NWQ5ODhmZmM2OTBiNGY5NDk3MjpGYWxzZTpESVNBQkxFRDpMSUNFTlNFXzIwX1BSRVZFTlQ=",
            "securityStatus":0,
            "protectionStatus":0,
            "deviceDomain":"ss.group",
            "userName":"akhilheda",
            "userDomain":"ss.group",
            "userSid":"S-1-5-21-3286644759-2474778216-3316818064-3298",
            "osType":1,
            "is64":1,
            "isVdi":0,
            "agentId":"8e6737354f7e37f0d7b25c330ebf0c7a",
            "agentTime":"2021-08-13T09:14:58.439860Z",
            "tzOffset":0
        },
        "messageData":{
            "eventCategory":"prevention",
            "moduleId":"COMPONENT_WILDFIRE_POST_DETECTION",
            "moduleStatusId":"CYSTATUS_MALICIOUS_EXE",
            "preventionKey":"ee6af308fc1611ebbcfa98fa9b5d3ad5",
            "processes":[

            ],
            "files":[
                {
                    "rawFullPath":"\\\\?\\C:\\ProgramData\\Lenovo\\ImController\\SystemPluginData\\LenovoSystemUpdatePlugin\\session\\Repository\\r0zuj05w\\wininfo.exe",
                    "fileName":"wininfo.exe",
                    "sha256":"3ae8462769a4d5012b66af226a196bb12571c72a231b66f07afcc838e878045c",
                    "fileSize":"82432"
                },
                {
                    "rawFullPath":"\\\\?\\C:\\ProgramData\\Lenovo\\ImController\\SystemPluginData\\LenovoSystemUpdatePlugin\\session\\Repository\\r0zuj12w\\wininfo.exe",
                    "fileName":"wininfo.exe",
                    "sha256":"3ae8462769a4d5012b66af226a196bb12571c72a231b66f07afcc838e878045c",
                    "fileSize":"82432"
                }
            ],
            "users":[

            ],
            "urls":[

            ],
            "postDetected":1,
            "sockets":[

            ],
            "block":0,
            "eventParameters":[
                "\\\\?\\C:\\ProgramData\\Lenovo\\ImController\\SystemPluginData\\LenovoSystemUpdatePlugin\\session\\Repository\\r0zuj12w\\wininfo.exe",
                "3ae8462769a4d5012b66af226a196bb12571c72a231b66f07afcc838e878045c",
                "3ae8462769a4d5012b66af226a196bb12571c72a231b66f07afcc838e878045c",
                "1"
            ],
            "fileIdx":0,
            "verdict":1,
            "preventionMode":"post_detected",
            "trapsSeverity":3,
            "profile":"Malware",
            "description":"WildFire Malware",
            "cystatusDescription":"Suspicious executable detected",
            "sourceFile":{
                "rawFullPath":"\\\\?\\C:\\ProgramData\\Lenovo\\ImController\\SystemPluginData\\LenovoSystemUpdatePlugin\\session\\Repository\\r0zuj05w\\wininfo.exe",
                "fileName":"wininfo.exe",
                "sha256":"3ae8462769a4d5012b66af226a196bb12571c72a231b66f07afcc838e878045c",
                "fileSize":"82432"
            },
            "policyId":"3a2d7cfbae6c4ab39e8ffcd727140573"
        }
    },
    "internal_id":1240,
    "external_id":"ee6af308fc1611ebbcfa98fa9b5d3ad5",
    "severity":"SEV_040_HIGH",
    "matching_status":"MATCHED",
    "detection_modules":null,
    "end_match_attempt_ts":null,
    "alert_source":"TRAPS",
    "local_insert_ts":1628846247856,
    "source_insert_ts":1628846157839,
    "alert_name":"WildFire Malware",
    "alert_category":"Malware",
    "alert_description":"Suspicious executable detected",
    "bioc_indicator":null,
    "matching_service_rule_id":null,
    "attempt_counter":0,
    "bioc_category_enum_key":null,
    "alert_action_status":"POST_DETECTED",
    "case_id":123,
    "is_whitelisted":false,
    "starred":false,
    "deduplicate_tokens":null,
    "filter_rule_id":null,
    "mitre_technique_id_and_name":[
        ""
    ],
    "mitre_tactic_id_and_name":[
        ""
    ],
    "agent_id":"8e6737354f7e37f0d7b25c330ebf0c7a",
    "agent_version":"5.0.6.5109",
    "agent_ip_addresses":[
        "192.168.0.101"
    ],
    "agent_hostname":"SS-akhil",
    "agent_device_domain":"ss.group",
    "agent_fqdn":"SS-akhil.ss.group",
    "agent_os_type":"AGENT_OS_WINDOWS",
    "agent_os_sub_type":"10.0.19043",
    "agent_data_collection_status":null,
    "mac":null,
    "agent_is_vdi":null,
    "agent_install_type":"STANDARD",
    "agent_host_boot_time":null,
    "event_sub_type":null,
    "module_id":[
        "WildFire post detection"
    ],
    "module_name":[
        "COMPONENT_WILDFIRE_POST_DETECTION"
    ],
    "association_strength":null,
    "dst_association_strength":null,
    "story_id":null,
    "is_disintegrated":null,
    "event_id":null,
    "event_type":[
        3
    ],
    "event_timestamp":[
        1628846098439
    ],
    "actor_effective_username":[
        "N\/A"
    ],
    "actor_process_instance_id":null,
    "actor_process_image_path":null,
    "actor_process_image_name":null,
    "actor_process_command_line":null,
    "actor_process_signature_status":[
        "SIGNATURE_UNAVAILABLE"
    ],
    "actor_process_signature_vendor":null,
    "actor_process_image_sha256":null,
    "actor_process_image_md5":null,
    "actor_process_causality_id":null,
    "actor_causality_id":null,
    "actor_process_os_pid":null,
    "actor_thread_thread_id":null,
    "actor_process_execution_time":null,
    "causality_actor_process_image_name":null,
    "causality_actor_process_command_line":null,
    "causality_actor_process_image_path":null,
    "causality_actor_process_instance_id":null,
    "causality_actor_process_os_pid":null,
    "causality_actor_process_signature_vendor":null,
    "causality_actor_process_signature_status":[
        "SIGNATURE_UNAVAILABLE"
    ],
    "causality_actor_causality_id":null,
    "causality_actor_process_execution_time":null,
    "causality_actor_process_image_md5":null,
    "causality_actor_process_image_sha256":null,
    "action_file_path":[
        "\\\\?\\C:\\ProgramData\\Lenovo\\ImController\\SystemPluginData\\LenovoSystemUpdatePlugin\\session\\Repository\\r0zuj12w\\wininfo.exe"
    ],
    "action_file_name":[
        "wininfo.exe"
    ],
    "action_file_md5":null,
    "action_file_sha256":[
        "3ae8462769a4d5012b66af226a196bb12571c72a231b66f07afcc838e878045c"
    ],
    "action_file_macro_sha256":null,
    "action_registry_data":null,
    "action_registry_key_name":null,
    "action_registry_value_name":null,
    "action_registry_full_key":null,
    "action_local_ip":null,
    "action_local_port":null,
    "action_remote_ip":null,
    "action_remote_port":null,
    "action_external_hostname":null,
    "action_country":[
        "UNKNOWN"
    ],
    "action_process_instance_id":null,
    "action_process_causality_id":null,
    "action_process_image_name":null,
    "action_process_image_sha256":null,
    "action_process_image_command_line":null,
    "action_process_signature_status":[
        "SIGNATURE_UNAVAILABLE"
    ],
    "action_process_signature_vendor":null,
    "action_process_image_path":null,
    "action_process_image_md5":null,
    "action_process_os_pid":null,
    "os_actor_effective_username":null,
    "os_actor_process_instance_id":null,
    "os_actor_process_image_path":null,
    "os_actor_process_image_name":null,
    "os_actor_process_command_line":null,
    "os_actor_process_signature_status":[
        "SIGNATURE_UNAVAILABLE"
    ],
    "os_actor_process_signature_vendor":null,
    "os_actor_process_image_md5":null,
    "os_actor_process_image_sha256":null,
    "os_actor_process_causality_id":null,
    "os_actor_causality_id":null,
    "os_actor_process_os_pid":null,
    "os_actor_thread_thread_id":null,
    "os_actor_process_execution_time":null,
    "fw_app_id":null,
    "fw_interface_from":null,
    "fw_interface_to":null,
    "fw_rule":null,
    "fw_rule_id":null,
    "fw_device_name":null,
    "fw_serial_number":null,
    "fw_url_domain":null,
    "fw_email_subject":null,
    "fw_email_sender":null,
    "fw_email_recipient":null,
    "fw_app_subcategory":null,
    "fw_app_category":null,
    "fw_app_technology":null,
    "fw_vsys":null,
    "fw_xff":null,
    "fw_misc":null,
    "fw_is_phishing":[
        "NOT_AVAILABLE"
    ],
    "dst_agent_id":null,
    "dst_causality_actor_process_execution_time":null,
    "dns_query_name":null,
    "dst_action_external_hostname":null,
    "dst_action_country":null,
    "dst_action_external_port":null,
    "is_pcap":null,
    "contains_featured_host":[
        "NO"
    ],
    "contains_featured_user":[
        "NO"
    ],
    "contains_featured_ip":[
        "NO"
    ],
    "image_name":null,
    "container_id":null,
    "cluster_name":null,
    "remote_cid":null,
    "events_length":1,
    "is_excluded":false
}

topic Wininfo.exe alerts - Received alert from Traps regarding malware detection of maximum system in Advanced Threat Prevention Discussions

Wininfo.exe alerts - Received alert from Traps regarding malware detection of maximum system