Lockbits 11
Posted July 10, 2019

Hello guys,

In the customer where we're testing EEI we're seeing some alerts regarding Office documents saving executable files. We know that there's a lot of malware in Office format using a macro to download and then execute malware. The strange thing in the alerts we're seeing is that the saved file is always in .com format and always in a temporary folder. We manually searched for the file but it doesn't exist. We think it could be that Office is saving a .com file that belongs to some temporary procedure and not malware. I think modern Windows versions can't even execute .com files. What do you think?
itman 1,806
Posted July 10, 2019 (edited)

Quote:
NOTE: If a folder includes both EXE and COM files with the same filename (e.g., run.exe and run.com), the DOS or Windows command prompt will run the COM file if you type the filename without the extension.
https://fileinfo.com/extension/com

In other words, malware runs via a batch script.

Quote:
Taking advantage of this default behaviour, virus writers and other malicious programmers have used names like notepad.com for their creations, hoping that if it is placed in the same directory as the corresponding EXE file, a command or batch file may accidentally trigger their program instead of the text editor notepad.exe. Again, these .com files may in fact contain a .exe format executable. On Windows NT and derivatives (Windows 2000, Windows XP, Windows Vista, and Windows 7), the PATHEXT variable is used to override the order of preference (and acceptable extensions) for calling files without specifying the extension from the command line. The default value still places .com files before .exe files. This closely resembles a feature previously found in JP Software's line of extended command line processors 4DOS, 4OS2, and 4NT.
https://en.wikipedia.org/wiki/COM_file

Edited July 10, 2019 by itman
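The PATHEXT precedence quoted above is easy to reason about with a small simulation. The following is an added example (not code from this thread, from ESET or from the quoted sources): it resolves a bare command name the way cmd.exe does, walking the search path directory by directory and trying extensions in PATHEXT order, and it audits a listing for stems that exist with more than one executable extension in the same folder, which is the shadowing case the quote describes. The directory listing and the path values are constructed for the example; the PATHEXT string is the usual Windows default.

```python
"""Simulate Windows bare-name command resolution and audit for extension shadowing.

Added example; the directory contents below are constructed, not real hosts.
"""
from typing import Dict, List, Optional, Tuple

# Default PATHEXT on modern Windows: .COM is searched before .EXE.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"

# Constructed listing: directory -> file names present in it.
SAMPLE_DIRS: Dict[str, List[str]] = {
    r"C:\Windows\System32": ["notepad.exe", "tree.com", "more.com", "cmd.exe"],
    r"C:\Users\alice\AppData\Local\Temp": [
        "notepad.com", "run.exe", "run.com", "report.docx"
    ],
}


def parse_pathext(pathext: str) -> List[str]:
    """Split a PATHEXT value into lower-cased extensions, keeping its order."""
    return [e.strip().lower() for e in pathext.split(";") if e.strip()]


def resolve(name: str, search_path: List[str], dirs: Dict[str, List[str]],
            pathext: str = DEFAULT_PATHEXT) -> Optional[str]:
    """Return the full path cmd.exe would run for a bare `name`.

    Rule: directories are visited in search-path order; inside each directory
    every PATHEXT extension is tried in order; the first match wins.
    """
    exts = parse_pathext(pathext)
    for directory in search_path:
        present = {f.lower(): f for f in dirs.get(directory, [])}
        for ext in exts:
            candidate = (name + ext).lower()
            if candidate in present:
                return directory + "\\" + present[candidate]
    return None


def _ext_of(filename: str) -> str:
    stem, dot, ext = filename.rpartition(".")
    return ("." + ext.lower()) if dot else ""


def find_shadowing(dirs: Dict[str, List[str]],
                   pathext: str = DEFAULT_PATHEXT) -> List[Tuple[str, str, List[str]]]:
    """Report stems that appear with two or more PATHEXT extensions in one folder.

    Each finding is (directory, file that wins, files it shadows), which is
    what a defender wants to review: e.g. a run.com sitting beside run.exe.
    """
    rank = {e: i for i, e in enumerate(parse_pathext(pathext))}
    findings = []
    for directory, files in dirs.items():
        by_stem: Dict[str, List[str]] = {}
        for f in files:
            ext = _ext_of(f)
            if ext not in rank:
                continue  # not an executable extension under this PATHEXT
            stem = f[: -len(ext)].lower()
            by_stem.setdefault(stem, []).append(f)
        for stem, group in by_stem.items():
            if len(group) < 2:
                continue
            group.sort(key=lambda f: rank[_ext_of(f)])
            findings.append((directory, group[0], group[1:]))
    return findings


if __name__ == "__main__":
    order = [r"C:\Users\alice\AppData\Local\Temp", r"C:\Windows\System32"]
    print("notepad ->", resolve("notepad", order, SAMPLE_DIRS))
    for directory, winner, shadowed in find_shadowing(SAMPLE_DIRS):
        print(f"{directory}: {winner} shadows {', '.join(shadowed)}")
```

Note that the search-path order matters as much as PATHEXT: with the temp folder first, the bare name `notepad` resolves to the `.com` file there, while with System32 first it resolves to `notepad.exe`. Auditing for same-folder collisions is the cheap check; reviewing what precedes system folders in a user's PATH is the other half.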
Administrators Marcos 5,461
Posted July 10, 2019

First of all, EEI basically shouldn't have FPs because it doesn't say what is malicious and what is clean but informs you about suspicious and non-standard operations performed in your network. They can be legit or malicious; for legit ones it's possible to create exceptions so that such alerts are no longer triggered and reported.
Lockbits 11 (Author)
Posted July 10, 2019

16 minutes ago, Marcos said:
First of all, EEI basically shouldn't have FPs because it doesn't say what is malicious and what is clean but informs you about suspicious and non-standard operations performed in your network. They can be legit or malicious; for legit ones it's possible to create exceptions so that such alerts are no longer triggered and reported.

Hi Marcos,

Yes, it's not technically an FP. But I'm asking here if the alert I show is legit or malicious. I think it's legit. Do you know if Office creates .com files, or if it's a malicious symptom? Thank you.
Administrators Marcos 5,461
Posted July 10, 2019

After I clicked a link pointing to eicar in a document and saved it, the download URL could be seen after checking details of Firefox:
Lockbits 11 (Author)
Posted July 11, 2019

Hi Marcos, unfortunately in this case there is no link involved in the alert.
ESET Staff Lubomir 0
Posted July 18, 2019

Hi Lockbits!

The .com extension can still be executed on Windows; take as an example system utilities such as tree.com or more.com. Since content.mso is the folder where Office files are cached, it could easily be legit. However, when we look at it with a paranoid eye, it could also be the functionality of storing temporary files (or just the location) misused to store arbitrary data in a form that can be executed and then executed. So it's hard to tell for sure unless you have the file, or you know if it was executed.

To be on the safe side I would:
- check if any other suspicious events were done by that instance of winword (aggregated events, raw events)
- check if any other suspicious events happened on that computer
- find the d4ae7e10.com file itself (you already did this)
- find the file which was opened by word (look at the aggregated events tab of winword process or explorer process)
- find if d4ae7e10.com file was executed
- check the process tree (this process tree doesn't indicate that)
- use search to find any events for d4ae7e10.com
- search for d4ae7e10.com file in executables view
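Lubomir's checklist boils down to a few questions that can be answered from an event export: which process wrote the file, what document that process had open, whether the file ever appears as a started process, and what the parent chain of any such execution looks like. The following is an added example (not code from this thread, nor ESET's EEI export format): it runs that triage over a constructed list of process-start, file-open and file-write events in a hypothetical flat schema. The records, paths and PIDs are invented for the example; only the file name d4ae7e10.com and the Content.MSO cache folder come from the thread.

```python
"""Triage a suspicious dropped file against a small event export.

Added example. The event schema (type / pid / ppid / image / path) is a
hypothetical flat format, not EEI's own; the records are constructed.
"""
from typing import Any, Dict, List

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
DROPPED = (r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache"
           r"\Content.MSO\d4ae7e10.com")

# Constructed events: Word, launched from Explorer, opens a document and
# writes a .com file into its cache folder. Nothing executes the file.
EVENTS: List[Dict[str, Any]] = [
    {"ts": "2019-07-10T09:00:01", "type": "process_start", "pid": 100,
     "ppid": 10, "image": EXPLORER},
    {"ts": "2019-07-10T09:01:00", "type": "process_start", "pid": 200,
     "ppid": 100, "image": WINWORD},
    {"ts": "2019-07-10T09:01:05", "type": "file_open", "pid": 200,
     "path": r"C:\Users\alice\Downloads\quarterly_report.docx"},
    {"ts": "2019-07-10T09:01:07", "type": "file_write", "pid": 200,
     "path": DROPPED},
]

# Same story, but the dropped file is later started by Word itself.
EVENTS_EXECUTED: List[Dict[str, Any]] = EVENTS + [
    {"ts": "2019-07-10T09:01:09", "type": "process_start", "pid": 300,
     "ppid": 200, "image": DROPPED},
]


def _processes(events: List[Dict[str, Any]]) -> Dict[int, Dict[str, Any]]:
    """Index process_start events by PID (PIDs are assumed unique here)."""
    return {e["pid"]: e for e in events if e["type"] == "process_start"}


def ancestry(events: List[Dict[str, Any]], pid: int) -> List[str]:
    """Walk ppid links upward and return the image names, child first."""
    procs = _processes(events)
    chain: List[str] = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def _is_file(path: str, filename: str) -> bool:
    return path.lower().endswith("\\" + filename.lower())


def triage_file(events: List[Dict[str, Any]], filename: str) -> Dict[str, Any]:
    """Answer the checklist questions for `filename` from the event list."""
    procs = _processes(events)
    writes = [e for e in events
              if e["type"] == "file_write" and _is_file(e["path"], filename)]
    writer_pids = sorted({e["pid"] for e in writes})
    opened = [e["path"] for e in events
              if e["type"] == "file_open" and e["pid"] in writer_pids]
    executions = [e for e in procs.values() if _is_file(e["image"], filename)]
    return {
        # Who dropped it, and was it in the expected Office cache location?
        "written_by": [procs[p]["image"] for p in writer_pids if p in procs],
        "in_office_cache": any("content.mso" in e["path"].lower() for e in writes),
        # What the writer had open (the document to pull for analysis).
        "documents_opened": opened,
        # Did the file ever run, and from which process chain?
        "executed": bool(executions),
        "execution_parents": [ancestry(events, e["ppid"]) for e in executions],
    }


if __name__ == "__main__":
    for label, evs in (("benign", EVENTS), ("executed", EVENTS_EXECUTED)):
        print(label, triage_file(evs, "d4ae7e10.com"))
```

In the first data set the verdict matches the thread's outcome: written by WINWORD.EXE into Content.MSO, one document open, never executed. The second data set shows what a positive finding looks like, with the parent chain (WINWORD.EXE under explorer.exe) that the process-tree check in the list is meant to surface.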
Lockbits 11 (Author)
Posted July 19, 2019

Hi Lubomir, thanks for your reply. We'll follow your indications. Best regards.