
EEI and alert D0806: FP?



Hello guys,

In the customer where we're testing EEI we're seeing some alerts regarding Office documents saving executable files. We know that there's a lot of malware in Office format that uses a macro to download and then execute a malware.

The strange thing in the alerts we're seeing is that the file that is saved is always in .com format and always in a temporary folder. We manually searched for the file but it doesn't exist. We think it could be that Office is saving a .com file that belongs to some temporary procedure and not a malware. I think modern Windows versions can't even execute .com files.

What do you think?

[screenshot of the EEI alert not included]

Quote

NOTE: If a folder includes both EXE and COM files with the same filename (e.g., run.exe and run.com), the DOS or Windows command prompt will run the COM file if you type the filename without the extension.

https://fileinfo.com/extension/com

In other words, malware runs via a batch script.

Quote

Taking advantage of this default behaviour, virus writers and other malicious programmers have used names like notepad.com for their creations, hoping that if it is placed in the same directory as the corresponding EXE file, a command or batch file may accidentally trigger their program instead of the text editor notepad.exe. Again, these .com files may in fact contain a .exe format executable.

On Windows NT and derivatives (Windows 2000, Windows XP, Windows Vista, and Windows 7), the PATHEXT variable is used to override the order of preference (and acceptable extensions) for calling files without specifying the extension from the command line. The default value still places .com files before .exe files. This closely resembles a feature previously found in JP Software's line of extended command line processors 4DOS, 4OS2, and 4NT.

https://en.wikipedia.org/wiki/COM_file

Edited by itman

  • Administrators

First of all, EEI basically shouldn't have FPs because it doesn't say what is malicious and what is clean but informs you about suspicious and non-standard operations performed in your network. They can be legit or malicious; for legit ones it's possible to create exceptions so that such alerts are no longer triggered and reported.


16 minutes ago, Marcos said:

First of all, EEI basically shouldn't have FPs because it doesn't say what is malicious and what is clean but informs you about suspicious and non-standard operations performed in your network. They can be legit or malicious; for legit ones it's possible to create exceptions so that such alerts are no longer triggered and reported.

Hi Marcos,

Yes, it's not technically an FP. But I'm asking here if the alert I show is legit or malicious. I think it's legit. Do you know if Office creates .com files, or if it's a malicious symptom?

Thank you.


  • Administrators

After I clicked a link pointing to EICAR in a document and saved it, the download URL could be seen after checking the details in Firefox.

[two screenshots not included]

  • ESET Staff

Hi Lockbits!

The .com extension can still be executed on Windows; take as an example system utilities such as tree.com or more.com.

Since content.mso is the folder where Office files are cached, it could easily be legit. However, when we look at it with a paranoid eye, it could also be the functionality of storing temporary files (or just the location) misused to store arbitrary data in a form that can be executed, and then executed. So it's hard to tell for sure unless you have the file, or you know whether it was executed.

To be on the safe side I would:
- check if any other suspicious events were done by that instance of winword (aggregated events, raw events)
- check if any other suspicious events happened on that computer
- find the d4ae7e10.com file itself (you already did this)
- find the file which was opened by word (look at the aggregated events tab of winword process or explorer process)
- find if d4ae7e10.com file was executed
    - check the process tree (this process tree doesn't indicate that)
    - use search to find any events for d4ae7e10.com
    - search for d4ae7e10.com file in executables view

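The checklist above can be turned into a small correlation routine. This is an added example, not ESET's code or EEI output: it runs over constructed process/file events (the winword PID, user name and paths are made up; only d4ae7e10.com and Content.MSO come from the thread) and reports who wrote the file, what that instance opened and spawned, and whether the file was ever executed.

```python
# Constructed sample telemetry, loosely shaped like EDR process/file events.
# For file_open/file_write, pid is the acting process; for process_create,
# pid is the parent and target is the new process image.
CACHE = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.MSO"
EVENTS = [
    {"ts": "12:17:58", "process": "winword.exe", "pid": 4120, "type": "file_open",
     "target": r"C:\Users\alice\Downloads\invoice.docx"},
    {"ts": "12:18:01", "process": "winword.exe", "pid": 4120, "type": "file_write",
     "target": CACHE + r"\d4ae7e10.com"},
    {"ts": "12:18:02", "process": "winword.exe", "pid": 4120, "type": "file_write",
     "target": CACHE + r"\3F1A2B7C.png"},
]

# Extensions that count as "dropped something executable".
EXEC_EXTS = (".com", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events, filename):
    """Answer the staff's checklist for one dropped file name."""
    name = filename.lower()
    writers = [e for e in events if e["type"] == "file_write" and basename(e["target"]) == name]
    pids = {e["pid"] for e in writers}
    # Was the file ever used as a process image (direct execution)?
    executed = any(e["type"] == "process_create" and basename(e["target"]) == name
                   for e in events)
    # What did the writing instance open, drop and spawn?
    opened = [e["target"] for e in events if e["type"] == "file_open" and e["pid"] in pids]
    other_drops = [e["target"] for e in events
                   if e["type"] == "file_write" and e["pid"] in pids
                   and basename(e["target"]) != name
                   and basename(e["target"]).endswith(EXEC_EXTS)]
    children = [basename(e["target"]) for e in events
                if e["type"] == "process_create" and e["pid"] in pids]
    if executed:
        verdict = "escalate: file was executed"
    elif other_drops or children:
        verdict = "suspicious: review the process tree"
    else:
        verdict = "probably cache artefact: no execution, no other drops, no children"
    return {"writers": sorted({e["process"] for e in writers}), "opened": opened,
            "other_drops": other_drops, "children": children,
            "executed": executed, "verdict": verdict}

if __name__ == "__main__":
    print(triage(EVENTS, "d4ae7e10.com"))
```

Adding a single process_create event for the .com file to the sample flips the verdict to "escalate", which is the difference between the benign cache case and the misuse the staff post describes.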
