Lockbits

EEI and alert D0806: FP?


Hello guys,

In the customer where we're testing EEI we're seeing some alerts regarding Office documents saving executable files. We know that there's a lot of malware in Office format using macros to download and then execute a malware.

The strange thing in the alerts we're seeing is that the file that is saved is always in .com format and always in a temporary folder. We manually searched for the file but it doesn't exist. We think it could be that Office is saving a .com file that belongs to some temporary procedure and not a malware. I think modern Windows versions can't even execute .com files.

What do you think?


Quote

NOTE: If a folder includes both EXE and COM files with the same filename (e.g., run.exe and run.com), the DOS or Windows command prompt will run the COM file if you type the filename without the extension.

https://fileinfo.com/extension/com

In other words, malware runs via a batch script.

Quote

Taking advantage of this default behaviour, virus writers and other malicious programmers have used names like notepad.com for their creations, hoping that if it is placed in the same directory as the corresponding EXE file, a command or batch file may accidentally trigger their program instead of the text editor notepad.exe. Again, these .com files may in fact contain a .exe format executable.

On Windows NT and derivatives (Windows 2000, Windows XP, Windows Vista, and Windows 7), the PATHEXT variable is used to override the order of preference (and acceptable extensions) for calling files without specifying the extension from the command line. The default value still places .com files before .exe files. This closely resembles a feature previously found in JP Software's line of extended command line processors 4DOS, 4OS2, and 4NT.

https://en.wikipedia.org/wiki/COM_file

Edited by itman
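The two quotes above describe how the command interpreter picks a file when a name is typed without an extension: it walks PATHEXT in order, and the default order puts .COM ahead of .EXE, so a same-named .com file wins over the .exe. The following script is an added example (not from the thread or from ESET) that models that resolution and, from the defender's side, lists basenames in a directory that exist with more than one executable extension, which is the "notepad.com beside notepad.exe" situation the Wikipedia excerpt warns about. The PATHEXT value is the documented Windows default, included literally as an assumption so the code runs on any platform; the files it creates are constructed placeholders, not executables.

```python
import os
import tempfile

# Documented default PATHEXT order on Windows (.COM before .EXE). Embedded as
# an assumption so the example does not depend on the host environment.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"


def _ext_list(pathext):
    return [e.lower() for e in pathext.split(";") if e]


def resolve_command(name, directories, pathext=DEFAULT_PATHEXT):
    """Return the file the interpreter would run for `name` typed without an
    extension: directories in PATH order, and within each directory the
    extensions in PATHEXT order. Returns None if nothing matches."""
    for d in directories:
        for ext in _ext_list(pathext):
            candidate = os.path.join(d, name + ext)
            if os.path.isfile(candidate):
                return candidate
    return None


def find_shadowing_pairs(directory, pathext=DEFAULT_PATHEXT):
    """Report basenames that exist with more than one executable extension in
    `directory`, saying which file PATHEXT order selects and which it hides.
    A .com shadowing an .exe of the same name is worth a closer look."""
    exts = _ext_list(pathext)
    by_base = {}
    for fname in os.listdir(directory):
        base, ext = os.path.splitext(fname)
        if ext.lower() in exts:
            by_base.setdefault(base.lower(), []).append(ext.lower())
    result = {}
    for base, found in by_base.items():
        if len(found) > 1:
            ordered = sorted(found, key=exts.index)  # PATHEXT precedence
            result[base] = {
                "winner": base + ordered[0],
                "shadowed": [base + e for e in ordered[1:]],
            }
    return result


def demo_shadowing():
    """Build a constructed directory with notepad.exe, notepad.com and calc.exe
    and show that 'notepad' resolves to the .com file."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("notepad.exe", "notepad.com", "calc.exe"):
            with open(os.path.join(d, fname), "w") as f:
                f.write("placeholder")  # constructed stand-in, not real code
        resolved = resolve_command("notepad", [d])
        pairs = find_shadowing_pairs(d)
    return os.path.basename(resolved), pairs


if __name__ == "__main__":
    winner, pairs = demo_shadowing()
    print("typed 'notepad' ->", winner)
    print("shadowing pairs:", pairs)
```

Running `find_shadowing_pairs` over a directory on PATH (or over a cache folder such as the one in the alert) turns the quoted rule into a concrete check: any basename that appears with both .com and .exe is flagged, and the report says which one the interpreter would actually launch.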


First of all, EEI basically shouldn't have FPs because it doesn't say what is malicious and what is clean but informs you about suspicious and non-standard operations performed in your network. They can be legit or malicious; for legit ones it's possible to create exceptions so that such alerts are no longer triggered and reported.

16 minutes ago, Marcos said:

First of all, EEI basically shouldn't have FPs because it doesn't say what is malicious and what is clean but informs you about suspicious and non-standard operations performed in your network. They can be legit or malicious; for legit ones it's possible to create exceptions so that such alerts are no longer triggered and reported.

Hi Marcos,

Yes, it's not technically an FP. But I'm asking here if the alert I show is legit or malicious. I think it's legit. Do you know if Office creates .com files, or is it a malicious symptom?

Thank you.


After I clicked a link pointing to EICAR in a document and saved it, the download URL could be seen after checking the details of Firefox:


Hi Marcos,

Unfortunately, in this case there is no link involved in the alert.


Hi Lockbits!

The .com extension can still be executed on Windows; take as an example system utilities such as tree.com or more.com.

Since content.mso is the folder where Office files are cached, it could easily be legit. However, when we look at it with a paranoid eye, it could also be the functionality of storing temporary files (or just the location) misused to store arbitrary data in a form that can be executed, and then executed. So it's hard to tell for sure unless you have the file, or you know whether it was executed.

To be on the safe side I would:
- check if any other suspicious events were done by that instance of winword (aggregated events, raw events)
- check if any other suspicious events happened on that computer
- find the d4ae7e10.com file itself (you already did this)
- find the file which was opened by word (look at the aggregated events tab of winword process or explorer process)
- find if d4ae7e10.com file was executed
    - check the process tree (this process tree doesn't indicate that)
    - use search to find any events for d4ae7e10.com
    - search for d4ae7e10.com file in executables view
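The checklist above is a correlation task: find who wrote d4ae7e10.com, whether anything ever started it as a process, what document the writing winword instance had open, and what else that process did. The script below is an added example (not from the thread, and not EEI's API or schema) that runs those checks over a handful of constructed JSON-lines events in a simplified, hypothetical EDR shape; the paths, PIDs and timestamps are made up, and the filename is the one from the alert. The sample deliberately includes an unrelated more.com process start so the execution check is shown not to match on a different .com file.

```python
import json
import ntpath

# Constructed sample events in a simplified JSON-lines shape assumed for this
# example. This is not EEI's real event format; paths and PIDs are invented.
SAMPLE_EVENTS = r"""
{"ts": "2019-07-11T18:30:01", "type": "ProcessStart", "process": "C:\\Windows\\explorer.exe", "pid": 1200, "ppid": 800, "target": ""}
{"ts": "2019-07-11T18:30:05", "type": "ProcessStart", "process": "C:\\Office\\winword.exe", "pid": 4100, "ppid": 1200, "target": "C:\\Users\\u\\Downloads\\invoice.docx"}
{"ts": "2019-07-11T18:30:06", "type": "FileOpen", "process": "C:\\Office\\winword.exe", "pid": 4100, "ppid": 1200, "target": "C:\\Users\\u\\Downloads\\invoice.docx"}
{"ts": "2019-07-11T18:30:40", "type": "FileWrite", "process": "C:\\Office\\winword.exe", "pid": 4100, "ppid": 1200, "target": "C:\\Users\\u\\cache\\content.mso\\d4ae7e10.com"}
{"ts": "2019-07-11T18:30:41", "type": "FileDelete", "process": "C:\\Office\\winword.exe", "pid": 4100, "ppid": 1200, "target": "C:\\Users\\u\\cache\\content.mso\\d4ae7e10.com"}
{"ts": "2019-07-11T18:31:00", "type": "ProcessStart", "process": "C:\\Windows\\System32\\more.com", "pid": 4300, "ppid": 1200, "target": ""}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    # ntpath so Windows-style paths split correctly on any host
    return ntpath.basename(path).lower()


def triage(events, filename):
    """Apply the checklist: writer of the file, any process start of it,
    documents opened by the writer, and the writer's other activity."""
    target = filename.lower()
    writers = [(e["process"], e["pid"]) for e in events
               if e["type"] == "FileWrite" and _basename(e["target"]) == target]
    # Execution: the file appears as the image of a started process, or as the
    # target of a ProcessStart event (some sensors log the child there).
    started = [e for e in events if e["type"] == "ProcessStart"
               and (_basename(e["process"]) == target
                    or _basename(e["target"]) == target)]
    writer_pids = {pid for _, pid in writers}
    sibling = [e for e in events if e["pid"] in writer_pids
               and not (e["type"] == "FileWrite"
                        and _basename(e["target"]) == target)]
    opened = [e["target"] for e in sibling if e["type"] == "FileOpen"]
    deleted = any(e["type"] == "FileDelete" and _basename(e["target"]) == target
                  for e in events)
    return {
        "written_by": writers,
        "executed": bool(started),
        "deleted_after_write": deleted,
        "opened_documents": opened,
        "other_events_by_writer": [(e["ts"], e["type"], e["target"]) for e in sibling],
    }


def run_demo():
    return triage(parse_events(SAMPLE_EVENTS), "d4ae7e10.com")


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the constructed input the verdict is "written and then deleted by winword, never executed", which is the benign cache pattern the thread is weighing; an `executed: True` or a writer other than the Office process would be the signal to pull the file and the parent document for a closer look.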


Hi Lubomir,

Thanks for your reply. We’ll follow your indications. 

Best regards. 
