I uploaded a document for analysis and saw very different reports when running in 32-bit vs. 64-bit. I was wondering if anyone has seen similar activity or might be able to help shed some light on why some of the activity below was reported.

Hybrid Analysis reports (32- and 64-bit): https://www.hybrid-analysis.com/sample/c123968619dccdda53e9ec9a7d4985f550bbcc30a6b2ff24f06139edcebed750

I initially ran the scan in a Windows 7 32-bit Falcon Sandbox. There were a few malicious indicators, particularly the following:

Processes:

cmd.exe cmd /c wmic ntdomain get domainname (PID: 2344)

cmd.exe cmd /c net localgroup administrators (PID: 2680)

cmd.exe cmd /c net group "domain admins" /domain (PID: 2032)

powershell.exe -exec bypass "import-module %WINDIR%m2.ps1" (PID: 2128)

DNS request: info.beahh.com

However, after analyzing this file in the 64-bit Falcon Sandbox we didn’t see any of these suspicious processes.

When I searched for information on that domain in AlienVault OTX, I came across a number of similar samples that executed the same processes/parameters:

https://otx.alienvault.com/indicator/hostname/info.beahh.com

Has anyone seen these processes show up in their reports? We had a third party analyze the file, and as far as we can tell the initial 32-bit scan was a false positive, but it's disconcerting to see that kind of activity show up in a report.

Thanks

submitted by /u/TM3150
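The indicators in the post (the four recon command lines and the DNS query) are easy to turn into detection logic for process-creation and DNS telemetry. The following is an added example, not code from the post, from Hybrid Analysis or from the sample's author: it runs the post's indicators over a handful of constructed Sysmon-style JSON events (host names, the event shape and the PIDs reused from the post are all assumptions) and only alerts on a host when several distinct indicators cluster together or the beahh.com lookup appears, because a single `net localgroup administrators` is routine on an admin workstation and would otherwise be exactly the kind of false positive the post worries about.

```python
"""Match the command-line and DNS indicators quoted in the post above
against Sysmon-like events and alert only on a clustered recon pattern.
Added example with constructed sample data; not a real sandbox export."""
import json
import re
from collections import defaultdict

# Indicators taken from the 32-bit report in the post. Patterns are
# case-insensitive and tolerant of quoting/whitespace, since sandboxes and
# Sysmon normalise command lines differently.
PROCESS_INDICATORS = {
    "wmic_ntdomain": re.compile(
        r"\bwmic\b.*\bntdomain\b.*\bget\b.*\bdomainname\b", re.I),
    "net_localgroup_admins": re.compile(
        r"\bnet1?\b.*\blocalgroup\b.*\badministrators\b", re.I),
    "net_domain_admins": re.compile(
        r"\bnet1?\b.*\bgroup\b.*domain admins.*/domain", re.I),
    "powershell_bypass_import": re.compile(
        r"\bpowershell(\.exe)?\b.*-exec(utionpolicy)?\s+bypass\b.*\bimport-module\b", re.I),
}
DNS_INDICATORS = {"info.beahh.com"}

# Constructed sample events (assumption: Sysmon-like JSON lines, EventID 1 =
# process creation, EventID 22 = DNS query). Host names are made up; the
# PIDs and command lines are the ones quoted in the post. The last line is
# benign admin activity that must NOT raise an alert on its own.
SAMPLE_LOG = r"""
{"EventID": 1, "Host": "sbx-32", "ProcessId": 2344, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c wmic ntdomain get domainname"}
{"EventID": 1, "Host": "sbx-32", "ProcessId": 2680, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c net localgroup administrators"}
{"EventID": 1, "Host": "sbx-32", "ProcessId": 2032, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c net group \"domain admins\" /domain"}
{"EventID": 1, "Host": "sbx-32", "ProcessId": 2128, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -exec bypass \"import-module %WINDIR%m2.ps1\""}
{"EventID": 22, "Host": "sbx-32", "ProcessId": 2128, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "info.beahh.com"}
{"EventID": 1, "Host": "admin-ws", "ProcessId": 4100, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c net localgroup administrators"}
"""


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_event(ev):
    """Return the indicator name an event matches, or None."""
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "")
        for name, rx in PROCESS_INDICATORS.items():
            if rx.search(cmd):
                return name
    elif ev.get("EventID") == 22:
        qname = ev.get("QueryName", "").lower().rstrip(".")
        if qname in DNS_INDICATORS:
            return "dns_" + qname
    return None


def detect(events, min_distinct=3):
    """Group indicator hits per host. A host is flagged when at least
    min_distinct different indicators occur, or the beahh.com DNS query is
    seen at all; a lone recon command is treated as expected admin noise.
    (min_distinct=3 is an arbitrary threshold, not from the post.)"""
    per_host = defaultdict(list)
    for ev in events:
        name = match_event(ev)
        if name:
            per_host[ev["Host"]].append((ev["ProcessId"], name))
    findings = {}
    for host, hits in per_host.items():
        distinct = {n for _, n in hits}
        dns_hit = any(n.startswith("dns_") for n in distinct)
        findings[host] = {
            "hits": hits,
            "alert": len(distinct) >= min_distinct or dns_hit,
        }
    return findings


if __name__ == "__main__":
    for host, result in detect(load_events(SAMPLE_LOG)).items():
        flag = "ALERT" if result["alert"] else "info"
        print(f"[{flag}] {host}: {[n for _, n in result['hits']]}")
```

The clustering step is the important design choice: each of these commands is legitimate on its own (helpdesk scripts run `net localgroup administrators` all day), so the signal is the combination, ideally tied to a parent process that should never spawn a shell, such as a document reader, which the post's report does not record and this example therefore does not assume.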