I uploaded a document for analysis and saw very different reports when running in 32-bit vs. 64-bit. I was wondering if anyone has seen similar activity or might be able to help shed some light on why some of the activity below was reported.
Hybrid Analysis Reports (32 & 64 bit):https://www.hybrid-analysis.com/sample/c123968619dccdda53e9ec9a7d4985f550bbcc30a6b2ff24f06139edcebed750
I initially ran the scan in a Windows 7 32-bit Falcon Sandbox. There were a few malicious indicators, particularly the following:
cmd.exe cmd /c wmic ntdomain get domainname (PID: 2344)
cmd.exe cmd /c net localgroup administrators (PID: 2680)
cmd.exe cmd /c net group “domain admins” /domain (PID: 2032)
powershell.exe -exec bypass “import-module %WINDIR%m2.ps1” (PID: 2128)
DNS request: info.beahh.com
However, after analyzing this file in the 64-bit Falcon Sandbox we didn’t see any of these suspicious processes.
When I searched for information on that domain in alienvault I came across a number of similar samples that executed the same processes/parameters
Has anyone seen these processes show up in their reports? We had a 3rd party analyze the file and as far as we can tell the initial 32-bit scan was a false positive but it’s disconcerting to see that kind of activity show up in a report.