cuckoosandbox / community

Repository of modules and signatures contributed by the community

New sig for when Office products use WMI #508

Closed cccs-kevin closed 2 years ago

cccs-kevin commented 3 years ago

When an Office product uses WMI, this should be flagged as malicious or at least very suspicious.

Samples that raise this signature:

https://www.virustotal.com/gui/file/5d3c9aebb0cae9d71e339df6dda52da6679ea1b95090eb51c66032f93516e800
https://www.virustotal.com/gui/file/1efd860e8367e87cfeb1cd59bfdf022f08bd4cf6411c29fdb514730d2f498018
https://www.virustotal.com/gui/file/7e76ae4f9778aa69a4adbf9766d0404ceb040c7db68f9358437c47f96151ee95
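The check the issue asks for, sketched as an added example. This is not a signature from the cuckoosandbox/community repository and does not use Cuckoo's Signature base class or its report schema; the ProcessRecord shape, the function names and the sample process log are constructed here so the code runs offline. The WMI locator CLSIDs, client DLL names and wmic.exe are the standard WMI client components; which of these a real signature keys on is a design choice, not something the issue specifies.

```python
"""Added example: flag WMI use that originates from a Microsoft Office process.

NOT a signature from the cuckoosandbox/community repository and not built on
Cuckoo's Signature base class. It runs over a constructed, simplified behavior
log so it can execute offline; a real signature would read the same facts
(loaded images, CoCreateInstance CLSIDs, child processes) from the report.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Office host processes whose WMI activity is treated as suspicious.
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "msaccess.exe", "mspub.exe",
}

# Well-known COM class IDs of the WMI locator objects (wbemcli.h).
# Stored lowercase without braces for comparison.
WMI_CLSIDS = {
    "4590f811-1d3a-11d0-891f-00aa004b2e24",  # CLSID_WbemLocator
    "cb8555cc-9128-11d1-ad9b-00c04fd8fdff",  # CLSID_WbemAdministrativeLocator
}

# Client-side WMI DLLs; an Office document has no normal reason to pull these in.
WMI_DLLS = {"wbemprox.dll", "wbemcomn.dll", "fastprox.dll", "wmiutils.dll"}

# The command-line WMI client.
WMI_BINARIES = {"wmic.exe"}


@dataclass
class ProcessRecord:
    """Constructed, simplified view of one sandboxed process (hypothetical schema)."""
    pid: int
    name: str
    loaded_dlls: List[str] = field(default_factory=list)
    com_clsids: List[str] = field(default_factory=list)  # CLSIDs passed to CoCreateInstance
    children: List[str] = field(default_factory=list)    # image names of spawned processes


def _basename(path: str) -> str:
    """Lowercase file name from a Windows or POSIX path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def _norm_clsid(clsid: str) -> str:
    return clsid.strip().strip("{}").lower()


def office_wmi_hits(processes: List[ProcessRecord]) -> List[Dict]:
    """Return one hit per Office process that shows WMI activity.

    Each hit lists the concrete indicators so an analyst can see why it fired.
    Non-Office processes are skipped on purpose: the point is the
    Office -> WMI combination, not WMI use in general.
    """
    hits = []
    for proc in processes:
        if _basename(proc.name) not in OFFICE_PROCESSES:
            continue
        indicators = []
        for dll in proc.loaded_dlls:
            if _basename(dll) in WMI_DLLS:
                indicators.append(f"loaded WMI client DLL {dll}")
        for clsid in proc.com_clsids:
            if _norm_clsid(clsid) in WMI_CLSIDS:
                indicators.append(f"CoCreateInstance of WMI locator {clsid}")
        for child in proc.children:
            if _basename(child) in WMI_BINARIES:
                indicators.append(f"spawned {child}")
        if indicators:
            hits.append({
                "pid": proc.pid,
                "process": proc.name,
                "severity": 3,  # rate as malicious, as the issue proposes
                "indicators": indicators,
            })
    return hits


# Constructed sample log; not derived from the VirusTotal samples in the issue.
SAMPLE_PROCESSES = [
    ProcessRecord(  # Office process driving WMI: must fire
        pid=1234, name="WINWORD.EXE",
        loaded_dlls=[r"C:\Windows\System32\wbem\wbemprox.dll",
                     r"C:\Windows\System32\ole32.dll"],
        com_clsids=["{4590F811-1D3A-11D0-891F-00AA004B2E24}"],
        children=[r"C:\Windows\System32\wbem\WMIC.exe"],
    ),
    ProcessRecord(  # benign Office process: must not fire
        pid=2345, name="EXCEL.EXE",
        loaded_dlls=[r"C:\Program Files\Microsoft Office\root\Office16\mso.dll"],
    ),
    ProcessRecord(  # WMI from a non-Office process: out of scope for this check
        pid=3456, name="powershell.exe",
        com_clsids=["{4590f811-1d3a-11d0-891f-00aa004b2e24}"],
    ),
]

if __name__ == "__main__":
    for hit in office_wmi_hits(SAMPLE_PROCESSES):
        print(f"{hit['process']} (pid {hit['pid']}) severity {hit['severity']}")
        for indicator in hit["indicators"]:
            print("  -", indicator)
```

Two caveats for anyone turning this into a real signature: only direct children are inspected, so an Office -> cmd.exe -> wmic.exe chain needs the parent chain walked back to the Office process, and the CLSID and DLL checks depend on the monitor actually logging CoCreateInstance arguments and image loads for that run.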