30. DeepDive
The findings of a DeepDive on memory images or disk space cannot be analyzed from THOR events alone: you typically need the memory dumps or the restored chunks themselves to evaluate them, which takes considerably more time, know-how and effort. We therefore recommend analyzing DeepDive module events only when other indicators already give a sufficient initial suspicion.
30.1. Samples
Sep 5 17:23:56 server44.local.net/10.16.3.7
THOR: Alert: MODULE: DeepDive
MESSAGE: YARA Score Rule Match
TARGET: C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\thor.exe.20170904-154909-00.hdmp
TYPE: file
NAME: HurricanePanda_C2_Server
SCORE: 180
DESCRIPTION: Hurricane Panda C2 Server in file http://goo.gl/Fm00Q8
OFFSET: 203423744
MATCHING_STRINGS:
S1: 203.135.134.243
IN: 1dns.dubkill.com.in$s2203.135.134.243$s3newss.effers.com$s4
S2: 202.181.133.237
IN: upport.proxydns.com$s13202.181.133.237MobileDevicesUsedtoExecu
S3: 223.29.248.9
IN: e.authorizeddns.org$s11223.29.248.9$s12googlesupport.proxy
S4: 61.78.34.179
...
Aug 26 22:20:18 server44.local.net/10.10.1.4
THOR: Alert: MODULE: DeepDive
MESSAGE: YARA Score Rule Match
TARGET: C:\Program Files (x86)\Common Files\McAfee\TalkBack\Data\RPCSERV(1).dmp
TYPE: file
NAME: WindowsCredentialEditor
SCORE: 140
DESCRIPTION: Windows Credential Editor
OFFSET: 203423744
MATCHING_STRINGS:
S1: Windows Credentials Editor
IN: %.2X%.2XttcaWindows Credentials Editor-- by Hernan Ochoa (herna
...
30.2. Typical False Positives
Antivirus signatures in pagefile.sys or in disk surface scans
Findings in \McAfee\TalkBack\Data\RPCSERV
THOR process dump files
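As an added triage helper (not part of the THOR manual or product), the following Python parses DeepDive alerts in the text log layout shown in 30.1 and tags them with the typical false-positive sources listed in 30.2, so that only unexplained hits are queued for review of the actual dump or restored chunk. The sample log embedded below is constructed from the two alerts above, reduced to the fields the triage uses; the header regex and the function and field names are assumptions of this example.

```python
import re
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+)$")
FIELD_RE = re.compile(r"^([A-Z_0-9]+): ?(.*)$")

# Constructed input: the two alerts from section 30.1, reduced to the fields triage uses.
SAMPLE_LOG = r"""Sep 5 17:23:56 server44.local.net/10.16.3.7
THOR: Alert: MODULE: DeepDive
TARGET: C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\thor.exe.20170904-154909-00.hdmp
NAME: HurricanePanda_C2_Server
SCORE: 180
S1: 203.135.134.243
Aug 26 22:20:18 server44.local.net/10.10.1.4
THOR: Alert: MODULE: DeepDive
TARGET: C:\Program Files (x86)\Common Files\McAfee\TalkBack\Data\RPCSERV(1).dmp
NAME: WindowsCredentialEditor
SCORE: 140
S1: Windows Credentials Editor
"""

def parse_thor_alerts(text):
    """One dict per alert; a syslog-style header line starts a new record."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            records.append(cur := {"source": m.group(1), "matching_strings": []})
        elif cur is not None and (m := FIELD_RE.match(line)):
            key, value = m.groups()
            if key == "THOR":  # value reads "Alert: MODULE: DeepDive"
                cur["module"] = value.rsplit("MODULE: ", 1)[-1]
            elif re.fullmatch(r"S\d+", key):  # S1:, S2:, ... are the matched strings
                cur["matching_strings"].append(value)
            elif key not in ("IN", "MATCHING_STRINGS"):  # IN: is only match context
                cur[key.lower()] = int(value) if key == "SCORE" else value
    return records

def false_positive_reasons(rec):
    """Typical false-positive sources from section 30.2, recognised by TARGET path."""
    reasons, target = [], rec.get("target", "")
    name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if r"\mcafee\talkback\data\rpcserv" in target.lower():
        reasons.append("McAfee TalkBack RPCSERV dump")
    if name.startswith("thor.exe") and name.endswith((".dmp", ".hdmp")):
        reasons.append("THOR process dump file")
    if name == "pagefile.sys":
        reasons.append("pagefile.sys (antivirus signatures commonly match here)")
    return reasons

def triage(text):  # DeepDive alerts only; no known FP source means the dump itself must be reviewed
    return [{"name": r["name"], "score": r["score"], "fp_reasons": fp, "needs_dump_review": not fp}
            for r in parse_thor_alerts(text) if r.get("module") == "DeepDive"
            for fp in [false_positive_reasons(r)]]
```

Both sample alerts are explained by the 30.2 list (a THOR process dump and a McAfee TalkBack dump), so neither is queued for dump review; a hit on any other target is.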