In malware investigation, a file whose signer is unknown and which has a high VirusTotal detection count (e.g., 32 out of 70) should trigger a security alert: legitimate software is typically signed by known vendors such as Microsoft, while unsigned or unknown-signer files often indicate malicious intent.
Deep Dive
Malware Investigation Unmasking the Unknown Signer
Added: I just think it's important to highlight some of these things because we just went through all that work for the last 20 minutes and now look, we got to actual, we're getting to the root cause. Now, one of the other things, like when you scroll on the side here, you can see you have, you know, directly embedded VirusTotal reputation score. Um, you can see we keep scrolling down and now look, we have different hashes, okay? So, you can see here up until that point we're looking at like SHA-1, but you can see there's SHA-256. Now, when we clicked on this, what did it put?
513. Okay, so it actually re- it actually submits the 256, which is good.
You can see here it's an unsigned file.
That should also trigger an alarm because it's not signed. All the other files we were looking at were signed, which is why they weren't triggering. You can see here signer was Microsoft. So, we knew right out the gate that that's a legitimate PowerShell file process because it was signed by a legitimate source. If we scroll down here further into our investigation, well, this malware, that's why it's associated with this malware label because look, the signer is unknown. And there's 32 out of 70.
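The triage described above (signer status combined with the VirusTotal detection count) can be expressed as a small rule. This is an added example, not code from the video or from any product shown in it; the `FileEvent` fields, the signer allowlist, the 0.25 ratio threshold and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: signers this environment treats as known (the page names only Microsoft).
KNOWN_SIGNERS = {"Microsoft"}
# Assumption: share of engines detecting the file at which it counts as high risk.
HIGH_RATIO = 0.25

@dataclass
class FileEvent:
    path: str
    signer: Optional[str]    # None = unsigned, "Unknown" = signer not resolved
    vt_score: Optional[str]  # "detections/engines", e.g. "32/70"; None = no result

def detection_ratio(score):
    """Parse 'detections/engines' into a float; None if absent or malformed."""
    if not score:
        return None
    try:
        hits, total = (int(part) for part in score.split("/"))
    except ValueError:
        return None
    return hits / total if total > 0 and 0 <= hits <= total else None

def triage(event):
    """Return (verdict, reasons): 'alert', 'review' or 'ok'."""
    reasons = []
    if event.signer is None:
        reasons.append("unsigned")
    elif event.signer not in KNOWN_SIGNERS:
        reasons.append("unknown signer")
    signer_issue = bool(reasons)
    ratio = detection_ratio(event.vt_score)
    high = ratio is not None and ratio >= HIGH_RATIO
    if high:
        reasons.append("detections " + event.vt_score)
    if signer_issue and high:
        return "alert", reasons
    # One signal alone (including a known signer with many detections) gets a look.
    return ("review" if signer_issue or high else "ok"), reasons

# Constructed sample events, not taken from the investigation in the video.
SAMPLE = [
    FileEvent(r"C:\Windows\System32\powershell.exe", "Microsoft", "0/70"),
    FileEvent(r"C:\Users\Public\sample.exe", "Unknown", "32/70"),
    FileEvent(r"C:\Temp\tool.exe", None, None),
    FileEvent(r"C:\Temp\signed.exe", "Microsoft", "20/70"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.path, *triage(ev))
```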