We recently saw several instances of malware\ransomware downloaded via an email URL using sandboxing avoidance techniques. The most obvious was sleep.exe being executed multiple times and was seen in the trace file.
Would it be possible to create a rule (yara?) that would mark a URL\file as malicious if sleep.exe was executed?
thanks for any advice
NSE8
Fortinet Expert partner - Norway
