SOC104 - Malware Detected Alert

Malware disguised as a WinRAR clone? Let's investigate....

Hello, blue teamers. It’s the first week of sunny March and that means completing Let’s Defend’s 5 monthly SOC challenges. These are a set of real-world SOC Alerts, where you are tasked to review, analyze and mitigate the threat(if any).

Today, let's solve the SOC104 — Malware Detected alert, the first one in the series.

NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.

Introduction to the Alert

These are the background details of the alert. Have a good read, as this information comes in handy later

Proceed to take ownership of the alert

Create case

Start the playbook

Now, let’s delve into the questions

Define Threat Indicator

Select Threat Indicator

As of now, we cannot determine the indicator. To pinpoint the cause, let’s proceed to download the .zip attachment, provided with the alert

Enumeration and Analysis

Upon unzipping the zip file, we find a .exe named winrar600

To see how this works, let’s have it run on Anyrun and VirusTotal

Analysis with Anyrun

Running the .exe file on a VM, we are met with this WinRAR installation screen

Analysis with VirusTotal

The green circle is welcome news of the analyzed file not being malicious

MD5 Hash of .exe file — aff4bb9b15bccff67a112a7857d28d3f2f436e2e42f11be14930fe496269d573

To gain some closure, let’s consult Hybrid-Analysis to analyze the exe file

We have been given the all-clear. The SOC Alert looks like a false-positive so far

Since the file is marked as clean, there are other threat indicators

Let’s go with Other

A)Other

Check if the malware is quarantined/cleaned

A) Malware is not cleaned

Analyze Malware

Analyze malware in 3rd party tools and find C2 address

You can use the free products/services below.

AnyRun VirusTotal URLHouse URLScan HybridAnalysis

As we have previously analyzed the exe file and found that it was not malicious, let’s proceed by marking it as non-malicious

A)Non malicious

Add Artifacts

Let’s add the artifacts so far collected

Analyst Note

Preceding the closure of the alert, let’s provide some notes on things observed while working. Detail this section as much as you can. A good SOC Analyst gives attention to detail.

Finish playbook

Close Alert

Alert Scorecard

All right! Onward ahoy to the next alert

Summary of the alert

The SOC Analyst was alerted to an instance of malware being downloaded and which was subsequently detected. An analysis was made on the .exe attachment, which was a WinRAR software clone, on VirusTotal and AnyRun.It gave us the conclusion of the downloaded file testing as a false positive for malware

Conclusion

Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts……

Your opinion matters

My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day

Let your opinion about this write-up be known, by selecting one of the emojis below!