SOC104 - Malware Detected Alert
Malware disguised as a WinRAR clone? Let's investigate....
Hello, blue teamers. It's the first week of sunny March, and that means completing Let's Defend's five monthly SOC challenges. These are a set of real-world-style SOC alerts, where you are tasked to review, analyze and mitigate the threat (if any).
Today, let's solve the SOC104 - Malware Detected alert, the first one in the series.
NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.
These are the background details of the alert. Have a good read, as this information comes in handy later.
Proceed to take ownership of the alert.
Create case
Start the playbook
Now, let’s delve into the questions
Select Threat Indicator
As of now, we cannot determine the indicator. To pinpoint the cause, let's download the .zip attachment provided with the alert.
Upon unzipping the archive, we find a .exe named winrar600.
To see how this works, let's run it on AnyRun and VirusTotal.
Running the .exe file on a VM, we are met with this WinRAR installation screen.
The green circle is welcome news: the analyzed file is not flagged as malicious.
SHA-256 hash of the .exe file (64 hex characters; an MD5 digest would be 32): aff4bb9b15bccff67a112a7857d28d3f2f436e2e42f11be14930fe496269d573
To gain some closure, let's consult Hybrid Analysis to analyze the .exe file as well.
We have been given the all-clear. The SOC alert looks like a false positive so far.
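The triage steps above (hash the sample, look the hash up on VirusTotal, read the detection counts into a verdict) can be scripted so the same checks run the same way on every alert. The block below is an added example written for this write-up, not code from Let's Defend or from the write-up's author. It assumes a `VT_API_KEY` environment variable for the optional live lookup (the VirusTotal v3 endpoint `GET /api/v3/files/{hash}` with an `x-apikey` header is real); the sample bytes and the `last_analysis_stats` counts are constructed placeholders, and the threshold in `verdict_from_stats` is a hypothetical triage policy, not a VirusTotal rule.

```python
import hashlib
import json
import os
import urllib.request

# Constructed stand-in for the winrar600.exe attachment; the real file is not reproduced here.
SAMPLE_BYTES = b"abc"

# SHA-256 quoted in the write-up (64 hex characters).
PAGE_HASH = "aff4bb9b15bccff67a112a7857d28d3f2f436e2e42f11be14930fe496269d573"


def file_hashes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digest_kind(digest: str) -> str:
    """Classify a hex digest by its length, so a mislabelled hash is caught before lookup."""
    d = digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        raise ValueError("not a hex digest")
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d), "unknown")


def vt_lookup_request(digest: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) a VirusTotal v3 file-report request keyed by hash."""
    url = f"https://www.virustotal.com/api/v3/files/{digest}"
    return urllib.request.Request(url, headers={"x-apikey": api_key})


def verdict_from_stats(stats: dict, malicious_threshold: int = 3) -> str:
    """Turn last_analysis_stats counts into a coarse triage verdict.

    Hypothetical policy: one or two engines flagging a popular installer is
    common enough that a single hit is only 'suspicious'; several hits are
    treated as a confirmed detection that needs a human look.
    """
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious >= malicious_threshold:
        return "malicious"
    if malicious > 0 or suspicious > 0:
        return "suspicious"
    return "clean"


# Constructed counts in the shape of a VirusTotal report; not a real result.
CONSTRUCTED_STATS = {"harmless": 0, "malicious": 0, "suspicious": 0, "undetected": 70}

if __name__ == "__main__":
    print("hashes of constructed sample:", file_hashes(SAMPLE_BYTES))
    print(PAGE_HASH, "->", digest_kind(PAGE_HASH))
    print("verdict on constructed stats:", verdict_from_stats(CONSTRUCTED_STATS))
    key = os.environ.get("VT_API_KEY")  # assumption: the key lives in this variable
    if key:
        with urllib.request.urlopen(vt_lookup_request(PAGE_HASH, key)) as resp:
            report = json.load(resp)
        stats = report["data"]["attributes"]["last_analysis_stats"]
        print("live verdict:", verdict_from_stats(stats))
```

Hashing locally before uploading matters for two reasons: a hash lookup tells you whether the sandboxes have already seen the file (so you avoid uploading a possibly sensitive internal binary), and checking the digest length catches the MD5/SHA-256 mix-up that appears in this write-up before it lands in a case note.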
Since the file is marked as clean, none of the listed threat indicators apply.
Let's go with Other.
A) Other
A) Malware is not cleaned
Analyze malware in 3rd party tools and find C2 address
You can use the free products/services below.
AnyRun, VirusTotal, URLHouse, URLScan, HybridAnalysis
As we have previously analyzed the .exe file and found that it was not malicious, let's proceed by marking it as non-malicious.
A) Non-malicious
Let's add the artifacts collected so far.
Before closing the alert, let's provide some notes on things observed while working. Detail this section as much as you can; a good SOC analyst pays attention to detail.
Finish playbook
Close Alert
All right! Onward to the next alert.
The SOC analyst was alerted to an instance of malware being downloaded and subsequently detected. The .exe attachment, a WinRAR software clone, was analyzed on VirusTotal and AnyRun. The conclusion was that the downloaded file tested as a false positive for malware.
Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts.
My audience has a voice. Feel free to reach out to me on my socials (links are at the top of this page) with any queries. Dropping a sweet message would make my day.