SOC109  -  Emotet Malware Detected Alert

Malware you say? Let's have a look at it

Hello, blue teamers and welcome to this blog entry, as I attempt to solve Let’s Defend ’s SOC109 — Emotet Malware alert. It was fun to work with real-world malware and trace back its origins and characteristics.

Keep your investigation armor at the ready!

NOTE: Always remember to investigate alerts from Let's Defend, on a VM.

Introduction to the Alert

We are met with the following alert summary, which will prove beneficial as we keep investigating

Proceed to download the 349d13ca99ab03869548d75b99e5a1d0.zip file

Next steps:-

Proceed to take ownership of the case Create case

We receive the incident details, with all necessary information for our investigation

Now, let’s start the playbook

Playbook Questions

Detection of Threat Indicator

To detect the Threat Indicator, let’s first analyze the attached zip sample

Upon unzipping it, we get a file named ‘1word.doc’

It would be wise to open it on Anyrun

Two .exe files execute as we open it (namely powershell.exe and ntvdm.exe)

What does the PowerShell file do?

Expanding the log to find more information, we get:-

Check if the malware is quarantined/cleaned

Go to the ‘Endpoint Security section and contain the victim host(RichardPRD)

A) Quarantined

Analyzing the Malware sample

Q) Analyze malware in 3rd party tools and find C2 address

You can use the free products/services below.

AnyRun VirusTotal URLHouse URLScan HybridAnalysis

Let’s enumerate once more, using Anyrun tool

The file is malicious

A) Malicious

Check If Someone Requested the C2 Server

Q) Please go to the “Log Management” page and check if the C2 address accessed. You can check if the malicious file is run by searching the C2 addresses of the malicious file.

Please click “Yes” if someone access the malicious address. Otherwise please click “No” button.

Searching ‘Log Management’, for the victim host, we get 7 connection log entries

We know for a fact that Emotet spreads via phishing emails, so it is wise to limit ourselves to ports 80 and 443 connection attempts

Keeping a note of these IP’s, let’s see the related IP Addresses that have been contacted from this malicious file(can be received from the ‘Relations’ tab under VirusTotal)

We can safely assume that the C2 Server was never accessed because none of the IP’s match with the ones found in the Log Management section

From my research, I found that Emotet uses disposable C2 servers to propagate

A) Not accessed

Adding case artifacts

From Hybrid-Analysis, let’s note down outgoing traffic from this malicious file, to be added to our collection of artifacts

This finally boils down to:-

Analyst's Notes

We fill in the necessary details

Finish the playbook

Alert Scorecard

Not bad, not bad at all!

Every alert solved is a step towards perfection and I am pretty happy with the score I received.

Summary of the alert

A phishing mail was sent from the source, disguised as a harmless document, which the receiver did not fall victim to. The attachment was responsibly analyzed and determined to have connections to the Emotet malware

The case was a true positive for a phishing attack and the analyst responsibly provided artifacts and notes, discussing the case characteristics and results.

Conclusion

Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts……

Your opinion matters

My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day

Let your opinion about this write-up be known, by selecting any one of the emojis below!