SOC145 - Ransomware Detected Alert
Ransomware, you say? Let's have a look at it
Welcome to this blog entry,as I document my journey,into the world of blue teaming.We will be tackling the âSOC145âââRansomware Detectedâ case on the Letâs Defend platform,which is of hard difficulty
Letâs jump head first into it.
NOTE: Always remember to investigate alerts from Let's Defend, on a VM.
Introduction to the Alert
Alert particulars provided to the analyst:-
We first take a look at the mailbox, to find any pointers about the case âwhich we couldn't find
Enumeration
Now take the IP Addressâââ172.16.17.88 and perform a check on the endpoint and log sections
We get this from the Endpoint section, giving a description about the source IP Addressâ host machineâ
Endpoint Machine NameâââMarkPRD
Windows 10 OS
User nameâââMarkGuna
Last LoginâââAug 29 2020 08:12 PM
No entries were found for Browser, Network, or Command History. We get these entries for Process List, however:-
â
We get a corresponding match for someone named Mark, receiving a mail on Aug 29, when conducting a more thorough search in the LetsDefend mailboxâ
Analysis of Evidence
Having performed initial enumeration, let's download the file and unzip it, using the passphrase: infected
We uncover a file named ab.bin.Running file command against it tells us that it is an executable file, with GUI Interface
â
Next, we take the file for analysis on VirusTotal and Hybrid-Analysis tools
Reconnaissance using Hybrid-Analysis
Hybrid Analysisâââ(File is classified as Ransomware)
Related Hashâââd5e2584ff2c17966ac150adfaeaab508af50354c7611884d64207d9c5d6b969câ
File Analysis of the file on Hybrid-Analysis brings us:-
Reconnaisance using VirusTotal
VirusTotalâââ60/68 vendors find the file suspicious
Threat NameâââAvaddon (dark web intelligence)
MD5 Hash of malicious fileâââ0b486fe0503524cfe4726a4022fa6a68
Executed Shell commands and process tree of the suspected file
More notes about the ransomware fileâ
No relevant HTTP Traffic or DNS Requests for this file(checked on Hybrid Analysis).This is a big blow, as we don't know the origin (country) of the ransomware
IOCâs of infected fileâSuspicious and Malicious
â
Steps to solve and close this Ransomware alert
Create a case
We select âOther threat indicatorâ as classification for this file Malware quarratined or not?âââNo File is malicious or not?âââYes Check if any address accessed this malicious file?âââYes (we found IP- 81.169.145.105 had accessed this file,from the Log section)
Contain the machineâââYes
Now,we add artifacts to the case:-
IP Address 81.169.145.105âââAddress that accessed the malicious file
IP Address 172.16.17.88âââSource address of ransomware
MD5 Hash 0b486fe0503524cfe4726a4022fa6a68âââHash of file
Finish Playbook
Close the alert and state that it is a true positive
Alert Scorecard
15/20 points acquired! Thatâs not bad in my book!
Every alert solved is a step towards perfection and I am pretty happy with the score I received.
Summary of the alert
A SOC alert came in, detailing the case as Ransomware. Analyzing the file brought us to the conclusion that it was a binary file. Further enumeration found that the file was flagged previously on security and sandbox platforms, where we were able to gather more intelligence about the suspected file, concluding the alert to be a true positive
Conclusion
Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alertsâŠâŠ
Your opinion matters
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day
Let your opinion about this write-up be known, by selecting any one of the emojis below!
Last updated