SOC145 - Ransomware Detected Alert
Ransomware, you say? Let's have a look at it
Last updated
Ransomware, you say? Let's have a look at it
Last updated
Welcome to this blog entry,as I document my journey,into the world of blue teaming.We will be tackling the “SOC145 — Ransomware Detected” case on the Let’s Defend platform,which is of hard difficulty
Let’s jump head first into it.
NOTE: Always remember to investigate alerts from Let's Defend, on a VM.
Alert particulars provided to the analyst:-
We first take a look at the mailbox, to find any pointers about the case —which we couldn't find
Now take the IP Address — 172.16.17.88 and perform a check on the endpoint and log sections
We get this from the Endpoint section, giving a description about the source IP Address’ host machine
Endpoint Machine Name — MarkPRD
Windows 10 OS
User name — MarkGuna
Last Login — Aug 29 2020 08:12 PM
No entries were found for Browser, Network, or Command History. We get these entries for Process List, however:-
We get a corresponding match for someone named Mark, receiving a mail on Aug 29, when conducting a more thorough search in the LetsDefend mailbox
Having performed initial enumeration, let's download the file and unzip it, using the passphrase: infected
We uncover a file named ab.bin.Running file command against it tells us that it is an executable file, with GUI Interface
Next, we take the file for analysis on VirusTotal and Hybrid-Analysis tools
Hybrid Analysis — (File is classified as Ransomware)
Related Hash — d5e2584ff2c17966ac150adfaeaab508af50354c7611884d64207d9c5d6b969c
File Analysis of the file on Hybrid-Analysis brings us:-
VirusTotal — 60/68 vendors find the file suspicious
Threat Name — Avaddon (dark web intelligence)
MD5 Hash of malicious file — 0b486fe0503524cfe4726a4022fa6a68
Executed Shell commands and process tree of the suspected file
More notes about the ransomware file
No relevant HTTP Traffic or DNS Requests for this file(checked on Hybrid Analysis).This is a big blow, as we don't know the origin (country) of the ransomware
IOC’s of infected file—Suspicious and Malicious
Create a case
We select ‘Other threat indicator’ as classification for this file Malware quarratined or not? — No File is malicious or not? — Yes Check if any address accessed this malicious file? — Yes (we found IP- 81.169.145.105 had accessed this file,from the Log section)
Contain the machine — Yes
Now,we add artifacts to the case:-
IP Address 81.169.145.105 — Address that accessed the malicious file
IP Address 172.16.17.88 — Source address of ransomware
MD5 Hash 0b486fe0503524cfe4726a4022fa6a68 — Hash of file
Finish Playbook
Close the alert and state that it is a true positive
15/20 points acquired! That’s not bad in my book!
Every alert solved is a step towards perfection and I am pretty happy with the score I received.
A SOC alert came in, detailing the case as Ransomware. Analyzing the file brought us to the conclusion that it was a binary file. Further enumeration found that the file was flagged previously on security and sandbox platforms, where we were able to gather more intelligence about the suspected file, concluding the alert to be a true positive
Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts……
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day
Let your opinion about this write-up be known, by selecting any one of the emojis below!