Hello, blue teamers. It’s the first week of sunny March and that means one thing, doing all of Let’s Defend’s 5 monthly challenges. These are a set of real-world SOC Alerts, where you are tasked to review, analyze and mitigate the threat(if any). Today I will be guiding you through SOC104 — Malware Detected alert
NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.
These are the background details of the alert. Have a good read, as this information comes in handy later
Proceed to take ownership of the alert
Start the playbook
Now, let’s delve into the questions
Define Threat Indicator
Select Threat Indicator
As of now, we cannot determine the indicator. To pinpoint the cause, let’s proceed to download the .zip attachment, provided with the alert
Upon unzipping the zip file, we find a .exe named winrar600
Analysis with Anyrun
Running the .exe file on a VM, we are met with this WinRAR installation screen
Analysis with VirusTotal
The green circle is welcome news of the analyzed file not being malicious
MD5 Hash of .exe file — aff4bb9b15bccff67a112a7857d28d3f2f436e2e42f11be14930fe496269d573
To gain some closure, let’s consult Hybrid-Analysis to analyze the exe file
We have been given the all-clear. The SOC Alert looks like a false-positive so far
Since the file is marked as clean, there are other threat indicators
Let’s go with Other
Check if the malware is quarantined/cleaned
A) Malware is not cleaned
Analyze malware in 3rd party tools and find C2 address
You can use the free products/services below.
As we have previously analyzed the exe file and found that it was not malicious, let’s proceed by marking it as non-malicious
Let’s add the artifacts so far collected
Preceding the closure of the alert, let’s provide some notes on things observed while working.
All right! Onward ahoy to the next alert
Summary of the alert
The SOC Analyst was alerted to an occurrence of malware being downloaded and subsequently detected. An analysis was made on the .exe attachment, which was a WinRAR software clone, on VirusTotal and AnyRun.It gave us the conclusion of the downloaded file testing as a false positive for malware
Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts……
Your opinion matters
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day
Let your opinion about this write-up be known, by giving it a clap!