Scenario
As a novice Security Operations Center (SOC) analyst employed by a financial
services company, you recently received an alert regarding a potentially
suspicious file download on an employee's computer. To address this concern,
you proceeded to investigate the matter.
During your investigation, you discovered that the employee had received an
email containing an attachment—an encrypted spreadsheet file. Surprisingly,
the email included the password required to unlock the file. The employee
proceeded to download the file and subsequently entered the provided
password to access its contents. However, upon opening the file, a harmful
payload was executed on the employee's computer.
In response, you took action by retrieving the malicious file and generating
a SHA256 hash of it. This hash serves as a unique identifier for the file
and cannot be decrypted. Employing hashing as a cryptographic technique, it
acts as a distinctive fingerprint for identifying malware.
Now equipped with the file's hash, your next step involves leveraging
VirusTotal to uncover additional Indicators of Compromise (IoCs) associated
with the file.
SHA256 file hash:
54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
A malicius actor trought a mail send a trojan with a spredsheet looking, then an employee opened it.
- 1:11 p.m.: An employee receives an email containing a file attachment.
- 1:13 p.m.: The employee successfully downloads and opens the file.
- 1:15 p.m.: Multiple unauthorized executable files are created on the employee's computer.
- 1:20 p.m.: An intrusion detection system detects the executable files and sends out an alert to the SOC.
VirusTotal analysis:
The VirtusTotal report classify it as a trojan executable in Windows machines, with a size of 430.00 KB.
Behavior:
- It spawns processes
- Create files inside the user directory
- Acquire credentials from Windows Credential Manager
- May sleep (evasive loops) to hinder dynamic analysis
No comments:
Post a Comment