Popular

Wednesday, July 5, 2023

Indicator of compromise (IoC) activity

 Scenario

As a novice Security Operations Center (SOC) analyst employed by a financial services company, you recently received an alert regarding a potentially suspicious file download on an employee's computer. To address this concern, you proceeded to investigate the matter.

During your investigation, you discovered that the employee had received an email containing an attachment—an encrypted spreadsheet file. Surprisingly, the email included the password required to unlock the file. The employee proceeded to download the file and subsequently entered the provided password to access its contents. However, upon opening the file, a harmful payload was executed on the employee's computer.

In response, you took action by retrieving the malicious file and generating a SHA256 hash of it. This hash serves as a unique identifier for the file and cannot be decrypted. Employing hashing as a cryptographic technique, it acts as a distinctive fingerprint for identifying malware.

Now equipped with the file's hash, your next step involves leveraging VirusTotal to uncover additional Indicators of Compromise (IoCs) associated with the file.

SHA256 file hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b

A malicius actor trought a mail send a trojan with a spredsheet looking, then an employee opened it.

  • 1:11 p.m.: An employee receives an email containing a file attachment.
  • 1:13 p.m.: The employee successfully downloads and opens the file.
  • 1:15 p.m.: Multiple unauthorized executable files are created on the employee's computer.
  • 1:20 p.m.: An intrusion detection system detects the executable files and sends out an alert to the SOC.

VirusTotal analysis:

The VirtusTotal report classify it as a trojan executable in Windows machines, with a size of 430.00 KB. Behavior:
  • It spawns processes
  • Create files inside the user directory
  • Acquire credentials from Windows Credential Manager
  • May sleep (evasive loops) to hinder dynamic analysis
The analysis was made via virtual machines.

No comments:

Post a Comment

Indicator of compromise (IoC) activity

 Scenario As a novice Security Operations Center (SOC) analyst employed by a financial services company, you recently received ...