SOC104.2 - Malware Detected
In this LetsDefend alert, I was presented with the detection of yet another potentially malicious file.
Upon opening a case for the alert, I found the playbook identical to the one for the previous malware analysis alert. My first task was to define the threat indicator. With the limited information provided in the alert details, this again was not immediately apparent. The alert involved a file called "Invoice.exe", which I downloaded for further analysis.
Following the same process to identify the threat indicator, I opened the file in an AnyRun sandbox. Initially, upon execution, there was no suspicious activity, so I extended the run by 60 seconds to let the environment keep going. Sure enough, about 60-70 seconds after the initial execution, a litany of suspicious HTTP requests and connections appeared, along with an additional process. A delay of this kind is a common sandbox-evasion tactic, so a short default run can miss the real behaviour entirely.
The original file then carried out a number of malicious tasks, such as modifying Chrome extensions, creating a Maze ransom note and deleting shadow copies. Before doing so, it spawned a process called WMIC.exe, responsible for first enumerating the existing shadow copies. For those who may not know, Volume Shadow Copy (VSS) is a Windows technology that lets the operating system create consistent, reliable manual and automatic backups/snapshots of a volume. You can use a shadow copy to recover files, which is exactly why ransomware deletes them before encrypting.
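The enumerate-then-delete sequence described above is the kind of thing worth catching in process-creation telemetry before the encryption stage starts. The following is an added example, not code from the original write-up or from LetsDefend: it runs a few shadow-copy command-line rules over constructed Sysmon-style process events (the hostnames, timestamps and command lines are assumptions for illustration) and rates each host by whether enumeration was followed by deletion within a short window.

```python
"""Detect shadow-copy enumeration followed by deletion in process-creation logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed process-creation events (Sysmon Event ID 1 style). Hosts, times
# and command lines are assumptions for this example, not data from the alert.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "AdamPRD", "parent": "Invoice.exe",
     "image": "wmic.exe", "cmdline": "wmic shadowcopy"},
    {"ts": "2024-05-01T10:00:05", "host": "AdamPRD", "parent": "Invoice.exe",
     "image": "wmic.exe", "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"ts": "2024-05-01T10:00:06", "host": "AdamPRD", "parent": "Invoice.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"ts": "2024-05-01T10:01:00", "host": "AdamPRD", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe readme.txt"},
    {"ts": "2024-05-01T02:00:00", "host": "BACKUPSRV", "parent": "backupagent.exe",
     "image": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

# (label, stage, regex). The regexes are this example's own assumptions about
# common shadow-copy command lines; order matters (delete before enumerate).
RULES = [
    ("wmic shadowcopy delete", "delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmic shadowcopy enumerate", "enumerate",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b", re.I)),
    ("vssadmin delete shadows", "delete",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage", "delete",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("vssadmin list shadows", "enumerate",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\blist\b.*\bshadows\b", re.I)),
    ("Win32_ShadowCopy delete", "delete",
     re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
]


def classify(cmdline):
    """Return (label, stage) for the first matching rule, or None if benign."""
    for label, stage, rx in RULES:
        if rx.search(cmdline):
            return label, stage
    return None


def triage(events, window=timedelta(minutes=5)):
    """Group shadow-copy activity per host and rate it.

    Verdicts: 'inhibit_recovery' when enumeration is followed by deletion within
    `window`, 'delete_only', or 'enumerate_only'. Hosts with no hits are omitted.
    """
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit:
            label, stage = hit
            per_host[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), stage, label, ev["parent"]))

    findings = {}
    for host, hits in per_host.items():
        enum_ts = [t for t, stage, _, _ in hits if stage == "enumerate"]
        del_ts = [t for t, stage, _, _ in hits if stage == "delete"]
        if enum_ts and del_ts and any(
                timedelta(0) <= d - e <= window for e in enum_ts for d in del_ts):
            verdict = "inhibit_recovery"   # the sequence this write-up observed
        elif del_ts:
            verdict = "delete_only"
        else:
            verdict = "enumerate_only"     # backup agents do this legitimately
        findings[host] = {
            "verdict": verdict,
            "rules": sorted({label for _, _, label, _ in hits}),
            "parents": sorted({p for _, _, _, p in hits}),
        }
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

The parent image is carried through because it is the fastest way to separate a backup agent that lists shadows nightly from an unsigned "Invoice.exe" that lists them and then deletes them seconds later; tune the window and rules to your own telemetry.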
Now that I understood the function of the malware, it was clear to me that it was designed to extract information from and about the victim machine and then damage it by deleting valuable backups. But what was it doing with this information? The file simultaneously created connections to an external IP and URL which, upon further investigation, are assumed to be the attacker's command and control (C2) server.
Based on these findings, I selected "Unknown or unexpected outbound traffic" as the threat indicator. Following the playbook, I analyzed the source IP to discover the name of the victim machine, "AdamPRD", a device on the company network. The device's log history showed a successful connection request to the attacker IP discovered during malware analysis. I therefore determined that the malware was not quarantined by the network.
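The check in the previous paragraph (resolve the alert's source IP to a host, then look for permitted flows to the C2 address) is simple enough to script against egress firewall logs. The following is an added example, not code from the original write-up or from LetsDefend; the asset inventory, the log format and every IP address (taken from documentation ranges) are constructed for illustration, and the C2 address is a placeholder, not the one observed in the alert.

```python
"""Resolve the alert's source IP to a host and check whether it reached the C2 IOC."""
from collections import Counter
import ipaddress
import re

# Constructed asset inventory: alert source IP -> hostname (assumption).
ASSETS = {"172.16.17.88": "AdamPRD", "172.16.17.90": "JaneLT"}

# Constructed egress firewall log (documentation IP ranges, placeholder C2 IP).
FIREWALL_LOG = """\
2024-05-01T10:01:10Z src=172.16.17.88 spt=51022 dst=198.51.100.23 dpt=443 proto=tcp action=ALLOW
2024-05-01T10:01:11Z src=172.16.17.88 spt=51023 dst=198.51.100.23 dpt=80 proto=tcp action=ALLOW
2024-05-01T10:01:30Z src=172.16.17.90 spt=49311 dst=198.51.100.23 dpt=443 proto=tcp action=DENY
2024-05-01T10:02:00Z src=172.16.17.88 spt=51030 dst=203.0.113.9 dpt=443 proto=tcp action=ALLOW
this line is malformed on purpose and must be skipped by the parser
"""

LINE_RX = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Yield parsed records; lines that do not match the key=value format are skipped."""
    for line in text.splitlines():
        m = LINE_RX.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
            yield rec


def check_c2_contact(src_ip, c2_iocs, log_text, assets=ASSETS):
    """Return the host for src_ip and its allowed/denied flows to any C2 IOC."""
    ipaddress.ip_address(src_ip)  # fail early on a malformed IP copied from the alert
    iocs = {str(ipaddress.ip_address(i)) for i in c2_iocs}
    allowed, denied = Counter(), Counter()
    for rec in parse_log(log_text):
        if rec["src"] != src_ip or rec["dst"] not in iocs:
            continue
        key = (rec["dst"], rec["dpt"])
        if rec["action"].upper() == "ALLOW":
            allowed[key] += 1
        else:
            denied[key] += 1
    return {
        "host": assets.get(src_ip, "unknown"),
        "allowed": dict(allowed),
        "denied": dict(denied),
        # Any permitted flow to the C2 means the egress control did not stop it,
        # so the case escalates to containment instead of closing as "blocked".
        "reached_c2": bool(allowed),
    }


if __name__ == "__main__":
    print(check_c2_contact("172.16.17.88", ["198.51.100.23"], FIREWALL_LOG))
```

A denied flow is still worth recording as an artifact (the host tried to beacon), but only an allowed one turns "malware detected" into "malware communicated", which is the distinction that drove the containment decision here.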
It was evident from my investigation that the malware was genuinely malicious and carried out its designed attack. I also confirmed that the victim machine made a direct request to the attacker's C2. In response, I contained the device, reported my artifacts, and declared the alert a true positive.