SOC104 - Malware Detected
Moving on to Malware Analysis! In this LetsDefend alert, we were presented with the detection of a potentially malicious file.
Upon opening a case for the alert, the playbook first tasked me with defining the threat indicator. This was not immediately apparent. Looking at the alert information, I could see the involvement of a "googleupdate.exe" file, which I downloaded for analysis.
To identify the threat indicator, I opened the file in an AnyRun sandbox. It did not appear to perform any malicious activity: it generated no new network connections, HTTP or DNS requests, nor did it execute any child processes. I additionally ran the file through VirusTotal and Hybrid Analysis, and neither showed community reports flagging the executable as malicious. I therefore reported the threat indicator as "other."
At this point I needed to determine if the suspected malware had been quarantined by our network. I searched for the source IP in our endpoint detection module and identified that the device was part of our network, named "JohnComputer." I examined the device's process history, which showed the file had been executed successfully. This means that the malware had not been quarantined.
I rounded off my investigation by classifying the alert as a false positive with the determination that the file/executable was not malicious. I supported this determination with the artifacts described above. Once submitted, I closed the alert.
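As an added illustration of the triage steps above (not part of the original write-up or of LetsDefend's playbook), the helper below encodes the same logic: classify the threat indicator from sandbox behaviour, correlate the alert's source IP with the endpoint inventory, read the host's process history to decide whether the file was quarantined, and fold the reputation results into a verdict. The indicator category names, the IP address, the file path and the EDR record shape are all assumed or constructed; only "googleupdate.exe" and "JohnComputer" come from the alert.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class SandboxReport:  # behaviour counts from a sandbox run (constructed shape, not an AnyRun export)
    network_connections: int = 0
    http_requests: int = 0
    dns_requests: int = 0
    child_processes: list = field(default_factory=list)

def classify_threat_indicator(report: SandboxReport) -> str:
    """Map observed behaviour to a playbook indicator (assumed names); nothing observed -> 'other'."""
    if report.network_connections or report.http_requests or report.dns_requests:
        return "unusual network connection"
    return "suspicious child process" if report.child_processes else "other"

# Constructed stand-in for the endpoint detection module: IP -> hostname, per-host process history.
INVENTORY = {"172.16.17.56": "JohnComputer"}
PROCESS_HISTORY = {"JohnComputer": [
    {"image": r"C:\Users\john\Downloads\googleupdate.exe", "status": "executed"},
    {"image": r"C:\Windows\System32\svchost.exe", "status": "executed"},
]}

def quarantine_status(hostname: str, filename: str) -> str:
    """An 'executed' event means quarantine did not happen, 'blocked' means it did;
    no event at all is reported as such rather than assumed to be quarantine."""
    wanted = "\\" + filename.lower()
    events = [e for e in PROCESS_HISTORY.get(hostname, []) if e["image"].lower().endswith(wanted)]
    if any(e["status"] == "executed" for e in events):
        return "not quarantined"
    if any(e["status"] == "blocked" for e in events):
        return "quarantined"
    return "no execution record"

def triage(src_ip: str, filename: str, sample: bytes,
           report: SandboxReport, detections: dict) -> dict:
    """detections maps a reputation source to the number of engines flagging the hash."""
    indicator = classify_threat_indicator(report)
    malicious = indicator != "other" or any(n > 0 for n in detections.values())
    hostname = INVENTORY.get(src_ip)
    return {
        "sha256": hashlib.sha256(sample).hexdigest(),  # value to look up on VirusTotal / Hybrid Analysis
        "threat_indicator": indicator,
        "hostname": hostname,
        "quarantine": quarantine_status(hostname, filename) if hostname else "host not in inventory",
        "verdict": "true positive" if malicious else "false positive",
    }
```

With a clean sandbox report and zero detections the helper reproduces the outcome in this case: indicator "other", host JohnComputer, file not quarantined, verdict false positive.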