SOC119 - Proxy - Malicious Executable File Detected

In this LetsDefend alert, I was presented with an event in which a device on our network contacted a web page and ran an executable flagged as malicious. I opened a case for the alert and began my investigation.

The first step of the playbook required me to collect data on the event. I began by noting that the destination hostname in this case was "win-rar[.]com." Most people are familiar with the popular compression tool "WinRAR," and a quick Google search confirmed that the legitimate site for WinRAR is "win-rar.com." So this might be a false positive, but I documented the IP for the hostname anyway. I also noted the device on the network that requested the web page, in this case SusieHost, along with its source IP address and user agent.

My next objective was to analyze the URL. As expected, the VirusTotal and Hybrid Analysis reports for the URL came back unremarkable, with no malicious activity or history. Hybrid Analysis did show that a successful connection to the web page triggered a number of additional DNS and host requests. To be thorough, I ran those IPs and hostnames through both tools as well, but none came back as dangerous or suspicious.

Having found no evidence so far to validate an attack, I investigated the source device. The device had no browser, command, network or process activity recorded (no agents were active), which was unhelpful. However, there was one log entry involving the destination IP, which upon further investigation I determined was not evidence of a malicious connection.
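The hostname check above (is "win-rar[.]com" really the vendor's own domain, or something that merely resembles it?) is a step worth automating so that it is applied consistently across alerts. The following Python is an added example, not part of the original write-up or of the LetsDefend platform: it refangs a defanged indicator, extracts the host, compares its registrable domain against a constructed allowlist of verified vendor domains, and flags near-miss spellings or brand names used as a subdomain as possible lookalikes. The allowlist contents, the edit-distance threshold and the two-label approximation of the registrable domain are all assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: vendor domains an analyst has already verified as legitimate.
# win-rar.com is included because the write-up above confirmed it as the real WinRAR site.
KNOWN_GOOD = {"win-rar.com"}

# Edit distance at or below this value flags a domain as a possible lookalike (assumed value).
LOOKALIKE_THRESHOLD = 2


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'hxxps://win-rar[.]com' back into a normal URL string."""
    s = indicator.strip()
    s = re.sub(r"hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s


def extract_host(indicator: str) -> str:
    """Return the lower-cased hostname from a defanged or plain URL or bare hostname."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s  # urlsplit only fills in the netloc when a scheme is present
    host = urlsplit(s).hostname or ""
    return host.rstrip(".")


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification: no public-suffix list is used, so names under multi-label
    suffixes (e.g. example.co.uk) are not handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small distance to a known brand suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str) -> dict:
    """Classify a destination against the allowlist.

    Returns the parsed host, its registrable domain and a verdict:
      'known_good' - registrable domain is on the allowlist
      'lookalike'  - within edit distance of an allowlisted brand, or brand used as a subdomain
      'unknown'    - needs the rest of the playbook (URL reputation, endpoint logs)
    """
    host = extract_host(indicator)
    domain = registered_domain(host)
    result = {"host": host, "domain": domain, "verdict": "unknown", "matched": None}
    if domain in KNOWN_GOOD:
        result["verdict"], result["matched"] = "known_good", domain
        return result
    labels = host.split(".")
    for good in KNOWN_GOOD:
        good_labels = good.split(".")
        n = len(good_labels)
        # Brand used as a subdomain of some other registrable domain, e.g. win-rar.com.<other>
        if any(labels[i:i + n] == good_labels for i in range(len(labels) - n)):
            result["verdict"], result["matched"] = "lookalike", good
            return result
        if levenshtein(domain, good) <= LOOKALIKE_THRESHOLD:
            result["verdict"], result["matched"] = "lookalike", good
            return result
    return result


if __name__ == "__main__":
    # Constructed sample indicators; only win-rar.com comes from the alert above.
    for ind in ["win-rar[.]com", "hxxps://www.win-rar[.]com/download",
                "winrar[.]com", "win-rar.com.example", "example.org"]:
        print(ind, "->", classify(ind))
```

A "known_good" verdict does not end the investigation on its own; it only explains why the URL reputation and endpoint checks that follow are expected to come back clean. A "lookalike" verdict is the case where those later steps deserve the most attention.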

To close out the playbook, I reported that this activity was not malicious. I submitted the artifacts of my investigation and closed the alert.