
[Writeup] LetsDefend - SOC104 - Malware Detected - EventID 36

Welcome!

  • LetsDefend is a Blue Team Training platform.
  • This writeup is for an alert on the LetsDefend simulated SOC.

The Alert:

Invoice.exe and it was allowed?? Oh boy. Actions:

  • Copy alert details into notes, including download link for sample.
  • Throw the file hash into VirusTotal to see if it’s a known sample.
  • Create the case.

VirusTotal:

…Ah. Yep, that’s about as clear as you can get.


Playbook:

Let’s get that playbook going.

The indicator was a malware detection on the endpoint, so let’s go with “Other.”

Let’s open Log Management and Endpoint Security in new tabs and take a look!


Log Management:

Taking the event time into account, we only see one relevant log, and in it the endpoint is connecting straight to that IP, with no domain name involved. I’m guessing C2. Let’s use VirusTotal on that URL.
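As an added example (not part of the original writeup), this is the kind of check the log review above boils down to, run over a few constructed proxy log lines: flag any connection to the C2 address from this case, and any HTTP request made straight to a public IP with no hostname. The log format and every address other than 92.63.8.47 are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample proxy log lines (not from the LetsDefend alert).
# Only 92.63.8.47 comes from the writeup; the rest are made up.
SAMPLE_LOGS = """\
2021-03-08 10:11:02 src=172.16.17.56 dst=92.63.8.47 dport=80 url=http://92.63.8.47/ action=allowed
2021-03-08 10:11:45 src=172.16.17.56 dst=198.51.100.7 dport=443 url=https://intranet.example.com/ action=allowed
2021-03-08 10:12:10 src=172.16.17.88 dst=10.0.0.5 dport=445 url=- action=allowed
2021-03-08 10:12:30 src=172.16.17.56 dst=203.0.113.9 dport=8080 url=http://203.0.113.9/update action=blocked
"""

# Known-bad C2 address from the writeup; an IOC feed would normally fill this set.
KNOWN_C2 = {"92.63.8.47"}

# RFC 1918 ranges: direct-to-IP traffic inside these is normal (file shares, printers).
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) url=(\S+) action=(\S+)")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def classify(line):
    """Return (src, dst, reason) when a line is suspicious, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, _dport, url, _action = m.groups()
    if dst in KNOWN_C2:
        return (src, dst, "known C2 address")
    host = HOST_RE.match(url)
    if not host:
        return None  # no URL recorded (e.g. SMB), nothing to judge here
    try:
        ip = ip_address(host.group(1))
    except ValueError:
        return None  # URL used a hostname, so DNS was involved
    if not any(ip in net for net in PRIVATE):
        return (src, dst, "direct-to-IP request to a public address")
    return None


def scan(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]
```

Each hit is a lead, not a verdict: the second one here should go through the same VirusTotal/Hybrid-Analysis checks the writeup applies to 92.63.8.47.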


VirusTotal:

As guessed, MAZE C2. That endpoint is 100% infected. Let’s go contain it in Endpoint Security.


Endpoint Security:

Agent isn’t installed. Yikes. Back to the Playbook in Case Management.


Playbook (continued):

Not quarantined; that box is infected with Maze Ransomware.

Well, we found a C2 address it was connecting out to, but we’ll follow the playbook. Let’s check Hybrid-Analysis.


Hybrid-Analysis:

There’s a list of C2; the first one is the one the endpoint connected to in our case.


Playbook (continued):

MAZE Ransomware - it is indeed malicious.

We know this from checking the logs earlier! The endpoint did indeed access the C2.

Already did! Next!

We have the MD5 hash; might as well use it: Comment: “Malicious - ransomware.maze”

Note:

  • File verified via VirusTotal and Hybrid-Analysis to be Maze Ransomware.
  • Endpoint connected out to the C2 server: 92.63.8.47
  • Endpoint is infected.
  • EDR Agent missing on endpoint.
  • Endpoint containment initiated.
  • True Positive

Clean Up:

Same note as in the Playbook step above.

Result:

Hope this helps!

Reed Eggleston
Author