Welcome!
LetsDefend is a Blue Team Training platform.
This writeup is for an alert on the LetsDefend simulated SOC.
The Alert:
I’ll copy the alert details into my scratch notepad for easy recollection, then look up that MD5 hash in VirusTotal.
VirusTotal:
Oh, looks like we got the answer early. The binary is signed by Google, has been scanned many times, and is reported clean by the vendors, so this is most likely a false positive. Still gotta investigate though: a clean hash and a valid signature only tell us the file itself is the genuine updater, not that nothing suspicious launched it, so the endpoint and log checks in the playbook still need to be done.
Playbook:
Let’s start the Playbook!
The alert rule doesn’t really fit any of the categories the playbook offers, so I pick “Other”.
I’ll open Log Management and Endpoint Security in separate tabs, so we don’t lose our place in the playbook.
Log Management:
For LetsDefend, keep an eye on the Date/Time; the details you are looking for should be close to the time of the event you are investigating. In this case there are no network logs in the window around the alert.
Endpoint Security:
In the processes, you can see that GoogleUpdate.exe is indeed running, and the hash matches the alert.
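The checks above (hash matches the alert, signed by Google, nothing odd launched it) are what you would run on the endpoint itself outside the simulation. The following PowerShell is an added example and is not part of the original writeup or of LetsDefend: it hashes every running GoogleUpdate.exe, verifies its Authenticode signature, confirms it lives under a standard Google Update directory, and shows the parent process. The expected MD5 is a placeholder (the alert’s value is not reproduced here), the directory list and the signer-organization pattern are my assumptions, and the function name is invented for this example.

```powershell
# Added example, not from the original writeup.
# $ExpectedMd5 is a placeholder: substitute the hash from your alert.
$ExpectedMd5 = '00000000000000000000000000000000'

# Assumption: standard locations for the Google updater. Adjust for your environment.
$KnownGoodDirs = @(
    "$env:ProgramFiles\Google\Update",
    "${env:ProgramFiles(x86)}\Google\Update",
    "$env:LOCALAPPDATA\Google\Update"
)

function Test-GoogleUpdateBinary {
    # Hypothetical helper name for this example.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedMd5
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'FileNotFound' }
    }

    # Compare the on-disk MD5 with the hash quoted in the alert.
    $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

    # Authenticode check: Status is 'Valid' only if the chain verifies and the
    # file has not been modified after signing. Assumption: Google signs as
    # "O=Google LLC" (older builds: "O=Google Inc").
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signatureOk = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Google (LLC|Inc)')

    # A genuine updater dropped into a temp folder is still worth a look.
    $inKnownDir = [bool]($KnownGoodDirs | Where-Object { $Path -like "$_\*" } | Select-Object -First 1)

    $hashMatches = $md5 -ieq $ExpectedMd5
    $verdict = if ($hashMatches -and $signatureOk -and $inKnownDir) { 'LikelyBenign' } else { 'NeedsReview' }

    [pscustomobject]@{
        Path             = $Path
        MD5              = $md5
        HashMatchesAlert = $hashMatches
        SignatureStatus  = $sig.Status
        Signer           = $signer
        InExpectedDir    = $inKnownDir
        Verdict          = $verdict
    }
}

# Check every running GoogleUpdate.exe and show who launched it, so an
# unexpected parent (an Office application, a script host) stands out.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'GoogleUpdate.exe'"
foreach ($p in $procs) {
    if (-not $p.ExecutablePath) {
        Write-Warning "PID $($p.ProcessId): executable path not readable, check manually."
        continue
    }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $check  = Test-GoogleUpdateBinary -Path $p.ExecutablePath -ExpectedMd5 $ExpectedMd5
    $check | Add-Member -NotePropertyName ProcessId     -NotePropertyValue $p.ProcessId
    $check | Add-Member -NotePropertyName ParentProcess -NotePropertyValue $parent.Name -PassThru
}
```

Run it in an elevated PowerShell session on the host named in the alert; a 'LikelyBenign' verdict with a normal parent (the Google Update service or the Task Scheduler) backs up the VirusTotal result, while 'NeedsReview' tells you which of the three checks failed.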
Playbook (continued):
The playbook asks whether the file was quarantined. It was not; the process is still running on the endpoint.
Next it asks whether the file is malicious. We looked at this at the start: the binary is a known-good, signed binary for updating Google Chrome, and the hash of the running process matches the one VirusTotal reports clean.
Since we have the MD5 hash on hand, we attach that as the artifact and comment that it’s benign.
The analysis was simple, so my notes were too:
False Positive, Benign. Google Chrome Installer/Updater, signed by Google.
Personally, I paste my notes into the Alert closing note as well.
False Positive, Benign. Google Chrome Installer/Updater, signed by Google.
Result:
Hope you found this helpful!