Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents a SOC alert investigation into a malicious Excel file containing macros that ran on an endpoint, resulting in a compromise.
Alert Details #
| Key: | Value |
|---|---|
| EventID: | 77 |
| Event Time: | Mar, 13, 2021, 08:20 PM |
| Rule: | SOC138 - Detected Suspicious Xls File |
| Level: | Security Analyst |
| Source Address: | 172.16.17.56 |
| Source Hostname: | Sofia |
| File Name: | ORDER SHEET & SPEC.xlsm |
| File Hash: | 7ccf88c0bbe3b29bf19d877c4596a8d4 |
| File Size: | 2.66 MB |
| Device Action: | Allowed |
Initial Triage #
Actions #
- Copied alert details to notes
- Created case
- Began analysis
Thoughts #
“It was an ‘xlsm’ file (Excel sheet containing VBA macros) and yet it was allowed. Oh boy. Let’s start with the network logs of the endpoint in the SIEM to see what it’s been up to. I’ll also throw that file into VirusTotal and Hybrid Analysis.”
Analysis #
Tools Used #
Firewall Logs #
| Key: | Value |
|---|---|
| type: | Firewall |
| source_address: | 172.16.17.56 |
| source_port: | 52155 |
| destination_address: | 177.53.143.89 |
| destination_port: | 443 |
| time: | Mar, 13, 2021, 08:20 PM |
| Data: | ....5...1..K|ÍtV.kE...Ù.c..b§.7rÊb.?&........ÿ.. |
| Key: | Value |
|---|---|
| type: | Firewall |
| source_address: | 172.16.17.56 |
| source_port: | 52155 |
| destination_address: | 177.53.143.89 |
| destination_port: | 443 |
| time: | Mar, 13, 2021, 08:20 PM |
| Data: | ....}...y..K|Í|.....y.<§¢jJê#.....mrZ¡.Ã..../.5..... |
Thoughts #
“Ah, it’s encrypted data being sent to an IP that aligns perfectly with the time of the Malicious XLS alert… I’m gonna initiate containment.”
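As an added illustration (not part of the original writeup or of the LetsDefend platform), the correlation behind that thought turned into code: take the alert's source address and event time, pull the host's outbound connections from a window around it, and group them by destination and port. The records are constructed in the shape of the firewall fields shown above; the two extra rows (an unrelated destination hours earlier, and a second host later in the evening) are assumptions added only to show what the filters discard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Time format used by the SIEM fields quoted above, e.g. "Mar, 13, 2021, 08:20 PM".
TIME_FMT = "%b, %d, %Y, %I:%M %p"

# Constructed records in the shape of the firewall fields shown above. The first
# two mirror the page's entries; the last two are assumed extra traffic added to
# show what the time window and the source-address filter discard.
FIREWALL_LOGS = [
    {"type": "Firewall", "source_address": "172.16.17.56", "source_port": 52155,
     "destination_address": "177.53.143.89", "destination_port": 443,
     "time": "Mar, 13, 2021, 08:20 PM"},
    {"type": "Firewall", "source_address": "172.16.17.56", "source_port": 52155,
     "destination_address": "177.53.143.89", "destination_port": 443,
     "time": "Mar, 13, 2021, 08:20 PM"},
    {"type": "Firewall", "source_address": "172.16.17.56", "source_port": 50102,
     "destination_address": "142.250.74.78", "destination_port": 443,
     "time": "Mar, 13, 2021, 02:05 PM"},          # hours earlier, unrelated (assumed)
    {"type": "Firewall", "source_address": "172.16.17.88", "source_port": 49211,
     "destination_address": "177.53.143.89", "destination_port": 443,
     "time": "Mar, 13, 2021, 08:41 PM"},          # a different host (assumed)
]


def parse_time(value):
    return datetime.strptime(value, TIME_FMT)


def connections_near_alert(logs, source_address, alert_time, window_minutes=10):
    """Outbound connections from the alerting host within +/- window of the alert."""
    centre = parse_time(alert_time)
    lo = centre - timedelta(minutes=window_minutes)
    hi = centre + timedelta(minutes=window_minutes)
    return [rec for rec in logs
            if rec["source_address"] == source_address
            and lo <= parse_time(rec["time"]) <= hi]


def candidate_c2(hits):
    """Group the matching connections by (destination, port); the most frequent
    pair is the candidate C2 to pivot on. Returns None when nothing matched."""
    counts = defaultdict(int)
    for rec in hits:
        counts[(rec["destination_address"], rec["destination_port"])] += 1
    if not counts:
        return None
    (dst, port), n = max(counts.items(), key=lambda kv: kv[1])
    return {"destination_address": dst, "destination_port": port, "connections": n}


if __name__ == "__main__":
    # Source address and event time come straight from the alert details.
    hits = connections_near_alert(FIREWALL_LOGS, "172.16.17.56", "Mar, 13, 2021, 08:20 PM")
    for rec in hits:
        print(rec["time"], rec["destination_address"], rec["destination_port"])
    print("candidate C2:", candidate_c2(hits))
```

The window defaults to ten minutes; narrowing it tightens the link between alert and connection, but the firewall data alone still cannot show what went over the 443 session (the payload is encrypted), which is why the file and IP lookups below come next.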
Endpoint (EDR Agent) #
Actions #
- Initiate containment on host: Sofia
Thoughts #
“The logs are barren, like they’ve been wiped.”
File #
| Key | Value |
|---|---|
| VirusTotal: | 46/65 (trojan.acao/docdl) |
| Hybrid Analysis: | 100/100 Malicious (CVE-2017-11882) |
Thoughts #
“The C2 address is multiwaretecnologia.com.br, which resolves to 177.53.143.89, which is indeed the address the endpoint connected to.”
IP #
| Key | Value |
|---|---|
| VirusTotal: | 0/93 |
| Talos Intelligence: | Neutral |
| AbuseIPDB: | Not Found |
Thoughts #
“Eh? The C2 address has no reports… Is this a new campaign, or a targeted campaign?”
Email #
Thoughts #
“No email stating this is a penetration test.”
Determination #
Verdict #
- True Positive
- Escalate Case
Reasoning #
- The file is malware. (VirusTotal & Hybrid-Analysis)
- The endpoint connected to the C2 address, indicating the malware was indeed executed.
Actions #
- Endpoint containment was initiated.
Playbook #
Questions #
| Questions | Answers |
|---|---|
| Check if the malware is quarantined/cleaned | Not Quarantined |
| Analyze Malware | Malicious |
| Check If Someone Requested the C2 | Accessed |
Artifacts #
| Value | Comment | Type |
|---|---|---|
| 7ccf88c0bbe3b29bf19d877c4596a8d4 | trojan.acao/docdl | MD5 Hash |
| 177.53.143.89 | C2 IP | IP Address |
| https://multiwaretecnologia.com.br/js/Podaliri4.exe | Next stage for dropper. | URL |
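An added example, not from the original case notes, of what the artifacts list is for once it exists: sweeping other log sources for the same indicators to answer the "did anyone else request the C2" question. The log lines are constructed in a generic key=value style (an assumption; LetsDefend's real log format is not used), the DNS/proxy/EDR records and the second host 172.16.17.88 are hypothetical, and the indicators are the three from the table plus the domain derived from the URL, which is what a DNS query log carries even when the full URL is never logged.

```python
import re
from urllib.parse import urlsplit

# Indicators from the artifacts table above.
IOCS = {
    "md5": {"7ccf88c0bbe3b29bf19d877c4596a8d4"},
    "ip": {"177.53.143.89"},
    "url": {"https://multiwaretecnologia.com.br/js/Podaliri4.exe"},
}
# Derived indicator: the host part of the next-stage URL, which is what a DNS
# query log or a proxy log would carry even when the full URL is not logged.
IOCS["domain"] = {urlsplit(u).hostname for u in IOCS["url"]}

# Constructed log lines in a generic key=value style (an assumption; not the
# LetsDefend log format). The 172.16.17.88 entry is hypothetical, added to show
# the sweep surfacing a second host that resolved the same domain.
SAMPLE_LOGS = """\
ts=2021-03-13T20:18:40 src=172.16.17.56 host=Sofia type=edr event=file_create name="ORDER SHEET & SPEC.xlsm" md5=7CCF88C0BBE3B29BF19D877C4596A8D4
ts=2021-03-13T20:19:58 src=172.16.17.56 type=dns query=multiwaretecnologia.com.br. answer=177.53.143.89
ts=2021-03-13T20:20:05 src=172.16.17.56 type=firewall dst=177.53.143.89 dport=443 action=allow
ts=2021-03-13T20:20:09 src=172.16.17.56 type=proxy url=https://multiwaretecnologia.com.br/js/Podaliri4.exe status=200
ts=2021-03-13T14:05:00 src=172.16.17.56 type=proxy url=https://www.example.com/ status=200
ts=2021-03-13T20:41:12 src=172.16.17.88 type=dns query=multiwaretecnologia.com.br answer=177.53.143.89
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """key=value tokens into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def match_iocs(record):
    """Set of (ioc_type, value) pairs found in one parsed record. Hashes are
    compared case-insensitively and DNS names with any trailing dot removed."""
    hits = set()
    for field in ("dst", "answer"):          # firewall destination, DNS answer
        if record.get(field) in IOCS["ip"]:
            hits.add(("ip", record[field]))
    query = record.get("query", "").lower().rstrip(".")
    if query in IOCS["domain"]:
        hits.add(("domain", query))
    url = record.get("url")
    if url:
        if url in IOCS["url"]:
            hits.add(("url", url))
        host = urlsplit(url).hostname
        if host in IOCS["domain"]:
            hits.add(("domain", host))
    md5 = record.get("md5", "").lower()
    if md5 in IOCS["md5"]:
        hits.add(("md5", md5))
    return hits


def sweep(log_text):
    """Map each source host to the indicators it touched; clean hosts are omitted."""
    touched = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits = match_iocs(rec)
        if hits:
            touched.setdefault(rec.get("src", "?"), set()).update(hits)
    return touched


if __name__ == "__main__":
    for host, hits in sorted(sweep(SAMPLE_LOGS).items()):
        print(host, sorted(hits))
```

Matching on the derived domain, not only the literal URL, is the point: the second host never fetched Podaliri4.exe in these lines, but it resolved the C2 domain, which is exactly the kind of hit a literal-URL search would miss.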
Notes #
“True Positive. Escalating.
Summary: Endpoint obtained and ran malware. Containment Initiated.
Validated via: EDR Logs, Firewall logs, VirusTotal, Hybrid-Analysis.
Actions taken: Endpoint containment initiated.”
Final Thoughts #
“Interesting how the C2 address’s IP wasn’t flagged. Shows that things aren’t always detected at first so don’t hold too much weight on ‘neutral’ reputation results.”