
[Writeup] LetsDefend - SOC145 - Ransomware Detected - EventID 92


Welcome!

  • LetsDefend is a Blue Team Training platform.
  • This writeup is for an alert on the LetsDefend simulated SOC.

The Alert:

Oh no: the alert's action field reads Allowed, not Blocked, so the file was not stopped on the host.

Actions:

  • Copy alert details to notes.
  • Check the file hash in VirusTotal to see whether it is already known as malicious.
  • Create Case.

VirusTotal:

VirusTotal already knows this hash as ransomware, and the alert says it was allowed to run. Oh boy.


Playbook:

Let's start the playbook.

Of the threat categories the playbook offers, "Other" is the only one that fits this alert.

Next it sends us to Log Management and Endpoint Security.


Log Management:

Searching Log Management around the alert date/time turns up no relevant logs.


Endpoint Security:

Endpoint Security shows that the EDR agent has been removed from the host and the ransomware is running. Removing or disabling the security agent is a common step before encryption (MITRE ATT&CK T1562.001, Impair Defenses), so the missing agent is a finding in itself, not just a gap in visibility.

Action:

  • Contain the endpoint.

Playbook (continued):

The quarantine question gets a no: nothing stopped the file before it ran, and that box is infected.

Looking at VirusTotal, I didn't see any C2 traffic in the behavior data. But let's confirm with Hybrid Analysis before answering.


Hybrid Analysis:

Hybrid Analysis agrees: no C2 traffic in its sandbox report either. Thought so, but had to be sure.


Playbook (continued):

Verdict: it is indeed Malicious - Ransomware.

After double-checking with Hybrid Analysis, neither sandbox reports any C2 traffic for this sample, so the answer to "Was C2 accessed?" is no. (A sandbox report only shows what the sample did in that run, so "no C2 observed" is the evidence behind the answer, not proof that the sample can never call out.)

We have the MD5 hash from the alert, so we add it as the artifact. Comment: "Malicious - Ransomware.Avaddon"

Note:

  • File was verified to be Ransomware via VirusTotal and Hybrid-Analysis.
  • Endpoint EDR Agent was removed.
  • Endpoint is infected.
  • Endpoint Containment has been enabled.
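Here is how the hash triage and the C2 answer above can be scripted, as an added example that is not part of the original writeup and not LetsDefend's or the author's tooling. It reads a VirusTotal API v3 "files" object (the sample embedded below is constructed to match that layout, with placeholder digests and a made-up detection count; the real alert's hash is not reproduced here), identifies the hash type, computes the detection ratio and popular threat label, checks the contacted-domain/IP relationships for C2 evidence, and builds the artifact comment. The five-engine threshold and the comment format are my choices, not a LetsDefend convention.

```python
"""Hash triage for a ransomware alert (added example, not the author's or
LetsDefend's own tooling).

Works a file hash the way the playbook does: identify the hash type, read a
VirusTotal API v3 "files" object, compute the detection ratio and threat
label, and check the sandbox relationships for contacted hosts to answer
"was the C2 accessed?".  The response below is constructed for this example;
it follows the v3 field layout but is not a real VirusTotal result.
"""
import json
import re

# Digest length in hex characters -> hash type.  Anything else is rejected
# rather than guessed, so a hash truncated while copying from a screenshot
# is caught before it is searched.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Engines flagging the file before we call it malicious outright (my choice).
# A handful of hits can be a false positive from one heuristic engine.
MALICIOUS_THRESHOLD = 5

# Constructed sample shaped like
#   GET /api/v3/files/{hash}?relationships=contacted_domains,contacted_ips
# The digests are placeholders, not the alert's real hash.
SAMPLE_VT_RESPONSE = json.dumps({
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "md5": "0" * 32,
            "last_analysis_stats": {
                "harmless": 0, "malicious": 58, "suspicious": 0,
                "undetected": 12, "timeout": 0,
            },
            "popular_threat_classification": {
                "suggested_threat_label": "ransomware.avaddon",
            },
        },
        "relationships": {
            "contacted_domains": {"data": []},
            "contacted_ips": {"data": []},
        },
    }
})


def hash_type(value: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest; raise otherwise."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"not a hex digest: {value!r}")
    if len(digest) not in HASH_TYPES:
        raise ValueError(f"unsupported digest length {len(digest)}")
    return HASH_TYPES[len(digest)]


def triage(raw_json: str) -> dict:
    """Summarise a VT v3 file object into the answers the playbook asks for."""
    data = json.loads(raw_json)["data"]
    attrs = data["attributes"]
    stats = attrs["last_analysis_stats"]
    # VT's displayed ratio counts engines that returned a verdict; timeouts
    # and unsupported file types are left out of the denominator.
    scanned = sum(stats.get(k, 0)
                  for k in ("harmless", "malicious", "suspicious", "undetected"))
    malicious = stats.get("malicious", 0)
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")

    if malicious >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif malicious > 0 or stats.get("suspicious", 0) > 0:
        verdict = "suspicious"
    else:
        verdict = "no detections"  # not "clean": never-seen files score 0 too

    # Network indicators from VT's sandbox runs.  An empty list is the basis
    # for answering "C2 not accessed"; it shows no beaconing was observed,
    # not that the sample has no C2 capability.
    rels = data.get("relationships", {})
    contacted = [item["id"] for key in ("contacted_domains", "contacted_ips")
                 for item in rels.get(key, {}).get("data", [])]

    return {
        "md5": attrs.get("md5"),
        "detections": f"{malicious}/{scanned}",
        "verdict": verdict,
        "label": label,
        "contacted_hosts": contacted,
        "c2_observed": bool(contacted),
    }


def case_comment(result: dict) -> str:
    """Build the artifact comment in the form used in this writeup."""
    if result["verdict"] != "malicious":
        return f"{result['verdict'].capitalize()} - {result['detections']} detections"
    family = result["label"] or "unknown"
    # "ransomware.avaddon" -> "Ransomware.Avaddon"
    family = ".".join(part.capitalize() for part in family.split("."))
    return f"Malicious - {family}"


if __name__ == "__main__":
    result = triage(SAMPLE_VT_RESPONSE)
    print(hash_type(result["md5"]), result["detections"], result["verdict"])
    print(case_comment(result))
    print("C2 observed:", result["c2_observed"])
```

To use it against a live lookup, replace SAMPLE_VT_RESPONSE with the body returned by the files endpoint (the relationships query parameter is needed for the contacted-host lists to be present); the triage logic itself does not change.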

Clean up:

Same note as in the playbook step above.

Result:

Hope this helps!

Reed Eggleston
Author