Email from Oliva - LetsDefend
I'm doing the SOC Analyst Learning Path at LetsDefend, and after finishing the investigation of the alert I got an email from the team at LetsDefend asking if I could publish my findings and provide a walkthrough.
I want to state that I'm not an expert in any shape or form, just a curious mind. Let's dig into this as we would in a real SOC.
EventID : 14
Event Time : Sep, 15, 2020, 09:02 PM
Rule : SOC104 - Malware Detected
Level : Security Analyst
Source Address : 172.16.17.82
Source Hostname : JohnComputer
File Name : googleupdate.exe
File Hash : 0bca3f16dd527b4150648ec1e36cb22a
File Size : 152.45 KB
Device Action : Allowed
John encountered googleupdate.exe on Sep, 15, 2020, 09:02 PM. It was allowed to run but was still flagged with High severity in our SIEM. Let's first create a case for this event, grab a drink and dig into it.
First things first: we are going to follow the Playbook provided, so we make sure we all investigate the same way at the company.
Download the file into our secure environment so we can analyze it more closely.
Check in Log Management and Endpoint Security whether the malware was quarantined/cleaned, to answer the playbook question "Is the malware quarantined/cleaned?" (not quarantined or quarantined).
Log management - Search for any logs that have John's IP. I'm using the basic mode since it's a quick search. Let's see what's going on here.
What we are interested in is any time around 15 September, but what we find is that there hasn't been any activity around the dates of the Event. That already is a red flag and we have to keep it in mind going forward. But we are still going to have a look at the logs, since there are not that many and we can manually read through them.
Proxy entries are HTTPS traffic to a GitHub repo, the URLs https://github.com/Neo23x0/sigma and https://github.com/Neo23x0/sigma/issues
Firewall entries are empty in the raw log, but let's look at the ports: one is HTTPS and the other SMTPS.
The Exchange entry is an unencrypted email. Sender Mail: john@letsdefend.io Destination Mail: susie@letsdefend.io
In my eyes there are a few things that stick out. At the same time John went on GitHub there was mail activity, but he was visiting the issues section, so it could be that he reported something wrong in the repo. For now just keep this in mind; we are going to cross-check it with the Endpoint to see what is going on.
Tip: keep the times and IPs written down.
Date                     Type      Src Address    Src Port   Dest. Address    Dest. Port
Oct, 11, 2020, 09:42 PM  Proxy     172.16.17.82   2211       140.82.121.4     443
Oct, 11, 2020, 09:47 PM  Proxy     172.16.17.82   12212      172.16.17.82     443
Oct, 11, 2020, 09:47 PM  Firewall  172.16.17.82   12212      172.16.17.82     443
Feb, 07, 2021, 04:23 AM  Exchange  172.16.17.82   49582      172.16.20.3      25
Oct, 29, 2020, 08:06 PM  Firewall  172.16.17.82   49758      208.91.199.223   587
Extra note: as I was going over this again I noticed that the SRC and DEST are the same on 2 requests, which is also very suspicious.
Endpoint Security - Search for JohnComputer and let's have a look at what's going on. We are met with the fact that there are no timestamps on the events, and this makes it a lot harder for us to carry on and create a timeline, but I think we can make an effort to get clues and also assume the log order is correct (newest event on top).
First big clue is John's Last Login: Oct, 10, 2020, 06:53 PM. In my head there are 2 options for why this happened: 1st a misconfiguration in the system, OR malicious code was running commands without John being logged in.
But we are not going to stop there, since we still have the Event and there are some very interesting things going on on the machine.
Processes - the first thing I want to look deeper into is this file c:/Users/John/Downloads/Purchase-Order_NO.231101.exe. Just by looking at the file we find something strange: a file that should presumably be a document has an exe extension instead. Let's run the MD5 hash against VirusTotal, and we get back confirmation that it is trojan.msil/agenttesla (virustotal link). We now know that John's computer is infected, since the process was running on the system, and we should contain the system directly. We are still going to look at the rest of the things, so let's continue: the rest of the processes are clean, at least according to VirusTotal.
Network - No information here, but we can reference the logs from before for context. With this information we need to cross-check these IPs with the known CnC servers and known IPs of the malware.
Looking at all the IPs there is one that sticks out, 208.91.199.223, and it has been reported multiple times. So, knowing that this machine is sending emails to a known malicious server, and that AgentTesla is often bundled with a keylogger, the conclusion is that John's keystrokes are being collected.
Terminal - here are some clues about what the Trojan is doing; we can also have a look over at VirusTotal to see if this one follows the same behavior as the "standard" AgentTesla.
First it lists all the users on the system, followed by just "user". Since it was done with 2 events we should still look into the system to see whether a new user was created or not, but the information we have is that it wasn't successful in adding a new user. After that it displays all files and subdirectories in the current directory, as well as all files and subdirectories within each subdirectory recursively, meaning it shows the entire directory tree starting from the current directory. The last is checking if it has a connection to GitHub with a ping request.
This can be innocent, but since we know the computer is infected we are going to assume this was done by the bad actor.
Network - We are now looking at the browser activity and can see that John was looking into updating the browser, first going to Google's support pages and then googling to get the direct link to download the latest version. This by itself is not that bad, but it's not best practice, and the company routines should be looked over to inform/enforce that software should be updated only from the program itself, so the risk of misconfigurations and possible malware downloads is mitigated.
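Putting the log triage above into code, as an added example that is not part of the original walkthrough: it parses constructed copies of the five log lines quoted earlier and flags the same points the investigation picks up on (activity outside the alert's day, source equal to destination, the destination reported on VirusTotal, and mail ports towards a non-private address). The alert time and the known-bad IP come from the alert details above; the set of mail ports is an assumption.

```python
import ipaddress
from datetime import datetime

# From the alert details in the walkthrough.
ALERT_TIME = datetime(2020, 9, 15, 21, 2)
# Destination reported multiple times on VirusTotal, per the walkthrough.
KNOWN_BAD_IPS = {"208.91.199.223"}
# Assumption: ports we treat as outbound mail.
MAIL_PORTS = {25, 465, 587}

# Constructed copies of the five Log Management entries shown above.
LOG_LINES = [
    "Oct, 11, 2020, 09:42 PM Proxy 172.16.17.82 2211 140.82.121.4 443",
    "Oct, 11, 2020, 09:47 PM Proxy 172.16.17.82 12212 172.16.17.82 443",
    "Oct, 11, 2020, 09:47 PM Firewall 172.16.17.82 12212 172.16.17.82 443",
    "Feb, 07, 2021, 04:23 AM Exchange 172.16.17.82 49582 172.16.20.3 25",
    "Oct, 29, 2020, 08:06 PM Firewall 172.16.17.82 49758 208.91.199.223 587",
]


def parse_line(line):
    """Split one entry: the date is the first five tokens, then five fixed fields."""
    parts = line.split()
    when = datetime.strptime(" ".join(parts[:5]), "%b, %d, %Y, %I:%M %p")
    kind, src, sport, dst, dport = parts[5:10]
    return {"time": when, "type": kind, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def triage(entry, alert_time=ALERT_TIME):
    """Return the list of red flags an analyst would note for one entry."""
    flags = []
    if entry["time"].date() != alert_time.date():
        flags.append("outside-alert-day")        # nothing on the event date
    if entry["src"] == entry["dst"]:
        flags.append("src-equals-dst")           # the two odd 12212 requests
    if entry["dst"] in KNOWN_BAD_IPS:
        flags.append("known-bad-destination")    # 208.91.199.223
    if entry["dport"] in MAIL_PORTS and ipaddress.ip_address(entry["dst"]).is_global:
        flags.append("external-mail-port")       # mail leaving the network
    return flags


def triage_all(lines):
    return {line: triage(parse_line(line)) for line in lines}


if __name__ == "__main__":
    for line, flags in triage_all(LOG_LINES).items():
        print(f"{line}\n    -> {', '.join(flags) or 'no flags'}")
```

The internal Exchange entry to 172.16.20.3 on port 25 is not flagged as external mail, which matches the walkthrough's reading of it as ordinary in-house email.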
Who, what, where, when and why?
JohnComputer with IP 172.16.17.82 searched online at an unknown time/date to update Google Chrome and downloaded a malicious file from an unknown website, Purchase-Order_NO.231101.exe, that contains the trojan AgentTesla, a known malware and keylogger. Emails have been sent out from the machine under the process "c:/program files (x86)/google/update/googleupdate.exe" to a known malicious server with IP 208.91.199.223:587 at Oct, 29, 2020, 08:06 PM, and we can assume that keystrokes and other information have been leaked.
JohnComputer is compromised by the trojan AgentTesla and needs to be quarantined immediately. John hasn't been logged in; I suggest that we have the IT department take the computer for further investigation of what information has been extracted from the machine. The suggestion for John is to change all his passwords.
We can carry out a dynamic investigation of the infected file with, for example, Any.run to give more information regarding the captured exe. This is going to depend on the amount of resources of the SOC, but it can also be assigned to another analyst to carry on the investigation. And c:/Users/John/Downloads/Purchase-Order_NO.231101.exe needs to be captured and further analysis run on it to find IOCs to strengthen