Simple Writeup: LetsDefend SOC 145 - Ransomware Detected. Topics: Monitoring, Log Management, Case Management, Endpoint Security.
- Any.Run: https://app.any.run/
- VirusTotal: https://www.virustotal.com/gui/home/search
- Malwoverview with Triage: https://github.com/alexandreborges/malwoverview
- Hybrid Analysis: https://www.hybrid-analysis.com/
On May 23, 2021, at 7:32 PM, the LetsDefend SOC team found an alert on the Monitoring menu. The event description reports an attempt to spread ransomware in a client environment. The event was detected with event ID 92 and source IP 172.16.17.88. The user on that host is "MarkPRD". According to the information we got, the file flagged as ransomware is ab.exe, with the hash value shown in the image below. Keep in mind that the reason we focus on analyzing this event is its "high" severity value.
After reviewing the details of the event, we move into the analysis process, starting with gathering detailed information.
We start collecting information through "Log Management" and "Endpoint Security". More detailed information about "Log Management" and "Endpoint Security" can be read at the following links:
- https://www.humio.com/glossary/log-management/
- https://www.trellix.com/en-us/security-awareness/endpoint/what-is-endpoint-security.html#:~:text=Endpoint%20security%20is%20the%20practice,the%20cloud%20from%20cybersecurity%20threats..
In the "Log Management" menu, we search by the keyword source IP 172.16.17.88. The search results show 2 communication traffic entries for that IP, where the destination IPs are 81.169.145.105 and 192.64.119.190. This indicates that the host can still communicate with other hosts.
Continuing the information gathering, we open the "Endpoint Security" menu and search with the same keyword, 172.16.17.88. This menu gives us details such as Hostname, IP Address, OS version, Client/Server role and Device Status. Based on the results of this check, we conclude that the infected device is not quarantined.
Because the device flagged for malware is not in quarantine, we have to carry out the analysis immediately so that it does not cause further problems.
Any.Run is one of many third-party SOC tools useful for analyzing malware. The tool is a sandbox, so its analysis is based on dynamic analysis.
When we run the ab.bin file that we downloaded, we get the information shown in the image below:
The ab.bin file runs its processes behind the scenes. Through the Any.Run dashboard, we found as many as 247 file modifications. On closer inspection, there are many commands that delete system backups.
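The backup-deletion commands seen in the sandbox are exactly what a SOC would want to alert on from endpoint telemetry, before files are encrypted. The following is an added example (not code from the write-up, LetsDefend or Any.Run) of detection logic run over constructed process-creation events; the event fields, host names and command lines are assumptions made for the example, and the rules cover the common shadow-copy, backup-catalog and recovery-setting tampering commands.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed process-creation events (not taken from the write-up's Any.Run report).
# Field names (host, parent, cmdline) are an assumption for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "MarkPRD-PC", "parent": r"C:\Users\MarkPRD\Downloads\ab.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "MarkPRD-PC", "parent": r"C:\Users\MarkPRD\Downloads\ab.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "MarkPRD-PC", "parent": r"C:\Users\MarkPRD\Downloads\ab.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "MarkPRD-PC", "parent": r"C:\Users\MarkPRD\Downloads\ab.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    # Benign: an admin listing shadow copies is not a deletion.
    {"host": "HR-03", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "HR-03", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\jane\notes.txt"},
]

# Each rule: (human-readable name, compiled pattern over the command line).
BACKUP_TAMPERING_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copies deleted (wmic)",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup catalog deleted (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I)),
]


def match_backup_tampering(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, pattern in BACKUP_TAMPERING_RULES
            if pattern.search(event["cmdline"])]


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; returns (host, parent image, rule name) hits."""
    hits = []
    for event in events:
        for rule_name in match_backup_tampering(event):
            hits.append((event["host"], event["parent"], rule_name))
    return hits


def hosts_to_contain(events: List[Dict[str, str]], threshold: int = 1) -> Set[str]:
    """Hosts with at least `threshold` tampering hits; these are the candidates for
    the 'request host containment' step the write-up takes."""
    counts: Dict[str, int] = {}
    for host, _parent, _rule in detect(events):
        counts[host] = counts.get(host, 0) + 1
    return {host for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, parent, rule in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {rule} (parent: {parent})")
    print("Contain:", sorted(hosts_to_contain(SAMPLE_EVENTS)))
```

The parent image is kept in each hit because a single `vssadmin delete shadows` launched by a backup agent can be legitimate, while the same command spawned by an executable in a user's Downloads folder, repeated alongside `bcdedit` and `wbadmin` tampering, is the pattern that justifies immediate containment.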
VirusTotal is an Alphabet product that analyzes files, URLs, domains and IP addresses to detect malware and other types of threats, and automatically shares the results with the security community.
To view a VirusTotal report, you submit the file, IP address, or domain to VirusTotal.
We search VirusTotal's online data for an existing report, using the hash value we already know.
On VirusTotal, the hash has a bad reputation: 59 of 69 engines flag it. The data we got was last updated 5 days ago.
The information from VirusTotal is almost the same as Any.Run's: the ab.bin file runs the delete process behind the scenes.
Malwoverview is a first response tool used for threat hunting and offers intel information from Virus Total, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, ThreatCrowd, Malware Bazaar, ThreatFox, Triage and it is able to scan Android devices against VT.
Using Malwoverview, we tried to find more detailed information about the ab.bin file through the Triage API. Triage returns several reports, which can be seen in the picture.
The ab.bin.zip file is flagged as Avaddon malware, which belongs to the ransomware family. This is evidenced by a valid signature.
Hybrid Analysis is a malware sandbox tool, just like Any.Run.
To strengthen our conclusion that the ab.bin file is malware, we once again dynamically analyze the file using another malware sandbox platform.
The results from Hybrid Analysis strongly reinforce the analysis. The information consists of:
- Antivirus detection above 76%: the ab.bin file is malware
- The ab.bin file is flagged as ransomware
- The file was tested on 32-bit and 64-bit OS versions
- The incident response section generated for the file also shows very dangerous behaviour
We also found an important note left by the attacker, namely the website that must be visited: avaddonbotrxmuyl.onion.
The SOC team is required to carry out threat hunting to see whether there are other devices or users related to the IP of the device flagged with Avaddon malware.
Going back to the "Log Management" menu, it appears that the IP communicated with 2 other IP addresses, so we perform a "request host containment" to prevent any further communication.
From the results of the previous analysis we found several indicators of compromise, namely:
- Source IP: 172.16.17.88
- Hash: 0b486fe0503524cfe4726a4022fa6a68
- Website: avaddonbotrxmuyl.onion
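The threat-hunting step and the IoC list above can be turned into a repeatable sweep: take the indicators from the analysis, run them over the network logs to find other internal hosts that touched the same external addresses, the attacker's site or the infected host, and check an endpoint file inventory for the malware hash. The following is an added example (not code from the write-up or from LetsDefend); the key=value log format, the 172.16.17.0/24 client network, the host names and the inventory entries are constructed assumptions, while the IP, hash and domain indicators are the ones the analysis produced.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Indicators from the analysis above.
INFECTED_HOST_IP = "172.16.17.88"
MALWARE_MD5 = "0b486fe0503524cfe4726a4022fa6a68"
ATTACKER_SITE = "avaddonbotrxmuyl.onion"
# External addresses the infected host was seen contacting in Log Management.
CONTACTED_IPS = {"81.169.145.105", "192.64.119.190"}

# Constructed firewall/proxy log lines in a 'timestamp key=value ...' format.
# This format is an assumption for the example, not LetsDefend's own log format.
SAMPLE_NETWORK_LOG = """\
2021-05-23T19:32:01 src=172.16.17.88 dst=81.169.145.105 dport=443 action=allow
2021-05-23T19:32:05 src=172.16.17.88 dst=192.64.119.190 dport=80 action=allow
2021-05-23T19:40:12 src=172.16.17.91 dst=192.64.119.190 dport=80 action=allow
2021-05-23T19:41:00 src=172.16.17.54 dst=10.0.0.5 dport=445 action=allow
2021-05-23T19:45:30 src=172.16.17.102 dst=172.16.17.88 dport=445 action=allow
2021-05-23T19:50:00 src=172.16.17.120 dst=8.8.8.8 dport=53 action=allow dns=avaddonbotrxmuyl.onion
"""

# Constructed endpoint file inventory: (hostname, path, md5). Host names are made up.
SAMPLE_FILE_INVENTORY: List[Tuple[str, str, str]] = [
    ("MarkPRD-PC", r"C:\Users\MarkPRD\Downloads\ab.exe", MALWARE_MD5),
    ("Finance-07", r"C:\Users\jane\AppData\Local\Temp\update.exe", MALWARE_MD5),
    ("HR-03", r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value ...' line into a dict; timestamp stored under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def is_internal(ip: str) -> bool:
    """Assumption for the example: the client network is 172.16.17.0/24."""
    return ip.startswith("172.16.17.")


def hunt_related_hosts(log_text: str) -> Set[str]:
    """Return internal IPs (other than the infected host) that contacted the same
    external addresses, resolved the attacker's site, or talked to the infected host."""
    related: Set[str] = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        src, dst = f["src"], f["dst"]
        suspicious = (
            src in CONTACTED_IPS or dst in CONTACTED_IPS
            or f.get("dns") == ATTACKER_SITE
            or INFECTED_HOST_IP in (src, dst)
        )
        if suspicious:
            for ip in (src, dst):
                if is_internal(ip) and ip != INFECTED_HOST_IP:
                    related.add(ip)
    return related


def md5_of_bytes(data: bytes) -> str:
    """Hash a file's contents the same way the endpoint inventory records them."""
    return hashlib.md5(data).hexdigest()


def hosts_with_malware_hash(inventory: List[Tuple[str, str, str]],
                            md5: str = MALWARE_MD5) -> Set[str]:
    """Hosts whose inventory contains a file with the known malware hash."""
    return {host for host, _path, file_hash in inventory if file_hash.lower() == md5}


if __name__ == "__main__":
    print("Hosts to investigate (network):", sorted(hunt_related_hosts(SAMPLE_NETWORK_LOG)))
    print("Hosts with malware hash:", sorted(hosts_with_malware_hash(SAMPLE_FILE_INVENTORY)))
```

The sweep deliberately reports hosts that merely contacted the same external addresses as well as hosts that talked to the infected machine, because the write-up's containment decision was driven by the fact that the host could still reach other systems; each reported host is a lead for the Endpoint Security check, not a confirmed infection.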
After confirming that the ab.bin file is malware, the SOC team needs to add a record for the event.
After the event analysis has been carried out and the results obtained, the event is closed by the SOC team with a description of the results of the analysis and brief notes.