Incident Investigation of Suspicious Activity Alert File Execution


INC003547 || Suspicious Activity Alert || File Execution || True Positive

Classification: Suspicious Activity at End User System

Triage of Incident

IOC:

- Source IP: 10.60.12.30

- User Name: Harish

- Host Name: Asus-Harish-322

- Date & Time: 3rd March 2022, 17:17:24 UTC

- OS Version: Windows 10

- Location: Hyderabad

IOA:

- Destination IP: 209.126.10.71

- DNS Name: knvacuumbrazil.com

- URL: knvacuumbrazil.com/

- Hostname: knvacuumbrazil.com

- Domain: knvacuumbrazil.com

- Network Owner: NL-811

- Content Category: Business and Industry

- Location: United States

File Execution:

- Command Line: “C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE” “C:\Users\tom\AppData\Local\Temp\iuaemfng.zip\iuaemfng.xlsb”

- File Hash MD5: f64ccd0988a69af2fb4c1a2686c5572f

Severity: HIGH

Risk Score: 80

Investigation:

1. The program initiated a network connection from source IP 10.60.12.30, port 54494, to destination IP 209.126.10.71, port 443. The domain associated with the destination IP is “knvacuumbrazil.com”.

2. The program was executed with the command line: “C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE” “C:\Users\tom\AppData\Local\Temp\iuaemfng.zip\iuaemfng.xlsb”.

3. The MD5 hash of the executed file is “f64ccd0988a69af2fb4c1a2686c5572f”.

IP Address Reputation:

As per VirusTotal.com – 2/88 vendors flagged the IP

As per IPVoid – 1/45 engines flagged the IP

URL Validation:

As per VirusTotal.com – 8/90 vendors flagged the URL as malicious

As per Symantec Site Review – Malicious

Hash Value Reputation:

As per VirusTotal.com – 32/62 vendors flagged the file as malicious
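The investigation steps and reputation lookups above can be turned into repeatable triage logic. The Python below is an added example, not part of this incident report or of any vendor's tooling: it runs over constructed EDR telemetry modelled on this alert (the field names, the 60-second correlation window and the reputation thresholds are assumptions), flags an Office process that opens a document straight out of a Temp archive-extraction folder, correlates that with the follow-on connection to a non-private IP, and grades each indicator by its detection ratio so a weak IP score does not mask a strongly flagged hash.

```python
"""Triage logic for an Office file-execution alert, run over constructed telemetry.

Added example, not part of the original incident report. Field names, the
correlation window and the reputation thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed EDR telemetry modelled on the alert in this report (not real vendor
# output). The third event is a benign control: Excel opening a normal document.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2022-03-03T17:17:24Z", "host": "Asus-Harish-322",
     "image": r"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\tom\AppData\Local\Temp\iuaemfng.zip\iuaemfng.xlsb"',
     "md5": "f64ccd0988a69af2fb4c1a2686c5572f"},
    {"type": "network", "ts": "2022-03-03T17:17:31Z", "host": "Asus-Harish-322",
     "image": r"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE",
     "src": "10.60.12.30", "sport": 54494, "dst": "209.126.10.71", "dport": 443,
     "domain": "knvacuumbrazil.com"},
    {"type": "process", "ts": "2022-03-03T09:02:10Z", "host": "Asus-Harish-322",
     "image": r"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\tom\Documents\budget.xlsx"',
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},  # constructed placeholder hash
]

OFFICE_IMAGES = ("EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE")
# An Office document opened from inside an archive extracted under %LOCALAPPDATA%\Temp.
TEMP_ARCHIVE_DOC = re.compile(
    r"\\AppData\\Local\\Temp\\[^\\\"]+\.(?:zip|rar|7z)\\[^\\\"]+"
    r"\.(?:xls[bmx]?|doc[mx]?|ppt[mx]?)\"?$",
    re.IGNORECASE)


def is_private(ip):
    """RFC 1918 check: enough here to separate corporate from internet destinations."""
    a, b, *_ = (int(x) for x in ip.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_office_executions(events, window_s=60):
    """Return one finding per Office process that opened a document from a Temp
    archive path and, within window_s seconds, connected from the same host and
    image to a non-private IP. Each finding carries the IOCs needed for blocking."""
    findings = []
    for p in events:
        if p["type"] != "process" or not p["image"].upper().endswith(OFFICE_IMAGES):
            continue
        if not TEMP_ARCHIVE_DOC.search(p["cmdline"]):
            continue
        t0 = parse_ts(p["ts"])
        for n in events:
            if n["type"] != "network" or n["host"] != p["host"] or n["image"] != p["image"]:
                continue
            dt = parse_ts(n["ts"]) - t0
            if timedelta(0) <= dt <= timedelta(seconds=window_s) and not is_private(n["dst"]):
                findings.append({"host": p["host"], "md5": p["md5"], "dst_ip": n["dst"],
                                 "domain": n["domain"],
                                 "seconds_after_exec": int(dt.total_seconds())})
    return findings


# Detection counts (hits, engines) copied from this report's lookups; the grading
# thresholds are assumptions for illustration, not a vendor's scoring.
REPUTATION = {"ip": (2, 88), "url": (8, 90), "hash": (32, 62)}


def verdict(reputation, high=0.25, low=0.05):
    """Grade each indicator by detection ratio. The file hash is graded on its own
    so a low IP ratio (shared hosting is common) cannot dilute a strongly flagged file."""
    grades = {}
    for kind, (hits, total) in reputation.items():
        ratio = hits / total
        grades[kind] = "malicious" if ratio >= high else "suspicious" if ratio >= low else "clean"
    return grades


if __name__ == "__main__":
    for finding in find_suspicious_office_executions(SAMPLE_EVENTS):
        print("FINDING:", finding)
    print("VERDICT:", verdict(REPUTATION))
```

Run as-is, the script reports a single finding (the 17:17:24 execution, with the network connection seven seconds later) and grades the IP as clean, the URL as suspicious and the hash as malicious, which matches the analyst's true-positive call: the decision rests on the file, not on the hosting IP.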

Actions Taken:

- Isolation of the infected system

- Replacement of the end user’s laptop

- Deletion of the malware-containing files

- Blocking of the file hash in EDR

- Antivirus scan and cleanup

- URL blocked in the proxy

- IP address blocked in the firewall

- Browser cache and cookies cleared, browser reinstalled

- DLP prevented data upload to public websites

- Data recovered from backup

- End user returned to normal operations

Prevention & Mitigation:

- Regular backups are essential

- Maintain active EDR agents

- Consistently apply patches and updates for systems and software

- Configure threat intelligence feeds in security tools

- Educate employees to report suspicious activities

Summary:

Upon analysis of the incident details, suspicious activity involving the execution of a file was detected. On 3rd March 2022 at 17:17:24 UTC, the file with the MD5 hash recorded above, “f64ccd0988a69af2fb4c1a2686c5572f”, was opened by EXCEL.EXE and exhibited behavior warranting investigation. The file is malware (a Trojan). The user intentionally visited the website to download a software file.
For your reference, I am attaching the reports and my analysis:

IP Reputation:

VirusTotal.com – https://www.virustotal.com/gui/ip-address/209.126.10.71

IPVoid – https://www.ipvoid.com/domain-reputation-check/209.126.10.71

URL Reputation:

VirusTotal.com – https://www.virustotal.com/gui/url/719fcb58e2a2f8f8c8d93cc8917609c4a4eda95fd10d0ce6d9b0a8057911a506

Hash Value Reputation:

VirusTotal.com – https://www.virustotal.com/gui/file/5971286ca4ab45f7708f4ff41e14695301b71a8a200d4ad4b2658a9e49cd7689
