Incident Investigation of Suspicious Activity Alert File Execution
Triage of Incident
Affected host (context, not an indicator in itself):
- OS Version – Windows 10
- Location – Hyderabad
IOC (network indicators from the alert):
- URL: knvacuumbrazil.com/
- Hostname: knvacuumbrazil.com
- Domain: knvacuumbrazil.com
File Execution:
Severity: HIGH
Risk Score: 80
Investigation:
1. The program initiated an outbound connection from source IP 10.60.12.30 (ephemeral port 54494) to
destination IP 209.126.10.71 on port 443 (HTTPS, so the payload itself is not visible in the flow record). The domain associated with the destination IP is
“knvacuumbrazil.com”.
IP Address Reputation:
URL Validation:
Actions Taken:
Prevention & Mitigation:
Summary:
Upon analyzing the provided incident details, suspicious activity involving the execution of a file was
detected. On 3 March 2022 at 17:17:24 UTC, the program with the MD5 hash
“b2244a1c33f1426b525f91c24aa8aadc” exhibited behaviour warranting investigation.
The file is malware (a Trojan). The user intentionally opened the website in order to download a
software file, so this is a user-initiated download rather than a drive-by.
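The triage flow described above (match the executed file's hash, then the destination IP and domain, and link the two through the process that made the connection) as an added example that is not part of the original report. It runs an IOC sweep over constructed Sysmon-style log lines; the indicators come from the report, while the host name HYD-WS-0412, the paths, the PIDs and every log line are assumed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators taken from the report above. The host name, paths, PIDs and the
# log lines in SAMPLE_LOGS are constructed for this example, not real telemetry.
IOCS = {
    "md5": {"b2244a1c33f1426b525f91c24aa8aadc"},
    "sha256": {"5971286ca4ab45f7708f4ff41e14695301b71a8a200d4ad4b2658a9e49cd7689"},
    "domains": {"knvacuumbrazil.com"},
    "ips": {"209.126.10.71"},
}

# Constructed Sysmon-style records: timestamp followed by key=value fields.
SAMPLE_LOGS = r"""
2022-03-03T17:17:20Z host=HYD-WS-0412 event=ProcessCreate pid=4120 image=C:\Users\u1\Downloads\setup.exe md5=B2244A1C33F1426B525F91C24AA8AADC
2022-03-03T17:17:24Z host=HYD-WS-0412 event=NetworkConnect pid=4120 src=10.60.12.30:54494 dst=209.126.10.71:443 dsthost=knvacuumbrazil.com
2022-03-03T17:18:01Z host=HYD-WS-0412 event=DnsQuery pid=4120 query=cdn.knvacuumbrazil.com
2022-03-03T17:20:05Z host=HYD-WS-0412 event=NetworkConnect pid=880 src=10.60.12.30:51002 dst=142.250.74.36:443 dsthost=www.google.com
2022-03-03T17:21:00Z host=HYD-WS-0412 event=ProcessCreate pid=5600 image=C:\Windows\System32\notepad.exe md5=0F1C3B3AA1C3CD4B2E7A0B9D1E2F3A4B
"""

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    ts: str
    pid: str
    event: str
    indicator: str
    reason: str


def parse_line(line):
    """Split 'TS key=val key=val ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    ev = dict(KV.findall(rest))
    ev["ts"] = ts
    return ev


def domain_matches(name, domains):
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def match_event(ev, iocs):
    """Return (indicator, reason) if the event touches any IOC, else None."""
    for algo in ("md5", "sha256"):          # Sysmon writes hashes in upper case
        h = ev.get(algo, "").lower()
        if h in iocs[algo]:
            return h, f"{algo} of executed image matches the reported sample"
    dst = ev.get("dst", "")
    ip = dst.rsplit(":", 1)[0]              # strip the port
    if ip in iocs["ips"]:
        return ip, f"outbound connection to reported IP ({dst})"
    for key in ("dsthost", "query"):        # connection target or DNS lookup
        d = domain_matches(ev.get(key, ""), iocs["domains"])
        if d:
            return d, f"{key}={ev[key]} is the reported domain or a subdomain of it"
    return None


def sweep(log_text, iocs=IOCS):
    """Return every log record that matches an IOC, in log order."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        m = match_event(ev, iocs)
        if m:
            hits.append(Hit(ev["ts"], ev.get("pid", "?"), ev.get("event", "?"), *m))
    return hits


def assess(hits):
    """HIGH when the process whose hash matched also reached the reported
    infrastructure (execution followed by network activity, as in the report);
    MEDIUM for unlinked hits; NONE when nothing matched."""
    hash_pids = {h.pid for h in hits if h.event == "ProcessCreate"}
    net_pids = {h.pid for h in hits if h.event in ("NetworkConnect", "DnsQuery")}
    linked = sorted(hash_pids & net_pids)
    if linked:
        return "HIGH", linked
    return ("MEDIUM", []) if hits else ("NONE", [])


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} pid={h.pid} {h.event}: {h.reason}")
    print("severity:", assess(found))
```

Two details matter for a sweep like this: hashes are compared case-insensitively because Sysmon and many EDRs emit upper-case hex, and the domain check accepts subdomains so a DNS query for cdn.knvacuumbrazil.com still counts. The severity is only raised to HIGH when the same PID accounts for both the hash match and the connection; a lone reputation hit on the IP would otherwise be rated MEDIUM and sent for manual review rather than escalated.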
For reference, I am attaching the reputation reports and my analysis:
IP Reputation:
IPVoid: https://www.ipvoid.com/domain-reputation-check/209.126.10.71
URL Reputation:
VirusTotal (URL report):
https://www.virustotal.com/gui/url/719fcb58e2a2f8f8c8d93cc8917609c4a4eda95fd10d0ce6d9b0a8057911a506
VirusTotal (file report, keyed by SHA-256):
https://www.virustotal.com/gui/file/5971286ca4ab45f7708f4ff41e14695301b71a8a200d4ad4b2658a9e49cd7689