letsdefend.io WriteUp - SOC109 - Emotet Malware Detected

November 22nd 2024 | #en #soc

Malware was detected on endpoint RichardPRD (172.16.17.45). Infected file is 1word.doc. VT (48/63) https://www.virustotal.com/gui/file/d34849e1c97f9e615b3a9b800ca1f11ed04a92b1014f55aa0158e3fffc22d78f Maldoc with VBA code. First Seen In The Wild on 2020-06-11 at 13:11:14 UTC. IoCs relate this document to Emotet Malware.

Summary

EventID : 85
Event Time : Mar, 22, 2021, 09:06 PM
Rule : SOC109 - Emotet Malware Detected
Level : Security Analyst
Source Address : 172.16.17.45
Source Hostname : RichardPRD
File Name : 1word.doc
File Hash : 349d13ca99ab03869548d75b99e5a1d0
File Size : 188.95 Kb
Device Action : Cleaned
File (Password:infected)


Timeline

User oi.dnefedstel@drahcir received an email from ac.notelrac.liamc@gnitnuocca on 31.01.2021 at 15:48. The email contains a malicious attachment (c9ad9506bcccfaa987ff9fc11b91698d; https://www.virustotal.com/gui/file/44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795).

The user accessed URL hxxp[://]andaluciabeach[.]net/image/network[.]exe on 31.01.2021 at 16:15. This URL has been identified on VT https://www.virustotal.com/gui/url/7359461b693314a3c84fd589a9b8bda0813f58b6548d08840f2f03085651f477/detection. The website is classified as "Malware Site" by Webroot and "Spyware/Malware" by Sophos. The VT community page (https://www.virustotal.com/gui/url/7359461b693314a3c84fd589a9b8bda0813f58b6548d08840f2f03085651f477/community) links it to the exploitation of CVE-2017-11882, the Microsoft Equation Editor vulnerability (see: https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/).

Firewall logs show that the malicious domain was accessed from endpoint 172.16.17.45 at 16:15 over https by process EQNEDT32.EXE (parent process excel.exe). This access was successful. No blocking by firewall.

At 16:20 the process JuicyPotato.EXE is executed by NT Authority/SYSTEM on the endpoint. This hacking tool is used by threat actors to escalate privileges on a victim system.

Two connections to the endpoint from IP 172.16.17.35 (host "Katie") have been blocked on 06.02.2024 at 13:40.
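As an added example (not part of the original write-up), the Python triage script below re-checks the timeline above against the indicators in this post: the attachment hash, the andaluciabeach[.]net URL, Equation Editor (EQNEDT32.EXE) spawned by an Office process and making a network request, a known hacktool executed as SYSTEM, and the blocked inbound connections. The key=value log format, the field names and the sample log lines are constructed for the example, and the sender address is a placeholder.

```python
"""Correlate constructed log lines against the write-up's indicators.

Added example; log format, field names and sample lines are constructed.
"""
import shlex
from urllib.parse import urlparse

# Indicators taken from the write-up.
IOC_HASHES = {
    "349d13ca99ab03869548d75b99e5a1d0",  # 1word.doc (MD5 from the alert)
    "c9ad9506bcccfaa987ff9fc11b91698d",  # e-mail attachment (MD5)
}
IOC_DOMAINS = {"andaluciabeach.net"}
IOC_IPS = {"5.135.143.133"}

# Behavioural indicators: Office -> Equation Editor -> network is the
# CVE-2017-11882 pattern; JuicyPotato is a privilege-escalation tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
HACKTOOLS = {"juicypotato.exe"}
SYSTEM_ACCOUNT = "nt authority/system"


def refang(text: str) -> str:
    """Turn a defanged indicator (hxxp, [://], [.]) back into a parseable URL."""
    return text.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def parse_line(line: str) -> dict:
    """Parse one constructed key=value log line; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(lines):
    """Return (timestamp, severity, reason) findings for the given log lines."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        ts, kind = ev.get("ts", "?"), ev.get("type")
        if kind == "email":
            if ev.get("attachment_md5") in IOC_HASHES:
                findings.append((ts, "high", f"known-bad attachment {ev['attachment_md5']} from {ev.get('sender')}"))
        elif kind == "proxy":
            host = urlparse(refang(ev.get("url", ""))).hostname or ""
            proc, parent = basename(ev.get("process", "")), basename(ev.get("parent", ""))
            if host in IOC_DOMAINS or host in IOC_IPS:
                findings.append((ts, "high", f"request to IoC host {host} by {proc} ({ev.get('action')})"))
            if proc == EQUATION_EDITOR and parent in OFFICE_PARENTS:
                findings.append((ts, "high", f"Equation Editor spawned by {parent} made a network request (CVE-2017-11882 pattern)"))
        elif kind == "process":
            image, user = basename(ev.get("image", "")), ev.get("user", "").lower()
            if image in HACKTOOLS:
                severity = "critical" if user == SYSTEM_ACCOUNT else "high"
                findings.append((ts, severity, f"hacktool {image} executed as {ev.get('user')}"))
        elif kind == "firewall" and ev.get("action") == "blocked":
            findings.append((ts, "info", f"blocked inbound from {ev.get('src')} to {ev.get('dst')}"))
    return findings


# Constructed sample lines mirroring the write-up's timeline (sender is a placeholder).
SAMPLE_LOGS = [
    "ts=2021-01-31T15:48 type=email host=RichardPRD sender=sender@example.invalid attachment_md5=c9ad9506bcccfaa987ff9fc11b91698d",
    "ts=2021-01-31T16:10 type=proxy host=RichardPRD src=172.16.17.45 url=https://example.org/ process=chrome.exe parent=explorer.exe action=allowed",
    'ts=2021-01-31T16:15 type=proxy host=RichardPRD src=172.16.17.45 url="hxxp[://]andaluciabeach[.]net/image/network[.]exe" process=EQNEDT32.EXE parent=excel.exe action=allowed',
    'ts=2021-01-31T16:20 type=process host=RichardPRD image="C:/Users/Public/JuicyPotato.EXE" user="NT Authority/SYSTEM"',
    "ts=2021-02-06T13:40 type=firewall src=172.16.17.35 dst=172.16.17.45 action=blocked",
]

if __name__ == "__main__":
    for ts, severity, reason in triage(SAMPLE_LOGS):
        print(f"{ts} [{severity}] {reason}")
```

The benign chrome.exe line produces no finding, so the script only surfaces the events that tie the alert to the Emotet delivery chain; the JuicyPotato hit is rated above the others because it ran as SYSTEM, which is what justifies containment rather than trusting the "Cleaned" verdict.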

Conclusion

At an unknown time (no event time in the logs) c:/program files (x86)/symantec/symantec endpoint protection/14/bin/ccsvchst.exe is executed. This is Sophos Antimalware, and the summary marks the initial finding as cleaned, but without further forensic investigation of the compromised endpoint it is recommended to contain the host and conduct appropriate IR and root cause analysis.

  • Email from ac.notelrac.liamc@gnitnuocca has been deleted. Sender did not send email to any other users on the domain.
  • Endpoint RichardPRD has been contained.
  • IP 5.135.143.133 and/or FQDN andaluciabeach[.]net need to be blocked on the firewall.
  • None of the IoC IPs identified on VT have been accessed by the endpoint.
