Incident Investigation of Suspicious Activity Alert File Execution

Upon analyzing the incident details, it appears a suspicious activity was detected involving the execution of a file with MD5 hash "f64ccd0988a69af2fb4c1a2686c5572f" on March 3, 2022 at 17:17:24 UTC. The file contained malware and prompted the user to visit a malicious website. Investigations found the file execution initiated a network connection to a domain associated with malware. The infected system was isolated, cleaned, and security measures were taken to prevent future incidents.

Uploaded by

Harsha wings

INC003547 || Suspicious Activity

Alert || File Execution || True Positive

Classification: Suspicious Activity at End User system

Triage of Incident

IOC:

- Source IP: 10.60.12.30

- User Name: Harish

- Host Name: Asus-Harish-322

- Date & Time: 3rd March 2022, 17:17:24 UTC

- OS Version: Windows 10

- Location: Hyderabad

IOA:

- Destination IP: 209.126.10.71

- DNS Name: knvacuumbrazil.com

- URL: knvacuumbrazil.com/

- HOSTNAME: knvacuumbrazil.com

- DOMAIN: knvacuumbrazil.com

- NETWORK OWNER: NL-811

- CONTENT CATEGORY: Business and Industry

- LOCATION: UNITED STATES

File Execution:

- Command Line: “C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE” “C:\Users\tom\AppData\Local\Temp\iuaemfng.zip\iuaemfng.xlsb”

- File Hash MD5: f64ccd0988a69af2fb4c1a2686c5572f

Severity: HIGH

Risk Score: 80

Investigation:

1. The program initiated a network connection from source IP 10.60.12.30, port 54494, to destination IP 209.126.10.71, port 443. The domain associated with the destination IP is “knvacuumbrazil.com”.

2. The program executed the command line: “C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE” “C:\Users\tom\AppData\Local\Temp\iuaemfng.zip\iuaemfng.xlsb”.

3. The MD5 hash of the executed file is “f64ccd0988a69af2fb4c1a2686c5572f”.
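The three investigation findings above (Office opening a document from a zip under the user's Temp folder, a blocked file hash, and an outbound connection to the flagged IP/domain on 443) can be turned into a small triage check. The code below is an added example, not part of the report or its tooling; the telemetry records, the benign second event and its all-zero placeholder hash, and the severity mapping are constructed for illustration.

```python
import re

# Constructed telemetry modelled on the incident (not the report's own logs).
PROCESS_EVENTS = [
    {"host": "Asus-Harish-322", "user": "Harish",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\tom\AppData\Local\Temp\iuaemfng.zip\iuaemfng.xlsb"',
     "md5": "f64ccd0988a69af2fb4c1a2686c5572f"},
    {"host": "Asus-Harish-322", "user": "Harish",   # constructed benign event
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\tom\Documents\budget.xlsx"',
     "md5": "00000000000000000000000000000000"},     # placeholder, not a real hash
]
NETWORK_EVENTS = [
    {"host": "Asus-Harish-322", "src": "10.60.12.30", "sport": 54494,
     "dst": "209.126.10.71", "dport": 443, "domain": "knvacuumbrazil.com"},
]
# Blocklists as populated after the incident (EDR hash, firewall IP, proxy domain).
BLOCKED_HASHES = {"f64ccd0988a69af2fb4c1a2686c5572f"}
BLOCKED_IPS = {"209.126.10.71"}
BLOCKED_DOMAINS = {"knvacuumbrazil.com"}

# Office binary launched with a document that lives inside a .zip under %TEMP%.
OFFICE_EXE = re.compile(r'\\(EXCEL|WINWORD|POWERPNT)\.EXE"', re.I)
TEMP_ARCHIVE_DOC = re.compile(
    r'\\AppData\\Local\\Temp\\[^"]*\.zip\\[^"]*\.(xlsb|xlsm|xls|docm)', re.I)


def triage(process_events, network_events):
    """Return {host: [finding, ...]} for hosts with at least one finding."""
    findings = {}
    for p in process_events:
        hits = findings.setdefault(p["host"], [])
        if OFFICE_EXE.search(p["cmdline"]) and TEMP_ARCHIVE_DOC.search(p["cmdline"]):
            hits.append("office-opened-doc-from-temp-archive")
        if p["md5"].lower() in BLOCKED_HASHES:
            hits.append("blocked-hash:" + p["md5"].lower())
    for n in network_events:
        hits = findings.setdefault(n["host"], [])
        if n["dst"] in BLOCKED_IPS or n["domain"].lower() in BLOCKED_DOMAINS:
            hits.append(f"outbound-to-blocked:{n['dst']}:{n['dport']}")
    return {host: hits for host, hits in findings.items() if hits}


def severity(hits):
    """Constructed mapping, not the report's risk score: any blocklist match is
    HIGH, a lone suspicious Office launch is MEDIUM, nothing found is NONE."""
    if any(h.startswith(("blocked-hash", "outbound-to-blocked")) for h in hits):
        return "HIGH"
    return "MEDIUM" if hits else "NONE"
```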

IP Address Reputation:

As per VirusTotal.com: 2/88 engines reported it

As per IPVoid: 1/45 engines reported it

URL Validation:

As per VirusTotal.com: 8/90 engines reported it as malicious

As per Symantec Site Review: malicious

Hash Value Reputation:

As per VirusTotal.com: 32/62 engines reported it

Actions Taken:

- Isolation of the infected system

- Replacement of the end user’s laptop

- Deletion of the malware-infected files

- Blocking of the file hash in EDR

- Antivirus scan and cleanup

- URL blocked in proxy

- IP address blocked in firewall

- Cache and cookies cleared, browser reinstalled

- DLP prevented data upload to public websites

- Data recovered from backup

- End user restored from abnormal to normal operation

Prevention & Mitigation:

- Take regular backups

- Maintain active EDR agents

- Patch systems and software consistently

- Configure threat intelligence feeds in security tools

- Educate employees to report suspicious activities

Summary:

Upon analyzing the provided incident details, it appears that suspicious activity was detected involving the execution of a file. On 3rd March 2022 at 17:17:24 UTC, the program with the MD5 hash “b2244a1c33f1426b525f91c24aa8aadc” exhibited behavior warranting investigation. The file contains malware (a Trojan); the user deliberately opened the website to download a software file.

For your reference, I’m attaching the reports and my analysis:

IP Reputation:

VirusTotal.com: https://www.virustotal.com/gui/ip-address/209.126.10.71

IPVoid: https://www.ipvoid.com/domain-reputation-check/209.126.10.71

URL Reputation:

VirusTotal.com: https://www.virustotal.com/gui/url/719fcb58e2a2f8f8c8d93cc8917609c4a4eda95fd10d0ce6d9b0a8057911a506

Hash Value Reputation:

VirusTotal.com: https://www.virustotal.com/gui/file/5971286ca4ab45f7708f4ff41e14695301b71a8a200d4ad4b2658a9e49cd7689
