Detection & Response
Assignments: 1. Investigate a suspicious file hash, 2. Use Playbook.
Scenario:
You are a level one security operations center (SOC) analyst at a financial services company. You have received an alert about a suspicious file being downloaded on an employee's computer.
You investigate this alert and discover that the employee received an email containing an attachment. The attachment was a password-protected spreadsheet file. The spreadsheet's password was provided in the email. The employee downloaded the file, then entered the password to open the file. When the employee opened the file, a malicious payload was then executed on their computer.
You retrieve the malicious file and compute its SHA256 hash. You might recall from a previous course that a hash function is a one-way algorithm that turns an input of any size into a fixed-length digest; the digest cannot be reversed to recover the original file, and changing even one byte of the input produces a completely different digest. Because of this, a hash is used to uniquely identify a malware sample, acting as the file's fingerprint, and can be compared against threat intelligence sources without sharing the file itself.
Now that you have the file hash, you will use VirusTotal to uncover additional IoCs that are associated with the file.
The alert details include the file hash and a timeline of the events leading up to this alert:
1:11 p.m.: An employee receives an email containing a file attachment.
1:13 p.m.: The employee successfully downloads and opens the file.
1:15 p.m.: Multiple unauthorized executable files are created on the employee's computer.
1:20 p.m.: An intrusion detection system detects the executable files and sends out an alert to the SOC.
SHA256 file hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
VirusTotal Information:
Community Score: 58/72
Security vendors' analysis:
Over fifty security vendors have flagged this file as malicious. Additionally, multiple vendors have categorized the file as Flagpro malware, a well-known malware used by advanced threat actors.
Domain names: org.misecure.com is reported as a malicious contacted domain under the Relations tab in the VirusTotal report.
IP address: 207.148.109.242 is listed as one of many IP addresses under the Relations tab in the VirusTotal report. This IP address is also associated with the org.misecure.com domain as listed in the DNS Resolutions section under the Behavior tab from the Zenbox sandbox report.
Hash value: 287d612e29b71c90aa54947313810a25 is the MD5 hash of the same file, listed under the Details tab in the VirusTotal report.
Network/host artifacts: Network-related artifacts that have been observed in this malware are HTTP requests made to the org.misecure.com domain. This is listed in the Network Communications section under the Behavior tab from the Venus Eye Sandbox and Rising MOVES sandbox reports.
Tools: Input capture is listed in the Collection section under the Behavior tab from the Zenbox sandbox report. Malicious actors use input capture to steal user input such as passwords, credit card numbers, and other sensitive information.
TTPs: Command and control is listed as a tactic under the Behavior tab from the Zenbox sandbox report. Malicious actors use command and control to establish communication channels between an infected system and their own system.
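As an added example (not part of the course material or the VirusTotal report), the following Python script takes the IoCs collected above and shows the two checks a SOC analyst would typically script: hashing a retrieved file and comparing its MD5/SHA256 against the known-bad digests, and scanning DNS and proxy log lines for the contacted domain and IP address. Only the two hashes, the domain and the IP come from the report on this page; the log lines, hostnames, and sample bytes are constructed for illustration.

```python
"""Match a retrieved file and network logs against the IoCs gathered from VirusTotal."""
import hashlib
import re

# IoCs from the VirusTotal report on this page: SHA256 and MD5 of the sample,
# the contacted domain, and the IP address it resolves to.
IOC_HASHES = {
    "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b",  # SHA256
    "287d612e29b71c90aa54947313810a25",                                  # MD5
}
IOC_DOMAINS = {"org.misecure.com"}
IOC_IPS = {"207.148.109.242"}

# Constructed DNS/proxy log lines (hypothetical host names and timestamps, not real data).
# Line 5 is a deliberate near miss: a different IP that shares a prefix with the IoC.
SAMPLE_LOGS = [
    "2024-05-01T13:14:02Z ws-0417 dns query org.misecure.com A",
    "2024-05-01T13:14:03Z ws-0417 http GET http://org.misecure.com/update.php 200",
    "2024-05-01T13:14:10Z ws-0417 http POST http://207.148.109.242/c2 200",
    "2024-05-01T13:14:30Z ws-0112 dns query www.example.com A",
    "2024-05-01T13:15:00Z ws-0417 http GET http://207.148.109.24/ 404",
]

# Dotted tokens: hostnames and IPv4 addresses. Slashes, colons and spaces end a token.
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def file_hashes(data: bytes) -> dict:
    """Return the MD5 and SHA256 hex digests of a file's content.

    Both are one-way: the digest cannot be reversed to recover the content, and any
    single-byte change yields an unrelated digest, so a hash only identifies an
    identical sample, not a modified variant.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hash_iocs(hashes: dict, iocs: set = IOC_HASHES) -> set:
    """Return the algorithms (e.g. {'sha256'}) whose digest appears in the IoC set.

    Comparison is case-insensitive because threat feeds mix upper- and lower-case hex.
    """
    known = {h.lower() for h in iocs}
    return {algo for algo, digest in hashes.items() if digest.lower() in known}


def network_iocs_in_line(line: str, domains: set = IOC_DOMAINS, ips: set = IOC_IPS) -> list:
    """Return every domain or IP IoC referenced by one log line.

    IPs must match exactly. Domains match exactly or as a parent of the observed
    host (cdn.org.misecure.com matches org.misecure.com, but xorg.misecure.com does not),
    because malware infrastructure often rotates hostnames under one parent domain.
    """
    hits = []
    for token in TOKEN_RE.findall(line):
        host = token.lower().rstrip(".")
        if host in ips:
            hits.append(host)
        elif any(host == d or host.endswith("." + d) for d in domains):
            hits.append(host)
    return hits


def scan_log_lines(lines, domains: set = IOC_DOMAINS, ips: set = IOC_IPS) -> list:
    """Return (line_number, indicator) pairs for every IoC sighting, 1-indexed."""
    results = []
    for number, line in enumerate(lines, start=1):
        for indicator in network_iocs_in_line(line, domains, ips):
            results.append((number, indicator))
    return results


if __name__ == "__main__":
    # Stand-in for the retrieved attachment; the real sample would hash to the IOC_HASHES values.
    sample = b"constructed placeholder bytes, not the real attachment"
    digests = file_hashes(sample)
    print("hashes:", digests)
    print("hash IoC matches:", match_hash_iocs(digests) or "none")
    for number, indicator in scan_log_lines(SAMPLE_LOGS):
        print(f"line {number}: contacted IoC {indicator}")
```

Running the script against the constructed logs flags lines 1 to 3 (two sightings of the domain and one of the IP) and ignores the benign query and the near-miss IP on line 5; the placeholder bytes do not match either known-bad digest, as expected, since only the actual attachment would. In a real investigation the file bytes would be read from the quarantined sample and the log lines pulled from the DNS resolver or web proxy for the window between 1:11 p.m. and 1:20 p.m.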
Final Summary Details:
Following the initial phishing email at 1:11 p.m. and the employee opening the attachment minutes later, VirusTotal analysis confirmed the file to be highly malicious, with a community score of 58/72 and more than fifty security vendors identifying it as Flagpro malware, a tool commonly leveraged by advanced threat actors. The sample’s MD5 hash (287d612e29b71c90aa54947313810a25) is associated with malicious network behavior, including outbound HTTP requests to the domain org.misecure.com, which VirusTotal and multiple sandbox environments classify as hostile. This domain resolves to the IP address 207.148.109.242, further reinforcing its malicious infrastructure role. Behavioral analysis from several sandboxes highlights key TTPs such as command‑and‑control communication and input capture, indicating credential theft and remote operator control capabilities. These findings align with the unauthorized executables detected at 1:15 p.m. and the subsequent IDS alert at 1:20 p.m., confirming that the attachment initiated a high‑risk compromise attempt consistent with known APT malware behavior.
Review the scenario.
You are a level-one security operations center (SOC) analyst at a financial services company. Previously, you received a phishing alert about a suspicious file being downloaded on an employee's computer. Your investigation of the attachment's file hash has already verified the file as malicious. Now that you have this information, you must follow your organization's process to complete your investigation and resolve the alert.
Your organization's security policies and procedures describe how to respond to specific alerts, including what to do when you receive a phishing alert.
In the playbook, there is a flowchart and written instructions to help you complete your investigation and resolve the alert. At the end of your investigation, you will update the alert ticket with your findings about the incident.
Playbook and Ticketing Alert Status
The Phishing Playbook instructions provide detailed, written instructions about each step represented in the flowchart.
The Phishing Flowchart provides a high-level overview and visual representation of the sequence of steps and substeps you'll take to respond to a phishing alert.
Open Ticket details
Phishing Playbook flowchart Version 1.0
Using and updating this playbook
Step 1: Receive phishing alert
Received Alert Ticket ID A-2703. Ticket status set to Open. Severity: Medium.
Step 2: Evaluate the alert
Begin the investigation by updating the Ticket status dropdown list to Investigating.
The alert detected that an employee downloaded and opened a malicious file from a phishing email. There is an inconsistency between the sender’s email address “76tguy6hh6tgftrt7tg.su,” the name used in the email body, “Clyde West,” and the sender’s name, “Def Communications.” The email body and subject line contained grammatical errors. The email’s body also contained a password-protected attachment, “bfsvc.exe,” which was downloaded and opened on the affected machine. Having previously investigated the file hash, it is confirmed to be a known malicious file. Furthermore, the alert severity is reported as medium. With these findings, I chose to escalate this ticket to a level-two SOC analyst to take further action.
Step 3.0: Does the email contain any links or attachments?
Yes. The email’s body contained a password-protected attachment, “bfsvc.exe.”
Step 3.1: Are the links or attachments malicious?
Yes. Having previously investigated the file hash, it is confirmed to be a known malicious file.
Step 3.2: Update the alert ticket and escalate
Updated the alert ticket with the evaluation and investigation details, and changed the ticket status to Escalated for a level-two SOC analyst to take further action.