In this exercise we’re notified of suspicious Rundll32 activity and told to check it out.
Define Threat Indicator
First of all we need to check whether the alert actually checks out. A quick look in Log Management, cross-referencing the match found there with Endpoint Security, tells us that this is indeed a True Positive and that we need to dig deeper.
Check if the malware is quarantined/cleaned
As the alert we received tells us, the device action is set to Allowed, meaning that the malware was not quarantined and is free to run.
Analyze Malware
For the analysis we can simply throw the MD5 hash into VirusTotal and immediately see that we get 63 positive hits. While the Relations tab lists a number of known C2 addresses, we should still run the sample we have in AnyRun.
Check If Someone Requested the C2
Running the malware in AnyRun shows us a few contacted IP addresses, and checking our logs we can see that one connection to the IP 162.241.242.173 was made, so we know that the infected host has indeed reached out. We'll list the rest of the addresses as IOCs later on, so take note of those.
Containment
Since we have now confirmed not only that the file in question is malicious but also that it has infected the host and begun operating, we need to contain the host to limit the damage.
Add Artifacts
Artifacts for this exercise are as follows:
C2 Server Addresses:
- 45.55.36.51
- 162.241.242.173 (the one that was actually accessed)
- 67.68.210.95
- 45.55.219.163
Malicious File Hash: a4513379dad5233afa402cc56a8b9222
Malicious file server: //ru-uid-507352920.pp.ru
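The log check in the "Check If Someone Requested the C2" step and the artifact list above boil down to one job: sweep endpoint and network telemetry for the collected IOCs and work out which hosts need containment. The following Python script is an added example, not part of the original write-up or any tool it mentions. The C2 addresses, MD5 and file server hostname are the ones listed above; the log lines and the `<timestamp> <host> <event_type> key=value ...` format are constructed for the example, and the second host `ws-017` is invented to show that the same sweep scopes an incident beyond the first alerting machine.

```python
import re
from dataclasses import dataclass

# Indicators taken from the artifact list in the write-up above.
C2_ADDRESSES = {
    "45.55.36.51",
    "162.241.242.173",
    "67.68.210.95",
    "45.55.219.163",
}
MALICIOUS_MD5 = "a4513379dad5233afa402cc56a8b9222"
# The write-up lists the server as "//ru-uid-507352920.pp.ru"; the leading
# slashes are not part of the hostname, so they are dropped here.
MALICIOUS_HOST = "ru-uid-507352920.pp.ru"

# Constructed sample telemetry (not real logs). Assumed format:
# "<timestamp> <hostname> <event_type> key=value key=value ..."
SAMPLE_LOGS = """\
2021-03-07T10:14:02Z ws-042 network dst=162.241.242.173 dport=443 proto=tcp
2021-03-07T10:14:05Z ws-042 network dst=8.8.8.8 dport=53 proto=udp
2021-03-07T10:14:09Z ws-042 process image=C:\\Users\\Public\\sample.dll md5=A4513379DAD5233AFA402CC56A8B9222
2021-03-07T10:15:11Z ws-017 network dst=45.55.36.51 dport=80 proto=tcp
2021-03-07T10:16:30Z ws-042 dns query=ru-uid-507352920.pp.ru
2021-03-07T10:17:00Z ws-099 process image=C:\\Windows\\System32\\notepad.exe md5=0123456789abcdef0123456789abcdef
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Match:
    host: str             # endpoint the event came from
    indicator_type: str   # "c2_ip", "md5" or "domain"
    value: str            # the indicator that matched
    line: str             # raw log line, kept for the ticket


def parse_line(line):
    """Split a line into (timestamp, host, event_type, fields) or None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    timestamp, host, event_type, rest = parts
    return timestamp, host, event_type, dict(KV_RE.findall(rest))


def scan_logs(text):
    """Return every IOC hit in the log text, in log order."""
    matches = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, host, _, fields = parsed

        # Network events: destination IP against the C2 list.
        dst = fields.get("dst")
        if dst in C2_ADDRESSES:
            matches.append(Match(host, "c2_ip", dst, line))

        # Process events: hashes are compared case-insensitively, since
        # different sensors emit upper- or lower-case hex.
        md5 = fields.get("md5", "").lower()
        if md5 == MALICIOUS_MD5:
            matches.append(Match(host, "md5", md5, line))

        # DNS events: exact hostname or any subdomain of it.
        query = fields.get("query", "").lower().rstrip(".")
        if query == MALICIOUS_HOST or query.endswith("." + MALICIOUS_HOST):
            matches.append(Match(host, "domain", query, line))
    return matches


def hosts_to_contain(matches):
    """Hosts with at least one IOC hit; these are the containment candidates."""
    return sorted({m.host for m in matches})


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for m in hits:
        print(f"{m.host}: {m.indicator_type} {m.value}")
    print("contain:", ", ".join(hosts_to_contain(hits)))
```

Running the sweep over the constructed logs reports the single C2 contact the write-up describes from `ws-042` (plus its hash and DNS hits) and also surfaces `ws-017`, which contacted a second address from the list; every host on that output is a containment candidate, not just the one that raised the original alert.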