LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 16
Details
EventID: 16
Event Time: Sept. 20, 2020, 10:54 p.m.
Rule: SOC105 - Requested T.I. URL address
Level: Security Analyst
Source Address 172.148.17.47
Source Hostname BillPRD
Destination Address 5.188.0.251
Destination Hostname pssd-ltdgroup.com
Username Mike01
Request URL https[:]//pssd-ltdgroup[.]com
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063
Device Action Allowed
Playbook
Analyze Threat Intel Data
URL https[:]//pssd-ltdgroup[.]com/
VirusTotal 9/93: https://www.virustotal.com/gui/url/59da6e4583f0ceeb2b5d3933f883ccad9bfc91cd3bbfc0c4afb37c0eafc9ce48/detection
The detection count is low, but the engines that flag it include well-known vendors such as Avira, Bitdefender, ESET, Fortinet, and Sophos.
Forcepoint ThreatSeeker: elevated exposure; Sophos: spyware and malware; Webroot: Phishing and Other Frauds
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/e06dcdb951cbef8ffddd75a9a2d38382d41a4c9ce98569409ab21133c8bfb981?environmentId=100
Hybrid Analysis also returns a Malicious verdict.
Domain pssd-ltdgroup[.]com
VirusTotal 9/90: https://www.virustotal.com/gui/domain/pssd-ltdgroup.com/relations
The detection count for the domain is about the same, but the Communicating Files tab is clearly dominated by malware.
5.188.0.251
AbuseIPDB: https://www.abuseipdb.com/check/5.188.0.251
It is listed, but there are only a few reports.
ip-sc: https://ip-sc.net/ja/r/5.188.0.251
SCAMALYTICS: https://scamalytics.com/ip/5.188.0.251
ip-sc does not list it as a threat, but SCAMALYTICS rates it Very High Risk.
Connection type: wireless?
Answer: Malicious
Interaction with TI data
Log
DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
---|---|---|---|---|---|
Sep, 20, 2020, 10:54 PM | Firewall | 172.16.17.47 | 54211 | 5.188.0.251 | 443 |
Sep, 20, 2020, 10:54 PM | Proxy | 172.16.17.47 | 54211 | 5.188.0.251 | 443 |
Main Process: Krankheitsmeldung_092020_07.xlsm
Request URL: https://pssd-ltdgroup.com
Oh, so the URL was accessed from an .xlsm file.
Endpoint
Process History
Krankheitsmeldung_092020_07.xlsm
MD5: 14970ce0a3d03c46a4180db69866d0d1
Path: c:/users/Bill/desktop/Krankheitsmeldung_092020_07.xlsm
Size: 558.83 KB
Username: Bill01
Start Time: 20.09.2020 22:51
Incidentally,
14970ce0a3d03c46a4180db69866d0d1 - VirusTotal 45/64: https://www.virustotal.com/gui/file/0e3a83e441951860929c99e24bf19e76fe281c3e1b1f7f3aea49b0a38673f873
Malicious!
Answer: Accessed
Containment
Add Artifacts
Value | Type | Comment |
---|---|---|
https[:]//pssd-ltdgroup[.]com | URL Address | accessed from malicious xlsm file |
14970ce0a3d03c46a4180db69866d0d1 | MD5 Hash | Requested T.I. URL address |
True Positive
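The "Interaction with TI data" and "Add Artifacts" steps above can be scripted. The following is an added example, not part of the LetsDefend alert or its playbook: it parses the pipe-delimited firewall/proxy rows, checks whether an allowed flow to the TI-flagged IP was seen by both the firewall and the proxy, notes whether the requesting parent process is an Office document, and builds the artifact list. The third log row and the verdict rule are constructed assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample log rows in the same column layout as this alert's
# firewall/proxy log (the third row is an unrelated, made-up connection).
LOG_LINES = [
    "Sep, 20, 2020, 10:54 PM | Firewall | 172.16.17.47 | 54211 | 5.188.0.251 | 443 |",
    "Sep, 20, 2020, 10:54 PM | Proxy | 172.16.17.47 | 54211 | 5.188.0.251 | 443 |",
    "Sep, 20, 2020, 10:55 PM | Proxy | 172.16.17.48 | 50122 | 203.0.113.9 | 443 |",
]
# Indicators and the process record taken from the alert details.
TI_IPS = {"5.188.0.251"}
TI_DOMAINS = {"pssd-ltdgroup.com"}
PROCESS = {"main_process": "Krankheitsmeldung_092020_07.xlsm",
           "md5": "14970ce0a3d03c46a4180db69866d0d1",
           "request_url": "https://pssd-ltdgroup.com"}
OFFICE_EXT = (".xlsm", ".xls", ".xlsx", ".docm", ".doc", ".docx", ".pptm")

def parse_row(line):
    """Split one pipe-delimited log row into a dict; None if malformed."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 6:
        return None
    date, kind, src, sport, dst, dport = cells
    return {"date": date, "type": kind, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def ti_hits(lines, ti_ips):
    """Rows whose destination is a TI-flagged IP, plus the log sources that saw them."""
    rows = [r for r in map(parse_row, lines) if r and r["dst"] in ti_ips]
    return {r["type"] for r in rows}, rows

def triage(lines, ti_ips, ti_domains, device_action, proc):
    """Reproduce the playbook decisions: was the TI URL accessed, and by what?"""
    sources, rows = ti_hits(lines, ti_ips)
    # Accessed = the device allowed it AND both perimeter and proxy saw the flow.
    accessed = device_action.lower() == "allowed" and {"Firewall", "Proxy"} <= sources
    host = urlparse(proc["request_url"]).hostname or ""
    domain_flagged = host in ti_domains
    office_parent = proc["main_process"].lower().endswith(OFFICE_EXT)
    artifacts = []
    if accessed:
        note = "accessed from Office document" if office_parent else "accessed"
        artifacts.append((proc["request_url"], "URL Address", note))
    if office_parent:
        artifacts.append((proc["md5"], "MD5 Hash", "parent process of the TI URL request"))
    # Assumed verdict rule: allowed traffic to a TI-flagged domain is a true positive.
    verdict = "True Positive" if accessed and domain_flagged else "Needs review"
    return {"accessed": accessed, "office_parent": office_parent,
            "sources": sorted(sources), "artifacts": artifacts, "verdict": verdict}
```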