Lets Defend — Ransomware Detected

Malware Ben
5 min read · Jan 30, 2022

LetsDefend

LetsDefend is a platform for practical training for blue team members. You can improve your skills in log analysis, incident handling, malware analysis and endpoint analysis.

https://letsdefend.io

SOC145 — Ransomware Detected

Today we will analyze a ransomware sample used in a real cyber attack. Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering those files and the systems that rely on them unusable. Malicious actors then demand a ransom in exchange for decryption.

Monitoring

Our investigation starts at the Monitoring page (Figure 1), which simulates a real working SOC environment. The alert entry carries further details about the incident. Looking at them, we can see the Source IP Address, the Workstation Name, the suspicious executable and a zip file containing it. Our next step is to download the zip file.

Figure 1 — Monitoring Panel

Analyzing Executable

Once we’ve downloaded the zip file and extracted its content, we can generate the MD5 and SHA256 hashes of “ab.bin”. Using md5sum and sha256sum, we calculate the hashes of the file from the zip archive. Hashes are useful for positively identifying malware: the file is run through a hashing algorithm that produces a digest unique to that file (a sort of fingerprint), which can then be looked up in threat intelligence sources.
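The hashing step above, as an added example that is not part of the original write-up: the script computes MD5 and SHA256 of a file in chunks (so large samples are not read into memory at once) and compares the digests against a known-bad list. The two hashes in KNOWN_BAD are the ones the write-up lists in its IoC section; the file it hashes is a constructed stand-in for “ab.bin” whose content (“abc”) has well-known test-vector digests, so the script runs offline.

```python
"""Compute MD5/SHA-256 of a sample and compare against a known-bad hash list.

Added example, not from the LetsDefend write-up. KNOWN_BAD holds the
MD5 and SHA-256 listed in the write-up's IoC section; the sample file is
constructed so the script runs offline.
"""
import hashlib
import os
import tempfile

# Hashes of ab.bin as reported in the write-up (MD5, SHA-256).
KNOWN_BAD = {
    "0b486fe0503524cfe4726a4022fa6a68",
    "1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2",
}


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests, hashing in chunks so a large
    sample does not have to be read into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def check_against_iocs(path, known_bad=KNOWN_BAD):
    """Hash the file and report whether either digest is on the known-bad
    list. Comparison is case-insensitive because feeds mix hex casing."""
    md5, sha256 = hash_file(path)
    bad = {h.lower() for h in known_bad}
    matched = {h for h in (md5, sha256) if h in bad}
    return {
        "md5": md5,
        "sha256": sha256,
        "match": bool(matched),
        "matched": sorted(matched),
    }


def write_constructed_sample(content=b"abc"):
    """Write a constructed stand-in for ab.bin to a temp file and return
    its path. The default content 'abc' is a standard hash test vector."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample()
    result = check_against_iocs(sample)
    print(f"MD5:    {result['md5']}")
    print(f"SHA256: {result['sha256']}")
    print("Known-bad match:", result["match"])
    os.remove(sample)
```

Point the script at the real “ab.bin” by calling check_against_iocs with its path instead of the constructed file; a match on either digest is enough to treat the file as the known sample.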

Figure 2 — Unzipping
Figure 3 — Generating Hashes

Virus Total

Next, we perform a hash search on VirusTotal (VT). VT allows us to search through their dataset in order to identify files that match certain criteria. To search for a file that has a given MD5, just type in the hash under consideration in the main search box.

Figure 4 — Virus Total Detection

According to VT, the ab.bin is malicious. At the time of our scan, 60 antivirus engines detected it.

Further information can be found by navigating to the Community tab. In the Community tab, we can find a section devoted to comments.

Figure 5 — Virus Total Community

In the comments section, we found a Joesecurity report. Joe Sandbox is one of the industry’s most advanced automated and deep malware analysis engines. By visiting the link in the comment, we gain access to the full report.

Figure 6 — JoeSandbox report

The report detected that “ab.bin” is malicious and triggers multiple malware signatures.

Figure 7 — Ab.bin Process Tree

By analyzing the process tree, we can clearly notice that “ab.exe” (our “ab.bin”) is spawning wmic to delete shadow copies.

The Windows Volume Shadow Copy Service is a built-in OS feature that can be used to create backup copies of files and volumes.

Adversaries may delete these shadow copies, typically through system utilities such as vssadmin.exe or wmic.exe, in order to prevent file and data recovery. Ransomware commonly employs this technique so that victims cannot restore encrypted files from local snapshots.
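The behavior observed in the process tree is exactly what a SOC detection rule should key on. Below is an added example, not part of the write-up, that runs a simple shadow-copy-deletion detection over process-creation telemetry: the log records are constructed JSON lines in the shape of a Sysmon Event ID 1 / EDR process event (the field names, hostname and paths are assumptions), and the rule flags vssadmin/wmic command lines that delete shadow copies while reporting the parent process, which is the pivot point for finding the ransomware binary itself.

```python
"""Flag Volume Shadow Copy deletion in process-creation telemetry.

Added example, not from the LetsDefend write-up. The records below are
constructed JSON lines modelled on a process-creation event (Sysmon
Event ID 1 / EDR telemetry); field names, hostname and paths are assumed.
"""
import json
import re
from pathlib import PureWindowsPath

# Command-line patterns for shadow copy deletion (ATT&CK T1490,
# Inhibit System Recovery) via the two utilities named in the write-up.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# Constructed telemetry: one ransomware-like sequence plus two benign
# uses of the same utilities that must NOT alert.
CONSTRUCTED_LOG = """\
{"time": "2022-01-30T10:01:02Z", "host": "WS-EXAMPLE", "parent_image": "C:\\\\Windows\\\\explorer.exe", "image": "C:\\\\Users\\\\user\\\\Downloads\\\\ab.exe", "command_line": "ab.exe"}
{"time": "2022-01-30T10:01:05Z", "host": "WS-EXAMPLE", "parent_image": "C:\\\\Users\\\\user\\\\Downloads\\\\ab.exe", "image": "C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe", "command_line": "wmic.exe shadowcopy delete"}
{"time": "2022-01-30T10:01:06Z", "host": "WS-EXAMPLE", "parent_image": "C:\\\\Users\\\\user\\\\Downloads\\\\ab.exe", "image": "C:\\\\Windows\\\\System32\\\\vssadmin.exe", "command_line": "vssadmin Delete Shadows /All /Quiet"}
{"time": "2022-01-30T10:02:00Z", "host": "WS-EXAMPLE", "parent_image": "C:\\\\Windows\\\\System32\\\\services.exe", "image": "C:\\\\Windows\\\\System32\\\\vssadmin.exe", "command_line": "vssadmin list shadows"}
{"time": "2022-01-30T10:03:00Z", "host": "WS-EXAMPLE", "parent_image": "C:\\\\Windows\\\\explorer.exe", "image": "C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe", "command_line": "wmic os get caption"}
"""


def parse_events(text):
    """Parse newline-delimited JSON process events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_shadow_copy_deletion(events):
    """Return one alert per event whose command line deletes shadow copies.
    The parent image is included because, as in the write-up's process
    tree, it is usually the ransomware executable itself."""
    alerts = []
    for ev in events:
        cmd = ev.get("command_line", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            alerts.append({
                "time": ev["time"],
                "host": ev["host"],
                "parent": PureWindowsPath(ev["parent_image"]).name,
                "image": PureWindowsPath(ev["image"]).name,
                "command_line": cmd,
                "technique": "T1490 Inhibit System Recovery",
            })
    return alerts


def suspicious_parents(alerts):
    """Distinct parent process names that spawned shadow copy deletion:
    the binaries to hash, contain and hunt for on other hosts."""
    return sorted({a["parent"] for a in alerts})


if __name__ == "__main__":
    found = detect_shadow_copy_deletion(parse_events(CONSTRUCTED_LOG))
    for a in found:
        print(f"[{a['time']}] {a['host']}: {a['parent']} -> {a['image']}: {a['command_line']}")
    print("Parents to investigate:", suspicious_parents(found))
```

The two benign records (listing shadows, querying the OS caption) show why the rule matches on the delete verb rather than on the utility name alone; matching on vssadmin.exe or wmic.exe by itself would bury the real alert in administrative noise.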

Hybrid Analysis

Hybrid Analysis is a free malware analysis service for the community that detects and analyzes unknown threats using its Hybrid Analysis technology.

We uploaded “ab.bin” for analysis and once again got the result that the executable is malicious.

Figure 8 — Hybrid Analysis Overview

A helpful section is the Falcon Sandbox Reports analysis.

Falcon Sandbox performs deep analysis of evasive and unknown threats, enriches the results with threat intelligence and delivers actionable indicators of compromise (IOCs), enabling us to better understand sophisticated malware attacks and strengthen defenses.

Two reports were generated for our “ab.bin” executable. Let’s click on both of them.

Figure 9 — Hybrid Analysis Falcon Sandbox Reports

In figure 10, we once more have a view of the processes generated by “ab.bin”, confirming again the malicious behavior.

Figure 10 — Hybrid Analysis Process Tree

In figure 11, we have a view of the numerous strings found in the “ab.bin” executable. From these strings we can extract helpful indicators of compromise, such as the Tor hidden service the malware contacts.

Figure 11 — Hybrid Analysis Extracted Strings
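The string extraction shown in figure 11 can be reproduced and taken one step further with a small script. The example below is added here and is not part of the write-up: it carves printable ASCII and UTF-16LE strings out of a byte buffer (the way the strings utility does), then pulls .onion addresses, URLs and IPv4 addresses out of them and defangs them for safe reporting. The byte buffer is constructed; it embeds the .onion address from the write-up's IoC list, a placeholder example.com URL and a private IP so the script runs offline, and nothing here reads the real “ab.bin”.

```python
"""Extract printable strings from a binary and pull out defanged IoCs.

Added example, not from the LetsDefend write-up. CONSTRUCTED_SAMPLE is a
fabricated byte buffer; the .onion address in it is the one listed in the
write-up's IoC section, the URL and IP are placeholders.
"""
import re

MIN_LEN = 4
# Runs of printable ASCII, and of UTF-16LE (printable byte, NUL) pairs,
# at least MIN_LEN characters long.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator patterns: v2 (16-char) or v3 (56-char) onion names, URLs, IPv4.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)

CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                    # fake DOS header bytes
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00\x01\x02\x7f"
    + b"avaddonbotrxmuyl.onion\x00"                  # onion name from the IoC list
    + b"ab\x00\x00\x00"                              # 2 printable bytes: below MIN_LEN
    + "ab.exe".encode("utf-16le") + b"\x00\x00"      # wide string
    + b"\x90\x90http://example.com/update.bin\x00"   # placeholder URL (constructed)
    + b"10.0.2.15\x00"                               # placeholder private IP (constructed)
)


def extract_strings(data):
    """Return ASCII then UTF-16LE strings of at least MIN_LEN characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return found


def defang(indicator):
    """Make an indicator non-clickable for reports: http -> hxxp, . -> [.]"""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(strings):
    """Collect onion names, URLs and IPv4 addresses from extracted strings,
    de-duplicated, defanged and sorted for a report."""
    iocs = {"onion": set(), "url": set(), "ipv4": set()}
    for s in strings:
        iocs["onion"].update(m.lower() for m in ONION_RE.findall(s))
        iocs["url"].update(URL_RE.findall(s))
        iocs["ipv4"].update(IPV4_RE.findall(s))
    return {kind: sorted(defang(v) for v in vals) for kind, vals in iocs.items()}


if __name__ == "__main__":
    strings = extract_strings(CONSTRUCTED_SAMPLE)
    print("strings:", strings)
    for kind, values in extract_iocs(strings).items():
        print(f"{kind}: {values}")
```

To run it against a real sample, replace CONSTRUCTED_SAMPLE with the bytes read from the file; the UTF-16LE pass matters on Windows binaries, where paths and registry keys are often stored as wide strings that a plain ASCII scan misses.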

IoCs

  • avaddonbotrxmuyl[.]onion
  • 0b486fe0503524cfe4726a4022fa6a68
  • 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

Log Management

Now, let’s use the Log Management panel and check the IPs reached by the target machine.

No log entries were found concerning the ransomware incident.

Figure 12 — Log Management

Endpoint Security

Since we know for sure that the machine was infected with ransomware, we will contain it. This action can be done on the Endpoint Security page.

Figure 13 — Endpoint Security

We can also check the process history, which lists the suspicious processes we expected to see.

Figure 14 — Process History

Case Management

Now that we have all the details at hand, we can open a case by navigating to the Case Management page. Let’s answer the questions:

  • Q1. Check if the malware is quarantined/cleaned?
    A1. Not Quarantined.
  • Q2. Analyze Malware in third party tools and find C2 address.
    A2. Malicious.
  • Q3. Check if someone requested the C2?
    A3. No.
