Let's consider a scenario in which I am a security operations centre (SOC) analyst at a financial services company. I received an alert about a suspicious file being downloaded on an employee's computer. I investigated this alert and discovered that the employee received an email containing an attachment. The attachment was a password-protected spreadsheet file. The spreadsheet's password was provided in the email. The employee downloaded the file and then entered the password to open the file. When the employee opened the file, a malicious payload was executed on their computer.
I retrieved the malicious file and created a SHA256 hash of the file using a sandbox (isolated virtual machine). Hashing is a cryptographic method that is used to uniquely identify malware, acting as the file's unique fingerprint. I used VirusTotal (an online service that analyzes suspicious files and URLs to detect types of malware and malicious content) to uncover additional IoCs that are associated with the file.
SHA256 file hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
In this activity, I analyzed the file using VirusTotal and captured details about its related indicators of compromise (IoCs) using the Pyramid of Pain.
Security researcher David J. Bianco created the concept of the Pyramid of Pain, with the goal of improving how indicators of compromise are used in incident detection. The Pyramid of Pain captures the relationship between indicators of compromise (IoC) and the level of difficulty that malicious actors experience when indicators of compromise are blocked by security teams. It lists the different types of indicators of compromise that security professionals use to identify malicious activity.
Pyramid of pain
Here’s a breakdown of the different types of indicators of compromise found in the Pyramid of Pain.
Hash values: Hashes that correspond to known malicious files. These are often used to provide unique references to specific samples of malware or to files involved in an intrusion.
IP addresses: Internet Protocol addresses associated with malicious activity.
Domain names: Web addresses (domains) associated with malicious activity.
Network artifacts: Observable evidence created by malicious actors on a network. For example, information found in network protocols such as User-Agent strings.
Host artifacts: Observable evidence created by malicious actors on a host. A host is any device that’s connected to a network. For example, the name of a file created by malware.
Tools: Software that’s used by a malicious actor to achieve their goal. For example, attackers can use password-cracking tools like John the Ripper to perform password attacks and gain access to an account.
Tactics, techniques, and procedures (TTPs): This is the behaviour of a malicious actor. Tactics refer to the high-level overview of the behaviour. Techniques provide detailed descriptions of the behaviour relating to the tactic. Procedures are highly detailed descriptions of the technique. TTPs are the hardest to detect.
I used VirusTotal to uncover additional IoCs associated with the file; they are listed below.
Screenshot of VirusTotal's detection tab
The file hash has been reported as malicious by over 50 vendors. Upon further investigation, the file is identified as the Flagpro malware, which has commonly been used by the advanced threat actor BlackTech.
Screenshot of VirusTotal's details tab
Hash value: 287d612e29b71c90aa54947313810a25 is an MD5 hash listed under the Details tab in the VirusTotal report.
Screenshot of VirusTotal's relations tab
IP address: 207.148.109.242 is listed as one of many IP addresses under the Relations tab in the VirusTotal report. This IP address is also associated with the org.misecure.com domain as listed in the DNS Resolutions section under the Behavior tab from the Zenbox sandbox report.
Domain names: org.misecure.com is reported as a malicious contacted domain under the Relations tab in the VirusTotal report.
Screenshot of VirusTotal's behaviour tab
Network/host artifacts: The network artifacts observed for this malware are HTTP requests made to the org.misecure.com domain. These are listed in the Network Communications section under the Behavior tab of the report.
Tools: Input capture is listed in the Collection section under the Behavior tab from the report. Malicious actors use input capture to steal user input such as passwords, credit card numbers, and other sensitive information.
Tactics, techniques, and procedures (TTPs): Command and control is listed as a tactic under the Behavior tab from the report. Malicious actors use command and control to establish communication channels between an infected system and their own system.
Indicators of compromise using the Pyramid of Pain
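As an added example that is not part of this write-up, the script below hashes a file the way the sandbox step above does and then scans constructed DNS, proxy and EDR log lines for the IoCs collected from the VirusTotal report, ranking hits by their Pyramid of Pain level so the most durable indicator surfaces first. The log format, field names and host names are assumptions made for the example.

```python
import hashlib
import re
from typing import Iterable

# Pyramid of Pain levels, ordered from easiest for an attacker to change (hash)
# to hardest (TTP). A higher index means a more durable indicator.
PAIN_LEVELS = ["hash", "ip", "domain", "network_artifact", "host_artifact", "tool", "ttp"]

# IoCs taken from the VirusTotal report discussed above, mapped to their level.
IOCS = {
    "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b": "hash",
    "287d612e29b71c90aa54947313810a25": "hash",
    "207.148.109.242": "ip",
    "org.misecure.com": "domain",
}

# Constructed log lines for the example; the format and hosts are made up.
SAMPLE_LOGS = [
    "2024-03-01T09:12:03Z dns client=10.0.0.14 query=org.misecure.com type=A",
    "2024-03-01T09:12:04Z proxy src=10.0.0.14 dst=207.148.109.242:443 method=GET",
    "2024-03-01T09:12:05Z proxy src=10.0.0.15 dst=93.184.216.34:443 method=GET",
    "2024-03-01T09:13:10Z edr host=WS-0014 sha256=54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b action=file_create",
]


def file_hashes(data: bytes) -> dict:
    """Return SHA-256 and MD5 digests of file content, read in 4 KiB chunks as a sandbox would."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for i in range(0, len(data), 4096):
        chunk = data[i:i + 4096]
        sha256.update(chunk)
        md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def match_iocs(log_lines: Iterable[str]) -> list:
    """Return (line_no, ioc, level) for every IoC hit, highest Pyramid of Pain level first.

    Token boundaries are enforced so that e.g. 1207.148.109.242 does not match the IP IoC.
    """
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for ioc, level in IOCS.items():
            pattern = rf"(?<![\w-]){re.escape(ioc)}(?![\w-])"
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((line_no, ioc, level))
    hits.sort(key=lambda hit: -PAIN_LEVELS.index(hit[2]))
    return hits


if __name__ == "__main__":
    print(file_hashes(b"constructed sample content, not the real attachment"))
    for line_no, ioc, level in match_iocs(SAMPLE_LOGS):
        print(f"line {line_no}: {level:<7} {ioc}")
```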