Malware Analysis Tutorial
The article outlines the steps taken by a junior cybersecurity analyst to investigate a suspicious file (image.exe) found on a company workstation. It details the static and behavioral analysis methods used to understand the file's behavior and its potential impact on the network. The analysis uncovers obfuscation techniques and network connections, laying the groundwork for further investigation into Indicators of Compromise (IoCs) and the remote Command and Control (C2) server. Affected: cybersecurity, medium-sized companies, Windows operating systems

Key points:

  • The analyst discovered unusual network activity linked to a suspicious file (image.exe).
  • Static and behavioral analysis were performed to understand the file’s operations and potential impacts.
  • The malware appears to be obfuscated to evade detection.
  • Various tools were used for analysis including Pestr, Process Monitor, Regshot, and Wireshark.
  • Hash values for the suspicious file were obtained and analyzed using VirusTotal.

MITRE Techniques:

  • T1059 – Command and Scripting Interpreter: The malware executes commands via scripts possibly using PowerShell.
  • T1071 – Application Layer Protocol: Network communication is established to contact a remote C2 server, likely using HTTP/HTTPS.
  • T1027 – Obfuscated Files or Information: The malware has randomized module names and is heavily obfuscated to avoid detection.
  • T1218 – Signed Binary Proxy Execution: The malware installs or executes a legitimate application (CefSharp) as a way to mask malicious activity.
  • T1123 – Audio Capture: Assumed behavior of monitoring or capturing audio via the system’s capabilities, based on tool usage.

Indicators of Compromise:

  • [MD5] 5a2130294cbf034d87e455853928d027
  • [SHA256] 2ec2867f57fdd49916421c63b8da7c13b18d089df8a8d771e184bc8cf8ec37ba
  • [File Name] image.exe
  • [PDB File] C:xampphtdocsAspirefilesog25_YTxKgIMzVUUplEBRYTxKgIMzVUUplEBRma.pdb
  • [Image File] CefSharp.WinForms.ChromiumWebBrowser.bmp
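As an added example (not code from the article or its author), a small Python triage helper that computes the MD5 and SHA256 hashes used for the VirusTotal lookup, extracts the PDB path from the PE's CodeView "RSDS" debug record, and compares both against the IoCs listed above. The bytes it scans are a constructed stand-in for image.exe, not the real sample, and the RSDS scan is a byte-pattern search rather than a full PE parse.

```python
from __future__ import annotations

import hashlib
import re

# IoCs copied from the list above.
IOC_HASHES = {
    "md5": "5a2130294cbf034d87e455853928d027",
    "sha256": "2ec2867f57fdd49916421c63b8da7c13b18d089df8a8d771e184bc8cf8ec37ba",
}
# Distinctive fragment of the listed PDB file name; matching on the fragment
# survives a path that was rewritten or whose separators were lost.
IOC_PDB_MARKER = "YTxKgIMzVUUplEBR"

# CodeView RSDS record: 4-byte "RSDS" signature, 16-byte GUID, 4-byte age,
# then a NUL-terminated PDB path. DOTALL lets "." match the binary GUID bytes.
RSDS_RE = re.compile(rb"RSDS.{20}([\x20-\x7e]{1,260})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every printable PDB path that follows an RSDS record."""
    return [m.group(1).decode("ascii") for m in RSDS_RE.finditer(data)]


def triage(data: bytes, ioc_hashes=IOC_HASHES, pdb_marker=IOC_PDB_MARKER) -> dict:
    """Hash the sample, pull its PDB paths, and flag any IoC overlap."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    pdbs = extract_pdb_paths(data)
    return {
        "md5": md5,
        "sha256": sha256,
        "pdb_paths": pdbs,
        "hash_match": md5 == ioc_hashes["md5"] or sha256 == ioc_hashes["sha256"],
        "pdb_match": any(pdb_marker in p for p in pdbs),
    }


def build_sample() -> bytes:
    """Constructed stand-in for image.exe: padding around one RSDS record that
    carries the PDB name verbatim from the IoC list. This is not a real PE file."""
    pdb = b"C:xampphtdocsAspirefilesog25_YTxKgIMzVUUplEBRYTxKgIMzVUUplEBRma.pdb"
    guid = bytes(range(16))          # placeholder GUID
    age = (1).to_bytes(4, "little")  # placeholder age
    return b"MZ" + b"\x90" * 62 + b"RSDS" + guid + age + pdb + b"\x00" + b"\x00" * 16


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

A real sample would be read with `open(path, "rb").read()` in place of `build_sample()`; the hash match is exact while the PDB match tolerates variations in the surrounding path.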

Full Story: https://medium.com/@yournextCISO/malware-analysis-monday-2-64535ad9ee70?source=rss——malware-5

Tags: LINUX, WINDOWS, TOOL, PROXY, MONITOR, IMPACT