| Severity | High |
|---|---|
| Date | Dec. 15, 2020, 09:02 PM |
| Rule Name | SOC104 - Malware Detected |
| Event ID | 14 |
| Type | Malware |
Initial Information
| Event ID | 14 |
|---|---|
| Event Time | Sep, 15, 2020, 09:02 PM |
| Rule | SOC104 - Malware Detected |
| Level | Security Analyst |
| Source Address | 172.16.17.82 |
| Source Hostname | JohnComputer |
| File Name | googleupdate.exe |
| File Hash | 0bca3f16dd527b4150648ec1e36cb22a |
| File Size | 152.45 KB |
Log Management
There are no logs with 172.16.17.82 as source/destination address with a date close to the incident.
Endpoint Security
Processes
- One of the processes is from
c:/program files (x86)/google/update/googleupdate.exe, which is the suspicious file (same hash) - However, there is another suspicious process with the following path:
c:/Users/John/Downloads/Purchase-Order_NO.231101.exe(hash:cdde99520664ac313d43964620019c61)
Other
There are no other suspicious activity in Network Action, Terminal History or Browser History
File Analysis
googleupdate.exe
- Hash:
0bca3f16dd527b4150648ec1e36cb22a - According to VirusTotal, no security vendors flagged this file as malicious
- According to majority of Hybrid Analysis reports, it is a benign file
However, there is another suspicious file in John’s computer that needs to be reviewed:
c:/Users/John/Downloads/Purchase-Order_NO.231101.exe
Purchase-Order_NO.231101.exe
- Hash:
cdde99520664ac313d43964620019c61 - According to VirusTotal, 64/74 security vendors flagged this file as malicious
Conclusion
Even though googleupdate.exe is not malicious, there is a process associated with a malicious file in John’s computer.
Playbook
- Contain John’s computer in
Endpoint Securitytab - Open
PlaybookinCase Management - Define Threat Indicator:
Other - Malware quarantined/cleaned?
Quarantined - Analyze Malware:
Not Malicious - Check if Someone Requested the C2:
Not Accessed- there are no indications that C2 was requested
- Confirm Playbook
- Go to
Monitoringtab andClose Alert - Check
False Negativeand close the alert- Even though there is a malicious file,
googleupdate.exeis not malicious, thus a false negative
- Even though there is a malicious file,