Investigating a malware attack using Binalyze AIR’s Investigation Hub

Navigating through a common incident use case.

From the shadowed corners of cyberspace, a seemingly innocuous act such as the downloading of a zip file can set the stage for a personal or corporate cybersecurity catastrophe. 

The background

This use case seeks to demonstrate and explore a malware attack that begins with just such an event, an act that triggers a chain of malevolent activities that may go unnoticed for a significant time and is always never advantageous for the victims.

The realization of such a problem could have been alerted by a detection system such as an EDR /XDR or as part of an automated and scheduled proactive health check, carried out by Binalyze’s Automated Incident Response (AIR) platform.

AIR's integration with many common alert systems is a crucial feature, enabling the automation of evidence collection and analysis from your assets upon specific triggers. This functionality ensures that when you or your analysts begin their workday, the Investigation Hub is already populated, ready to go with evidence. 

This evidence will have been systematically gathered, thoroughly analyzed, and flagged with verdicts and scores, ready for a prioritized and focused investigation. This seamless and continuous 24/7 operation enhances efficiency, ensuring that critical analysis is underway well before any manual intervention is needed.

Collection and analysis

AIR's lightning-fast and comprehensive evidence-acquisition capabilities mark the initial phase of our response, swiftly collecting digital evidence from the compromised asset. 

Following this, DRONE, AIR’s automated evidence analyzer, assumes a pivotal role. It meticulously scans and evaluates the collected evidence which soon focuses analysis on the role of 'invoice.zip', in this example, as the critical ‘detonation point’ located within the Temp directory. This process acts as a decision support capability that ensures a detailed and prompt examination of key evidence, setting the stage for an effective forensic investigation. 

In the Investigation Hub, within a matter of minutes, AIR is presenting to us the findings of the compromise assessment tasking we initiated. We can clearly and immediately see that this system has significant issues. 

Of immediate concern and highlighted across the top of the Investigation Hub are 4 dangerous verdicts that have been arrived at along with another 5 items that are scored as high risk:

We can, without even navigating to any other view, see that malware protection was disabled and the Binalyze DFIR Lab analyzers have identified the presence of the Havoc Framework - but more on that later as we’ll now take a structured walk through one possible workflow for an analyst to follow.

Let's start by taking a look at those high scores in the window below the MITRE ATT&CK results, and sure enough we can immediately see that ‘invoice.exe’ makes its first appearance:

 When we click on the ‘+3’ icon, the three reasons why this has been highlighted as high are displayed:

1. File executed just once - this could be unusual.

2. This happened at a time super-relevant to our investigation.

3. The location is ‘rare’ - an executable running in the Temp folder is unusual.

Clearly, we need to dig deeper and establish exactly what has occurred here and then remediate, perhaps with interACT, AIR’s remote shell capability, and then check all other assets using AIR’s Triage capability and automated analyzers. 

Unravelling the Attack in Investigation Hub with MITRE ATT&CK.

Guided by AIR’s integration of the MITRE ATT&CK framework, in this case, we can delve into the digital debris highlighted in the Investigation Hub. MITRE ATT&CK is based on adversary tactics, techniques, and procedures from real-world observations allowing us to trace the malware's lifecycle from deployment to discovery. This aids dissecting evidence such as; the auto-runs registry key's cryptic cues, the genesis of the new 'abx' user and '114' service, and the traces left within the event logs. 

In what follows we will take a look at some of the findings that are automatically ‘served up’ to the investigator, there are plenty of other items flagged in the Investigation Hub, allowing you to choose the right route for your investigation. The verdicts and scores allow you to cherry-pick and focus on the most significant evidence. 

MITRE ATT&CK Tactics - Initial Access

Two items are highlighted to us in connection with Initial Access. When inspected you can see that they point to password-protected zip files that have been placed in the recycle bin, as indicated by the file names $RKEZQSR.zip, $R9EYK9E.zip, and the file path. 

These files have been allocated a Finding: Rule: Password_protected_ZIP, (author: Binalyze DFIR Lab)

These files have a hash value, which can be searched in the Investigation Hub global search, and when done, we notice some hits of the hash in the Event Records Lists: 

Inspection of the Event Records Lists quickly reveals that Microsoft Edge was used to download ‘invoice.zip’ on 2023-10-21 at 14:59:39 into C:\\Users\\john\\Downloads:

So, within just a few minutes we have potentially identified the root cause of the attack and how initial access was achieved.

MITRE ATT&CK Tactics - Execution - Command and Scripting Interpreter - T1059:

Cyber adversaries will misuse script and command-line interfaces, such as the Unix shell in macOS and Linux, or the Windows Command Shell and PowerShell, to execute malicious operations on nearly any platform.

 In our case when we click on ‘Command and Scripting Interpreter’, the Investigation Hub filters on T1059 and 3 suspicious entries which warrant further investigation. 

‘Anti_defender.bat’ has been identified as an issue for us as it’s a ‘.bat’ file that is running from a suspicious location: 

The hash identified here will also be useful to search across other assets, having confirmed in VirusTotal that it clearly is something to be concerned about: 

MITRE ATT&CK Tactics - Persistence 

Having found a way in, staying there will now be high on the attacker's wish list, and in our case, three methods of doing just that stand out:

1. To protect its presence, the malware establishes an ‘autorun registry key’ (not too cunningly hidden in our example) named 'aaa', signaling its intention to establish a permanent foothold on this new host: 

1. To further achieve this permanency, attackers may establish or alter Windows services to persistently run the malicious code. These services, which are programs that execute background tasks, are launched automatically by Windows during startup.

   In our case the creation of the Service; '114' is used to do exactly that by launching ‘invoice.exe' after every restart. 

1. Another common tactic from attackers is to create their own permanent user account, truly embedding in the victim's environment, and in our case, we will see such an account with the user name; ‘abx’ used to solidify the attacker's presence:

MITRE ATT&CK Tactics - Privilege Escalation - TA0004 

Privilege Escalation involves methods used by attackers to obtain higher access rights on a system or network. Typically, attackers start with basic access and seek greater privileges to achieve their goals, exploiting vulnerabilities or system misconfigurations. 

 Elevated privileges can range from SYSTEM/root access to a local administrator or user accounts with admin-level permissions or rights to specific systems or functions. 

 MITRE ATT&CK Tactics - Defence Evasion - TA0005

Defence Evasion involves strategies by attackers to evade detection, such as disabling security tools, cloaking data, and mimicking legitimate processes to conceal malware. Techniques that also undermine defences are additionally catalogued under this category:

 Our incident unfolds with the deceptive simplicity of a downloaded file named, 'invoice.zip'. This was a password-protected file, which as a ‘digital Trojan horse,’ was concealing dual ‘agents of chaos’:  

As identified here by the Binalyze DFIR Lab, the executable 'invoice.exe' was actually a potent command and control mechanism borne from the Havoc Framework, often used as a red-teaming tool. 

The second element of our Trojan horse was 'anti-defender.bat' which in this case was a script engineered to stop Windows Defender's safeguards. These seemingly mundane files can lay in wait in unusual directories such as C:\Windows\Temp directory, poised to orchestrate a symphony of destruction!

MITRE ATT&CK Tactics - Credential Access - OS Credential Dumping:

Attackers target ‘lsass.exe’, a crucial Windows process, to extract NTLM hashes, the cryptographic format for storing Windows user passwords. These hashes are essential for Windows authentication and are used in various communication protocols.

Clicking on ‘OS Credential Dumping’ filters the listing in our case to show that this activity has indeed been used here:

The goal of credential dumping from ‘lsass.exe’ is to acquire NTLM hashes, which can be decrypted using tools like Mimikatz to reveal plaintext passwords. This poses a significant security risk as it allows attackers to bypass the need for actual passwords.

The details window for the entry above confirms that ‘invoice.exe’ is indeed launching ‘lsass.exe’:

NTLM hashes are stored in the Security Account Manager (SAM) on local machines, access to them enables attackers to move laterally within a network, access sensitive information, and increase their access privileges. 

 MITRE ATT&CK Tactics - Discovery - TA0007

At this stage the attacker is probing your system and network to gather information, using discovery techniques that often leverage built-in OS tools. This intelligence-gathering step helps them map out the environment and plan their subsequent actions.

The attacker now has a foothold that allows them to deploy SharpHound and with the help of a beacon cloaked as 'Sp.exe', the malware now embarks on a cartographic mission, mapping the network's Active Directory landscape in search of new domains to compromise.

 SharpHound is a data-collecting tool from the well-known BloodHound toolset, used by red teamers to simulate attacks, and for defenders to identify and mitigate potential paths of compromise within AD infrastructures. 

 They are particularly useful for understanding complex permission structures and uncovering attack routes that would otherwise be difficult to detect through manual analysis.

 ‘Sp.exe’ is also clearly associated with our bad actor and when searching on that filename in the Global Search you’ll find plenty of evidence of its activity throughout the system:

These search hits will take the investigator to any part of the system where there is further evidence of sp.exe’s activity. 

• The file was only executed once.

• It happened at a super-relevant time.

• The entropy is suspiciously high.

• The location from where it ran is ‘rare’.

• And the file name is unusually short.

A Forensic Deep Dive

All of the above was related to how we can use AIR’s Investigation Hub to dissect the attacker's activity - this is just one way to progress your investigation, now we will look at another way in which you can exploit the Investigation Hub. 

Each piece of evidence can then be methodically examined, utilizing reliable references like VirusTotal to ascertain the capability of the artifacts revealed by DRONE in the Investigation Hub.

The Evidence main menu also flags DRONE’s findings with a colored badge and count number, making it easy for investigators to focus on this additional investigative route. 

Let's take a look at some such hits in this case remembering that it’s often impossible for attackers to remove their footprints from these system areas.

SRUM Application Resource Usage

As seen below the Investigation Hub provides the ability, with surgical precision, for investigators to navigate many forensically sound artifacts such as the SRUM (System Resource Usage Monitor) database. In this case, having identified ‘invoice.exe’ as important, some keyword matches have been identified by DRONE in SRUM.

This SRUM data helps us establish when ‘invoice.exe’ was run and, which account, it was run by. 

 Processes

In this case, we can see that there are 4 items highlighted by the Investigation Hub for us to investigate: 

When you hover the mouse over the suspicious badge you can see what has been highlighted to you:

• Strange child process started by svchost.exe

• Happened in a super-relevant time period

• The file size is small

 In the Details/TCP window for one of these flagged processes the remote IP address for this  suspicious process is displayed - so now we may have identified how and from where the attacker is operating on our system:

Prefetch Parsed

The Prefetch file can be a great source of information to support investigations, used by the system to speed up performance by preloading commonly used applications; it can be used in DFIR to track when and from where any applications were launched.

In our case we can evidence from this high score the fact that ‘SP.exe’ was launched and DRONE is telling us that there is plenty to be suspicious about with this activity:

• No digital signature was found.

• The file was only executed once.

• It happened at a super-relevant time.

• The entropy is suspiciously high.

• The location from where it ran is ‘rare’.

• And the file name is unusually short.

Registry - App Compat Cache

 Also known as the Shim Cache, this will contain details of program execution and its function of backward compatibility gets us to the name; ‘ App Compat - Application Compatibility’. This cache is one of those areas where the attacker will struggle to hide their activities. 

In our case, we can see that one of the entries for App Compat Cache is marked as relevant and shows how the attacker ran ‘whoami’ in the command line as part of their reconnaissance activities.

Amcache

 For DFIR, Amcache entries are crucial as they log executed programs, providing timestamps, file paths, and hashes, which are key for tracing malicious activity and building event timelines, even when other traces have been removed.

In our case this means that we can find evidence here of ‘invoice.exe’ and its sha1 hash value. The tracking of this sha1 on this system or on others after using AIR to triage for the presence of the hash will help to identify and contain any compromise.

Collaborative endeavor

 The Investigation Hub's collaborative framework enables a concerted effort among a group of analysts. Findings are shared, strategies are formulated, and the collective intelligence of the team is harnessed to work the case and remediate the attack with speed and accuracy.

Toward remediation and future defense:

 Using Binalyze AIR's Investigation Hub, incident response teams can analyze intelligence to remove attackers from compromised assets. The Investigation Hub also helps teams move quickly from analysis to action, shortening investigation times and allowing them to eliminate threats, recover systems, and strengthen defenses, all powered by AIR's automated analysis features.

The convergence of technology and methodology

 This use case highlights how Binalyze AIR’s Investigation Hub, paired with DRONE's automated analysis and tactical insights, simplifies the complex process of analyzing a sophisticated malware attack.  

It showcases the power of the AIR platform's user-friendly design, which supports a systematic and collaborative investigative operation, accessible to a mixture of skill levels within any DFIR team.

To learn more about how AIR’s Investigation Hub could help with your reactive and proactive incident response use cases you can contact us today or try it for yourself.