Threat Hunting:
in the post-macro world

ANALYSIS OF A MALICIOUS FILE

Follow a step-by-step walkthrough to see what you can get through advanced malware analysis on VMRay.

Overview:
Unveiling Malware Analysis

Embark on a journey into the world of malware analysis as we decode the initial steps of scrutinizing a malicious file. In this first video, we delve into the fundamental process of dissecting a suspicious Windows patch file, equipping you with the essential knowledge to kick-start your analysis.

Through the lens of our platform, we navigate the VMRay Web User Interface to unravel the file’s true nature. Discover the power of behavioral and static rules known as VMRay Threat Identifiers (VTIs), which serve as key indicators of malicious activity. Delve deeper into the extracted Emotet configuration, unveiling its defense evasion tactics, YARA and antivirus matches, and the nefarious actions it carries out within the host environment.

Process map
Revealing the Hidden Layers of Suspicious Behavior

Delve into the depths of a malicious process tree as we dissect the intricate steps of its execution. Scroll down the report to witness the transformation of an innocent-looking LNK file into a series of malicious processes. Starting as cmd.exe, it transitions seamlessly into powershell.exe and further evolves into regsvr32.exe, all while pursuing its malicious objectives.

With this tab, you can explore the dynamic journeys of process trees and delve into the compelling indicators of malicious behavior embedded within. This lets you gain valuable insights into the inner workings of sophisticated threats and enhance your understanding of evolving cyber threats.

Decoding the Threat:
Unveiling the Intricate Mapping of MITRE ATT&CK Framework

Discover the power of the MITRE ATT&CK mapping within our analysis. Witness how behavioral rules are meticulously categorized, shedding light on the techniques employed by the malicious sample. In the defense evasion column, the “NTFS file attributes” technique stands out: the sample deletes the Zone.Identifier alternate data stream (the mark-of-the-web) to obfuscate the origin of its files. You can explore the extensive range of behavioral rules that come into play, with numerous triggers and potential matches, unveiling the depth of our analysis capabilities.

Connecting the Dots:
Navigating the Networking Tab

You can get clear summaries and detailed reports on the network tab of our analysis reports, enabling you to explore the global reach of the analyzed sample. You can delve into the intricacies of each connection, examining the HTTP requests and responses, the underlying function calls, and their timing.

If needed, you can dive even deeper by downloading the raw PCAP file for manual analysis. The insights derived from this dynamic analysis environment support the creation of targeted detection rules and a comprehensive understanding of the sample’s behavior.

Leveraging Extracted Malware Configurations
for Actionable Insights

The overview page of the analysis report reveals a treasure trove of information in the form of the extracted malware configuration. Within this configuration, we find an extensive list of over 60 unique URLs associated with the sample. While the analysis may not display all of these URLs, our advanced capabilities allow us to extract and decipher the complete configuration, providing valuable insights for your investigations.

This collection presents a significant opportunity to enhance your threat hunting. Armed with this information, you can initiate targeted searches within your own environment, seeking any traces or connections to these URLs and proactively investigating and responding.
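One way to turn an extracted configuration into a hunt, as an added example that is not VMRay's code or part of the original page: the URL list is reduced to host and port keys (the shape Emotet command-and-control entries take) and swept against proxy logs. The configuration URLs, the RFC 5737 addresses and the proxy log lines are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed stand-in for an extracted configuration (not the report's real URL list).
EXTRACTED_CONFIG_URLS = [
    "http://203.0.113.10:8080/abc/",
    "http://198.51.100.7:443/xyz/",
    "http://192.0.2.25:7080/",
]

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2024-01-05T10:01:02Z 10.0.0.5 GET http://www.example.com/ 200
2024-01-05T10:01:09Z 10.0.0.5 POST http://203.0.113.10:8080/abc/ 200
2024-01-05T10:03:44Z 10.0.0.9 GET http://192.0.2.25:7080/ 404
2024-01-05T10:05:00Z 10.0.0.7 GET http://203.0.113.10/other 200
"""


def hunt_key(url, by_port=True):
    """Reduce a URL to the key we hunt on: (host, port), or just (host,) for a looser sweep.
    Emotet-style configs key their C2 entries on host and port, not on the exact path."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.hostname, port) if by_port else (p.hostname,)


def hunt(log_text, config_urls, by_port=True):
    """Return (timestamp, client, url) for every log line whose destination matches a
    key derived from the extracted configuration."""
    keys = {hunt_key(u, by_port) for u in config_urls}
    matches = []
    for line in log_text.splitlines():
        ts, client, _method, url, _status = line.split()
        if hunt_key(url, by_port) in keys:
            matches.append((ts, client, url))
    return matches


if __name__ == "__main__":
    for ts, client, url in hunt(PROXY_LOG, EXTRACTED_CONFIG_URLS):
        print(f"{ts} {client} -> {url}")
```

With `by_port=True` the last log line (same host, default port 80) is deliberately not matched; pass `by_port=False` for a broader host-only sweep that does catch it.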

Exploring Malware Behavior:
Analyzing Malware Behavior for Proactive Defense

The behavior tab of our analysis report enables you to uncover a wealth of valuable information. You can explore each process to reveal details on malicious behavior. In this example, we can see the semi-obfuscated command lines and obfuscated PowerShell commands, offering opportunities to develop custom Sigma rules or fine-tune your EDR solution to effectively counter these behaviors. You can even delve deeper into the function log to discover the exact Windows API calls, complete with human-readable parameters and timestamps. With access to network traffic, module creation details, memory dumps, dropped files, registry operations, and associated usernames, you can comprehensively understand the malware’s activities. Leveraging these insights empowers analysts and threat hunters to proactively detect and respond to evolving malware families and sophisticated threats, bolstering your overall security posture.
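The process map and behavior tab sections above describe the same telemetry a detection engineer would match on: a cmd.exe to powershell.exe to regsvr32.exe ancestry and an encoded PowerShell command line. The following is an added example (not VMRay's code or the report's own data) that reconstructs that ancestry from process-creation events and decodes the -EncodedCommand argument so the hidden command can be read; the events, PIDs and the encoded payload are all constructed.

```python
import base64
import re

# Constructed process-creation events modelled on the chain in the report:
# explorer.exe -> cmd.exe -> powershell.exe -> regsvr32.exe.
# The encoded command is a constructed placeholder, not Emotet's real command line.
ENCODED = base64.b64encode(
    "Start-Process regsvr32.exe -ArgumentList '/s C:\\Users\\Public\\x.dll'".encode("utf-16-le")
).decode()
EVENTS = [
    {"pid": 4000, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 4000, "image": "cmd.exe",
     "cmdline": "cmd.exe /c start /min powershell -w hidden -enc " + ENCODED},
    {"pid": 4200, "ppid": 4100, "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc " + ENCODED},
    {"pid": 4300, "ppid": 4200, "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Users\\Public\\x.dll"},
    {"pid": 5000, "ppid": 4000, "image": "notepad.exe", "cmdline": "notepad.exe"},
]

# Ancestry to flag, child first.
SUSPICIOUS_CHAIN = ("regsvr32.exe", "powershell.exe", "cmd.exe")
# Common abbreviations of -EncodedCommand; the argument is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def ancestry(events, pid):
    """Return the record for pid followed by its parent, grandparent, and so on."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument to plain text, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_suspicious(events):
    """Flag each process whose ancestry matches SUSPICIOUS_CHAIN and decode any
    encoded PowerShell found on the way up the tree."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        images = tuple(p["image"].lower() for p in chain[:len(SUSPICIOUS_CHAIN)])
        if images == SUSPICIOUS_CHAIN:
            decoded = [d for d in (decode_encoded_command(p["cmdline"]) for p in chain) if d]
            hits.append({"pid": e["pid"], "chain": " <- ".join(images), "decoded": decoded})
    return hits
```

The same ancestry and decoded-command conditions translate directly into a Sigma rule's `ParentImage`, `Image` and `CommandLine` selections.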

Extracting Actionable IOCs:
A Comprehensive Overview for Enhanced Malware Analysis

By navigating to the Indicators of Compromise (IOCs) tab, you can gain insights into the IOCs, including domain names, files, IP addresses, URLs, their corresponding verdicts, and much more. To ensure clarity amidst numerous indicators, they are carefully scored, highlighting the most relevant ones that demand your attention.

If desired, you can easily remove the filter to explore the clean indicators and delve into the analysis report’s additional 454 artifacts. This broader view may unveil important details, such as the order in which these indicators executed or appeared, providing valuable insights for rule creation and tracking in your larger context.

In the pursuit of better threat detection and analysis, these IOCs and artifact details serve as valuable resources. By leveraging this information, you can enhance your rule-writing capabilities and identify promising paths for further investigation.

Accelerate Your Analysis:
A Time-Saving Solution for Enhanced Threat Hunting

With VMRay’s powerful platform, conducting file analysis is not only thorough but also incredibly efficient. In just a matter of two minutes, you can gain valuable insights into potential threats, making it a significant time-saver for your analysis processes.

By leveraging the capabilities of VMRay, your threat hunting workflows and detection engineering efforts will experience a substantial boost. The platform empowers you to uncover crucial details about malicious files swiftly, enabling you to enhance your overall security posture and stay one step ahead of evolving threats.
