Mar, 13, 2021, 08:20 PM
Event ID: 77
Event Time: Mar, 13, 2021, 08:20 PM
Rule Name: SOC138 - Detected Suspicious Xls File
Alert Type: Malware
MITRE Technique: T1112 - Defense Evasion - Modify Registry
Severity: Medium
Security Analyst
To start off, this is what we see when we take ownership of the alert ticket:

A few quick questions of mine: why is this device allowed to open the file in the first place? Also, for more information, what is the hash of the file? Can we use dynamic malware analysis on it?
The SHA-256 of the file is 7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813 (the identifier in the Hybrid Analysis and VirusTotal links below). Sandbox reports for the sample:
Hybrid Analysis: https://hybrid-analysis.com/sample/7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813/65889ce9182ab6fe0c0880d0
VirusTotal: https://www.virustotal.com/gui/file/7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813/behavior
ANY.RUN analysis: https://app.any.run/tasks/2f6d8418-4986-4e5c-af91-29b8fac74a16/
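The triage step above (get the file hash, then pivot to the sandbox reports) as a small helper script. This is an added example written for this page, not a tool from the original writeup. It assumes the URL patterns `https://www.virustotal.com/gui/file/<sha256>` and `https://hybrid-analysis.com/sample/<sha256>` resolve to the report for that hash (both are visible in the links above, minus the trailing path segments); ANY.RUN reports are keyed by task ID rather than hash, so no ANY.RUN URL is derived. The sample bytes and the blocklist are constructed for the demonstration; the only real indicator is the SHA-256 from this page.

```python
import hashlib
import re

# SHA-256 of the suspicious XLS from this alert (the hash in the sandbox links above).
PAGE_SHA256 = "7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813"

# Constructed stand-in for the file contents; the real sample is not reproduced here.
# (A real .xls starts with the OLE2 magic D0 CF 11 E0 A1 B1 1A E1.)
SAMPLE_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 512

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def file_hashes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests for the given bytes.

    Different platforms index samples by different algorithms, so all three
    are computed in one pass over the data.
    """
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for h in (md5, sha1, sha256):
        h.update(data)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def normalize_sha256(value: str) -> str:
    """Lower-case and validate a SHA-256 hex string; raise on anything else.

    Pasting a hash with mixed case or stray whitespace is a common triage
    mistake, so normalise before comparing against a blocklist.
    """
    value = value.strip().lower()
    if not _HEX64.match(value):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return value


def pivot_urls(sha256: str) -> dict:
    """Build the hash-keyed sandbox/report URLs used in the writeup.

    Assumed URL patterns (taken from the links on this page, minus the
    trailing report-specific segments). ANY.RUN is keyed by task ID, not by
    hash, so it is deliberately absent.
    """
    sha256 = normalize_sha256(sha256)
    return {
        "virustotal": f"https://www.virustotal.com/gui/file/{sha256}",
        "hybrid_analysis": f"https://hybrid-analysis.com/sample/{sha256}",
    }


def triage(data: bytes, blocklist: set) -> dict:
    """Hash the file, check it against known-bad SHA-256s, and return pivots.

    `blocklist` is a set of SHA-256 hex strings (any case). The result carries
    the digests, whether the file is a known-bad match, and the report URLs to
    open next, so the analyst has everything needed before deciding on
    dynamic analysis or containment.
    """
    hashes = file_hashes(data)
    normalized = {normalize_sha256(h) for h in blocklist}
    return {
        "hashes": hashes,
        "known_bad": hashes["sha256"] in normalized,
        "pivots": pivot_urls(hashes["sha256"]),
    }


if __name__ == "__main__":
    # Constructed blocklist containing only the hash from this alert.
    result = triage(SAMPLE_BYTES, {PAGE_SHA256})
    for algo, digest in result["hashes"].items():
        print(f"{algo:7}: {digest}")
    print("known bad:", result["known_bad"])
    for name, url in result["pivots"].items():
        print(f"{name:16}: {url}")
```

Submitting the file itself to a public sandbox hands the sample to a third party; hash lookups against existing reports, as above, are the safer first pivot, and the file only needs to be detonated when no report exists.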
Based on our analysis of the file, we have strong reason to believe it is malicious. Immediate isolation and containment of the affected device and user account is recommended.
