SOC119 - Proxy - Malicious Executable File Detected

Posted Feb 25, 2022 2022-02-25T09:21:00+03:00 by CEngover

Event Details

EventID: 83

Event Time: March 21, 2021, 1:02 p.m.

Rule: SOC119 - Proxy - Malicious Executable File Detected

Level: Security Analyst

Source Address 172.16.17.5

Source Hostname SusieHost

Destination Address 51.195.68.163

Destination Hostname win-rar.com

Username Susie

Request URL https://www.win-rar.com/postdownload.html?&L=0&Version=32bit

User Agent Chrome - Windows

Device Action Allowed

Here are some notes about the event.

**Request URL:** https://www.win-rar.com/postdownload.html?&L=0&Version=32bit

**Request Method:** GET

**Device Action:** Allowed

**Process:** chrome.exe

**Parent Process:** explorer.exe

**Parent Process MD5:** 8b88ebbb05a0e56b7dcc708498c02b3e

We’ve one GET request to URL. Request details are;

Date : Mar, 21, 2021, 01:02 PM Type : Proxy Source IP : 172.16.17.5 Source Port : 43213 Destination IP : 51.195.68.163 Destination Port : 443

After checking the url if that is malicious or not, Virustotal returns that the IP and domain are non-malicious.

Q1 -- Not Malicious

That’s it :)

LetsDefend, Soc Analyst

SOC

This post is licensed under CC BY 4.0 by the author.

SOC119 - Proxy - Malicious Executable File Detected

Event Details

Recent Update

Trending Tags

Contents

Trending Tags

SOC119 - Proxy - Malicious Executable File Detected

Event Details

Recent Update

Trending Tags

Contents

Further Reading

LetsDefend SOC147 - SSH Scan Activity

LetsDefend SOC141 - Phishing URL Detected

LetsDefend SOC142 - Multiple HTTP 500 Response

Trending Tags