FortiSandbox Alert Details
Alert ID: FORTI-SANDBOX-EVASION-1497-7842
Alert Time: 2024-02-20 15:30:15 EST
Severity: HIGH (85/100)
Source: Fortinet FortiSandbox
Rule: “Sandbox Evasion Techniques Detected – Malware Refuses to Run”
MITRE ATT&CK: T1497.001 – Virtualization/Sandbox Evasion: System Checks
Alert Details:
File Analysis Report:
File Name: invoice_7842.exe
File Size: 2.4 MB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to user in Finance
Submission Time: 15:15 EST
Sandbox Behavior Analysis:
File executed in sandbox environment
Malware performed multiple evasion checks:
Check 1: Detected VMware artifacts (presence of VMware tools) -> Exited
Check 2: Detected sandbox hostname patterns (“SANDBOX”, “ANALYSIS”) -> Exited
Check 3: Checked CPU core count (<2 cores) -> Exited
Check 4: Checked RAM size (<2GB) -> Exited
Check 5: Checked for debugging tools (IsDebuggerPresent) -> Exited
Malware exited without showing malicious behavior
After 10 minutes of no activity, sandbox forced deeper analysis
Forced execution revealed:
Decrypted payload: Cobalt Strike beacon
Connected to 185.143.221[.]89:443
Injected into legitimate process
Evasion Techniques Detected:
VMware Artifact Check: 10/10
Debugger Detection: 9/10
Resource Checks: 8/10
Overall Evasion Score: 9/10 (High)
Threat Score: 10/10 (Malicious)
Overall: 10/10 (Critical)
Additional Context:
Malware designed to evade automated analysis
Only runs on real user machines
Requires advanced sandbox bypass capabilities to analyze
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed malware with evasion techniques
2. Email Investigation | Find email with attachment | Proofpoint, Exchange | Email to finance@company.com from spoofed vendor
3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes
4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution)
5. IOC Distribution | Block URLs and IPs | Palo Alto, Cisco Umbrella | C2 IP added to blocklists
6. Threat Hunting | Check for similar files | FortiSandbox, Splunk | No other occurrences found
Jira Incident Report
Ticket: SOC-2024-104
Summary: T1497 – Malware with Sandbox Evasion Techniques Detected
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1497, sandbox-evasion, virtualization, fortisandbox, malware
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “Sandbox Evasion Techniques Detected – Malware Refuses to Run”.
File: invoice_7842.exe (email attachment).
Target: Finance Department.
Time: 2024-02-20 15:30 EST.
Technique: MITRE ATT&CK T1497.001 – Virtualization/Sandbox Evasion: System Checks.
2. Technical Analysis:
Attack Chain:
15:10 – Email sent from “vendor@payment-update[.]net”
15:11 – Email delivered to finance@company.com
15:12 – FortiSandbox analyzes attachment (inline)
15:15 – Analysis begins
15:16-15:25 – Malware performs evasion checks, exits
15:26 – Sandbox forces deeper analysis
15:28 – Malicious behavior triggered
15:30 – Alert triggers
15:31 – Email quarantined (before user opened)
Evasion Techniques Used:
VMware Detection: Checks for VMware tools, registry keys, processes
Sandbox Hostname Detection: Looks for “SANDBOX”, “ANALYSIS” in computer name
Resource Checks: CPU <2 cores, RAM <2GB -> assumes sandbox
Debugger Detection: IsDebuggerPresent, NtQueryInformationProcess
Timing: Sleep calls, delayed execution
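The checks listed above are also a checklist for the analysis environment itself: a sandbox image that presents these tells never sees the real payload. The following added example (not FortiSandbox or the report author's code) audits a constructed sandbox profile against the report's checks; the profile fields, the 2-core / 2 GB thresholds and the 10-minute analysis window are assumptions taken from this alert.

```python
"""Audit a sandbox VM profile against the evasion checks in the report.

Added example, not FortiSandbox or the report author's code. Profile fields
and thresholds are assumptions drawn from the alert: VMware tools present,
"SANDBOX"/"ANALYSIS" in the hostname, fewer than 2 cores, less than 2 GB RAM,
a debugger attached, and an analysis window shorter than the 10 minutes after
which the sandbox forced deeper analysis.
"""
from dataclasses import dataclass

SANDBOX_HOSTNAME_MARKERS = ("SANDBOX", "ANALYSIS")
MIN_CORES = 2          # sample exited when it saw < 2 cores
MIN_RAM_GB = 2         # sample exited when it saw < 2 GB RAM
MIN_ANALYSIS_MIN = 10  # forced analysis kicked in after 10 min of no activity


@dataclass
class SandboxProfile:
    hostname: str
    cpu_cores: int
    ram_gb: float
    vmware_tools_present: bool
    debugger_attached: bool
    analysis_window_min: int


def evasion_tells(profile: SandboxProfile) -> list[str]:
    """Return the T1497.001 checks from the report that this profile would trip."""
    tells = []
    if profile.vmware_tools_present:
        tells.append("VMware artifacts (VMware tools present)")
    if any(m in profile.hostname.upper() for m in SANDBOX_HOSTNAME_MARKERS):
        tells.append("sandbox hostname pattern")
    if profile.cpu_cores < MIN_CORES:
        tells.append(f"CPU cores < {MIN_CORES}")
    if profile.ram_gb < MIN_RAM_GB:
        tells.append(f"RAM < {MIN_RAM_GB} GB")
    if profile.debugger_attached:
        tells.append("debugger present (IsDebuggerPresent)")
    if profile.analysis_window_min < MIN_ANALYSIS_MIN:
        tells.append(f"analysis window < {MIN_ANALYSIS_MIN} min (sleep outlasts it)")
    return tells


# Constructed profiles: one mirroring the tells this sample tripped, one hardened image.
LEAKY = SandboxProfile("ANALYSIS-PC", 1, 1.0, True, True, 5)
HARDENED = SandboxProfile("FIN-WS-0231", 4, 8.0, False, False, 15)

if __name__ == "__main__":
    for name, prof in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(name, evasion_tells(prof) or ["no tells"])
```

An empty result means the image would have let this sample detonate on the first run instead of needing the forced-analysis fallback.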
True Payload:
After bypassing sandbox, decrypted Cobalt Strike beacon
C2: 185.143.221[.]89:443
Persistence via scheduled task
Capabilities: Keylogging, credential theft, file exfiltration
Email Details:
Sender: vendor@payment-update[.]net
Subject: “Invoice #7842 – Overdue Payment”
Attachment: invoice_7842.exe (masquerading as PDF)
3. Investigation Findings:
Timeline:
15:10 – Email sent
15:11 – Email delivered
15:12-15:30 – FortiSandbox analysis
15:30 – Alert triggers
15:31 – Email quarantined
15:32 – SOC investigates
15:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– invoice_7842.exe (SHA256: a1b2c3d4…)
Network:
– C2: 185.143.221[.]89:443
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice #7842 – Overdue Payment”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hash to blocklists.
User Notification:
Finance team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Created Proofpoint rule to block .exe attachments.
Enhanced filtering for invoice-themed emails.
5. Root Cause Analysis:
Primary Cause: External attacker sending sophisticated malware via email.
Contributing Factors:
.exe attachments allowed (now blocked).
No user execution (prevented by sandbox).
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Blocked all .exe attachments via email gateway.
Enabled FortiSandbox inline analysis for all emails.
Created alert for any files with sandbox evasion techniques.
8. Conclusion:
Sophisticated malware with multiple sandbox evasion techniques was delivered via email. FortiSandbox detected the evasion attempts and forced deeper analysis, revealing the true malicious payload. The email was quarantined before any user could open it.
Closure Rationale: Malware blocked; IOCs added; email policy updated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-20 16:30 EST