CrowdStrike Alert Details
Alert ID: CS-SOFTWARE-PACK-1027-7842
Alert Time: 2024-03-08 16:30:45 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Packed Process Detected – Obfuscated Code in Memory”
MITRE ATT&CK: T1027.002 – Obfuscated Files or Information: Software Packing
Alert Details:
Detection: Process with packed/obfuscated code detected in memory
Host: DEV-WS-089 (Development Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Process: C:\Users\rpatel\Downloads\dev_tool.exe (PID: 4789)
Time: 16:25 EST
Memory Analysis:
Process memory has high entropy (7.9)
Sections: .text, .data, .rdata are packed/encrypted
Expected for unpacked PE: entropy ~5.0-6.0
Packer signature: ASPack (detected)
Behavioral Analysis:
Process allocated memory with write and execute permissions (RWX)
Wrote decrypted code to new memory region
Transferred execution to decrypted code
Connected to 185.143.221[.]89:443
Detection Logic:
High entropy in process memory (indicates packed code)
RWX memory allocation (unusual for legitimate software)
Self-modifying code (decryption at runtime)
Pattern matches packed malware
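The four detection conditions above, applied to constructed memory regions, as an added example that is not CrowdStrike's code or the original page's; the entropy cut-off, the scoring weights, the Region structure and the "self-modifying" heuristic are assumptions:

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

# The alert reports 7.9 bits/byte for the packed process and ~5.0-6.0 for an
# unpacked PE; the cut-off used here is an assumption, not a vendor value.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Region:
    name: str    # PE section name, or a label such as "heap" for a runtime allocation
    data: bytes
    rwx: bool    # mapped readable + writable + executable


def score_process(regions: list[Region], connected_out: bool) -> dict:
    """Evaluate the alert's four conditions; weights are illustrative only."""
    packed = [r.name for r in regions if shannon_entropy(r.data) >= PACKED_ENTROPY_THRESHOLD]
    rwx = [r.name for r in regions if r.rwx]
    # Self-modifying heuristic (assumption): packed sections plus an RWX region
    # whose content is NOT high-entropy, i.e. decrypted code written at runtime.
    self_mod = bool(packed) and any(r.rwx and r.name not in packed for r in regions)
    score = 30 * bool(packed) + 25 * bool(rwx) + 15 * self_mod + 15 * connected_out
    verdict = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"
    return {"packed_regions": packed, "rwx_regions": rwx,
            "self_modifying": self_mod, "score": score, "verdict": verdict}


# Constructed sample: seeded pseudo-random bytes stand in for packed sections,
# readable text stands in for the decrypted payload in an RWX region.
_rng = random.Random(7)
SAMPLE_REGIONS = [
    Region(".text", _rng.randbytes(4096), rwx=False),
    Region(".data", _rng.randbytes(2048), rwx=False),
    Region("heap", b"This program cannot be run in DOS mode.\r\n" * 60, rwx=True),
]

if __name__ == "__main__":
    for r in SAMPLE_REGIONS:
        print(f"{r.name:<6} entropy={shannon_entropy(r.data):.2f} rwx={r.rwx}")
    print(score_process(SAMPLE_REGIONS, connected_out=True))
```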
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed packed process (ASPack)
2. Process Investigation | Analyze memory | CrowdStrike Falcon Memory | Unpacked Cobalt Strike beacon
3. User Interview | Contact rpatel | Teams, Phone | User downloaded “tool” from forum; unaware
4. Immediate Action | Terminate process | CrowdStrike | Process killed
5. Host Isolation | Isolate DEV-WS-089 | CrowdStrike | Host quarantined
6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-189
Summary: T1027.002 – Packed Malware (ASPack) Executed on Development Workstation
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1027, software-packing, aspack, crowdstrike, user-error
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Packed Process Detected – Obfuscated Code in Memory”.
Host: DEV-WS-089 (Development, user rpatel).
Process: C:\Users\rpatel\Downloads\dev_tool.exe.
Packer: ASPack.
Time: 2024-03-08 16:30 EST.
Technique: MITRE ATT&CK T1027.002 – Obfuscated Files or Information: Software Packing.
2. Technical Analysis:
Attack Chain:
16:00 – User downloads “developer tool” from forum
16:05 – Executes dev_tool.exe
16:10 – Packed process runs, unpacks in memory
16:15 – Unpacked payload (Cobalt Strike) connects to C2
16:25 – CrowdStrike detects
Packing Details:
Packer: ASPack (popular executable packer)
Entropy: 7.9 in process memory (highly packed)
Unpacking: Process allocated RWX memory, decrypted payload, jumped to it
Unpacked Payload:
Type: Cobalt Strike beacon
C2: 185.143.221[.]89:443
Capabilities: Remote access, keylogging, file exfiltration
User Intent:
User believed it was a legitimate tool
Unaware of malware
3. Investigation Findings:
Timeline:
16:00 – Tool downloaded
16:05 – Executed
16:10-16:15 – Unpacking and C2
16:25 – Alert
16:27 – SOC investigates
16:28 – Process terminated
16:29 – Host isolated
Indicators of Compromise (IoCs):
Files:
– C:\Users\rpatel\Downloads\dev_tool.exe (SHA256: a1b2c3d4…)
Process Memory:
– High entropy (7.9)
– RWX allocation
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated dev_tool.exe process.
Isolated host.
Disabled rpatel account.
Reset password.
Blocked C2 IP.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
User Education:
Counseled on downloading untrusted software.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed untrusted software.
Contributing Factors:
No application control.
User unaware of packing risks.
6. Business Impact:
Operational Impact: Development workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Malware terminated.
Account secured.
User educated.
Technical Controls Enhanced:
Enabled application control.
Enhanced monitoring for packed processes.
8. Conclusion:
A user downloaded a packed executable that unpacked in memory and connected to C2. CrowdStrike detected the packed process and enabled rapid termination.
Closure Rationale: Malware terminated; account secured; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-08 17:30 EST