FortiSandbox Alert Details
Alert ID: FORTI-BINARY-PACK-1027-7842 Alert Time: 2024-03-08 11:30:22 EST Severity: HIGH (88/100) Source: Fortinet FortiSandbox Rule: “Packed Binary Detected – Multiple Packers Used” MITRE ATT&CK: T1027.001 – Obfuscated Files or Information: Binary Packing
Alert Details:
File Analysis Report:
File Name: update_installer.exe
File Size: 1.2 MB (unpacked size: 4.8 MB)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to engineering@company.com
Submission Time: 11:15 EST
Packing Analysis:
Detected packer: UPX (Ultimate Packer for Executables) – version 3.96
Detected packer: Themida (commercial protector) – secondary layer
Entropy: 7.98 (very high, indicates packed/encrypted)
Packing ratio: 75% compressed (1.2 MB vs 4.8 MB unpacked)
Unpacking Process (FortiSandbox emulation):
Layer 1: UPX unpacked (custom UPX with modified header)
Layer 2: Themida anti-debugging checks, decrypted final payload
Final payload: Cobalt Strike beacon (SHA256: b2c3d4e5…)
Behavior After Unpacking:
Connected to 185.143.221[.]89:443
Injected into explorer.exe
Established persistence via scheduled task
Detection Logic:
Multiple packers detected (UPX + Themida)
High entropy (indicates encrypted/compressed)
Unpacked payload identified as Cobalt Strike
Pattern matches advanced malware obfuscation
SOC Investigation Process
Step
Action
Tools Used
Findings
1. Alert Validation
Verify FortiSandbox analysis
FortiSandbox Console
Confirmed packed binary (UPX+Themida)
2. Email Investigation
Find source email
Proofpoint, Exchange
Email to engineering@company.com from spoofed vendor
3. Quarantine Email
Block and remove email
Proofpoint
Email quarantined from all mailboxes
4. User Check
Verify if user executed file
CrowdStrike
User did not open attachment (alert before execution)
5. IOC Distribution
Block C2 IP and domain
Palo Alto, Cisco Umbrella
185.143.221[.]89 blocked
6. Threat Hunting
Check for similar packed files
FortiSandbox, Splunk
No other occurrences found
Jira Incident Report
Ticket: SOC-2024-188 Summary: T1027.001 – Packed Malware (UPX+Themida) Delivered via Email Status: RESOLVED Resolution: MALICIOUS – Blocked Before Execution Priority: P2 – MEDIUM Labels: T1027, binary-packing, upx, themida, fortisandbox, phishing Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “Packed Binary Detected – Multiple Packers Used”.
File: update_installer.exe (email attachment).
Target: Engineering Department.
Time: 2024-03-08 11:30 EST.
Technique: MITRE ATT&CK T1027.001 – Obfuscated Files or Information: Binary Packing.
2. Technical Analysis:
Attack Chain:
11:10 – Email sent from “vendor@software-update[.]net”
11:11 – Email delivered to engineering@company.com
11:12 – FortiSandbox analyzes attachment (inline)
11:15 – Analysis begins
11:20 – Packing detected
11:25 – Unpacking successful, payload identified
11:30 – Alert triggers
11:31 – Email quarantined
Packing Analysis:
Layer 1 (UPX): Standard packer, but with modified header to evade signature detection
Layer 2 (Themida): Commercial protector with anti-debugging, anti-sandbox, and encryption
Entropy: 7.98 (maximum is 8.0) – clear indicator of packing
Unpacked Size: 4.8 MB (original PE)
Final Payload:
Type: Cobalt Strike beacon
SHA256: b2c3d4e5…
C2: 185.143.221[.]89:443
Capabilities: Remote access, keylogging, file exfiltration
Email Details:
Sender: vendor@software-update[.]net
Subject: “Critical Security Update – Install Immediately”
Attachment: update_installer.exe
3. Investigation Findings:
Timeline:
11:10 – Email sent
11:11 – Email delivered
11:12-11:30 – FortiSandbox analysis
11:30 – Alert triggers
11:31 – Email quarantined
11:32 – SOC investigates
11:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– update_installer.exe (SHA256: a1b2c3d4…)
– Unpacked Cobalt Strike (SHA256: b2c3d4e5…)
Network:
– C2: 185.143.221[.]89:443
Packers:
– UPX (modified)
– Themida
Email:
– Sender: vendor@software-update[.]net
– Subject: “Critical Security Update – Install Immediately”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hashes to blocklists.
User Notification:
Engineering team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Created Proofpoint rule to block .exe attachments.
Enhanced filtering for update-themed emails.
5. Root Cause Analysis:
Primary Cause: External attacker sending packed malware via email.
Contributing Factors:
.exe attachments allowed (now blocked).
No user execution (prevented by sandbox).
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Blocked all .exe attachments via email gateway.
Enabled FortiSandbox inline analysis for all emails.
Created alert for high-entropy/packed files.
8. Conclusion:
A sophisticated malware used multiple packers (UPX and Themida) to obfuscate its payload and evade signature-based detection. FortiSandbox detected the packing and unpacked the file, revealing a Cobalt Strike beacon. The email was quarantined before any user could open it.
Closure Rationale: Malware blocked; IOCs added; email policy updated.
Analyst: [Your Name], SOC Analyst Date: 2024-03-08 12:30 EST