T1497.001 – System Checks (Sandbox Evasion) – FortiSandbox Detection

FortiSandbox Alert Details
Alert ID: FORTI-SANDBOX-EVASION-1497-7842
Alert Time: 2024-03-05 10:30:22 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “Sandbox Evasion Techniques Detected – System Checks”
MITRE ATT&CK: T1497.001 – System Checks (Virtualization/Sandbox Evasion)

Alert Details:

File Analysis Report:

File Name: invoice_7842.docm (email attachment)
File Size: 2.4 MB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email to finance@company.com
Submission Time: 10:15 EST

Sandbox Behavior Analysis:

File executed in sandbox environment
Malware performed multiple system checks before revealing malicious behavior:

Check 1: VMware Detection

Checked for presence of VMware tools: C:\Windows\System32\drivers\vmhgfs.sys (found → exit)
Checked for VMware registry keys: HKLM\SOFTWARE\VMware, Inc.\ (found → exit)

Check 2: Sandbox Hostname Detection

Enumerated computer name: “SANDBOX-01” (found → exit)
Checked for “ANALYSIS” in computer name (found → exit)

Check 3: CPU Core Count

Get-Processor Cores: 1 core (less than 2 → exit)

Check 4: RAM Size

Get-WMI Win32_ComputerSystem | TotalPhysicalMemory: 1.5 GB (less than 2GB → exit)

Check 5: Disk Size

Get-WMI Win32_LogicalDisk | Size: 40 GB (less than 60GB → exit)

Check 6: Debugger Detection

IsDebuggerPresent API call (detected → exit)
NtQueryInformationProcess with ProcessDebugPort (detected → exit)

Check 7: Sleep Calls

Long sleep (10 minutes) to bypass time-based sandboxes
After sleep, performed same checks again

Check 8: Mouse Movement Detection

Checked for mouse movement (no movement in sandbox → exit)

Forced Analysis:

After 15 minutes of evasion, sandbox forced deeper analysis
Malware eventually decrypted payload: Cobalt Strike beacon
Connected to 185.143.221[.]89:443

Detection Logic:

Multiple evasion techniques detected
Malware refused to run in sandbox environment
System checks indicate advanced evasion
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed sandbox evasion techniques
2. Email Investigation | Find source email | Proofpoint, Exchange | Email to finance@company.com from spoofed vendor
3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes
4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution)
5. IOC Distribution | Block C2 IP and URL | Palo Alto, Cisco Umbrella | 185.143.221[.]89 blocked
6. Threat Hunting | Check for similar files | FortiSandbox, Splunk | No other occurrences found

Jira Incident Report
Ticket: SOC-2024-175
Summary: T1497.001 – Malware with Sandbox Evasion Techniques Detected
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1497, sandbox-evasion, system-checks, fortisandbox, phishing
Components: Email-Security, Malware-Analysis

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Fortinet FortiSandbox.
Alert: “Sandbox Evasion Techniques Detected – System Checks”.
File: invoice_7842.docm (email attachment).
Target: Finance Department.
Time: 2024-03-05 10:30 EST.
Technique: MITRE ATT&CK T1497.001 – System Checks (Virtualization/Sandbox Evasion).

2. Technical Analysis:

Attack Chain:

10:10 – Email sent from “vendor@payment-update[.]net”
10:11 – Email delivered to finance@company.com
10:12 – FortiSandbox analyzes attachment (inline)
10:15 – Analysis begins
10:15-10:30 – Malware performs evasion checks, exits
10:30 – Sandbox forces deeper analysis, reveals payload
10:30 – Alert triggers
10:31 – Email quarantined

Evasion Techniques Used:

VMware Detection: Checks for VMware tools, registry keys
Sandbox Hostname Detection: Looks for “SANDBOX”, “ANALYSIS”
Resource Checks: CPU <2 cores, RAM <2GB, disk <60GB
Debugger Detection: IsDebuggerPresent, NtQueryInformationProcess
Timing: Long sleep (10 minutes)
Human Interaction: Checks for mouse movement
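A defender-side use of the thresholds listed above and in the behaviour analysis, added here as an example (it is not part of the FortiSandbox report): an audit that takes a described analysis-VM profile and lists which of the sample's checks would cause it to exit, so the sandbox image can be hardened before the next submission. The VmProfile class and both profiles are constructed for the example; the hardened hostname and sizes are assumed values.

```python
from dataclasses import dataclass

# Thresholds and markers are the ones recorded in the sandbox behaviour analysis.
MIN_CORES = 2
MIN_RAM_GB = 2.0
MIN_DISK_GB = 60.0
HOSTNAME_MARKERS = ("SANDBOX", "ANALYSIS")
VMWARE_ARTIFACTS = (
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    "HKLM\\SOFTWARE\\VMware, Inc.\\",
)


@dataclass
class VmProfile:
    # Description of an analysis VM as a sample would observe it (constructed).
    hostname: str
    cores: int
    ram_gb: float
    disk_gb: float
    artifacts: frozenset = frozenset()   # files / registry keys present on the image
    debugger_attached: bool = False
    mouse_moves: bool = False            # does the sandbox simulate user input?


def audit(profile):
    """Return the report's checks, in order, that would flag this VM and make the sample exit."""
    hits = []
    if any(a in profile.artifacts for a in VMWARE_ARTIFACTS):
        hits.append("vmware_artifacts")
    if any(m in profile.hostname.upper() for m in HOSTNAME_MARKERS):
        hits.append("hostname")
    if profile.cores < MIN_CORES:
        hits.append("cpu_cores")
    if profile.ram_gb < MIN_RAM_GB:
        hits.append("ram")
    if profile.disk_gb < MIN_DISK_GB:
        hits.append("disk")
    if profile.debugger_attached:
        hits.append("debugger")
    if not profile.mouse_moves:
        hits.append("no_mouse_movement")
    return hits


# Constructed profiles: the VM as described in the report, and a hardened image.
REPORTED_VM = VmProfile("SANDBOX-01", 1, 1.5, 40, frozenset(VMWARE_ARTIFACTS), True, False)
HARDENED_VM = VmProfile("FIN-WS-0412", 4, 8.0, 250, frozenset(), False, True)

if __name__ == "__main__":
    for label, vm in (("reported", REPORTED_VM), ("hardened", HARDENED_VM)):
        print(f"{label}: {audit(vm) or 'passes all checks'}")
```

An empty result means none of the eight checks in the report would distinguish the image from the finance workstation it imitates.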

True Payload:

After evasion, decrypted Cobalt Strike beacon
C2: 185.143.221[.]89:443
Persistence via scheduled task
Capabilities: Keylogging, credential theft, file exfiltration

Email Details:

Sender: vendor@payment-update[.]net
Subject: “Invoice #7842 – Overdue Payment”
Attachment: invoice_7842.docm (macro-enabled)

3. Investigation Findings:

Timeline:

10:10 – Email sent
10:11 – Email delivered
10:12-10:30 – FortiSandbox analysis
10:30 – Alert triggers
10:31 – Email quarantined
10:32 – SOC investigates
10:35 – User confirmed (no execution)

Indicators of Compromise (IoCs):

File:

– invoice_7842.docm (SHA256: a1b2c3d4…)

Network:

– C2: 185.143.221[.]89:443

Evasion:

– VMware checks, resource checks, debugger detection, long sleep

Email:

– Sender: vendor@payment-update[.]net

– Subject: “Invoice #7842 – Overdue Payment”

4. Containment Actions:

Immediate Actions:

Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hash to blocklists.

User Notification:

Finance team alerted to campaign.
No user action needed (email not opened).

Email Rule Update:

Created Proofpoint rule to block macro-enabled documents from external senders.
Enhanced filtering for invoice-themed emails.

5. Root Cause Analysis:

Primary Cause: External attacker sending sophisticated malware with evasion techniques.
Contributing Factors:
Macro-enabled documents allowed (now blocked).
No user execution (prevented by sandbox).

6. Business Impact:

Operational Impact: None.
Data Exposure: None (email not opened).

7. Remediation & Prevention:

Completed Actions:

Email quarantined.
IOCs blocked.
Users notified.

Technical Controls Enhanced:

Blocked all macro-enabled documents from external sources.
Enabled FortiSandbox inline analysis for all emails.
Created alert for sandbox evasion techniques.

8. Conclusion:

Sophisticated malware used multiple sandbox evasion techniques, including system checks for VMware artifacts, hardware resources, debuggers, and human interaction. FortiSandbox detected the evasion and forced deeper analysis, revealing the Cobalt Strike payload. The email was quarantined before any user could open it.

Closure Rationale: Malware blocked; IOCs added; email policy updated.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-05 11:30 EST
