- STEPS FOR DETAILED ANALYSIS AND COLLECTING IOCs
- Gather a few basic details such as the IP address, username and hostname of the affected machines and record them in an Excel sheet.
- Next, document the file and process details: malware identification, filename, path, created at (local), modified at (local), modified by, original filename, MD5, SHA1 and SHA256.
- To get the hashes, open PowerShell in the malware's folder and run the commands below.
COMMANDS : Get-FileHash -Algorithm MD5 <exe file>
Get-FileHash -Algorithm SHA1 <exe file>
Get-FileHash <exe file> (PowerShell's default algorithm is SHA256, so no -Algorithm parameter is needed here)
- After collecting the file information, collect the process information. Open Process Explorer as administrator and analyse the process details further.
- After analysing the process information, move on to the service information.
- Open Services and gather the relevant details from it.
- Similarly, collect the file, process and service information for every suspicious process shown in Process Explorer and record it in the evidence Excel sheet.
- Finally, after capturing all the evidence, run the PowerShell script below to find every file modified by the ransomware between the start of its execution and its last modified time. These timestamps are gathered during evidence collection.
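As an added example (not the page's own script), the following PowerShell sweeps the chosen folders for files whose last-write time falls inside the recorded activity window and exports them with their SHA256 to the evidence sheet; the two timestamps, the root folders and the output path are placeholders to be replaced with the values captured during evidence collection.

```powershell
# Added example, not the original page's script: list files modified inside the
# ransomware activity window recorded during evidence collection.
$Start = Get-Date '2024-01-15 09:12:00'    # placeholder: ransomware execution start (local time)
$End   = Get-Date '2024-01-15 09:48:00'    # placeholder: last modified time observed (local time)
$Roots = @('C:\Users', 'D:\')              # placeholder: volumes/folders to sweep
$Out   = 'C:\Evidence\modified_files.csv'  # placeholder: evidence output file

$Hits = foreach ($root in $Roots) {
    # -Force includes hidden/system files; errors on locked paths are ignored
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End } |
        ForEach-Object {
            [pscustomobject]@{
                FullName      = $_.FullName
                Extension     = $_.Extension
                SizeBytes     = $_.Length
                CreatedLocal  = $_.CreationTime
                ModifiedLocal = $_.LastWriteTime
                # Hash is $null if the file cannot be read (e.g. still locked)
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

# Write the evidence list in chronological order
$Hits | Sort-Object ModifiedLocal | Export-Csv -Path $Out -NoTypeInformation -Encoding UTF8

# Counting hits per extension makes an appended ransomware extension stand out
$Hits | Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 10 Name, Count
```

Run from an elevated PowerShell so protected directories are readable; hashing every hit is slow on large volumes, so drop the SHA256 field if only the file list is needed.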

- Now open Sysinternals and run the Autoruns application as administrator. Wait a while for it to collect the information and display it on screen.
- You can save the Autoruns output to an ".arn" file for later review, and also collect values such as registry key, path and timestamp and record them in the evidence Excel sheet.
- Now go to the website below and download the HxD editor to review the hex values.
LINK : https://mh-nexus.de/en/hxd/
- After downloading, install the editor and open it as administrator. Then go to the malware folder and review each executable with the HxD editor.
NOTE :