6 3 5 Lab Attack Analysis

The document outlines a lab exercise focused on attack analysis, where participants investigate Indicators of Compromise (IOCs) using the ANY.RUN malware hunting service and the Mitre ATT&CK Matrix. It consists of three parts: validating hash values, analyzing malicious activity, and further investigating additional malicious entries. The lab aims to enhance skills in digital forensics and incident response within a cybersecurity context.

Uploaded by Mohammed Hassaa

Lab - Attack Analysis

Objectives
Part 1: Investigate IOCs
Part 2: Investigate the Malicious Activity
Part 3: Investigate the More Malicious Activity

Introduction
Once an alert has been reported and validated, digital forensics and incident response analysis must be
completed. In a large organization, members of the incident response team (i.e., the CSIRT) are responsible for
this process. The response team typically consists of veteran threat hunters and select cybersecurity analysts
and technicians. Various tools and resources are available to help the incident response team.
In this lab, you will use the ANY.RUN online interactive malware hunting service and the Mitre ATT&CK
Matrix to investigate potential malicious activity.
ANY.RUN offers a free service in which community users can upload suspected malware files for analysis. It
provides a very rich set of analysis features that let you safely investigate the behavior of malware. The
ANY.RUN sandbox dynamically runs the malware and displays details of what the malware does in a safe
and secure analysis interface. Because free-plan submissions are public, anyone (including the threat actor)
can view them; do not upload files that contain sensitive organizational data.
Note: You will use the free version of ANY.RUN, which has limited features and can only run malware
samples on a 32-bit Windows 7 virtual machine. Two more advanced versions are available for a monthly
subscription. The Searcher and Hunter versions provide access to advanced features and other operating
systems (e.g., Windows 10).

Scenario
You are working as a cyber technician and you have been selected to work with the incident response team
at XYZ, Inc. A cybersecurity analyst has asked you to evaluate hash values from security alerts that have
been generated by the Intrusion Prevention System (IPS). The IPS has flagged a series of events as
potentially malicious.
You will use the ANY.RUN online tool and Mitre ATT&CK Matrix to perform forensic analysis based on the
provided hash values.

Required Resources
- A device with internet access

Instructions

Part 1: Investigate IOCs


In this part, you will use the ANY.RUN website to categorize identified hash values to see if they are
malicious, suspicious, or benign.

Step 1: Explore the ANY.RUN site


a. Open a web browser and navigate to the ANY.RUN webpage.
b. At the top of the webpage are links starting with “WHY US”. Click SERVICE in the horizontal
menu to move to the sandbox service interface.

 2017 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 5

c. Click one of the countries in the map to show the list of public submissions from that country. Community
users can view a detailed analysis for each submission.
d. Explore and become familiar with this dashboard. The ANY.RUN tool has many options available that will
be of great value to a cybersecurity analyst. Use this opportunity to learn more about the tool.

Step 2: Validate Suspicious Hashes


In this step, you will investigate the MD5 hashes of files that the cybersecurity analyst has identified in the
table below. You will verify whether each one is potentially malicious, suspicious, or benign.
a. To search hash values, click Public Tasks in the menu on the left.
This opens the Public submissions page which displays a list of public tasks arranged by the most
recent submission. Notice that each task is labelled with the analysis verdict identifying the submission as
no threat detected (i.e., benign), suspicious activity, or malicious activity.
b. The cybersecurity analyst has asked you to validate several hash values. Complete the following table by
copying and pasting each MD5 hash value into the search box in the upper right of the window and
pressing Enter.

IOC | MD5 Hash Value                   | Malicious / Suspicious / Benign | Associated Filename
1   | 2fd03624e271ec70349ce56fb30f563b |                                 |
2   | c419df63e0121d72411285780c2fc6cc |                                 |
3   | 3acf52e5a62d50bdcedcb89174bf5492 |                                 |
4   | 766b774626947000e67e0b318f558e94 |                                 |
5   | 422a6ca28a7e4d8e5e498523c6f049f4 |                                 |
6   | b497845beb135740e6caed03a2020036 |                                 |

Note: The hash values identified as malicious will also be used in Parts 2 and 3.
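The hash lookup in Step 2 is something an analyst does by hand in the sandbox, but the same matching is usually scripted against quarantined files. The following is an added example (not part of the Cisco lab and not ANY.RUN code): it takes the six MD5 IOCs from the table above, rejects malformed entries, normalizes case, hashes each file with both MD5 (what the IPS alert carries) and SHA-256 (what the sandbox text report shows), and reports hits. The sample file bytes and the "quarantine/..." names are constructed for the example; the extra upper-case and malformed IOC entries are added to exercise normalization and rejection.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# The six MD5 IOCs from the lab table in Part 1, Step 2, copied from the page.
LAB_IOC_MD5 = [
    "2fd03624e271ec70349ce56fb30f563b",
    "c419df63e0121d72411285780c2fc6cc",
    "3acf52e5a62d50bdcedcb89174bf5492",
    "766b774626947000e67e0b318f558e94",
    "422a6ca28a7e4d8e5e498523c6f049f4",
    "b497845beb135740e6caed03a2020036",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_hash(value: str) -> str:
    """Trim and lowercase so 'ABCD...' from an alert equals 'abcd...' from a report."""
    return value.strip().lower()


def validate_iocs(values: Iterable[str]) -> Tuple[Set[str], List[str]]:
    """Split a pasted IOC list into well-formed MD5 values and rejects.
    A mistyped hash silently matches nothing, so surface it instead of
    letting 'no hit' masquerade as 'benign'."""
    good: Set[str] = set()
    bad: List[str] = []
    for v in values:
        n = normalize_hash(v)
        if MD5_RE.match(n):
            good.add(n)
        else:
            bad.append(v)
    return good, bad


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 (what the IPS alert carries) and SHA-256 (what the sandbox text
    report shows) for one file's bytes, so the two can be cross-referenced."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(samples: Dict[str, bytes], iocs: Iterable[str]) -> Tuple[List[dict], List[str]]:
    """Hash every quarantined file and mark whether its MD5 is on the IOC list.
    A hit inherits the verdict the sandbox gave that hash; a miss only means
    'not on this list', which is not the same thing as benign."""
    known, rejected = validate_iocs(iocs)
    rows = []
    for name in sorted(samples):
        h = file_hashes(samples[name])
        rows.append({"file": name, "md5": h["md5"], "sha256": h["sha256"],
                     "ioc_hit": h["md5"] in known})
    return rows, rejected


# Constructed sample files for this example. The bytes are invented; they are
# not the lab's wireframe.exe or any real malware.
SAMPLES = {
    "quarantine/wireframe_copy.bin": b"MZ\x90\x00constructed-sample-A",
    "quarantine/invoice.pdf": b"%PDF-1.4 constructed benign document",
}

# Simulated IPS alert list: the lab IOCs, plus sample A's MD5 in upper case
# (to exercise normalization) and one malformed entry (to exercise rejection).
ALERT_IOCS = LAB_IOC_MD5 + [
    hashlib.md5(SAMPLES["quarantine/wireframe_copy.bin"]).hexdigest().upper(),
    "not-a-hash",
]

if __name__ == "__main__":
    rows, rejected = triage(SAMPLES, ALERT_IOCS)
    for r in rows:
        print(f"{r['file']}: md5={r['md5']} sha256={r['sha256'][:16]}... hit={r['ioc_hit']}")
    print("rejected IOC entries:", rejected)
```

MD5 is used here only as an identifier to match what the alert contains; it is not collision resistant, so when you record a verdict, carry the SHA-256 from the sandbox report alongside it. On FIPS-mode hosts `hashlib.md5` may be disabled, in which case match on SHA-256 from the start.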

Part 2: Investigate the Malicious Activity


In this part, you will use the ANY.RUN website to investigate the malicious activity identified in the previous
part. From the ANY.RUN analysis page, you will pivot to different views to examine the malicious activity. Finally, you will
use the Mitre ATT&CK Matrix to identify the tactics and techniques used by the threat actors.

Step 1: Investigate the first malicious hash process tree.


a. From the ANY.RUN Public submissions page, search for the first identified malicious hash value in Part 1,
Step 2b.
b. Click the resulting entry to open it in the ANY.RUN sandbox. The ANY.RUN analysis interface provides
insights to many aspects of the malware behavior.
Note: If more than one submission is displayed, then click the submission with the wireframe.exe
filename.
c. On the right-hand side of the screen, you will see the process tree, which displays a group of horizontal
blue bars in a nested tree-like structure. It shows all the processes that were involved in the exploit.
Some of them are Windows software components, and others are part of the malware.

 2017 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 5
Lab - Attack Analysis

What are the names of the processes used in this activity?


Type your answers here.
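The process tree the sandbox draws is just parent/child links (each process's PID and parent PID) ordered by start time. The following added example (not the lab's or ANY.RUN's code) rebuilds such a tree from a constructed process-start log, answers "which process was executed first" by start time rather than tree position, traces one process back to the sample that spawned it, and paints processes "dangerous" with two illustrative heuristics. The events, names (explorer.exe, sample.exe, cmd.exe, regsvr32.exe, timeout.exe), command lines and the two danger rules are all constructed for the example and are not the lab samples' actual results.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    started_ms: int            # milliseconds since the sandbox run began
    cmdline: str = ""
    children: List["Proc"] = field(default_factory=list)


# Constructed process-start events in the shape a sandbox process log might
# have. Constructed for this example; not the lab's actual results.
EVENTS = [
    {"pid": 1234, "ppid": 1000, "name": "explorer.exe", "started_ms": 0,
     "cmdline": "explorer.exe"},
    {"pid": 2020, "ppid": 1234, "name": "sample.exe", "started_ms": 1500,
     "cmdline": "C:\\Users\\admin\\Desktop\\sample.exe"},
    {"pid": 2044, "ppid": 2020, "name": "cmd.exe", "started_ms": 1900,
     "cmdline": "cmd.exe /c timeout 3 & del sample.exe"},
    {"pid": 2060, "ppid": 2020, "name": "regsvr32.exe", "started_ms": 2100,
     "cmdline": "regsvr32.exe /s payload.dll"},
    {"pid": 2080, "ppid": 2044, "name": "timeout.exe", "started_ms": 1950,
     "cmdline": "timeout 3"},
]


def build_tree(events) -> List[Proc]:
    """Link each process to its parent by ppid. A parent absent from the log
    (pid 1000 here) makes its child a root, which is how a sandbox shows the
    process it launched the sample from."""
    procs: Dict[int, Proc] = {e["pid"]: Proc(**e) for e in events}
    roots = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is None:
            roots.append(p)
        else:
            parent.children.append(p)
    for p in procs.values():
        p.children.sort(key=lambda c: c.started_ms)
    return sorted(roots, key=lambda r: r.started_ms)


def render(roots: List[Proc], depth: int = 0) -> List[str]:
    """Indented lines, one per process, in the nested order the sandbox draws."""
    lines = []
    for r in roots:
        lines.append("  " * depth + f"{r.name} (pid {r.pid}) {r.cmdline}")
        lines.extend(render(r.children, depth + 1))
    return lines


def first_executed(events) -> str:
    """Answer 'which process was executed first?' by start time, not by tree
    position: a child can appear above a later-started sibling in the tree."""
    return min(events, key=lambda e: e["started_ms"])["name"]


def lineage(events, pid: int) -> List[str]:
    """Parent chain for one pid, root first, e.g. how timeout.exe traces back
    to the dropped sample."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def flag_dangers(events) -> List[Tuple[str, str]]:
    """Illustrative heuristics of the kind a sandbox uses to mark a process as
    a danger: a shell deleting a file (self-cleanup) and regsvr32 loading a
    DLL. These two rules are constructed for the example, not ANY.RUN's."""
    found = []
    for e in events:
        cmd = e["cmdline"].lower()
        if e["name"] == "cmd.exe" and " del " in cmd:
            found.append((e["name"], "deletes a file via command shell"))
        if e["name"] == "regsvr32.exe" and ".dll" in cmd:
            found.append((e["name"], "registers/loads a DLL via regsvr32"))
    return found


if __name__ == "__main__":
    roots = build_tree(EVENTS)
    print("\n".join(render(roots)))
    print("first executed:", first_executed(EVENTS))
    print("lineage of pid 2080:", " -> ".join(lineage(EVENTS, 2080)))
    print("dangers:", flag_dangers(EVENTS))
```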

Step 2: Investigate the malicious activity text report.


Above the process tree are three links labelled “Text report”, “Processes graph”, and “ATT&CK matrix”.
a. Click the Text report to open a report in a new web browser window.
b. Scroll through the document to see the generated report.
Question:

What is the SHA256 value associated with this activity?


Type your answers here.

Step 3: Investigate the malicious activity processes graph.


a. Return to the analysis webpage and click the Processes graph.
Questions:

Which process was executed first?


Type your answers here.
What is the process name in the red highlighted box?
Type your answers here.
b. Click the red highlighted box.
Question:

What is the identified danger?


Type your answers here.

Step 4: Investigate the malicious activity in the ATT&CK matrix


a. Return to the analysis webpage and click the ATT&CK matrix to open the Mitre ATT&CK Matrix page.
Questions:

How many Tactics, Techniques, and Events are there related to this malicious activity?
Type your answers here.
What are the tactics that were used by the threat actors?
Type your answers here.
b. Click the various techniques that were used.
Question:

Which technique is identified as a Danger?


Type your answers here.
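The counts the matrix view asks for (tactics, techniques, events) depend on how you count: one technique can sit under two tactics, and one event can be listed under each. The following added example (not the lab's or ANY.RUN's code) groups constructed sandbox observations by tactic in Enterprise ATT&CK matrix order, produces the three counts, and lists the techniques with a danger-level event. The technique IDs and their tactic mappings (T1059.003, T1547.001, T1070.004, T1082, T1071.001) are real ATT&CK entries; the events, the severity tiers (danger / warning / info) and the counting conventions are assumptions made for the example, and ANY.RUN's own counts may differ.

```python
from collections import defaultdict
from typing import Dict, List

# Enterprise ATT&CK tactics in matrix (left-to-right) order.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Constructed observations in the shape a sandbox's ATT&CK mapping might take.
# The IDs and tactics are real ATT&CK mappings; the events and severity tiers
# are invented for this example and are not the lab samples' actual results.
OBSERVATIONS = [
    {"tactic": "Execution", "id": "T1059.003", "name": "Windows Command Shell",
     "event": "sample.exe starts cmd.exe", "severity": "warning"},
    {"tactic": "Persistence", "id": "T1547.001", "name": "Registry Run Keys / Startup Folder",
     "event": "writes HKCU\\...\\Run value", "severity": "danger"},
    {"tactic": "Privilege Escalation", "id": "T1547.001", "name": "Registry Run Keys / Startup Folder",
     "event": "writes HKCU\\...\\Run value", "severity": "danger"},
    {"tactic": "Defense Evasion", "id": "T1070.004", "name": "File Deletion",
     "event": "cmd.exe deletes sample.exe", "severity": "danger"},
    {"tactic": "Discovery", "id": "T1082", "name": "System Information Discovery",
     "event": "reads computer name", "severity": "info"},
    {"tactic": "Discovery", "id": "T1082", "name": "System Information Discovery",
     "event": "queries OS version", "severity": "info"},
    {"tactic": "Command and Control", "id": "T1071.001", "name": "Web Protocols",
     "event": "HTTP POST to remote host", "severity": "warning"},
]


def group_by_tactic(obs) -> Dict[str, List[str]]:
    """Technique IDs under each tactic, tactics in matrix order. T1547.001
    shows up under two tactics because ATT&CK maps it to both; it is still
    one technique when counting techniques."""
    grouped = defaultdict(set)
    for o in obs:
        grouped[o["tactic"]].add(o["id"])
    return {t: sorted(grouped[t]) for t in TACTIC_ORDER if t in grouped}


def summarize(obs) -> Dict[str, int]:
    """The three numbers the lab asks for. Conventions (an assumption of this
    example; the tool may count differently): tactics = distinct tactic names,
    techniques = distinct technique IDs, events = distinct (technique, event)
    pairs, so one registry write listed under two tactics is one event."""
    return {
        "tactics": len({o["tactic"] for o in obs}),
        "techniques": len({o["id"] for o in obs}),
        "events": len({(o["id"], o["event"]) for o in obs}),
    }


def dangers(obs) -> List[str]:
    """Techniques with at least one danger-severity event, sorted by ID."""
    return sorted({o["id"] for o in obs if o["severity"] == "danger"})


if __name__ == "__main__":
    for tactic, ids in group_by_tactic(OBSERVATIONS).items():
        print(f"{tactic}: {', '.join(ids)}")
    print(summarize(OBSERVATIONS))
    print("danger:", dangers(OBSERVATIONS))
```

When you record the lab's answers, say which convention you used; "seven events" and "six events" can both be right for the same run depending on whether a multi-tactic technique's event is counted once or per tactic.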

Part 3: Investigate the More Malicious Activity


In this part, you will repeat the steps in Part 2 to examine the other two malicious entries discovered in Part 1.

Step 1: Investigate the second malicious hash process tree.


a. Return to the ANY.RUN Public submissions page, and search for the second identified malicious hash
value discovered in Part 1, Step 2b.
b. Click the resulting entry to open it in the ANY.RUN sandbox.
Question:

What is the name in the process tree of the process used in this activity?
Type your answers here.

 2017 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 5
Lab - Attack Analysis

c. Open the Text report.


Question:

What is the SHA256 value associated with this activity?


Type your answers here.
d. Return to the analysis webpage and open the Processes graph.
Question:

What are the identified dangers?


Type your answers here.
e. Return to the analysis webpage and open the ATT&CK matrix.
Questions:

How many Tactics, Techniques, and Events are there related to this malicious activity?
Type your answers here.
What are the tactics that were used by the threat actors?
Type your answers here.
f. Click the various techniques that were used.
Question:

Which techniques are identified as a Danger?


Type your answers here.

Step 2: Investigate the third malicious hash process tree


a. Return to the ANY.RUN Public submissions page, and search for the third identified malicious hash value
discovered in Part 1, Step 2b.
b. Click the resulting entry to open it in the ANY.RUN sandbox.
Question:

What is the name in the process tree of the process used in this activity?
Type your answers here.
c. Open the Text report.
Questions:

What is the SHA256 value associated with this activity?


Type your answers here.
d. Return to the analysis webpage and open the Processes graph.
Question:

What Dangers does it display?


Type your answers here.
e. Return to the analysis webpage and open the ATT&CK matrix.
Questions:

How many Tactics, Techniques, and Events are there related to this malicious activity?
Type your answers here.
What are the tactics that were used by the threat actors?
Type your answers here.

Reflection Questions
1. Explain how forensic analysis and incident response are very much like law enforcement trying to solve a
criminal case.
Type your answers here.

 2017 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 5
Lab - Attack Analysis

2. Two of our malicious activities referred to Redline. What is Redline?


Type your answers here.
End of document

 2017 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 5
