SOC Analyst Report #1, Jason Reeves
Reason
Connection to Honeypot
Severity: High
Supporting Evidence
Date: 2024-11-13T17:54:50.525760
Destination: 20[.]217.82.118
Port: 445
Hostname: mhn-server
Protocol: TCP
Server type: Dionaea
Source IP: 109[.]62.172.126
Source port: 63874
MD5: 996c2b2ca30180129c69352a3a3515e4
Analysis
WHOIS:
Handle: 109.62.172.0 - 109.62.175.255
Status: active
Address Range: 109.62.172.0 - 109.62.175.255
IP version: v4
Name: MACROREGIONAL_CENTER
Type: ASSIGNED PA
Country Code: RU
Parent Handle: 109.62.128.0 - 109.62.255.255
Whois Server: whois.ripe.net
Location: Belgorod, Belgorod Oblast, Russia
Source IP Address
IPVoid blacklist: 1/93
VirusTotal: 0/94
AbuseIP: not found
Talos Intelligence IP reputation: Poor
TOR exit node: No
SpamHaus: IP is listed on the Policy Block List
Reported as attacking port 445, which is similar to the activity we've seen.
Hash
VirusTotal: 67/72 (WannaCry)
Any.Run: Suspicious activity
Joe Sandbox: Verdict Malicious
Malicious Hash Registry: 61%
Hybrid Analysis: 96%
Conclusion
The attack was captured by the Dionaea honeypot: the source sent a WannaCry variant over port 445 to infect the host. The source IP address has no reputation. Due to the payload I conclude this is malicious behavior.
Next Steps
Block the IP address at the firewall and blacklist the hash on the endpoints.
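As an added example (not part of Jason's report or of any tool named in it), the triage steps the report walks through can be scripted so that the evidence is parsed and validated before a block action is written: the defanged source IP is refanged and checked with `ipaddress`, the MD5 is checked for shape, the "67/72(WannaCry)" detection ratio is parsed into numbers, the per-source IP reputation hits are counted, and the Next Steps are emitted as a firewall rule and a hash blocklist entry. The report text, the reputation dictionary and the hash ratio below are constructed copies of the values above; the `iptables` command form, the blocklist line format and the 50% detection threshold are my own choices.

```python
"""Honeypot alert triage helper (added example, not the report's own tooling)."""
import ipaddress
import re

# Constructed copy of the report's evidence block. The key/value spacing is
# deliberately inconsistent ("Port:445", "Protocol TCP") so the parser has to
# cope with it, as the original report does.
REPORT = """\
Date:2024-11-13T17:54:50.525760
Destination:20[.]217.82.118
Port:445
Hostname:mhn-server
Protocol TCP
Server type: Dionaea
Source ip: 109[.]62.172.126
Source port:63874
MD5:996c2b2ca30180129c69352a3a3515e4
"""

# Constructed from the report's Source IP section: True where a source flags the IP.
IP_SOURCES = {
    "IPVoid": True,          # 1/93
    "VirusTotal": False,     # 0/94
    "AbuseIP": False,        # not found
    "Talos": True,           # reputation Poor
    "TOR exit node": False,
    "SpamHaus PBL": True,    # listed on Policy Block List
}
HASH_RATIO = "67/72(WannaCry)"  # VirusTotal result for the MD5 above

FIELD_RE = re.compile(
    r"^(?P<key>Date|Destination|Port|Hostname|Protocol|Server type|Source ip|Source port|MD5)"
    r"\s*:?\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
RATIO_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*(?:\(([^)]*)\))?\s*$")


def parse_report(text):
    """Return {normalized_key: value} for the evidence lines the regex knows."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").lower().replace(" ", "_")] = m.group("value")
    return fields


def refang(indicator):
    """Undo the defanging used in the report so the value can be validated."""
    return indicator.replace("[.]", ".").strip()


def parse_ip(value):
    """Refang and validate; a typo in the report raises instead of becoming a rule."""
    return ipaddress.ip_address(refang(value))


def is_md5(value):
    return bool(MD5_RE.match(value.strip().lower()))


def parse_ratio(value):
    """'67/72(WannaCry)' -> (67, 72, 'WannaCry'); '0/94' -> (0, 94, None)."""
    m = RATIO_RE.match(value)
    if not m:
        raise ValueError(f"not a detection ratio: {value!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def hash_verdict(detections, total, threshold=0.5):
    """Majority of engines flagging the sample counts as malicious."""
    if total == 0:
        return "unknown"
    return "malicious" if detections / total >= threshold else "clean"


def ip_hits(sources):
    """Number of reputation sources that flag the IP."""
    return sum(1 for flagged in sources.values() if flagged)


def triage(report_text, hash_ratio, ip_sources):
    """Validate the indicators and derive verdict plus response actions."""
    f = parse_report(report_text)
    src = parse_ip(f["source_ip"])
    md5 = f["md5"].lower()
    if not is_md5(md5):
        raise ValueError(f"malformed MD5 in report: {md5!r}")
    det, total, family = parse_ratio(hash_ratio)
    verdict = hash_verdict(det, total)
    hits = ip_hits(ip_sources)
    actions = []
    if verdict == "malicious" or hits:
        actions.append(f"iptables -I INPUT -s {src} -j DROP")  # block at firewall
    if verdict == "malicious":
        actions.append(f"blocklist md5 {md5} family={family}")  # endpoint hash block
    return {"source_ip": str(src), "md5": md5, "family": family,
            "hash_verdict": verdict, "ip_hits": hits, "actions": actions}


if __name__ == "__main__":
    for k, v in triage(REPORT, HASH_RATIO, IP_SOURCES).items():
        print(f"{k}: {v}")
```

The point of refanging through `ipaddress` rather than string replacement alone is that a mistyped or truncated indicator fails at parse time instead of being pushed to the firewall; the same reasoning applies to checking the MD5 shape before it is distributed to endpoints.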
Former network technician, currently aspiring SOC analyst
Since you posted it, I'm figuring it was good. Nothing else I should've added or removed? Thanks for the confidence builder, it really helps.