Initial CTI lookup shows the hash is not flagged by any security vendor.
However, the Yomi Hunter sandbox classifies the file as malware.
No inbound or outbound traffic involving the host 172.16.17[.]82 is recorded during the timeline.
Browser history (no timestamp) shows a Google search for: “how to update chrome”
The page visited:
hxxps://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DAndroid&hl=en
appears legitimate on urlscan.io.
Process tab (again without timestamp) shows:
googleupdate.exe executed by taskeng.exe
Followed by chrome.exe
Followed by execution of:
C:\Users\John\Downloads\Purchase-Order_NO.231101.exe
The MD5 of this PE is flagged as malicious (trojan) by threat intel.
The malware did execute, but there is no evidence tying it to this specific alert or its timeline.
Network action: No data shown
Terminal history reveals discovery commands (dir /s, net user, etc.), but again no timestamp is available to correlate them with the event.
Other: file not quarantined; verdict: non-malicious.
This alert was triggered by the execution of googleupdate.exe on the host JohnComputer on September 20th at 21:02 UTC.
After investigation, we determined that the behavior aligns with a legitimate Google Chrome update. The user had recently searched for "how to update Chrome" and visited the official Google support page. No network traffic for the host was recorded during the timeline, and the process path and parent (taskeng.exe) are consistent with scheduled update activity.
Although a malicious executable (Purchase-Order_NO.231101.exe) also appears in the process list, it carries no timestamp, so it cannot be tied to the event in question. Similarly, the discovery commands in the terminal history were logged without any timing information.
Given the context and available evidence, the event is considered a false positive.
Before whitelisting, verify the binary's publisher signature and install path, since the single sandbox detection (Yomi Hunter) contradicts the vendor consensus. Once confirmed as expected behavior, whitelist the hash or the associated process to prevent future false positives.
Ensure endpoint agent coverage is active on this host so that process, network and terminal events carry timestamps that can be correlated in future events.
Open a separate investigation for Purchase-Order_NO.231101.exe and the discovery commands. They are outside the scope of this alert, but a binary flagged as a trojan executed on the host and was not quarantined; that should not be closed with this ticket.
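The recurring gap in this case is that the process and terminal entries carry no timestamps, so nothing can be placed inside or outside the alert window. The block below is an added example, not code from the original write-up, showing how the correlation would be done once the endpoint agent supplies timestamps: events are bucketed into "inside the window", "outside it" and "undated", the process chain under the alerting parent is walked, and discovery commands are matched. The event list is constructed sample data (the Purchase-Order timestamp and the year of the alert are assumptions; the page gives neither), and the discovery patterns beyond dir /s and net user are this example's additions.

```python
"""Timeline correlation for an endpoint alert (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Alert time from the write-up (20 September, 21:02 UTC); the year is not
# stated on the page and is assumed here.
ALERT_TIME = datetime(2023, 9, 20, 21, 2, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime | None  # None models the timestamp-less entries in the case
    parent: str
    image: str
    cmdline: str


# Discovery commands seen in the terminal history (dir /s, net user) plus a
# few common siblings; everything after the first two is an assumption.
DISCOVERY_PATTERNS = [
    re.compile(r"^\s*dir\b.*\s/s\b", re.I),
    re.compile(r"^\s*net(\.exe)?\s+(user|group|localgroup|view)\b", re.I),
    re.compile(r"^\s*whoami\b", re.I),
    re.compile(r"^\s*systeminfo\b", re.I),
    re.compile(r"^\s*ipconfig\b", re.I),
]

# Constructed sample events. The malicious binary is given a timestamp here
# to show what the analyst could have concluded had one been recorded.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2023, 9, 20, 21, 2, 0, tzinfo=timezone.utc),
              "taskeng.exe", "googleupdate.exe", "googleupdate.exe"),
    ProcEvent(datetime(2023, 9, 20, 21, 2, 5, tzinfo=timezone.utc),
              "googleupdate.exe", "chrome.exe", "chrome.exe"),
    ProcEvent(datetime(2023, 9, 20, 21, 17, 40, tzinfo=timezone.utc),
              "explorer.exe", "Purchase-Order_NO.231101.exe",
              r"C:\Users\John\Downloads\Purchase-Order_NO.231101.exe"),
    ProcEvent(None, "cmd.exe", "net.exe", "net user"),
    ProcEvent(datetime(2023, 9, 20, 23, 15, 9, tzinfo=timezone.utc),
              "explorer.exe", "cmd.exe", r"dir /s C:\Users"),
]


def is_discovery(cmdline: str) -> bool:
    """True when the command line matches a known discovery command."""
    return any(p.search(cmdline) for p in DISCOVERY_PATTERNS)


def correlate(events, alert_time, window=timedelta(minutes=30)):
    """Bucket events by position relative to +/- window around the alert.

    Undated events are kept apart on purpose: they can neither confirm nor
    clear the alert, which is exactly the evidentiary gap in this case."""
    lo, hi = alert_time - window, alert_time + window
    buckets = {"in_window": [], "outside": [], "undated": []}
    for ev in events:
        if ev.ts is None:
            buckets["undated"].append(ev)
        elif lo <= ev.ts <= hi:
            buckets["in_window"].append(ev)
        else:
            buckets["outside"].append(ev)
    return buckets


def descendants(events, root_image):
    """Walk parent->child links by image name (sample data carries no PIDs)."""
    seen, frontier = [], [root_image.lower()]
    while frontier:
        parent = frontier.pop(0)
        for ev in events:
            child = ev.image.lower()
            if ev.parent.lower() == parent and child != parent and child not in seen:
                seen.append(child)
                frontier.append(child)
    return seen


def assess(events, alert_time, known_bad, window=timedelta(minutes=30)):
    """Summarise what can and cannot be tied to the alert."""
    b = correlate(events, alert_time, window)
    bad = {x.lower() for x in known_bad}
    return {
        "bad_in_window": [ev.image for ev in b["in_window"] if ev.image.lower() in bad],
        "discovery_in_window": [ev.cmdline for ev in b["in_window"] if is_discovery(ev.cmdline)],
        "discovery_undated": [ev.cmdline for ev in b["undated"] if is_discovery(ev.cmdline)],
        "undated_count": len(b["undated"]),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, ALERT_TIME, ["Purchase-Order_NO.231101.exe"]))
```

With the constructed timestamps the trojan lands inside a 30-minute window of the alert and would have to be addressed together with it, while "net user" stays in the undated bucket and remains uncorrelatable, which is the situation the write-up actually faced. The window size is a tuning choice; widen it when the agent's clock skew is unknown.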