ID84 - SOC104
Malware Detected

LetsDefend alert triage practice

Alert Overview

Investigation

Initial Triage: Threat Intel

CTI lookup on the hash c74862e16bcc2b0e02cadb7ab14e3cd6

No flags were raised — the file appears clean based on VirusTotal and other sources.

Log Management

Only one event was logged during the alert timeframe. The connection was made to a whitelisted IP, and the parent process MD5 showed no malicious indicators.

Endpoint Security

Endpoint telemetry is unavailable — the agent is down, and the last login was recorded over a year ago.

A sandbox analysis via Hybrid Analysis reports the file as clean with no malicious behavior.

Playbook Execution

Select Threat Indicator

other

Malware quarantined/cleaned?

not quarantined

Analyze Malware

not malicious

Verdict

False Positive

Analyst Summary Report

Summary of findings

The alert triggered on a file hash (c74862e16bcc2b0e02cadb7ab14e3cd6) that showed no malicious behavior during CTI lookup and sandbox analysis. VirusTotal and Hybrid Analysis returned clean or low-confidence results. The event log showed a single entry tied to a whitelisted IP and a parent process with no threat flags.

Endpoint telemetry was limited: the agent was down, and no login had been recorded on the system for over a year, suggesting the host may be decommissioned or abandoned. No email delivery vector or additional telemetry was found.

Based on the evidence, the alert is a false positive.

Remediation recommendations
  • Mark the hash as safe in internal IOC lists if the alert recurs.
  • Investigate and decommission stale endpoints (agent down, inactive for over a year) to avoid false positives and improve coverage.
  • Verify allowlisting policies to ensure whitelisted IPs are regularly reviewed and updated.

SYN / ACK

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.