ID92 - SOC145
Ransomware Detected

LetsDefend alert triage practice

Alert Overview

Investigation

Initial Triage: Threat Intel

CTI shows the hash is malicious; the sample deletes volume shadow copies, an anti-recovery technique often used by ransomware.
It also reads system information using the Windows Management Instrumentation Command-line (WMIC).

Log Management

No logs related to the host were recorded during the timeline of the event.

Endpoint Security

No agent is installed — so:

  • No network action, terminal, or browser history available

  • Process tab shows malware activity, but with no timestamps, making timeline correlation impossible

Despite this, we can see the execution of ab.exe, followed by WMIC and other commands consistent with known malware behavior.

Playbook Execution

Select Threat Indicator

Other

Malware quarantined/cleaned?

Not quarantined

Analyze Malware

Malicious

Check If Someone Requested the C2

Not accessed

Verdict

True Positive

Analyst Summary Report

Summary of findings

On 23/5/2021 at 7:32 PM an alert was triggered by a malicious hash associated with behaviors commonly observed in ransomware campaigns. Threat intelligence confirms the file attempts to delete volume shadow copies, an early-stage anti-recovery technique. It also executes WMIC commands to gather system information.

Endpoint telemetry is limited due to the absence of an agent — no network, terminal, or browser activity could be retrieved. However, process data (without timestamps) reveals execution of suspicious binaries such as ab.exe, followed by known ransomware-related behavior (all files on the machine encrypted).

No logs were available in the central log management system, and email telemetry yielded no relevant findings.

Despite the visibility gaps, the presence of ransomware-indicative commands and threat intel confirmation leads to a true positive verdict.

Remediation recommendations
  • Initiate full forensic analysis of the system if still available, including memory capture and disk imaging.
  • Verify endpoint coverage — ensure the security agent is properly deployed and active across all assets.
  • Block the malicious hash in EDR/AV and network controls.
  • Review system backups and confirm integrity, given the attempt to remove shadow copies.
  • Initiate threat hunting for similar indicators (e.g., use of WMIC, vssadmin delete, or ab.exe) across the environment.
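The last recommendation, hunting for WMIC reconnaissance, shadow-copy deletion and ab.exe across the fleet, is easiest to demonstrate as a small detection script run over process-creation events. The following is an added example written for this write-up, not part of the LetsDefend alert or playbook. It assumes a constructed, Sysmon-Event-ID-1-like pipe-delimited export (time|host|image|command line|parent image|sha256); the sample records and the IOC hash are placeholders, not the real ab.exe hash. It also goes slightly beyond the write-up by matching the other common recovery-destruction command lines (wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no, Win32_ShadowCopy .Delete()) that ransomware uses alongside vssadmin.

```python
"""Hunt for SOC145-style ransomware indicators in process-creation events.

Added example, not from the original write-up. Input format and sample
records are constructed for illustration; IOC_SHA256 is a placeholder.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    host: str
    image: str          # full path of the created process
    cmdline: str
    parent_image: str
    sha256: str         # "-" when no agent supplied a hash


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    cmdline: str


# IOCs from the alert: the binary name seen in the process tab and its hash.
# The hash below is a placeholder, NOT the real sample's hash.
IOC_IMAGE_NAMES = {"ab.exe"}
IOC_SHA256 = {"0123456789abcdef" * 4}

# MITRE ATT&CK T1490 (Inhibit System Recovery): shadow-copy / recovery
# destruction command lines, case-insensitive and whitespace-tolerant.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]

# T1082 System Information Discovery via WMIC (wmic <class> get/list ...).
WMIC_RECON = re.compile(
    r"\bwmic(\.exe)?\b.*\b(computersystem|os|cpu|product|logicaldisk|"
    r"useraccount|service|process)\b.*\b(get|list)\b",
    re.I,
)

# Constructed sample export: host WS-07 shows the chain from the alert,
# WS-12 shows benign/low-confidence activity that must not be over-flagged.
SAMPLE_LOG = r"""
2021-05-23T19:30:11|WS-07|C:\Users\ellie\Downloads\ab.exe|ab.exe|C:\Windows\explorer.exe|0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2021-05-23T19:30:14|WS-07|C:\Windows\System32\wbem\WMIC.exe|wmic computersystem get domain,manufacturer,model|C:\Users\ellie\Downloads\ab.exe|-
2021-05-23T19:30:17|WS-07|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet|C:\Users\ellie\Downloads\ab.exe|-
2021-05-23T19:30:19|WS-07|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete|C:\Users\ellie\Downloads\ab.exe|-
2021-05-23T19:31:02|WS-07|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no|C:\Users\ellie\Downloads\ab.exe|-
2021-05-23T19:40:00|WS-12|C:\Windows\System32\vssadmin.exe|vssadmin list shadows|C:\Windows\System32\cmd.exe|-
2021-05-23T19:41:00|WS-12|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption|C:\Windows\System32\cmd.exe|-
"""


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(ProcEvent(*line.split("|", 5)))
    return events


def match_rules(ev: ProcEvent) -> list[str]:
    """Return every hunting rule the event trips (empty list if benign)."""
    rules = []
    if basename(ev.image) in IOC_IMAGE_NAMES or ev.sha256.lower() in IOC_SHA256:
        rules.append("known_bad_binary")
    if any(p.search(ev.cmdline) for p in SHADOW_DELETE_PATTERNS):
        rules.append("inhibit_recovery_t1490")
    if WMIC_RECON.search(ev.cmdline):
        rules.append("wmic_discovery_t1082")
    # Escalate when a suspicious command was spawned by the known-bad binary;
    # a parent/child link is the one timeline we have without timestamps.
    if rules and basename(ev.parent_image) in IOC_IMAGE_NAMES:
        rules.append("spawned_by_known_bad_parent")
    return rules


def hunt(events: list[ProcEvent]) -> list[Finding]:
    return [Finding(ev.ts, ev.host, r, ev.cmdline)
            for ev in events for r in match_rules(ev)]


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Distinct rules tripped per host, sorted, for the hunt report."""
    per_host: dict[str, set[str]] = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(rs) for h, rs in per_host.items()}


def priority(rules: list[str]) -> str:
    """Recovery destruction outranks a bad binary, which outranks recon alone."""
    if "inhibit_recovery_t1490" in rules:
        return "critical"
    if "known_bad_binary" in rules:
        return "high"
    return "low"


if __name__ == "__main__":
    for host, rules in summarize(hunt(parse_log(SAMPLE_LOG))).items():
        print(f"{host}: {priority(rules)} -> {', '.join(rules)}")
```

The parent-image check is what turns a list of isolated matches into a chain: a WMIC inventory query from cmd.exe is routine admin noise and stays at low priority, while the same query, or a vssadmin delete, spawned by ab.exe is the ransomware sequence the alert describes. When the real SHA-256 is known, replace the placeholder in IOC_SHA256 so the hash rule fires on renamed copies of the binary.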

SYN / ACK

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.