[VMRay Success Story] How Expel Gets Answers, Not Alerts with VMRay Analyzer

Answers not Alerts: From Hours or Days to Less than 15 Minutes

Tyler Fornes explains that a central goal of Expel is to provide “answers not alerts” to the many customers relying on them for protection. Watch Tyler walk us through how VMRay Analyzer assists him and his team with the analysis of a Word phishing document that carries a malicious macro. With the help of VMRay Analyzer, he is able to determine whether the malicious document ran in the client environment, starting with the overall verdict of Malicious and the classification of the document as a Trojan, a Dropper, a Keylogger and a Downloader. Next, the Monitored Processes view within the VMRay Analyzer GUI raises another red flag: winword.exe opens cmd.exe, which in turn launches powershell.exe. This is “not ideal” and is indicative of a “classic kill chain”.

To investigate further, Tyler pulls up the screenshots taken during Dynamic Analysis (i.e., during detonation within the VMRay Analyzer sandbox) and sees exactly how the attacker tries to fool the user: the user clicked the Enable Content button in the Word document, which invoked the malicious macro. To dive deeper, Tyler uses VMRay’s proprietary VMRay Threat Identifiers (VTIs) and discovers that a randomly named PE file was dropped and executed. Another VTI flags the actual VBA macro that ran. The Network tab and the YARA tab in the VMRay Analyzer reports provide further evidence and intelligence to help Expel formulate a response. Specifically, the Network tab identifies compromised hosts and supports a broader investigation of other compromised hosts. The YARA tab shows the results of cross-referencing the malware’s behavior with VMRay’s own built-in YARA rulesets, which also identify this as a malicious document containing VBA code.
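A defender-side check for the process chain Tyler describes (winword.exe spawning cmd.exe, which spawns powershell.exe), as an added example that is not part of the original story or of VMRay’s product: it walks constructed process-creation events (a hypothetical log shape, not VMRay’s report format) and flags any shell whose ancestry includes an Office host.

```python
"""Flag command shells descended from an Office process, using constructed
process-creation events (hypothetical log shape, not VMRay's own format)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full image path as logged


# Office hosts that should not normally spawn a command interpreter.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the given process up to its oldest known ancestor."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard: pid reuse could otherwise form a cycle
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def office_shell_chains(events):
    """Return (pid, chain) for every shell process with an Office ancestor."""
    hits = []
    for e in events:
        if basename(e.image) not in SHELL_IMAGES:
            continue
        chain = ancestry(events, e.pid)
        if any(img in OFFICE_IMAGES for img in chain[1:]):  # chain[0] is itself
            hits.append((e.pid, chain))
    return hits


SAMPLE_EVENTS = [  # constructed sample mirroring the chain described above
    ProcEvent(400, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(1204, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(1388, 1204, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1402, 1388, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(1500, 400, r"C:\Windows\System32\cmd.exe"),  # benign: shell from Explorer
]

if __name__ == "__main__":
    for pid, chain in office_shell_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}")
```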

Tyler summarizes the overall value by saying that typically, in the past, they might have had to wait hours or even days for L2 or L3 teams to investigate such an attack but “within VMRay I can have that done in less than 15 minutes.”

How VMRay Analyzer can make a Real Difference

Leading Global Tech Company, Technology Industry
Manual analysis of a huge number of submissions was time-consuming. With VMRay, we are able to handle this task with ease in an automated way.
Major Telecom Company, Telecommunications Industry

World’s Best Trust us for a Reason

Cyber Security Team Lead, Leading Global Tech Company

Manual analysis of a huge number of submissions was time-consuming. With VMRay, we are able to handle this task with ease in an automated way. This creates enormous value for our company, customers and partners.

Threat Intelligence Team, Top 10 Global Technology Brand

VMRay’s data quality and rich API allowed us to automate our reverse engineering and data extraction tasks in a way no other vendor was able to provide.

Threat Research Team, Carbon Black

What our team loves about VMRay is the ability to quickly triage a lot of malicious samples by providing a wide variety of targets, configurations and applications out of the box.
