MALWARE ANALYSIS / THREAT DETECTION USING SPLUNK



Whenever a process is created, Sysmon records an event with Event ID 1 that includes details such as the command line, hashes, process path and parent process path. This information is very useful for an analyst because it lets us see every program executed on a system, which means we can spot any malicious processes being executed.

Question 1:

What is the malicious process that infected the victim's system?


Answer:

EventCode 1: Process Creation.

index=sysmonsplunklab EventCode=1

From the image below we see that there are 6 events, and I spotted a suspicious process, Preventivo.exe.exe.



Next I grabbed the hash of the process file (just the SHA256) and checked it using VirusTotal; 47 AV vendors on VirusTotal detect this file as malicious.
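The same triage done by hand above, as an added example that is not part of the original post: it parses constructed Sysmon Event ID 1 records in the key=value layout Splunk shows, flags process images that use a double extension or run from a user-writable folder, and pulls the SHA256 out of the Hashes field so it can be looked up on VirusTotal. Field names follow Sysmon; the paths and hash values are made up for the sample.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon records (key=value as Splunk renders them).
# Hashes and paths are sample values, not real indicators.
SAMPLE_EVENTS = [
    "EventCode=1 Image=C:\\Windows\\System32\\svchost.exe "
    "ParentImage=C:\\Windows\\System32\\services.exe "
    "CommandLine=\"C:\\Windows\\System32\\svchost.exe -k netsvcs\" "
    "Hashes=MD5=" + "11" * 16 + ",SHA256=" + "22" * 32,
    "EventCode=1 Image=C:\\Users\\victim\\Downloads\\Preventivo.exe.exe "
    "ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=\"C:\\Users\\victim\\Downloads\\Preventivo.exe.exe\" "
    "Hashes=MD5=" + "33" * 16 + ",SHA256=" + "44" * 32,
    # Network connection event (EventCode 3): must be ignored by the triage
    "EventCode=3 Image=C:\\Windows\\System32\\svchost.exe "
    "Hashes=SHA256=" + "55" * 32,
]

# key=value pairs; quoted values may contain spaces (e.g. CommandLine)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(raw: str) -> Dict[str, str]:
    """Split one event line into a field dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(raw)}

def sha256_of(event: Dict[str, str]) -> Optional[str]:
    """Extract the SHA256 from Sysmon's 'Hashes=MD5=...,SHA256=...' field."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", event.get("Hashes", ""))
    return m.group(1).lower() if m else None

def looks_suspicious(event: Dict[str, str]) -> List[str]:
    """Cheap static indicators on the process image path."""
    reasons = []
    image = event.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if re.search(r"\.(exe|scr|pdf|doc|docx)\.exe$", name):
        reasons.append("double extension")      # e.g. something.exe.exe
    if re.search(r"\\(downloads|temp|appdata)\\", image, re.I):
        reasons.append("run from user-writable path")
    return reasons

def triage(raw_events: List[str]) -> List[Dict[str, object]]:
    """Return Event ID 1 records worth a VirusTotal hash lookup."""
    hits = []
    for raw in raw_events:
        ev = parse_event(raw)
        if ev.get("EventCode") != "1":          # process creation only
            continue
        reasons = looks_suspicious(ev)
        if reasons:
            hits.append({"image": ev.get("Image"), "sha256": sha256_of(ev),
                         "reasons": reasons})
    return hits
```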



