In this lab, I used VirusTotal to investigate a password-protected spreadsheet’s SHA256 hash and then captured its key indicators of compromise in the Pyramid of Pain template. I explored vendor detections, community feedback, and static/sandboxed details to build a complete picture of the threat.
As an L1 SOC analyst at a financial firm, I received an alert for a suspicious spreadsheet file. After extracting its SHA256 hash (54e6ea47eb04634d3e87fd7787e2136c6efbcc80ade34f246a12cf93bab527f6b), my task was to determine whether it was malicious and then identify three types of IoCs to enter into the Pyramid of Pain.
Has this file hash been reported as malicious? I saw that 55 out of 68 security vendors flagged the hash as malicious. Research shows this sample matches the FlagPro malware family, which is associated with the BlackTech threat group.
| IoC Type | Details |
|---|---|
| Hash values | • SHA256: 54e6ea47eb04634d3e87fd7787e2136c6efbcc80ade34f246a12cf93bab527f6b • MD5: 287d612e29b71c90aa54947313810a25 |
| Domain names | org.misecure.com |
| IP addresses | 207.148.109.242 |
| TTPs | • Command and Control traffic • Keystroke or input capture • Malicious HTTP requests |
By walking through the VirusTotal report, I confirmed the file’s malicious status via high vendor detection rates, extracted multiple IoC types, and mapped them to the Pyramid of Pain. This structured output will help our SOC prioritize blocking these indicators and strengthen our defenses.
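The same triage, as an added example that is not part of the lab: a small Python helper that validates the hash before any lookup (a SHA256 is exactly 64 hex characters, so copy-paste damage is caught early), reads the vendor counts and contacted infrastructure out of a VirusTotal v3 file object, and orders the extracted IoCs from the top of the Pyramid of Pain down so the hardest-to-change indicators head the blocking list. The request URL with its `relationships` query parameter and the response layout are assumptions about the VT v3 API; the sample response is constructed inline with the counts and indicators from this report and a placeholder SHA256, so it runs offline.

```python
import json
import re
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}?relationships=contacted_domains,contacted_ips"
# Pyramid of Pain tiers, bottom (trivial for the attacker to change) to top (tough).
PYRAMID = ["Hash values", "IP addresses", "Domain names", "Network/host artifacts", "Tools", "TTPs"]

def is_sha256(value):
    """A SHA256 is exactly 64 hex characters; reject copy-paste damage before querying."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None

def fetch_report(sha256, api_key):
    """Live lookup of a VT v3 file object (needs an API key; not used by the offline sample)."""
    if not is_sha256(sha256):
        raise ValueError("not a SHA256: expected 64 hex characters")
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def related_ids(report, name):
    """Ids from a relationship collection such as contacted_domains or contacted_ips."""
    rel = report["data"].get("relationships", {}).get(name, {})
    return [item["id"] for item in rel.get("data", [])]

def triage(report, ttps=(), min_ratio=0.5):
    """Verdict, detection ratio and a blocking list ordered top-of-pyramid first. TTPs come
    from the analyst's reading of the behaviour tab; the file is called malicious when at
    least min_ratio of the engines that returned a result flagged it."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    flagged = stats.get("malicious", 0)
    verdict = "malicious" if total and flagged / total >= min_ratio else "undetermined"
    iocs = {
        "Hash values": [h for h in (attrs.get("sha256"), attrs.get("md5")) if h],
        "IP addresses": related_ids(report, "contacted_ips"),
        "Domain names": related_ids(report, "contacted_domains"),
        "TTPs": list(ttps),
    }
    blocklist = [(tier, ioc) for tier in reversed(PYRAMID) for ioc in iocs.get(tier, [])]
    return {"verdict": verdict, "detections": f"{flagged}/{total}", "blocklist": blocklist}

# Constructed sample in the shape of a VT v3 file object; counts and indicators follow the lab.
SAMPLE = {"data": {
    "attributes": {"sha256": "0" * 64, "md5": "287d612e29b71c90aa54947313810a25",  # sha256 is a placeholder
                   "last_analysis_stats": {"malicious": 55, "undetected": 13, "harmless": 0, "suspicious": 0}},
    "relationships": {"contacted_domains": {"data": [{"id": "org.misecure.com"}]},
                      "contacted_ips": {"data": [{"id": "207.148.109.242"}]}},
}}
```

Calling `triage(SAMPLE, ttps=["Command and Control traffic"])` yields verdict `malicious`, detections `55/68`, and a blocklist that starts with the TTP, then the domain, the IP and finally the two hashes.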