Take ownership of the alert.
Create case
There is a malicious process named svohost.exe which is named close to svchost.exe. Svchost.exe (Service Host) is an essential Windows system process that loads and manages multiple background services (DLL-based) to save system resources and improve stability.
The process user, EC2AMAZ-ILGVOIN\LetsDefend, is an unusual name for a process owner, enough to spark doubt and take the alert seriously.
Looking at the file hash, I decided to search for it on Virustotal.
50 out of 72 vendors flag this file as malicious on Virustotal
Moving onto Endpoint security:
This PowerShell script downloads a password-protected ZIP file (service-installer.zip) from a remote S3 bucket to C:\temp, then uses 7-Zip to extract the archive with the password infected into the same directory. After extraction, it deletes the original ZIP file and executes svohost.exe from the extracted service_installer folder. This behavior is highly indicative of malware delivery and execution, as it retrieves a payload from an external source, extracts it using a hardcoded password (often used to evade static scanning), and launches an executable with a name (svohost.exe) that mimics a legitimate Windows process (svchost.exe) to avoid detection.
This is the information from svohost.exe on the endpoint "Victor"
When I search for the affected host's (Victor) IP in Log Management, and run through the logs, I find there have been multiple failed logon attempts targeting the destination's RDP port (port 3389).
- EventID 4625 (failed logon)
- Error code 0xC000006D (bad username or password)
- Attempts for accounts like "admin" and "guest"
- Source IP: 185[.]107[.]56[.]141
For successful logon:
- EventID 4624 (successful logon)
- Logon Type 10 (RemoteInteractive) (typically RDP)
- Username: Victor
Next, I search for the source IP 185[.]107[.]56[.]141 in Threat Intel on LetsDefend, and the IP is tagged "Brute Force", a strong confirmation that the activity was malicious.
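The correlation above (many 4625 / 0xC000006D failures from one source IP, then a 4624 Logon Type 10 from the same IP) is the kind of pattern a detection rule can encode. The script below is an added example, not part of the original write-up; the log lines are constructed to mirror the events described, and the field layout, threshold and time window are assumptions.

```python
"""Correlate RDP brute-force failures with a later successful remote logon.

Added example, not from the original write-up. The sample events are
constructed; the field order (timestamp EventID SourceIP User LogonType Status)
is an assumed simplified layout, not a real Windows event format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events mirroring the case: repeated 4625 failures from
# 185.107.56.141 followed by a 4624 Logon Type 10 (RemoteInteractive) as Victor.
SAMPLE_LOGS = [
    "2025-01-22T02:30:01 4625 185.107.56.141 admin 10 0xC000006D",
    "2025-01-22T02:30:04 4625 185.107.56.141 guest 10 0xC000006D",
    "2025-01-22T02:30:07 4625 185.107.56.141 admin 10 0xC000006D",
    "2025-01-22T02:30:11 4625 185.107.56.141 Victor 10 0xC000006D",
    "2025-01-22T02:30:15 4625 185.107.56.141 Victor 10 0xC000006D",
    "2025-01-22T02:31:02 4624 185.107.56.141 Victor 10 0x0",
    "2025-01-22T02:35:00 4625 10.0.0.5 Victor 10 0xC000006D",  # one typo: benign
    "2025-01-22T02:36:00 4624 10.0.0.5 Victor 10 0x0",
]

def parse(line):
    """Split one constructed log line into its fields."""
    ts, eid, src, user, ltype, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid), "src": src,
            "user": user, "ltype": int(ltype), "status": status}

def find_bruteforce_success(lines, min_failures=5, window_minutes=10):
    """Return {src_ip: {"failures": n, "user": u, "at": ts}} for each source IP
    that produced >= min_failures 4625 events and then a 4624 Logon Type 10
    within window_minutes of those failures (thresholds are assumptions)."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)
    hits = {}
    for e in events:
        if e["eid"] == 4625:
            failures[e["src"]].append(e["ts"])
        elif e["eid"] == 4624 and e["ltype"] == 10:
            recent = [t for t in failures[e["src"]]
                      if (e["ts"] - t).total_seconds() <= window_minutes * 60]
            if len(recent) >= min_failures:
                hits[e["src"]] = {"failures": len(recent), "user": e["user"], "at": e["ts"]}
    return hits

if __name__ == "__main__":
    for ip, info in find_bruteforce_success(SAMPLE_LOGS).items():
        print(f"{ip}: {info['failures']} failed logons, then RDP logon as {info['user']} at {info['at']}")
```

The single-failure source 10.0.0.5 stays below the threshold and is not reported, which keeps ordinary mistyped passwords out of the alert.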
EventID: 313
Event Time: Jan 22, 2025, 02:37 AM
Rule: SOC335 — CVE-2024-49138 Exploitation Detected
Alert category: True Positive
For answering the questions of the playbook
I pick the first option because of the command we saw that downloads a malicious file from a remote S3 bucket and then executes svohost.exe. Such behavior is a red flag for outbound connections to Command and Control (C2) infrastructure.
The malware was allowed and not quarantined or cleaned up.
Next we move ahead with analyzing the malware. From the Virustotal scan, we know it is malicious.
In Log Management, the suspicious IP (185.107.56.141) appears in events targeting the host (172.16.17.207) and is also tied to remote access activity, so the malicious address was observed in logs.
Next, we move ahead with containing the affected host.
Adding the artifacts: the malicious source IP, the MD5 hash of the malicious file (from VirusTotal), and the malicious code snippet that was running on the terminal.
Analyst's notes:
I have determined this alert to be a True Positive, as the host Victor (172.16.17.207) executed a suspicious look-alike binary, svohost.exe, from C:\temp\service_installer\ under an unusual user context with powershell.exe as its parent, and the file hash is tagged in Threat Intel with CVE-2024-49138. Log Management reveals that the source IP 185.107.56.141 repeatedly targeted the host over RDP (port 3389), with Windows security events showing multiple failed logons (4625 / 0xC000006D) followed by a successful remote logon (4624, Logon Type 10) from the same IP, indicating a successful brute force attack—further supported by Threat Intel flagging the IP as "Brute Force." Since the device action was logged as "Allowed," real-world containment would require immediate isolation of the endpoint, blocking the malicious IP, quarantining svohost.exe, and resetting compromised credentials.