WannaCry Ransomware Analysis Using Logpoint SIEM
Hack-A-Flag 2025 challenge experience
We, Team Y3ti@Sec, had participated in the first ever SIEM CTF Hack-A-Flag 2025, organized by IEEE Computer Society Pulchowk & Logpoint. The article is about the first flag pwned in the competition.
Executive Summary
Date/Time: July 8, 2025, 10:50:31 AM EDT
Type of Incident: Ransomware Attack Detection
Systems Affected: WINDOWS_USER47.local workstation
Status: Resolved - Threat Contained and Eliminated
Key Findings
A WannaCry ransomware variant (Mal/Ransom-WCRY) was detected on workstation WINDOWS_USER47.local through a malicious file download via Internet Explorer. The Trend Micro Deep Security Agent successfully detected and automatically deleted the threat in real-time, preventing any system compromise or data encryption.
Immediate Actions Taken
Real-time detection and automatic deletion by Deep Security Agent
Threat quarantined and removed from system
Comprehensive log analysis conducted
Workstation operational status confirmed
Stakeholder Impact
Minimal Impact: No business operations disrupted, no data compromised, no financial losses incurred. The incident was contained before any malicious activity could occur.
Incident Details
Nature of Threat
Malware Type: WannaCry Ransomware (Mal/Ransom-WCRY)
Detection Method: Trend Micro Deep Security real-time behavioral monitoring
File Hash: E889544AFF85FFAF8B0D0DA705105DEE7C97FE26
File Size: 443 bytes
Severity Level: 6 (Medium)
When and How Incident Occurred
Timeline:
10:50:31 AM: Malicious file downloaded by user47
10:50:31 AM: Immediate detection by Deep Security Agent
10:50:31 AM: Automatic deletion and quarantine executed
10:50:31 AM: Security event logged for analysis
Who and What Was Affected
Primary Target: user47 account on WINDOWS_USER47.local workstation
IP Address: 10.45.3.100
Host ID: 6303
User Impact: None - user unaware of threat due to automatic remediation
Overall Scope
Single Endpoint: One workstation affected
Containment: Immediate and automatic
Spread: No lateral movement detected
Data Impact: No data compromised or encrypted
Attack Vector Details
Entry Point Analysis
Primary Vector: Web-based download through Internet Explorer
File Location: C:\Users\user47\AppData\Local\Microsoft\Windows\INetCache\Low\IE\87AI39Z8\corporate_files.zip(eicar.com)
Social Engineering: File disguised as "corporate_files.zip" to appear legitimate
User Interaction: Required user to actively download the malicious archive
Technical Vulnerabilities Exploited
Browser Security: Internet Explorer download mechanism
User Awareness: Insufficient recognition of suspicious file names
File Handling: ZIP archive containing EICAR test file bypassed initial user scrutiny
Source Information
Delivery Method: Direct download (likely from compromised or malicious website)
File Type: ZIP archive containing executable payload
Detection Category: EICAR test file (controlled test scenario)
Systems and Assets Affected
Technology Assets Impacted
| Asset Type | Details | Impact Level |
| Workstation | WINDOWS_USER47.local | Minimal - Threat Removed |
| User Account | user47 | None - No compromise |
| Network | 10.45.3.100 subnet | None - No spread |
| Data | User files | None - No encryption |
Damage Assessment
System Integrity: Maintained - No system files modified
Data Integrity: Preserved - No files encrypted or corrupted
Network Security: Intact - No lateral movement detected
Service Availability: Unaffected - All services remained operational
Business Impact Assessment
Operational Impact
Business Continuity: No disruption to operations
Service Availability: 100% uptime maintained
Productivity Loss: None - User unaware of incident
Customer Impact: No customer-facing services affected
Financial Assessment
Direct Costs: $0 - No ransom paid, no data loss
Recovery Costs: $0 - Automatic remediation
Business Interruption: $0 - No downtime experienced
Regulatory Fines: None - No data breach occurred
Long-term Consequences
Reputation: No impact - Incident contained internally
Compliance: No violations - Proper security controls functioned
Trust: Enhanced confidence in security infrastructure effectiveness
Incident Response Actions
Preparation Phase
Security Infrastructure: Trend Micro Deep Security deployed across environment
Monitoring Systems: Real-time behavioral analysis active
Response Team: Automated response capabilities enabled
Policies: Anti-malware policies properly configured
Detection and Analysis
Detection Time: Immediate (real-time)
Analysis Method: Automated behavioral monitoring
Signature Matching: Mal/Ransom-WCRY identified
Threat Classification: Ransomware variant confirmed
Containment Actions
Immediate Containment: Automatic file deletion executed
Isolation: Threat quarantined before execution
Network Segmentation: Not required - no spread detected
System Lockdown: Not necessary - threat eliminated
Eradication Measures
Malware Removal: Complete - File deleted from system
System Cleaning: Automatic - Deep Security handled cleanup
Vulnerability Patching: Ongoing - Regular security updates maintained
Configuration Hardening: Reviewed - Settings confirmed optimal
Recovery Process
System Restoration: Not required - No system compromise
Data Recovery: Not needed - No data affected
Service Restoration: Immediate - No services interrupted
Monitoring Enhancement: Continued surveillance of affected workstation
Post-Incident Activities
Forensic Analysis: Log review completed
Documentation: Comprehensive incident report prepared
Lessons Learned: Security awareness training identified as improvement area
Process Updates: User education protocols to be enhanced
Communication and Notification Logs
Internal Communications
Security Team: Immediate notification through automated alerting
IT Management: Incident report prepared for review
User Notification: user47 to be informed of detection and prevention
Executive Summary: Prepared for senior management review
External Notifications
Regulatory Reporting: Not required - No data breach or business impact
Customer Notification: Not necessary - No customer data affected
Vendor Communication: Trend Micro support not required - system functioned properly
Law Enforcement: Not applicable - No criminal activity evidence
Compliance Documentation
Audit Trail: Complete log records maintained
Evidence Preservation: Security logs archived
Regulatory Requirements: All compliance obligations met
Documentation Standards: Report follows industry best practices
Root Cause Analysis
Primary Cause
User Behavior: user47 downloaded suspicious file without proper verification
File Naming: Malicious file disguised with legitimate-sounding name
Browser Security: Internet Explorer allowed download of potentially harmful content
Contributing Factors
Security Awareness: Insufficient user training on identifying suspicious downloads
Web Filtering: Potential gap in web content filtering policies
Email Security: Possible phishing email led user to malicious download site
System Vulnerabilities
Browser Configuration: Internet Explorer security settings may need enhancement
Download Policies: File download restrictions could be strengthened
User Permissions: Review of user download capabilities recommended
Technical Timeline
Detailed Event Sequence
10:50:31 AM - Initial Compromise Attempt
user47 downloads corporate_files.zip from internet
File saved to IE cache directory
ZIP archive contains EICAR test file (eicar.com)
10:50:31 AM - Detection Phase
Deep Security Agent scans downloaded file
Behavioral analysis identifies ransomware characteristics
Mal/Ransom-WCRY signature matched
Threat severity assessed as level 6
10:50:31 AM - Response Phase
Automatic deletion action triggered
File quarantined and removed from system
Security event logged with full details
Host isolation not required due to successful containment
10:50:31 AM - Verification Phase
System integrity confirmed
No additional malicious activity detected
User session remained stable
Network traffic normal
Indicators of Compromise (IoCs)
File-based Indicators
File Hash (SHA1): E889544AFF85FFAF8B0D0DA705105DEE7C97FE26
File Name: corporate_files.zip
File Path: C:\Users\user47\AppData\Local\Microsoft\Windows\INetCache\Low\IE\87AI39Z8\ File Size: 443 bytes
Malware Family: Mal/Ransom-WCRY
Network Indicators
Source IP: Not available in current logs
Download URL: Not captured in available data
Communication Attempts: None detected - file deleted before execution
DNS Queries: No suspicious DNS activity observed
System Indicators
Registry Changes: None - file deleted before execution
Process Creation: None - malware prevented from running
Service Modifications: None detected
Scheduled Tasks: No malicious tasks created
Executive Summary
Date/Time: July 8, 2025, 10:50:31 AM EDT
Type of Incident: Ransomware Attack Detection
Systems Affected: WINDOWS_USER47.local workstation
Status: Resolved - Threat Contained and Eliminated
Key Findings
A WannaCry ransomware variant (Mal/Ransom-WCRY) was detected on workstation WINDOWS_USER47.local through a malicious file download via Internet Explorer. The Trend Micro Deep Security Agent successfully detected and automatically deleted the threat in real-time, preventing any system compromise or data encryption.
Immediate Actions Taken
Real-time detection and automatic deletion by Deep Security Agent
Threat quarantined and removed from system
Comprehensive log analysis conducted
Workstation operational status confirmed
Stakeholder Impact
Minimal Impact: No business operations disrupted, no data compromised, no financial losses incurred. The incident was contained before any malicious activity could occur.
Incident Details
Nature of Threat
Malware Type: WannaCry Ransomware (Mal/Ransom-WCRY)
Detection Method: Trend Micro Deep Security real-time behavioral monitoring
File Hash: E889544AFF85FFAF8B0D0DA705105DEE7C97FE26
File Size: 443 bytes
Severity Level: 6 (Medium)
When and How Incident Occurred
Timeline:
10:50:31 AM: Malicious file downloaded by user47
10:50:31 AM: Immediate detection by Deep Security Agent
10:50:31 AM: Automatic deletion and quarantine executed
10:50:31 AM: Security event logged for analysis
Who and What Was Affected
Primary Target: user47 account on WINDOWS_USER47.local workstation
IP Address: 10.45.3.100
Host ID: 6303
User Impact: None - user unaware of threat due to automatic remediation
Overall Scope
Single Endpoint: One workstation affected
Containment: Immediate and automatic
Spread: No lateral movement detected
Data Impact: No data compromised or encrypted
Attack Vector Details
Entry Point Analysis
Primary Vector: Web-based download through Internet Explorer
File Location: C:\Users\user47\AppData\Local\Microsoft\Windows\INetCache\Low\IE\87AI39Z8\corporate_files.zip(eicar.com)
Social Engineering: File disguised as "corporate_files.zip" to appear legitimate
User Interaction: Required user to actively download the malicious archive
Technical Vulnerabilities Exploited
Browser Security: Internet Explorer download mechanism
User Awareness: Insufficient recognition of suspicious file names
File Handling: ZIP archive containing EICAR test file bypassed initial user scrutiny
Source Information
Delivery Method: Direct download (likely from compromised or malicious website)
File Type: ZIP archive containing executable payload
Detection Category: EICAR test file (controlled test scenario)
Systems and Assets Affected
Technology Assets Impacted
| Asset Type | Details | Impact Level |
| Workstation | WINDOWS_USER47.local | Minimal - Threat Removed |
| User Account | user47 | None - No compromise |
| Network | 10.45.3.100 subnet | None - No spread |
| Data | User files | None - No encryption |
Damage Assessment
System Integrity: Maintained - No system files modified
Data Integrity: Preserved - No files encrypted or corrupted
Network Security: Intact - No lateral movement detected
Service Availability: Unaffected - All services remained operational
Business Impact Assessment
Operational Impact
Business Continuity: No disruption to operations
Service Availability: 100% uptime maintained
Productivity Loss: None - User unaware of incident
Customer Impact: No customer-facing services affected
Financial Assessment
Direct Costs: $0 - No ransom paid, no data loss
Recovery Costs: $0 - Automatic remediation
Business Interruption: $0 - No downtime experienced
Regulatory Fines: None - No data breach occurred
Long-term Consequences
Reputation: No impact - Incident contained internally
Compliance: No violations - Proper security controls functioned
Trust: Enhanced confidence in security infrastructure effectiveness
Incident Response Actions
Preparation Phase
Security Infrastructure: Trend Micro Deep Security deployed across environment
Monitoring Systems: Real-time behavioral analysis active
Response Team: Automated response capabilities enabled
Policies: Anti-malware policies properly configured
Detection and Analysis
Detection Time: Immediate (real-time)
Analysis Method: Automated behavioral monitoring
Signature Matching: Mal/Ransom-WCRY identified
Threat Classification: Ransomware variant confirmed
Containment Actions
Immediate Containment: Automatic file deletion executed
Isolation: Threat quarantined before execution
Network Segmentation: Not required - no spread detected
System Lockdown: Not necessary - threat eliminated
Eradication Measures
Malware Removal: Complete - File deleted from system
System Cleaning: Automatic - Deep Security handled cleanup
Vulnerability Patching: Ongoing - Regular security updates maintained
Configuration Hardening: Reviewed - Settings confirmed optimal
Recovery Process
System Restoration: Not required - No system compromise
Data Recovery: Not needed - No data affected
Service Restoration: Immediate - No services interrupted
Monitoring Enhancement: Continued surveillance of affected workstation
Post-Incident Activities
Forensic Analysis: Log review completed
Documentation: Comprehensive incident report prepared
Lessons Learned: Security awareness training identified as improvement area
Process Updates: User education protocols to be enhanced
Communication and Notification Logs
Internal Communications
Security Team: Immediate notification through automated alerting
IT Management: Incident report prepared for review
User Notification: user47 to be informed of detection and prevention
Executive Summary: Prepared for senior management review
External Notifications
Regulatory Reporting: Not required - No data breach or business impact
Customer Notification: Not necessary - No customer data affected
Vendor Communication: Trend Micro support not required - system functioned properly
Law Enforcement: Not applicable - No criminal activity evidence
Compliance Documentation
Audit Trail: Complete log records maintained
Evidence Preservation: Security logs archived
Regulatory Requirements: All compliance obligations met
Documentation Standards: Report follows industry best practices
Root Cause Analysis
Primary Cause
User Behavior: user47 downloaded suspicious file without proper verification
File Naming: Malicious file disguised with legitimate-sounding name
Browser Security: Internet Explorer allowed download of potentially harmful content
Contributing Factors
Security Awareness: Insufficient user training on identifying suspicious downloads
Web Filtering: Potential gap in web content filtering policies
Email Security: Possible phishing email led user to malicious download site
System Vulnerabilities
Browser Configuration: Internet Explorer security settings may need enhancement
Download Policies: File download restrictions could be strengthened
User Permissions: Review of user download capabilities recommended
Technical Timeline
Detailed Event Sequence
10:50:31 AM - Initial Compromise Attempt
user47 downloads corporate_files.zip from internet
File saved to IE cache directory
ZIP archive contains EICAR test file (eicar.com)
10:50:31 AM - Detection Phase
Deep Security Agent scans downloaded file
Behavioral analysis identifies ransomware characteristics
Mal/Ransom-WCRY signature matched
Threat severity assessed as level 6
10:50:31 AM - Response Phase
Automatic deletion action triggered
File quarantined and removed from system
Security event logged with full details
Host isolation not required due to successful containment
10:50:31 AM - Verification Phase
System integrity confirmed
No additional malicious activity detected
User session remained stable
Network traffic normal
Indicators of Compromise (IoCs)
File-based Indicators
File Hash (SHA1): E889544AFF85FFAF8B0D0DA705105DEE7C97FE26
File Name: corporate_files.zip
File Path: C:\Users\user47\AppData\Local\Microsoft\Windows\INetCache\Low\IE\87AI39Z8\ File Size: 443 bytes
Malware Family: Mal/Ransom-WCRY
Network Indicators
Source IP: Not available in current logs
Download URL: Not captured in available data
Communication Attempts: None detected - file deleted before execution
DNS Queries: No suspicious DNS activity observed
System Indicators
Registry Changes: None - file deleted before execution
Process Creation: None - malware prevented from running
Service Modifications: None detected
Scheduled Tasks: No malicious tasks created
Lessons Learned and Recommendations
Immediate Improvements
User Education: Implement mandatory security awareness training for all users
Download Policies: Review and strengthen file download restrictions
Browser Security: Enhance Internet Explorer security configurations
Incident Communication: Develop user notification procedures for security events
Process Enhancements
Threat Intelligence: Integrate additional threat feeds for improved detection
Monitoring: Enhance user activity monitoring for suspicious download patterns
Response Procedures: Document automated response capabilities for staff awareness
Training Programs: Develop role-specific security training modules
Technology Improvements
Web Filtering: Implement advanced web content filtering solutions
Email Security: Strengthen email security to prevent phishing attacks
Endpoint Protection: Continue leveraging Deep Security's advanced capabilities
Network Segmentation: Review network architecture for additional isolation capabilities
Policy Updates
Acceptable Use: Update acceptable use policies regarding file downloads
Incident Response: Enhance incident response procedures for similar events
Security Awareness: Mandate regular security training for all personnel
Vendor Management: Ensure security tool configurations remain optimal
Preventive Measures
Technical Controls
Enhanced Web Filtering: Deploy advanced URL filtering and content inspection
Email Security Gateway: Implement comprehensive email threat protection
Browser Hardening: Apply restrictive security settings to all browsers
Application Control: Consider application whitelisting for critical systems
Administrative Controls
Security Training: Quarterly cybersecurity awareness sessions for all staff
Policy Updates: Regular review and update of security policies
Incident Drills: Conduct regular incident response exercises
Vendor Reviews: Periodic assessment of security tool effectiveness
Physical Controls
Workstation Security: Ensure physical security of all endpoints
Access Controls: Implement strict physical access controls
Environmental Monitoring: Maintain secure physical environment
Asset Management: Track and monitor all technology assets
Conclusion
The ransomware detection incident on WINDOWS_USER47.local demonstrates the effectiveness of the organization's security infrastructure. Trend Micro Deep Security's real-time behavioral monitoring successfully identified and eliminated a WannaCry ransomware variant before any system compromise could occur.
Key Successes
Automated Response: Security tools functioned exactly as designed
Zero Impact: No business disruption or data compromise
Rapid Detection: Immediate identification of malicious activity
Complete Containment: Threat eliminated before execution
Areas for Improvement
User Awareness: Enhanced training needed for recognizing suspicious downloads
Preventive Controls: Additional web filtering and email security measures
Communication: Improved user notification procedures for security events
Monitoring: Enhanced visibility into user download activities
Final Assessment
This incident validates the organization's investment in advanced endpoint protection and demonstrates the critical importance of layered security controls. The automatic detection and remediation capabilities prevented what could have been a significant security event, highlighting the value of proactive security measures.
The incident serves as a valuable learning opportunity to strengthen user awareness and enhance preventive controls while confirming that the organization's incident response capabilities are functioning effectively.
Incident Status: CLOSED
Follow-up Actions: Security awareness training scheduled, policy reviews initiated
Next Review: 30 days post-incident for effectiveness assessment
This report provides a comprehensive analysis of the ransomware detection incident and serves as documentation for organizational learning and compliance purposes. All technical details have been verified through log analysis and security tool reporting.
Lessons Learned and Recommendations
Immediate Improvements
User Education: Implement mandatory security awareness training for all users
Download Policies: Review and strengthen file download restrictions
Browser Security: Enhance Internet Explorer security configurations
Incident Communication: Develop user notification procedures for security events
Process Enhancements
Threat Intelligence: Integrate additional threat feeds for improved detection
Monitoring: Enhance user activity monitoring for suspicious download patterns
Response Procedures: Document automated response capabilities for staff awareness
Training Programs: Develop role-specific security training modules
Technology Improvements
Web Filtering: Implement advanced web content filtering solutions
Email Security: Strengthen email security to prevent phishing attacks
Endpoint Protection: Continue leveraging Deep Security's advanced capabilities
Network Segmentation: Review network architecture for additional isolation capabilities
Policy Updates
Acceptable Use: Update acceptable use policies regarding file downloads
Incident Response: Enhance incident response procedures for similar events
Security Awareness: Mandate regular security training for all personnel
Vendor Management: Ensure security tool configurations remain optimal
Preventive Measures
Technical Controls
Enhanced Web Filtering: Deploy advanced URL filtering and content inspection
Email Security Gateway: Implement comprehensive email threat protection
Browser Hardening: Apply restrictive security settings to all browsers
Application Control: Consider application whitelisting for critical systems
Administrative Controls
Security Training: Quarterly cybersecurity awareness sessions for all staff
Policy Updates: Regular review and update of security policies
Incident Drills: Conduct regular incident response exercises
Vendor Reviews: Periodic assessment of security tool effectiveness
Physical Controls
Workstation Security: Ensure physical security of all endpoints
Access Controls: Implement strict physical access controls
Environmental Monitoring: Maintain secure physical environment
Asset Management: Track and monitor all technology assets
Conclusion
The ransomware detection incident on WINDOWS_USER47.local demonstrates the effectiveness of the organization's security infrastructure. Trend Micro Deep Security's real-time behavioral monitoring successfully identified and eliminated a WannaCry ransomware variant before any system compromise could occur.
Key Successes
Automated Response: Security tools functioned exactly as designed
Zero Impact: No business disruption or data compromise
Rapid Detection: Immediate identification of malicious activity
Complete Containment: Threat eliminated before execution
Areas for Improvement
User Awareness: Enhanced training needed for recognizing suspicious downloads
Preventive Controls: Additional web filtering and email security measures
Communication: Improved user notification procedures for security events
Monitoring: Enhanced visibility into user download activities
Final Assessment
This incident validates the organization's investment in advanced endpoint protection and demonstrates the critical importance of layered security controls. The automatic detection and remediation capabilities prevented what could have been a significant security event, highlighting the value of proactive security measures.
The incident serves as a valuable learning opportunity to strengthen user awareness and enhance preventive controls while confirming that the organization's incident response capabilities are functioning effectively.
Incident Status: CLOSED
Follow-up Actions: Security awareness training scheduled, policy reviews initiated
Next Review: 30 days post-incident for effectiveness assessment
This report provides a comprehensive analysis of the ransomware detection incident and serves as documentation for organizational learning and compliance purposes. All technical details have been verified through log analysis and security tool reporting.
