
Outlook.exe categorized as a trojan due to its outbound connections and modification of registry keys.

Outlook.exe performed all these actions, and because of that it is shown as a Trojan. As far as I can see, all the outbound connections have been to Microsoft. I would like to know whether this activity is normal or whether I should be concerned, and if so, what action I should take.
Here is the hash of the root cause [ outlook.exe ].
SHA256:
ee343bf28cb3269dc154ce0acde4ecbf46f415c48b6dc9a344c5c9c930bd09e5
Actions performed by this artifact:
200 DNS lookups
200 File deletions
200 File reads
200 File writes
200 IP connections
200 Registry creations
200 Registry deletions
200 Registry value sets
200 URL accesses
92 Registry value deletions


  • FormerMember

    As QC says, we need to clarify if this is a Threat Case in Sophos Central. If it is, and you are seeing Outlook as the root node in the case - then your infection vector was an email and someone clicked on it and it did the malicious actions.

    If this isn't a Threat Case in your Central Dashboard - please post a screenshot of what you are referencing.

  • Hi,

    Sorry about that, I should have clarified. Yes, it is generated through the threat analysis, and as you said, "Outlook as the root node in the case - then your infection vector was an email and someone clicked on it and it did the malicious actions"; you are correct, but since many files and registry keys have been affected by it, how should I go about it?

  • FormerMember, in reply to Prabin Tamang

    So, you really don't need to worry about Outlook. The malicious element was the email. Has that been removed? As for the other elements - the endpoint detected the action and stopped it - that is the only way you get a Threat Case. So, what you want to do now is go take a look at the items touched before the actions were stopped. Were there any network calls to other machines in your environment - if yes, are those machines protected by Sophos? Were there any calls to external resources that could be CnC servers? If yes, what happened at your firewall? Were any critical system or data files touched? If yes, verify the contents and signatures.

    I would also suggest you do a full system scan with the Sophos Endpoint on the reporting machine - just to make sure there aren't any lingering bits sitting around.
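The reply above lays out a triage procedure for the items a Threat Case lists: separate connections to your own machines from connections to external hosts (the latter to cross-check against firewall logs), review writes under system locations, review registry changes in autostart locations, and verify touched files against known-good hashes. The script below is an added example that walks through exactly those checks; it is not Sophos code and not the poster's. The event record shape, the internal network ranges, the critical path prefixes and all sample values are constructed for the example (the external addresses are IANA documentation ranges, not real hosts).

```python
import hashlib
import ipaddress

# Constructed sample artifacts in the style of the case summary in the thread
# (IP connections, file writes, registry value sets). The record shape is an
# assumption for this example, not Sophos Central's export format.
SAMPLE_EVENTS = [
    {"type": "ip_connection", "dest": "10.0.5.23", "port": 445},      # constructed: a LAN host
    {"type": "ip_connection", "dest": "203.0.113.9", "port": 443},    # constructed: TEST-NET-3
    {"type": "ip_connection", "dest": "198.51.100.4", "port": 8443},  # constructed: TEST-NET-2
    {"type": "file_write", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"type": "file_write", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\~tmp1.dat"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Preferences\\Flag"},
]

# Constructed: the address space you consider "your environment". Using your own
# ranges is more reliable than ipaddress.is_private(), which also treats the
# documentation ranges used above as private.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: locations whose writes deserve a content/signature check, and
# registry locations that make a change survive a reboot.
CRITICAL_PATH_PREFIXES = ("c:\\windows\\system32\\",)
AUTOSTART_KEY_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed known-good baseline: SHA-256 of the hosts file before the case, and of
# one file that was not changed, so the check shows a hit and a clean result.
HOSTS_PATH = "C:\\Windows\\System32\\drivers\\etc\\hosts"
UNCHANGED_PATH = "C:\\Windows\\System32\\drivers\\etc\\networks"
KNOWN_GOOD = {
    HOSTS_PATH: hashlib.sha256(b"127.0.0.1 localhost\r\n").hexdigest(),
    UNCHANGED_PATH: hashlib.sha256(b"loopback 127\r\n").hexdigest(),
}
CURRENT_CONTENTS = {
    HOSTS_PATH: b"127.0.0.1 localhost\r\n0.0.0.0 extra.example.test\r\n",  # constructed: modified
    UNCHANGED_PATH: b"loopback 127\r\n",                                   # constructed: unchanged
}


def classify_connections(events, internal_networks=INTERNAL_NETWORKS):
    """Split IP connections into 'internal' (inside your own ranges, i.e. other machines
    you should confirm are protected) and 'external' (candidates to check at the firewall)."""
    result = {"internal": [], "external": []}
    for ev in events:
        if ev["type"] != "ip_connection":
            continue
        addr = ipaddress.ip_address(ev["dest"])
        bucket = "internal" if any(addr in net for net in internal_networks) else "external"
        result[bucket].append(f"{ev['dest']}:{ev['port']}")
    return result


def flag_critical_writes(events, prefixes=CRITICAL_PATH_PREFIXES):
    """Return written paths under system locations; these are the files to verify."""
    return [ev["path"] for ev in events
            if ev["type"] == "file_write" and ev["path"].lower().startswith(prefixes)]


def flag_autostart_keys(events, fragments=AUTOSTART_KEY_FRAGMENTS):
    """Return registry value sets under autostart locations, which persist after the
    endpoint has stopped the process and so must be reviewed separately."""
    return [ev["key"] for ev in events
            if ev["type"] == "registry_set" and any(f in ev["key"].lower() for f in fragments)]


def verify_hashes(baseline, contents):
    """Compare SHA-256 of current contents against the known-good baseline and return
    the paths that differ (or have no baseline entry at all)."""
    return [path for path, data in contents.items()
            if baseline.get(path) != hashlib.sha256(data).hexdigest()]


def triage(events, baseline=KNOWN_GOOD, contents=CURRENT_CONTENTS):
    """Run every check from the reply and return a single report dict."""
    return {
        "connections": classify_connections(events),
        "critical_writes": flag_critical_writes(events),
        "autostart_keys": flag_autostart_keys(events),
        "hash_mismatches": verify_hashes(baseline, contents),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Each list in the report maps to one question in the reply: internal connections tell you which other machines to check for protection, external connections are what you look up in firewall logs, and the critical-write and hash-mismatch lists are the files whose contents and signatures to verify. A real run would read the case export and the files themselves instead of the constructed constants.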
