USB Malware Infection — SOC Case Study

📋 Scenario

On April 14, 2026 at 11:42 AM, a TechNova Solutions employee inserted an unvetted USB drive into a corporate workstation. Within seconds the SOC detected: powershell.exe launching with encoded commands, outbound C2 connections, and persistent RAT installation via scheduled task.

🧰 Tools Used

EDR / SIEMSysmonWireshark Magnet RAM CaptureVolatilityVirusTotal Windows Event LogsAny.run Sandbox

🔬 Investigation Process

Alert Triage (L1) — 11:43 AM

EDR alert: "Suspicious Process — powershell.exe + C2 Outbound." Confirmed powershell.exe spawned by explorer.exe (unusual parent chain). C2 connection to 91.108.4.33:4444 (Telegram infrastructure) confirmed. USB insertion logged at 11:42 AM via Event ID 2003. TRUE POSITIVE — escalated to L2.

Host Isolation (L2) — 11:50 AM

TECHNOVA-WKS-047 isolated via EDR console. Memory dump acquired with Magnet RAM Capture before remediation.

Malware Analysis

Static/dynamic analysis of svchost32.exe: AsyncRAT variant with keylogger, screenshot, file exfiltration, reverse shell. Payload decoded from base64 PowerShell command.

Persistence Removal

Registry key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemHost. Scheduled task removed. C2 IP blocked at firewall.

Threat Hunt

Searched all endpoints for svchost32.exe, file hash, registry key, C2 IP — no lateral movement confirmed. WKS-047 reimaged from gold image.

🚨 IOCs

C2 IP

91.108.4.33:4444

Malicious File

C:\Users\Public\svchost32.exe

Registry

HKCU\...\Run\SystemHost

Scheduled Task

\Windows\SystemMaintenance\HostUpdate

PowerShell

-EncodedCommand -WindowStyle Hidden

USB AutoRun

autorun.inf OPEN=malware.exe

✅ Conclusion

Detection: Under 60 seconds from USB insertion to SIEM alert. Infection contained to single workstation. No lateral movement. Root cause: uncontrolled USB access — a preventable policy failure.

← All Projects ⬇ CV

USB Malware Infection & RAT Detection