LetsDefend.io SOC114 — Malicious Attachment Detected — Walkthrough
For my first case in LetsDefend I selected EventID: 45 — [SOC114 — Malicious Attachment Detected — Phishing Alert].
The case is flagged as a phishing attack; let’s check :)
The playbook starts by asking the following questions:
- When was it sent? Event Time value
- What is the email’s SMTP address? SMTP Address field
- What is the sender address? Source Address
- What is the recipient address? Destination Address
- Is the mail content suspicious? Not answered yet
- Are there any attachments? Needs analysis
Now validate whether the email contains an attachment:
In the mailbox, look for emails related to accounting@cmail.carleton.ca.
URL mailbox: https://app.letsdefend.io/mailbox/list/
We found an attachment, so the answer is yes.
Extracting the zip file, we see an .xlsx; we send it for analysis:
Analysis on VirusTotal:
Searching for information about CVE-2017-11882, we found that it exploits a Microsoft Office flaw that allows arbitrary code execution; it is probably being used in the .xlsx file found in the email attachment.
And on Hybrid-Analysis:
The results indicate that it is malicious.
In the log search menu, look for the sender IP 49.234.43.39 found in the case details, and port 25, which indicates the SMTP protocol.
The indicator that the recipient received the email:
After confirming, moving on to the next question:
Click the “Delete” button to continue.
IoC list found on VirusTotal:
In the endpoint tab we check the host RichardPRD for C&C communications with the IoCs above:
Here it indicates that a communication with one of the C2 servers has occurred.
We select the “Request Containment” option:
Adding the artifacts found during the analysis:
Add your comments on this analysis to finish:
Congrats on finalising the analysis of this phishing-attack scenario.
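The two steps above (searching the logs for the sender IP on port 25, then checking the endpoint for connections to the IoC list) can be done offline with a small triage helper. The script below is an added example, not part of the original walkthrough or LetsDefend's tooling. The sender IP, SMTP port and host name RichardPRD come from the case; the log lines, connection records and the C2 addresses are constructed (the VirusTotal IoC list is only shown as a screenshot in the case, so placeholder addresses from the RFC 5737 documentation range stand in for it).

```python
# Added example, not part of the original walkthrough or LetsDefend's tooling.
# Reproduces two playbook steps offline:
#   1. search SMTP logs for the sender IP on port 25 to confirm delivery
#   2. check endpoint network connections against the IoC list for C2 contact
from typing import Dict, List

# Values taken from the case write-up.
SENDER_IP = "49.234.43.39"
SMTP_PORT = 25
TARGET_HOST = "RichardPRD"

# Constructed placeholder C2 addresses (RFC 5737 documentation range); the
# case's real IoC list is only a screenshot in the walkthrough.
C2_IOCS = {"198.51.100.23", "203.0.113.77"}

# Constructed sample log lines in key=value form (not a real LetsDefend export).
# <event-time> is a placeholder for the Event Time value of the case.
SAMPLE_LOGS = [
    "time=<event-time> src_ip=49.234.43.39 src_port=51422 dst_ip=172.16.20.3 dst_port=25 action=allowed",
    "time=<event-time> src_ip=49.234.43.39 src_port=51423 dst_ip=172.16.20.3 dst_port=443 action=allowed",
    "time=<event-time> src_ip=10.0.0.15 src_port=40001 dst_ip=172.16.20.3 dst_port=25 action=allowed",
]

# Constructed endpoint network-connection records for the host in the case.
SAMPLE_CONNECTIONS = [
    {"host": "RichardPRD", "dst_ip": "172.16.20.3", "dst_port": 445},
    {"host": "RichardPRD", "dst_ip": "203.0.113.77", "dst_port": 443},
    {"host": "OtherPC", "dst_ip": "198.51.100.23", "dst_port": 80},
]


def parse_kv(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v ...' log line into a dict; tokens without '=' are skipped."""
    record: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
    return record


def find_smtp_delivery(logs: List[str], sender_ip: str, port: int) -> List[Dict[str, str]]:
    """Return the log records where the suspected sender reached the mail server on the SMTP port."""
    hits = []
    for line in logs:
        rec = parse_kv(line)
        if rec.get("src_ip") == sender_ip and rec.get("dst_port") == str(port):
            hits.append(rec)
    return hits


def find_c2_hits(connections: List[dict], iocs: set, host: str) -> List[dict]:
    """Return connections made by `host` whose destination IP is in the IoC set."""
    return [c for c in connections if c["host"] == host and c["dst_ip"] in iocs]


if __name__ == "__main__":
    delivery = find_smtp_delivery(SAMPLE_LOGS, SENDER_IP, SMTP_PORT)
    print(f"SMTP deliveries from {SENDER_IP}: {len(delivery)}")
    c2 = find_c2_hits(SAMPLE_CONNECTIONS, C2_IOCS, TARGET_HOST)
    print(f"C2 contacts from {TARGET_HOST}: {[c['dst_ip'] for c in c2]}")
```

With the constructed data, the delivery search returns exactly the one port-25 record from 49.234.43.39 (the port-443 line from the same IP and the port-25 line from another source are filtered out), and the endpoint check reports one C2 contact from RichardPRD, which is the condition that justifies requesting containment in the next step.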
Reference links:
https://www.virustotal.com/gui/file/44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11882