LetsDefend.io SOC114 — Malicious Attachment Detected — Walkthrough

Lucas Soeiro
Oct 1, 2022


For my first case resolution in LetsDefend I selected EventID 45: [SOC114 — Malicious Attachment Detected — Phishing Alert].

LetsDefend Logo Image.

The alert is classified as a phishing attack; let's verify that by walking the playbook.

The playbook starts by asking the following questions about the email received:

Questions about the email received
  • When was it sent? The Event Time value
  • What is the email's SMTP address? The SMTP Address field
  • What is the sender address? The Source Address field
  • What is the recipient address? The Destination Address field
  • Is the mail content suspicious? Not yet determined
  • Are there any attachments? Needs analysis
Case SOC 114 Details.

First, validate whether the email contains an attachment:

Question 1.

In the mailbox, look for emails related to accounting@cmail.carleton.ca.

Mailbox URL: https://app.letsdefend.io/mailbox/list/

An attachment on the e-mail.

The email carries an attachment, so the answer is yes.

Question 2.

Extracting the zip file (inside an isolated analysis VM, without opening the document) reveals an .xlsx. We compute its SHA-256 and submit the hash for analysis:

Analysis on VirusTotal:

Link: https://www.virustotal.com/gui/file/44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795

Searching for information about CVE-2017-11882, the vulnerability VirusTotal associates with this hash, we find that it is a memory-corruption flaw in the Microsoft Office Equation Editor (EQNEDT32.EXE) that allows arbitrary code execution when a crafted document is opened; the exploit is typically delivered as an embedded OLE object inside an Office file, so it is probably what the .xlsx found in the email attachment relies on.

And on Hybrid-Analysis:

Link: https://www.hybrid-analysis.com/sample/44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795

Both services' results indicate that the file is malicious.
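The attachment triage above (hash the extracted file, then look for the embedded object that carries a CVE-2017-11882 exploit) can be done offline before anything is uploaded. The script below is an added example, not LetsDefend's or the author's code: it unzips the attachment in memory, hashes every member, recurses into OOXML containers, and flags embedded OLE objects that contain the Microsoft Equation 3.0 CLSID (a heuristic, not proof of exploitation). The only real indicator used is the case SHA-256; the sample zip is constructed inline and does not reproduce the actual attachment.

```python
"""Offline triage of a zipped Office attachment. Added example; the sample
zip is constructed here and the case hash is the only real indicator used."""
import hashlib
import io
import zipfile

# SHA-256 of the attachment from the case (the VirusTotal link above).
CASE_SHA256 = "44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795"

# OOXML files (.xlsx/.docx/.pptx) are zip containers; embedded OLE objects,
# the usual carrier of Equation Editor exploits, live under these paths.
EMBEDDED_PREFIXES = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")

# CLSID of Microsoft Equation 3.0, {0002CE02-0000-0000-C000-000000000046},
# as it is stored in an OLE compound file (first three fields little-endian).
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

MAX_MEMBER_SIZE = 50 * 1024 * 1024  # zip-bomb guard: refuse huge members


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_ooxml(data: bytes) -> dict:
    """Look inside an OOXML container for embedded objects (heuristic)."""
    result = {"ooxml": False, "embedded_objects": [], "equation_editor_object": False}
    with zipfile.ZipFile(io.BytesIO(data)) as doc:
        names = doc.namelist()
        result["ooxml"] = "[Content_Types].xml" in names
        for name in names:
            if name.startswith(EMBEDDED_PREFIXES):
                result["embedded_objects"].append(name)
                obj = doc.read(name)
                if EQUATION_CLSID in obj or b"Equation.3" in obj:
                    result["equation_editor_object"] = True
    return result


def triage_zip(zip_bytes: bytes, known_hashes=frozenset({CASE_SHA256})) -> list:
    """One finding per file in the archive; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                raise ValueError(f"refusing oversized member {info.filename}")
            data = zf.read(info)
            finding = {
                "name": info.filename,
                "size": len(data),
                "sha256": sha256_hex(data),
                "ooxml": False,
                "embedded_objects": [],
                "equation_editor_object": False,
            }
            finding["known_ioc"] = finding["sha256"] in known_hashes
            if zipfile.is_zipfile(io.BytesIO(data)):
                finding.update(inspect_ooxml(data))
            findings.append(finding)
    return findings


def is_suspicious(findings: list) -> bool:
    return any(f["known_ioc"] or f["equation_editor_object"] for f in findings)


def build_sample() -> bytes:
    """Constructed stand-in for the attachment: a zip holding a minimal .xlsx
    whose embedded OLE object contains the Equation Editor CLSID."""
    xlsx = io.BytesIO()
    with zipfile.ZipFile(xlsx, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("xl/workbook.xml", "<workbook/>")
        doc.writestr("xl/embeddings/oleObject1.bin",
                     b"\x00" * 16 + EQUATION_CLSID + b"\x00" * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.xlsx", xlsx.getvalue())
        z.writestr("readme.txt", "please see attached")
    return outer.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample())
    for r in results:
        print(r["name"], r["sha256"], "embedded:", r["embedded_objects"],
              "equation_editor:", r["equation_editor_object"], "ioc:", r["known_ioc"])
    print("suspicious:", is_suspicious(results))
```

Run it against the real attachment with `triage_zip(open("attachment.zip", "rb").read())`; a hash match against the case IoC is conclusive, while the CLSID hit only says an Equation Editor object is present and the file deserves the sandbox submission shown above.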

Question 3.

In the Log Management menu, search for the sender IP 49.234.43.39 from the case details together with destination port 25, the SMTP port, to find the delivery of this message to our mail server.

Log Search Menu.

The matching log entry confirms that the email was delivered to the recipient:

Email log confirmation.

Having confirmed delivery, we move on to the next question:

Question 4.

Because the attachment is malicious, click the "Delete" button to remove the email from the user's mailbox and continue.

Question 5.

IoC list found on VirusTotal (Relations tab):

Link: https://www.virustotal.com/gui/file/44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795/relations

In the Endpoint tab we check the host RichardPRD's network connections for contact with the C2 addresses in the IoC list above:

Link: https://app.letsdefend.io/endpoint/

The connection history shows that the host has communicated with one of the C2 addresses, which means the payload executed and the endpoint must be treated as compromised.
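Both checks in this part of the playbook (delivery of the mail from the sender IP over port 25, then C2 contact from the endpoint against the IoC list) are simple filters over log events, and it helps to see them as code. The block below is an added example, not LetsDefend's code: the key=value log format, the internal hosts and the C2 addresses (documentation-range IPs standing in for the VirusTotal relations list) are all constructed; only the sender IP 49.234.43.39 and the hostname RichardPRD come from the case.

```python
"""Log search for mail delivery and endpoint C2 contact. Added example; the
log lines, format and IoC list are constructed, only the sender IP and host
name come from the case."""
import re
from datetime import datetime

SENDER_IP = "49.234.43.39"   # from the case details
SMTP_PORT = 25
HOST = "RichardPRD"          # recipient's endpoint from the case
# Stand-in for the VirusTotal IoC list: documentation-range addresses.
C2_IOCS = frozenset({"203.0.113.17", "198.51.100.42"})

# Constructed key=value events in the shape of a firewall/EDR export.
SAMPLE_LOGS = """\
2022-10-01T08:12:03Z type=firewall src_ip=49.234.43.39 src_port=51234 dst_ip=172.16.20.3 dst_port=25 action=allow
2022-10-01T08:12:04Z type=firewall src_ip=10.10.1.55 src_port=44521 dst_ip=172.16.20.3 dst_port=25 action=allow
2022-10-01T08:14:09Z type=firewall src_ip=49.234.43.39 src_port=51290 dst_ip=172.16.20.3 dst_port=443 action=deny
2022-10-01T09:03:41Z type=endpoint host=RichardPRD src_ip=172.16.17.49 dst_ip=203.0.113.17 dst_port=443 process=excel.exe
2022-10-01T09:05:12Z type=endpoint host=RichardPRD src_ip=172.16.17.49 dst_ip=142.250.74.78 dst_port=443 process=chrome.exe
2022-10-01T07:59:58Z type=endpoint host=RichardPRD src_ip=172.16.17.49 dst_ip=198.51.100.42 dst_port=8080 process=svchost.exe
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def smtp_deliveries(events: list, src_ip: str, port: int = SMTP_PORT) -> list:
    """Allowed inbound SMTP connections from the sender IP (question 3)."""
    return [e for e in events
            if e.get("src_ip") == src_ip
            and e.get("dst_port") == str(port)
            and e.get("action") == "allow"]


def c2_contacts(events: list, host: str, iocs) -> list:
    """Endpoint connections from `host` to any address in the IoC list."""
    return [e for e in events if e.get("host") == host and e.get("dst_ip") in iocs]


def triage(text: str, sender_ip: str = SENDER_IP, host: str = HOST, iocs=C2_IOCS) -> dict:
    events = parse_logs(text)
    delivered = smtp_deliveries(events, sender_ip)
    contacts = sorted(c2_contacts(events, host, iocs), key=lambda e: e["ts"])
    first_delivery = min((e["ts"] for e in delivered), default=None)
    # A C2 hit before the mail even arrived points at a different infection
    # chain, so report it separately instead of attributing it to this email.
    after = [e for e in contacts if first_delivery is not None and e["ts"] >= first_delivery]
    return {
        "delivered": bool(delivered),
        "delivery_count": len(delivered),
        "c2_contacts": [e["dst_ip"] for e in contacts],
        "c2_after_delivery": [e["dst_ip"] for e in after],
        "contain": bool(contacts),   # any C2 contact means the host is compromised
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

The `contain` flag is what drives the "Request Containment" decision in the next step: any contact with a C2 address is enough to isolate the host, while `c2_after_delivery` tells you whether this email is the likely initial access or whether the host was already talking to attacker infrastructure.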

Question 6.

We tick the "Request Containment" option so the compromised host is isolated:

Mark the box.

Then we add the artifacts found during the analysis (sender address, sender IP, attachment hash, C2 addresses):

Artifacts found.

Finally, add your comments on the analysis to close the case:

Your notes for the verification of this case.

Congratulations, the analysis of this phishing-attack scenario is complete.

Case completed.

References:

https://www.virustotal.com/gui/file/44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795

https://www.hybrid-analysis.com/sample/44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795

https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11882

https://attack.mitre.org/techniques/T1203/
