“SOC140 — Phishing Mail Detected — Suspicious Task Scheduler” investigation

Leylaliyeva
Nov 28, 2022


Hello, today I will write about the investigation of the “SOC140 — Phishing Mail Detected — Suspicious Task Scheduler” alarm from letsdefend.io.

The alert appears in our investigation channel. After that, we proceed to build the case.

Let’s start the playbook.

The first step is to ‘Parse Email’ and gather information about the incoming email. The alert itself contains most of the information:

§ The alarm was triggered with medium severity at 12:36 p.m. on 21 March 2021.

§ The SMTP IP address of the user who sent the mail is seen as “189.162.189.159”.

§ The e-mail that caused the alarm was sent from “aaronluo@cmail.carleton.ca” to “mark@letsdefend.io” with the subject “COVID19 Vaccine”.

§ As the device action shows “Allowed”, we can understand that the mail has reached the user.

As far as we understand from the content of the alarm, an e-mail with a malicious file attachment hasn’t reached the inside user; the device action was blocked.

First, I query the “@cmail.carleton.ca” domain to check whether the sender is being spoofed.

We also search VirusTotal for the SMTP address (189.162.189.159) from the alert:

I see that the SMTP IP address in the alert is different from the IP address of the sender domain’s legitimate mail server, so I understand that spoofing is applied. For that reason I will not block the sender address and domain.
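The spoofing check above comes down to one question: is the SMTP IP in the alert one that the sender’s domain actually authorises to send its mail? The snippet below is an added example (not part of the original post and not LetsDefend tooling) that answers that question from a domain’s SPF record. It runs offline, so the SPF records and the A-record lookups it uses are constructed placeholders for `example.org`; in a real investigation you would paste in the TXT record returned by `dig TXT <sender-domain>` and the IP from the alert.

```python
import ipaddress

# Constructed SPF records for this example (not the real DNS data of any domain
# in the write-up). In practice these come from `dig TXT <domain>`.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 a:mail.example.org include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}
# Constructed A/MX lookups used by the a:/mx: mechanisms (also DNS data in practice).
HOST_IPS = {"mail.example.org": ["203.0.113.25"]}

# SPF qualifier prefix -> result when that mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def spf_result(domain, sender_ip, records=SPF_RECORDS, hosts=HOST_IPS, depth=0):
    """Evaluate sender_ip against the SPF policy of domain.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (include chain too deep). Mechanisms are evaluated left to
    right and the first match decides, exactly as a receiving MTA does.
    """
    if depth > 10:                           # RFC 7208 limit on lookup-causing terms
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        matched = False
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name in ("a", "mx"):
            matched = str(ip) in hosts.get(value or domain, [])
        elif name == "include":
            # include: only counts as a match when the included policy passes.
            matched = spf_result(value, sender_ip, records, hosts, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched and no 'all'


if __name__ == "__main__":
    # The alert's SMTP IP checked against the constructed policy -> 'fail',
    # i.e. the domain does not authorise that host to send its mail.
    print(spf_result("example.org", "189.162.189.159"))
```

A `fail` or `softfail` here supports the conclusion in the write-up that the From address is spoofed, which is why blocking the displayed sender domain would only hurt the legitimate owner; the IP that actually connected to the mail gateway is the better artefact to act on.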

Then, from the Mailbox area, we find the relevant e-mail and download the attachment to examine it.

There is one zipped file in the attachment.

I downloaded the attached zip file and performed online analysis using AnyRun and VirusTotal.

AnyRun results:

We submit the .zip attachment to AnyRun.

We can see that the .zip file contains a .pdf file. The archive password is “infected”.

AcroRd32.exe, the executable required to run Adobe Acrobat, generates a large number of child processes when we open “Material.PDF” in the sandbox environment.

It runs a number of suspicious RdrCEF.exe executables, which Adobe Acrobat also requires.

The fact that Material.pdf is located in the Temp/ directory worried me quite a bit.

In addition, we can see all the connection addresses in the IOC section.
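The sandbox observations above (a PDF reader spawning many children, RdrCEF.exe among them, and files living under Temp) are exactly what a process-tree detection rule looks for. The following is an added example, not code from the post or from AnyRun, showing how such a rule can be run over process-creation events. The events are constructed in the style of a sandbox process log; the image paths, PIDs, the `update.exe` drop and the `cmd.exe` → `schtasks.exe` chain are illustrative and not taken from the real sample. RdrCEF.exe is treated as an expected child of the reader, matching the write-up; anything else spawned by AcroRd32.exe, any execution from a Temp directory, and any task-scheduler invocation that descends from the reader are reported.

```python
import csv
import io
from collections import defaultdict

# Constructed process-creation events (pid, ppid, image), sandbox/Sysmon style.
# Illustrative only; not the actual AnyRun output of the sample in the write-up.
SAMPLE_EVENTS = """\
pid,ppid,image
4100,3000,C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe
4120,4100,C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe
4144,4120,C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\RdrCEF.exe
4160,4120,C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\RdrCEF.exe
4172,4120,C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\RdrCEF.exe
4176,4120,C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\RdrCEF.exe
4188,4120,C:\\Windows\\System32\\cmd.exe
4200,4188,C:\\Windows\\System32\\schtasks.exe
4212,4120,C:\\Users\\mark\\AppData\\Local\\Temp\\update.exe
"""

READER = "acrord32.exe"
# Children the reader legitimately spawns (RdrCEF.exe is its Chromium helper).
EXPECTED_READER_CHILDREN = {"acrord32.exe", "rdrcef.exe"}


def load_events(text):
    """Parse CSV process events into a list of dicts with pid/ppid/image."""
    return list(csv.DictReader(io.StringIO(text)))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reader_in_ancestry(event, by_pid):
    """True if AcroRd32.exe appears anywhere up the parent chain of event."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:      # guard against cyclic/reused PIDs
        seen.add(cur["pid"])
        if basename(cur["image"]) == READER:
            return True
        cur = by_pid.get(cur["ppid"])
    return False


def analyse(events, max_children=5):
    """Return (finding_type, pid, detail) tuples for suspicious process activity.

    max_children is a constructed threshold for "too many children" and would
    be tuned against a baseline of normal reader activity in production.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        name = basename(e["image"])
        if name == READER:
            kids = children[e["pid"]]
            if len(kids) > max_children:
                findings.append(("many_children", e["pid"], len(kids)))
            for kid in kids:
                kid_name = basename(kid["image"])
                if kid_name not in EXPECTED_READER_CHILDREN:
                    findings.append(("unexpected_child", e["pid"], kid_name))
        if "\\temp\\" in e["image"].lower():
            findings.append(("exec_from_temp", e["pid"], e["image"]))
        if name == "schtasks.exe" and reader_in_ancestry(e, by_pid):
            findings.append(("task_scheduler_from_reader", e["pid"], name))
    return findings


if __name__ == "__main__":
    for finding in analyse(load_events(SAMPLE_EVENTS)):
        print(finding)
```

Each finding carries the PID it applies to, so the analyst can pivot straight to that node in the sandbox process tree; the `task_scheduler_from_reader` rule is the one that corresponds to the “Suspicious Task Scheduler” part of the alarm name, and it deliberately walks the whole ancestry rather than only the direct parent, because the scheduler binary is usually reached through an intermediate shell.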

VirusTotal results:

After completing our review, we need to create a case on letsdefend.io and work through the relevant playbook.

First, an information page comes up explaining what we need to examine; when we pass it, we are greeted by a step asking whether there is a file or URL in the e-mail we examined.

Then, once the relevant URL/file has been examined with third-party sandbox software, it asks whether it is harmful. When we examined the excel file in the mail, we saw that it was harmful, so I continue with the Malicious option.

In the next step, it asks whether the relevant e-mail has reached the user. I proceed with Delivered because of the “Device Action: Allowed” field in the alarm title.

Next, before completing the case, we add the findings from the review phase and then close it.

Summary:
