SOC143 – Password Stealer Detected Writeup

You can find this challenge on Let’s Defend, a platform for Cyber Defenders.

Let’s take this one; the given details are shown below.

Attack Overview

As soon as you create the case, you are asked to gather the details of the received email.

Asked Questions

So, I went to the mailbox and looked for the incoming email from [email protected]icrosoft.com, which is already provided as the source address.

Searching Mailbox

And you will see the conversation as follows.

Possible Phishing Email from [email protected]

According to the email conversation, the answers are as follows.

Q: When was it sent?
A: April 26, 2021, 11:03 p.m.

Q: What is the email’s SMTP address?
A: 180.76.101.229

Q: What is the sender address?
A: [email protected]

Q: What is the recipient address?
A: [email protected]

Q: Is the mail content suspicious?
A: Yes

Q: Are there any attachments?
A: Yes (ZIP File)
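The fields above are exactly what a header triage script pulls out of a raw message. The following is an added example, not part of the original writeup and not LetsDefend's tooling: it parses a constructed .eml with Python's standard email module, walks the Received chain to find the originating SMTP IP (the earliest hop, which is the last Received header), and lists attachment filenames. The sender and recipient addresses are placeholders; only the SMTP IP and the date mirror the values in the writeup, with the date assumed to be in UTC.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message (placeholder addresses, not the challenge's real email).
# Only the originating SMTP IP and the date mirror the values in the writeup.
RAW_EMAIL = """\
Received: from mail.example.net (mail.example.net [10.0.0.5])
 by mx.letsdefend.invalid with ESMTP id abc123;
 Mon, 26 Apr 2021 23:03:00 +0000
Received: from unknown (HELO sender-host) ([180.76.101.229])
 by mail.example.net with SMTP;
 Mon, 26 Apr 2021 23:02:58 +0000
From: "Sender" <sender@placeholder.invalid>
To: recipient@placeholder.invalid
Subject: Invoice
Date: Mon, 26 Apr 2021 23:03:00 +0000
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see attached.
--B
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

--B--
"""

# Matches a bracketed IPv4 literal as written in Received headers, e.g. "[180.76.101.229]".
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """Return the IP of the earliest hop in the Received chain.

    Each relay prepends its own Received header, so the last one in header
    order is the hop closest to the sender. Hops before the first relay you
    control are attacker-supplied text and cannot be trusted.
    """
    received = msg.get_all("Received") or []
    for header in reversed(received):
        match = IPV4_RE.search(header)
        if match:
            return match.group(1)
    return None


def triage_headers(raw):
    """Extract the fields the playbook asks for from a raw RFC 822 message."""
    msg = message_from_string(raw)
    attachments = [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename()  # only MIME parts that carry a filename
    ]
    return {
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "smtp_ip": originating_ip(msg),
        "sender": parseaddr(msg["From"])[1],
        "recipient": parseaddr(msg["To"])[1],
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in triage_headers(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Reading the Received chain from the bottom up matters: the From header and any Received lines the sender wrote themselves are free text, so the only IP worth recording as the SMTP address is the one logged by your own mail gateway.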

Next Question – Are there attachments or URLs in the email? Yesssssssss.

Question

Analyze the attachment to determine whether it is malicious.

Question

So, I downloaded the attachment and unzipped it. Then I uploaded the unzipped file to VirusTotal to see whether it is flagged as malicious. As you can see here, it is.

VirusTotal Result

The next question asks whether the email was delivered to the user. As you can see in the first picture, the Device Action is “Allowed”, so the email was delivered to the user.

Question

You are now instructed to delete the email. Click the “Delete” button.

Delete the email

Check if someone opened the malicious file.

Question

Let’s first go to the online malware sandbox called “any.run”. The goal is to find the C2 server or domain, which we will then look for in the logs.

any.run result

As you can see above, the malicious document tried to connect to its C2 domain, which is “tecyardit.com”.

Now, let’s go to the “Log Management” section and search the logs for the C2 domain. You can see there is no connection, so the malicious file was not opened by the user.

No log of a connection to the C2 domain

The next question asks you to add artifacts about the incident. You can see my answer below.

Artifacts

After that, click “Finish the playbook” and you are asked to classify the alert as a True Positive or a False Positive. It is definitely a “True Positive”.

Close Alert

All my answers are correct, as you can see below.

Final Result

Thanks for reading my very first writeup. Stay safe.

Pyae Heinn Kyaw