ID45 - SOC114
Malicious Attachment Detected

LetsDefend alert triage practice

Alert Overview

Investigation

Initial Triage: Threat Intel

The SMTP source IP 49.234.43[.]39 is flagged as malicious: it is associated with brute-force/SSH activity, resolves to the domain tencent[.]com, and originates from China.

Email Security

  • Sender: accounting@cmail[.]carleton[.]ca
  • Attachment hash: c9ad9506bcccfaa987ff9fc11b91698d
  • Verdict: Malicious XLSX file (encrypted Office document), flagged as Trojan
  • C2: www.andaluciabeach[.]net

Log Management

  • Jan 31, 2021 – 16:15
  • Host 172.16.17.45 connected to C2 andaluciabeach[.]net, executed by excel.exe → indicating the malicious attachment was opened.

Endpoint Security

  • 2021-01-31 16:20 – Shortly after the file was opened, the process tree shows:
      • EQNEDT32.exe (Equation Editor, a known exploitation vector)
      • followed by execution of JuicyPotato.exe, a privilege escalation Trojan

Playbook Execution

Are there attachments or URLs in the email?

yes

Analyze Url/Attachment

Malicious

Check If Mail Delivered to User?

yes

Check If Someone Opened the Malicious File/URL?

opened

Add Artifacts

Artifact                                                           Description                  Type
49.234.43[.]39                                                     Malicious IP (SMTP source)   IP address
c9ad9506bcccfaa987ff9fc11b91698d                                   Malicious XLSX attachment    hash
accounting@cmail[.]carleton[.]ca                                   Phishing sender              email address
0f56c703e9b7ddeb90646927bac05a5c6d95308c8e13b88e5d4f4b572423e036   JuicyPotato.exe Trojan       hash
andaluciabeach[.]net                                               C2 domain                    domain

Verdict

True Positive

Analyst Summary Report

Summary of findings

This alert corresponds to a successful phishing email delivery containing a malicious Excel attachment. The file, sent from accounting@cmail[.]carleton[.]ca, was opened by the user, resulting in outbound traffic from excel.exe to a known C2 domain (andaluciabeach[.]net).

Subsequent endpoint telemetry revealed execution of EQNEDT32.exe, followed by JuicyPotato.exe, a well-known Windows privilege escalation exploit, confirming post-exploitation activity.

This is a confirmed malware infection consistent with initial access via phishing, followed by execution and privilege escalation. Both the email and the endpoint have been contained.

Remediation recommendations
  • Re-image the affected host to ensure full malware removal.
  • Reset all credentials associated with the compromised user and endpoint.
  • Search for lateral movement indicators and scan nearby hosts for similar artifacts.
  • Block the C2 domain and malicious IPs across proxy, firewall, and DNS layers.
  • Update detection rules for EQNEDT32.exe and JuicyPotato.exe to flag unauthorized use.
  • Conduct phishing awareness training for the user and reinforce the attachment handling policy.
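As an added example (not part of the original writeup or the LetsDefend platform), the following Python script turns the detection recommendation above into rules run over constructed sample telemetry: an Office process beaconing to the C2 domain, Office spawning EQNEDT32.exe, any run of JuicyPotato.exe, and a per-host chain rule that fires only when the C2 contact and the Equation Editor spawn occur within a short window, which mirrors the 16:15 / 16:20 timeline of this alert. The log format and the non-alert hosts are assumptions for the demonstration.

```python
from datetime import datetime, timedelta

# Indicators taken from this alert. The log lines further down are constructed
# samples for illustration, not real telemetry from the case.
C2_DOMAINS = {"andaluciabeach.net"}
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EXPLOIT_CHILDREN = {"eqnedt32.exe"}          # Equation Editor spawned by Office
PRIVESC_TOOLS = {"juicypotato.exe"}

# Constructed sample records (assumed format): "timestamp|host|kind|process|target"
# kind=net  -> process made an outbound connection to target (a domain)
# kind=proc -> process spawned target (a child process)
SAMPLE_LOG = [
    "2021-01-31 16:15|172.16.17.45|net|excel.exe|andaluciabeach.net",
    "2021-01-31 16:16|172.16.17.45|net|chrome.exe|example.org",
    "2021-01-31 16:20|172.16.17.45|proc|excel.exe|EQNEDT32.exe",
    "2021-01-31 16:21|172.16.17.45|proc|EQNEDT32.exe|JuicyPotato.exe",
    "2021-01-31 16:22|172.16.17.45|proc|explorer.exe|notepad.exe",
    "2021-01-31 17:05|172.16.17.90|proc|winword.exe|EQNEDT32.exe",  # no C2 hit on this host
]

def parse(line):
    ts, host, kind, proc, target = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "host": host,
            "kind": kind, "proc": proc.lower(), "target": target.lower()}

def detect(lines, window=timedelta(minutes=30)):
    """Return (rule, host, detail) findings in time order. The chain rule only
    fires when an Office->C2 connection on the same host precedes the
    EQNEDT32.exe spawn by at most `window`."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    findings, c2_seen = [], {}          # host -> time of first Office->C2 hit
    for e in events:
        if e["kind"] == "net" and e["proc"] in OFFICE_PROCS and e["target"] in C2_DOMAINS:
            findings.append(("office_c2", e["host"], f'{e["proc"]} -> {e["target"]}'))
            c2_seen.setdefault(e["host"], e["ts"])
        elif e["kind"] == "proc":
            if e["proc"] in OFFICE_PROCS and e["target"] in EXPLOIT_CHILDREN:
                findings.append(("office_spawn_eqnedt", e["host"], f'{e["proc"]} -> {e["target"]}'))
                t0 = c2_seen.get(e["host"])
                if t0 is not None and e["ts"] - t0 <= window:
                    findings.append(("phish_to_exploit_chain", e["host"],
                                     f'C2 at {t0:%H:%M}, spawn at {e["ts"]:%H:%M}'))
            if e["target"] in PRIVESC_TOOLS:
                findings.append(("privesc_tool_run", e["host"], f'{e["proc"]} -> {e["target"]}'))
    return findings

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG):
        print(f"{rule:<24} {host:<14} {detail}")
```

On the sample data the chain rule fires only for 172.16.17.45; the second host's Equation Editor spawn is still reported, but without the C2 correlation, which is the kind of lower-confidence hit that warrants a look rather than an automatic escalation.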

SYN / ACK
