ID257 - SOC282
Phishing Alert

LetsDefend alert triage practice

Alert Overview

Investigation

Initial Triage: Email analysis

We start by locating the flagged email in the Email Security module. The message originated from a suspicious external domain (coffeeshooop[.]com) and targets an internal user (Felix).

Cross-referencing with Log Management, we confirm the IP flow:
– Source IP: 103.80.134[.]63
– Destination IP: 172.16.20[.]3

Threat Intelligence

The source IP is flagged as malicious by:

  • VirusTotal
  • LetsDefend Threat Intel

At this point the email is highly suspicious: likely phishing, with the attachment as the probable payload.

Sandbox Analysis

We isolate and analyze the attachment in a Windows sandbox, keeping the archive and anything extracted from it inside the sandbox rather than on the analyst workstation.

Steps:
1. Click Connect Issue to obtain access credentials.
2. RDP into the sandbox.
3. Download the zip attachment:
59cbd215-76ea-434d-93ca-4d6aec3bac98-free-coffee.zip
4. Extract the archive; the payload is a PE file, coffee.exe


Static and dynamic analysis classify the sample as:
– Malware: Backdoor.Marte.VenomRAT

Host-Based Investigation

We pivot back to Log Management to track internal activity:

– Download of the file to Felix's host (172.16.17.151) from 3.5.129[.]143 is confirmed

Endpoint Security - Felix

Browser history shows the file was fetched directly at 12:59 PM.

Network connections include traffic to C2 infrastructure flagged as malicious, notably 37.120.233[.]226.

Process tree reveals:

explorer.exe → coffee.exe → cmd.exe → multiple child processes

Terminal history shows typical RAT post-exploitation behaviour: a burst of system enumeration commands.

The RAT operator is mapping out the host to decide what to do next.

Short breakdown of the reconnaissance commands:

systeminfo and hostname

  • T1082 – System Information Discovery
  • Get OS version, patch level, hostname

wmic logicaldisk get…

  • T1083 – File and Directory Discovery
  • Enumerate drives and the file system

net user

  • T1087.001 – Account Discovery: Local Account
  • List local user accounts

tasklist /svc

  • T1057 – Process Discovery
  • View running processes and the services hosted in each

ipconfig /all

  • T1016 – System Network Configuration Discovery
  • Get detailed network configuration (adapters, DNS, DHCP, gateways)

route print

  • T1016 – System Network Configuration Discovery
  • View the routing table and default gateways. T1049 (System Network Connections Discovery) covers active-connection enumeration such as netstat, which is not among the commands seen here
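The process tree (explorer.exe → coffee.exe → cmd.exe) and the enumeration burst above are exactly what a detection rule should key on: several distinct discovery techniques in a short window, launched from a shell whose origin is not a normal desktop or service process. The script below is an added example written for this write-up, not LetsDefend tooling and not data from the lab; the process-creation events are constructed to mirror the chain and commands described above (field names follow Sysmon Event ID 1 conventions), and the window size, the threshold, the trusted-origin list and the netstat → T1049 entry are assumptions chosen for the example.

```python
"""Discovery-burst detection over process-creation events.

Added example for this write-up, not LetsDefend tooling and not lab data. Events are
constructed to mirror explorer.exe -> coffee.exe -> cmd.exe -> enumeration commands;
thresholds, the trusted-origin list and the netstat -> T1049 entry are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import shlex

# ATT&CK technique keyed on (command base name, first argument); (name, None) is the
# fallback when the first argument does not matter (e.g. tasklist /svc).
DISCOVERY_MAP = {
    ("systeminfo", None): "T1082",
    ("hostname", None): "T1082",
    ("wmic", "logicaldisk"): "T1083",
    ("net", "user"): "T1087.001",
    ("tasklist", None): "T1057",
    ("ipconfig", None): "T1016",
    ("route", None): "T1016",
    ("netstat", None): "T1049",  # assumption: not in the write-up, added for completeness
}
SHELLS = {"cmd.exe", "powershell.exe"}
# Processes that legitimately start interactive shells; any other chain origin
# (here coffee.exe) raises the alert severity.
TRUSTED_ORIGINS = {"explorer.exe", "services.exe", "winlogon.exe"}
WINDOW = timedelta(minutes=5)   # burst window (assumption)
MIN_TECHNIQUES = 3              # distinct techniques needed to alert (assumption)

# Constructed sample events: (host, time, pid, ppid, image, command line).
EVENTS = [
    ("WS-FELIX", "2024-05-13 12:58:50", 1000, 600, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ("WS-FELIX", "2024-05-13 12:59:10", 2000, 1000, "coffee.exe", "C:\\Users\\felix\\Downloads\\coffee.exe"),
    ("WS-FELIX", "2024-05-13 12:59:12", 3000, 2000, "cmd.exe", "cmd.exe"),
    ("WS-FELIX", "2024-05-13 13:00:01", 3101, 3000, "systeminfo.exe", "systeminfo"),
    ("WS-FELIX", "2024-05-13 13:00:02", 3102, 3000, "HOSTNAME.EXE", "hostname"),
    ("WS-FELIX", "2024-05-13 13:00:05", 3103, 3000, "WMIC.exe", "wmic logicaldisk get caption"),
    ("WS-FELIX", "2024-05-13 13:00:09", 3104, 3000, "net.exe", "net user"),
    ("WS-FELIX", "2024-05-13 13:00:15", 3105, 3000, "tasklist.exe", "tasklist /svc"),
    ("WS-FELIX", "2024-05-13 13:00:20", 3106, 3000, "ipconfig.exe", "ipconfig /all"),
    ("WS-FELIX", "2024-05-13 13:00:24", 3107, 3000, "ROUTE.EXE", "route print"),
    # Benign admin on another host: explorer -> cmd -> one command, below threshold.
    ("WS-ADMIN", "2024-05-13 13:05:00", 1000, 600, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ("WS-ADMIN", "2024-05-13 13:05:30", 4000, 1000, "cmd.exe", "cmd.exe"),
    ("WS-ADMIN", "2024-05-13 13:05:40", 4001, 4000, "ipconfig.exe", "ipconfig /all"),
]


def classify(cmdline):
    """Map a command line to an ATT&CK discovery technique, or None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    sub = argv[1].lower() if len(argv) > 1 else None
    return DISCOVERY_MAP.get((exe, sub)) or DISCOVERY_MAP.get((exe, None))


def parse_events(rows):
    return [{"host": h, "ts": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
             "pid": pid, "ppid": ppid, "image": img.lower(), "cmd": cmd}
            for h, t, pid, ppid, img, cmd in rows]


def origin_of(event, by_pid):
    """Walk the parent chain upward, skipping shells, to the process that started it."""
    cur, seen = event, set()
    while True:
        key = (cur["host"], cur["ppid"])
        parent = by_pid.get(key)
        if parent is None or key in seen:
            return None, "<unknown>"
        seen.add(key)
        if parent["image"] not in SHELLS:
            return parent["pid"], parent["image"]
        cur = parent


def detect(rows):
    """One alert per process chain running MIN_TECHNIQUES distinct discovery techniques
    inside WINDOW; severity is high when the chain origin is not a trusted process."""
    events = parse_events(rows)
    by_pid = {(e["host"], e["pid"]): e for e in events}
    chains = defaultdict(list)  # (host, origin pid, origin image) -> [(ts, technique, cmd)]
    for e in events:
        tech = classify(e["cmd"])
        if tech:
            opid, oimg = origin_of(e, by_pid)
            chains[(e["host"], opid, oimg)].append((e["ts"], tech, e["cmd"]))
    alerts = []
    for (host, opid, oimg), items in chains.items():
        items.sort()
        for t0, _, _ in items:  # sliding window over the chain's commands
            window = [it for it in items if t0 <= it[0] <= t0 + WINDOW]
            techs = sorted({it[1] for it in window})
            if len(techs) >= MIN_TECHNIQUES:
                alerts.append({"host": host, "origin": oimg, "origin_pid": opid,
                               "techniques": techs,
                               "severity": "high" if oimg not in TRUSTED_ORIGINS else "medium"})
                break  # one alert per chain
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run as-is it reports a single high-severity alert for WS-FELIX with origin coffee.exe and five distinct techniques, while the lone ipconfig on WS-ADMIN stays below the threshold. Grouping by chain origin rather than by host is what keeps an admin's stray cmd.exe from colliding with a RAT's shell on the same machine, and walking past cmd.exe/powershell.exe to the real parent is what surfaces coffee.exe as the thing to look at.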

Playbook Execution

Incident Name

EventID: 257 – [SOC282 – Phishing Alert – Deceptive Mail Detected]

Description

EventID: 257

Incident type

Exchange

Verdict

True Positive

Analyst Summary Report

Summary of findings

On May 13, 2024, at 09:22 AM, the alert “SOC282 – Phishing Alert: Deceptive Mail Detected” was triggered.

A phishing email was sent from:

  • free@coffeeshooop[.]com (SMTP: 103[.]80[.]134[.]63)
  • To: Felix@letsdefend.io

The message included:

  • Attachment: 59cbd215-76ea-434d-93ca-4d6aec3bac98-free-coffee.zip
  • Payload: coffee.exe — identified as Backdoor.Marte.VenomRAT

At 12:59 PM, user Felix downloaded and executed the file on host 172.16.17.151.

At 1:00 PM, terminal history showed classic post-compromise discovery activity:

  • systeminfo, hostname: System Information Discovery (T1082)
  • wmic logicaldisk get…: File and Directory Discovery (T1083)
  • net user: Account Discovery – Local Account (T1087.001)
  • tasklist /svc: Process Discovery (T1057)
  • ipconfig /all, route print: System Network Configuration Discovery (T1016)

Action taken

  • Malicious email deleted
  • Infected host isolated from the network

Remediation recommendations

  • Train user on phishing recognition and response procedures
  • Strengthen email filtering and attachment scanning
  • Reset user credentials associated with the compromised account
  • Monitor for additional indicators of compromise in the environment (the C2 address 37.120.233[.]226, the download source 3.5.129[.]143, the sender domain and the attachment name)

SYN / ACK

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.