SOC140 - Phishing Mail Detected - Suspicious Task Scheduler
Another great email phishing alert provided by LetsDefend!
I began my investigation by opening a case for the alert and looking at the alert information. By looking at the rule name, I know this alert was triggered in response to a potential phishing email containing a suspicious task scheduler. I immediately noted that the target device had blocked the email. This would be an important piece of information when reporting on attack impact and mitigation.
Following our playbook, I first gathered basic information about the email. Looking at the email itself, there was nothing overtly concerning about the sender's address or the message content. I downloaded the attachment for further analysis.
Initial and repeated VirusTotal scans suggested that the attachment was safe; however, this only scanned the hash of the compressed folder, not the PDF file contained within it. When I scanned the PDF itself, 25 different security vendors had identified it as a malicious Trojan downloader. Hybrid Analysis corroborated the file's maliciousness. It pays to be thorough!
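The lesson here is that a hash lookup on the archive says nothing about the files inside it. The following is an added example (not part of the original writeup or of LetsDefend's material) that hashes every member of a zip, descending into nested archives, and compares the container hash and each member hash against a denylist; the archive contents, member names and the "known bad" hash are all constructed placeholders.

```python
import hashlib
import io
import zipfile

# Constructed placeholder content standing in for the attachment; not real malware.
SAMPLE_PDF = b"%PDF-1.7\n% constructed placeholder document\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_archive() -> bytes:
    """Build, in memory, an outer zip holding a benign text file and an inner zip
    that in turn holds the placeholder PDF (names are constructed, not from the case)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SUPPLIES LIST.pdf", SAMPLE_PDF)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"constructed benign member\n")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def hash_archive_members(archive: bytes, max_depth: int = 3, prefix: str = "") -> dict:
    """Return {member path: sha256} for every file inside the archive.
    Nested zips are opened up to max_depth so the hash looked up is the
    inner file's, not just the container's."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            path = prefix + info.filename
            results[path] = sha256(data)
            if max_depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
                results.update(hash_archive_members(data, max_depth - 1, path + "/"))
    return results


def triage(archive: bytes, known_bad: set) -> dict:
    """Compare the container hash and each member hash against a denylist."""
    members = hash_archive_members(archive)
    archive_hash = sha256(archive)
    return {
        "archive_sha256": archive_hash,
        "archive_flagged": archive_hash in known_bad,
        "members": members,
        "flagged_members": sorted(p for p, h in members.items() if h in known_bad),
    }
```

In the constructed case the archive's own hash is clean while the nested PDF's hash matches the denylist, which is exactly the gap a container-only lookup leaves.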
I opened the file in an AnyRun sandbox, which, before any interaction, had already spawned an abnormal number of processes under the AcroRd32 executable. Further investigation showed that AcroRd32 is a legitimate, inseparable process that Acrobat/Reader uses to handle network interaction and cloud services, integral to the normal function of the application. The number of processes attached to it, however, was suspicious.
Clicking on the content boxes within the PDF generated a litany of malicious connections to a Dutch IP over port 4001, associated with an ASN named "Artyom Danilenko," which was waiting to receive data. A VirusTotal scan corroborated that this IP had been reported as malicious. Several of these connections downloaded a "SUPPLIES LIST.....exe" which, when executed, changes values in the Windows registry and writes to the Start Menu folder.
We finished by analyzing the endpoint, which in this case had no security agents installed, so endpoint visibility was minimal. We knew from the alert overview, however, that the email had been blocked, and concluded that no further action was needed. This finalized our investigation.