LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29
Details
EventID: 29
Event Time: Oct. 29, 2020, 7:43 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address: 191.233.193.73
Source Address: icianb@hotmail.com
Destination Address: sofia@letsdefend.io
E-mail Subject: Invoice
Device Action: Blocked
Playbook
Are there attachments or URLs in the email?
Invoice
From: icianb@hotmail.com  Oct. 29, 2020, 7:43 p.m.
To: sofia@letsdefend.io  Oct. 29, 2020, 7:43 p.m.

Hello,
Attached copy of your unpaid invoice & Statement
Our Statement shows 2 invoices are paid. Our AP did confirmed payment was paid on the 13th of October into your Bank account.
Thank you.

Attachments: 4abd5dd8377e5810116f3665bd8d92f0.zip

Answer: Yes
Analyze Url/Attachment
The sender is a hotmail address, so that alone tells us nothing. This time the problem seems to lie in the attachment.

$ sha256sum 43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe
43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa  43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe
VirusTotal 35/68: https://www.virustotal.com/gui/file/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/detection
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/5f9d102805f963128371eff5
For now, Malicious is the right call. The fact that it performs a network device lookup is also suspicious. On VirusTotal there is a report describing it as an APT Scanner.

Answer: Malicious
Check If Mail Delivered to User?
Device Action: Blocked

Answer: Not Delivered
Add Artifacts
| Value | Type | Comment |
|---|---|---|
| icianb@hotmail.com | E-mail Sender | 191.233.193.73 |
| 4abd5dd8377e5810116f3665bd8d92f0 | MD5 Hash | APT Scanner? Malicious by VT |
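The four playbook steps above (indicator check, attachment hashing, delivery check, artifact rows) as one small triage helper. This is an added example written for this page, not LetsDefend's own tooling: the `ALERT` dict is a constructed copy of the alert fields shown above, the bytes hashed in the demo are a placeholder (`b"abc"`) rather than the real zip, and the "Allowed means Delivered" branch in `delivery_status` is an assumption for mail gateways that only report Blocked or Allowed.

```python
import hashlib
import re

# Constructed alert record in the shape of the LetsDefend details above.
# Field values are copied from the alert; the attachment bytes hashed later
# are a placeholder, never the real sample.
ALERT = {
    "smtp_address": "191.233.193.73",
    "source_address": "icianb@hotmail.com",
    "destination_address": "sofia@letsdefend.io",
    "subject": "Invoice",
    "device_action": "Blocked",
    "body": ("Hello, Attached copy of your unpaid invoice & Statement. "
             "Our Statement shows 2 invoices are paid."),
    "attachments": ["4abd5dd8377e5810116f3665bd8d92f0.zip"],
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def find_indicators(alert):
    """Playbook step 1: URLs found in the body plus attachment names."""
    urls = URL_RE.findall(alert.get("body", ""))
    return {"urls": urls, "attachments": list(alert.get("attachments", []))}


def has_attachments_or_urls(alert):
    ind = find_indicators(alert)
    return bool(ind["urls"] or ind["attachments"])


def hash_bytes(data):
    """Playbook step 2: the hashes used to pivot into VT / Hybrid Analysis."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def virustotal_file_url(sha256):
    # Same GUI link shape as the VirusTotal URL in the write-up; no API key needed.
    return f"https://www.virustotal.com/gui/file/{sha256}/detection"


def delivery_status(device_action):
    """Playbook step 3: a gateway action of Blocked means the user never got it.
    Treating anything else as Delivered is an assumption for this demo."""
    return "Not Delivered" if device_action.strip().lower() == "blocked" else "Delivered"


def build_artifacts(alert, file_hashes, verdict_comment):
    """Playbook step 4: rows in the Value | Type | Comment shape used above."""
    return [
        (alert["source_address"], "E-mail Sender", alert["smtp_address"]),
        (file_hashes["md5"], "MD5 Hash", verdict_comment),
        (file_hashes["sha256"], "SHA256 Hash", verdict_comment),
    ]


def triage(alert, attachment_bytes, verdict_comment):
    """Run all four steps and return one record an analyst can paste into notes."""
    hashes = hash_bytes(attachment_bytes)
    return {
        "has_indicators": has_attachments_or_urls(alert),
        "delivery": delivery_status(alert["device_action"]),
        "vt_url": virustotal_file_url(hashes["sha256"]),
        "artifacts": build_artifacts(alert, hashes, verdict_comment),
    }


if __name__ == "__main__":
    # Placeholder attachment bytes stand in for the zip; the verdict text is constructed.
    result = triage(ALERT, b"abc", "constructed verdict for demo")
    for row in result["artifacts"]:
        print(" | ".join(row))
    print(result["delivery"], result["vt_url"])
```

Run it on a real case by replacing the placeholder bytes with the downloaded attachment's contents; the sha256 it prints should match the `sha256sum` output above before you trust the VirusTotal link it builds.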