you@chainsawcannon:/Blog/LetsDefend-Alert-SOC146/Information$
This was posted on July 11th, 2026 at 12:15AM EST
you@chainsawcannon:/Blog/LetsDefend-Alert-SOC146$
LetsDefend: SIEM Simulator Alert SOC146
hello! I decided to try out LetsDefend and I currently adore the SIEM simulation stuff right now, In this blog entry I'm doing a writeup of my findings for a security alert on the simulator. Enjoy! :3
Introduction
Alert: SOC146 Phishing Mail Detected - Excel 4.0 Macros
Severity: High
Analysis
With given information from the alert generated the following information regarding this alleged phishing attack is the following:
- Email was sent by trenton@tritowncomputers.com
- Email was sent to lars@letsdefend.io
- The emails subject was RE: Meeting Notes
Using the referenced information from the report the email was found with a password-protected zip file from the sender with the password "infected". When downloading the file and unzipping the files there are the the following:
- iroto.dll (MD5: 055b9e9af987aec9ba7adb0eef947f39b516a213d663cc52a71c7f0af146a946)
- iroto1.dll (MD5:e05c717b43f7e204f315eb8c298f9715791385516335acd8f20ec9e26c3e9b0b)
- Excel File (MD5:1df68d55968bb9d2db4d0d18155188a03a442850ff543c8595166ac6987df820)
Running iroto1.dll and iroto.dll in a sandboxed environment (in this case, VirusTotal was used) both DLL files exhibited certain behaviors such as execution flow hijacking, access token manipulation through parent PID spoofing, file obfuscation, virtualization detection, DLL sideloading, input capture, and detection of security software running on a victim machine iroto and iroto1 were detected by 22 security vendors on the platform. Using the tool oledump by Didier Stevens detected a macro was added to the given excel file. Scanning the file on virustotal gave 38 detections from security vendors and will inject a process (likely to be the malicious dlls) into the victim machine. To check if the files were activated by the email recipent more information regarding the excel file, getting an IP that the dll will send information to (151.139.128.14, 188.209.214.83, 188.213.19.81, etc.). Checking event logs filtering the destination IP to the given IP from the dll file shows IP 172.16.17.57 visited the IP according to the firewall. This IP was linked to a machine under the name LarsPRD, those IPs were contacted, with the command logs history showing the regsvr32.exe command linking to the malicious dll files given in the zip directory which indicates the macro was activated, this means that the LarsPRD machine needs to be contained until further notice.
In conclusion, this alert was a true positive that resulted in a compromised machine that gave access to an attacker through an excel 4.0 macro
