Presentation As a Malware (LetsDefend)

November 01, 2025 · Brandon Love · Tags: lets-defend, blue-team, letsdefendio, cybersecurity

Originally published on Medium: https://medium.com/@brandonlove2150/presentation-as-a-malware-letsdefend-6d3719cadefc?source=rss-024d132ba4b7------2

Challenge: defend.io/challenge/Presentation-As-a-Malware

Can a ppt file be malware?

File link: /root/Desktop/ChallengeFiles/PO00187.zip
Password: infected

Walkthrough

This challenge is done on a Linux host when you connect to the VM. We need to unzip the archive, switch to the ChallengeFiles directory, and get the MD5 hash of the file so we can look it up in VirusTotal. This lets us examine the file to determine whether it is malicious and to pull out the information we need for this challenge.

Question 1: What was the general name / category of the malicious file in the analyzed ppt file?

To determine the category of the malicious file, we need to check the vendors’ analyses for more information on all the malicious files they analyze. Looking at some of the vendors, VB:Trojan is one of the leading names for this file.

Vendors’ Analysis

Question 2: Which of the URL addresses it communicates with has been detected as harmful by sandboxes?

When we navigate to the Behavior tab in VirusTotal, we can see that this file attempts to communicate with 15 URLs. The most suspicious one is the URL that has 13 detections.

Relations

Question 3: What is the name of the htm file that drops to disk?

In the Behavior tab, navigate to the Files dropped section; the .htm file is located here.

Files Dropped

Question 4: Which process is run to persist under mshta.exe after the relevant malware runs?

We need to search the Processes Created section in the Behavior tab. Several processes were created, but only one of them is a mechanism for making a program run persistently.

Processes Created

Question 5: If there was a Snort IDS in the environment at the time of the incident, which rules would it match?

On VirusTotal, there is a section for Crowdsourced IDS rules that will provide the answer to this question.

IDS Rules
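As an added example (not part of the original write-up), the following Python pulls the same Behavior-tab fields used for Questions 3 to 5 out of a VirusTotal v3 behaviour summary instead of reading them by hand. The summary below is constructed with placeholder names; fetch_behaviour_summary assumes you hold a VT API key, and the field names (files_dropped, processes_tree, ids_alerts) are those of VT's file_behaviour object.

```python
import json
import urllib.request

# Constructed sample shaped like VT's file_behaviour object; the paths,
# process names and rule messages are placeholders, not challenge values.
SAMPLE_SUMMARY = {"data": {
    "files_dropped": [{"path": "C:\\Users\\Public\\EXAMPLE_page.htm"},
                      {"path": "C:\\Users\\Public\\EXAMPLE_loader.dll"}],
    "processes_tree": [{"name": "POWERPNT.EXE", "children": [
        {"name": "C:\\Windows\\System32\\mshta.exe", "children": [
            {"name": "schtasks.exe"}, {"name": "conhost.exe"}]}]}],
    "ids_alerts": [{"rule_msg": "EXAMPLE RULE A"},
                   {"rule_msg": "EXAMPLE RULE A"},
                   {"rule_msg": "EXAMPLE RULE B"}],
}}

def fetch_behaviour_summary(file_hash, api_key):
    """Live lookup of the sandbox summary (needs a VT API key; not used below)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{file_hash}/behaviour_summary",
        headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def dropped_files(summary, suffix=".htm"):
    """Q3: paths in 'Files dropped' ending in the given suffix (case-insensitive)."""
    return [f["path"] for f in summary["data"].get("files_dropped", [])
            if f["path"].lower().endswith(suffix.lower())]

def children_of(summary, parent="mshta.exe"):
    """Q4: names of processes spawned directly under `parent` anywhere in the tree."""
    found, stack = [], list(summary["data"].get("processes_tree", []))
    while stack:
        node = stack.pop()
        kids = node.get("children", [])
        if node["name"].lower().endswith(parent.lower()):
            found.extend(k["name"] for k in kids)
        stack.extend(kids)
    return found

def ids_rules(summary):
    """Q5: distinct crowdsourced IDS rule messages, in first-seen order."""
    return list(dict.fromkeys(a["rule_msg"]
                              for a in summary["data"].get("ids_alerts", [])))
```

Running the three helpers over a real summary gives the dropped .htm name, the processes living under mshta.exe, and the matching IDS rules in one pass, which is handy when triaging more than one sample.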

This was a short, simple challenge. I look forward to the next one.

If you enjoy these write-ups or want to see me attempt something harder, let me know.

LinkedIn: www.linkedin.com/in/brandon-love-85b247261

email: brandonlove2150@icloud.com
