Day 6
Raw headers of the .eml from the task, followed by the MIME part headers:

X-Pm-Content-Encryption: end-to-end
X-Pm-Origin: internal
Subject: Urgent: Blue section is down. Switch to the load share plan!
From: Chief Elf <chief.elf@santaclaus.thm>
Date: Tue, 6 Dec 2022 00:00:01 +0000
Mime-Version: 1.0
Content-Type: multipart/mixed;boundary=---------------------03edd9c682a0c8f60d54b9e4bb86659f
To: elves.all@santaclaus.thm <elves.all@santaclaus.thm>
X-Attached: Division_of_labour-Load_share_plan.doc
Message-Id: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==>
X-Pm-Spamscore: 3
Received: from mail.santaclaus.thm by mail.santaclaus.thm; Tue, 6 Dec 2022 00:00:01 +0000
X-Original-To: elves.all@santaclaus.thm
Return-Path: <murphy.evident@bandityeti.thm>
Delivered-To: elves.all@santaclaus.thm

-----------------------03edd9c682a0c8f60d54b9e4bb86659f
Content-Type: multipart/related;boundary=---------------------8f117c48beda7f1c1da0a5a894d5c4b5

-----------------------8f117c48beda7f1c1da0a5a894d5c4b5
Content-Type: text/html;charset=utf-8
Content-Transfer-Encoding: base64
-----------------------8f117c48beda7f1c1da0a5a894d5c4b5--
-----------------------03edd9c682a0c8f60d54b9e4bb86659f
Content-Type: application/msword; filename="Division_of_labour-Load_share_plan.doc"; name="Division_of_labour-Load_share_plan.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Division_of_labour-Load_share_plan.doc"; name="Division_of_labour-Load_share_plan.doc"

What is the email address of the sender?

Read it from the From header: Chief Elf <chief.elf@santaclaus.thm>.

What is the return address?

Read it from the Return-Path header: <murphy.evident@bandityeti.thm>. Return-Path is the SMTP envelope sender (where bounces go); the server records it, so unlike From it is not under the sender's cosmetic control, and it does not have to match From.

On whose behalf was the email sent?

The display name in From: Chief Elf. A From header claiming santaclaus.thm while Return-Path points at bandityeti.thm is the classic sign of a spoofed sender; the two addresses should be compared in every triage.

What is the X-spam score?

X-Pm-Spamscore: 3 (the score assigned by the receiving mail provider's filter).

What is hidden in the value of the Message-ID field?

A Message-Id normally has the form <unique-string@host>. This one has no @ and looks like base64, so strip the angle brackets and decode it:

echo -n "QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==" | base64 -d

It decodes to AoC2022_Email_Analysis.

Visit the email reputation check website provided in the task.

What is the reputation result of the sender's email address?

Check the attachments.

What is the filename of the attachment?

Division_of_labour-Load_share_plan.doc, listed both in the X-Attached header and in the Content-Disposition of the last MIME part.

What is the hash value of the attachment?

Extract the attachment with emlAnalyzer (--extract-all decodes every attachment into eml_attachments/) and hash the extracted file rather than the base64 text in the .eml:

emlAnalyzer -i Urgent\:.eml --header --html -u --text --extract-all

============== || Header || ==============
X-Pm-Content-Encryption.....end-to-end
X-Pm-Origin.................internal
Subject.....................Urgent: Blue section is down. Switch to the load share plan!
From........................Chief Elf <chief.elf@santaclaus.thm>
Date........................Tue, 6 Dec 2022 00:00:01 +0000
Mime-Version................1.0
Content-Type................multipart/mixed;boundary=---------------------03edd9c682a0c8f60d54b9e4bb86659f
To..........................elves.all@santaclaus.thm <elves.all@santaclaus.thm>
X-Attached..................Division_of_labour-Load_share_plan.doc
Message-Id..................<QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==>
X-Pm-Spamscore..............3
Received....................from mail.santaclaus.thm by mail.santaclaus.thm; Tue, 6 Dec 2022 00:00:01 +0000
X-Original-To...............elves.all@santaclaus.thm
Return-Path.................<murphy.evident@bandityeti.thm>
Delivered-To................elves.all@santaclaus.thm
========================= || URLs in HTML part || =========================
[+] No URLs found in the html

================= || Plaintext || =================
[+] Email contains no plaintext
============ || HTML || ============
<span>Dear Elves,</span><div><br></div><div><span>Due to technical problems in the blue section of our toy factory, we are having difficulties preparing some toys. </span></div><div><br></div><div><span>There are a few days left to Christmas, so we need to use time efficiently to prepare every wishlist we receive. Due to that, the blue section's workload is shared with the rest to avoid any toy production delay.</span></div><div><br></div><div><span>The detailed division of labour is included in the attached document.</span></div><div><br></div><div><span>Good luck to you all.</span></div><div><br></div><div><b><span>Chief Elf</span></b></div><div><br></div>
============================= || Attachment Extracting || =============================
[+] Attachment [1] "Division_of_labour-Load_share_plan.doc" extracted to eml_attachments/Division_of_labour-Load_share_plan.doc

Then, inside eml_attachments/:

sha256sum Division_of_labour-Load_share_plan.doc

Visit the Virus Total website and use the hash value to search. Search by hash rather than uploading the file: a hash lookup reveals nothing, while an upload shares the sample with every VirusTotal user.
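The steps above (read the headers, compare From with Return-Path, decode the base64 Message-Id, extract the attachment and hash it) can be reproduced with the Python standard library alone. The script below is an added example; it is not part of the original writeup and not emlAnalyzer's code. It builds a constructed .eml that copies the Day 6 headers and the same multipart layout (mixed, then related, then the HTML part, plus a base64 .doc attachment), but the attachment bytes are a placeholder starting with the OLE2 magic number, not the real document, so the resulting SHA-256 will not match anything on VirusTotal or InQuest. The boundary strings are shortened and the function names (build_sample_eml, sender_summary, decode_message_id, extract_attachments) are my own.

```python
import base64
import email
import hashlib
from email.message import Message
from email.utils import parseaddr

# Constructed stand-in for the attachment: OLE2 magic bytes plus filler.
# It is NOT the document from the task, so its hash means nothing externally.
ATTACHMENT_NAME = "Division_of_labour-Load_share_plan.doc"
ATTACHMENT_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"placeholder body\n" * 8


def build_sample_eml() -> bytes:
    """Assemble a .eml with the Day 6 headers and the same MIME nesting.
    The HTML body is a constructed fragment; boundaries are shortened."""
    html_b64 = base64.b64encode(b"<span>Dear Elves,</span>").decode()
    doc_b64 = base64.encodebytes(ATTACHMENT_BYTES).decode().rstrip("\n")
    lines = [
        "X-Pm-Content-Encryption: end-to-end",
        "X-Pm-Origin: internal",
        "Subject: Urgent: Blue section is down. Switch to the load share plan!",
        "From: Chief Elf <chief.elf@santaclaus.thm>",
        "Date: Tue, 6 Dec 2022 00:00:01 +0000",
        "Mime-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="outer"',
        "To: elves.all@santaclaus.thm <elves.all@santaclaus.thm>",
        f"X-Attached: {ATTACHMENT_NAME}",
        "Message-Id: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==>",
        "X-Pm-Spamscore: 3",
        "Received: from mail.santaclaus.thm by mail.santaclaus.thm; Tue, 6 Dec 2022 00:00:01 +0000",
        "X-Original-To: elves.all@santaclaus.thm",
        "Return-Path: <murphy.evident@bandityeti.thm>",
        "Delivered-To: elves.all@santaclaus.thm",
        "",
        "--outer",
        'Content-Type: multipart/related; boundary="inner"',
        "",
        "--inner",
        "Content-Type: text/html; charset=utf-8",
        "Content-Transfer-Encoding: base64",
        "",
        html_b64,
        "--inner--",
        "--outer",
        f'Content-Type: application/msword; name="{ATTACHMENT_NAME}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{ATTACHMENT_NAME}"',
        "",
        doc_b64,
        "--outer--",
        "",
    ]
    return "\n".join(lines).encode()


def parse_eml(raw: bytes) -> Message:
    """Default (compat32) parser: header values come back as the raw wire strings."""
    return email.message_from_bytes(raw)


def sender_summary(msg: Message) -> dict:
    """From is what the recipient sees; Return-Path is the SMTP envelope sender.
    A mismatch between the two is the spoofing indicator the task is built on."""
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    return {
        "from_name": from_name,
        "from_addr": from_addr,
        "return_path": return_path,
        "spam_score": int(msg.get("X-Pm-Spamscore", "0")),
        "envelope_mismatch": from_addr.lower() != return_path.lower(),
    }


def decode_message_id(msg: Message) -> str:
    """A Message-Id is normally <unique@host>; here it is base64 in brackets.
    Returns "" when the value is not valid base64 (i.e. nothing hidden)."""
    value = msg.get("Message-Id", "").strip().strip("<>")
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_attachments(msg: Message) -> list:
    """Walk every MIME part (nested multiparts included), undo the transfer
    encoding and hash the decoded bytes: what --extract-all plus sha256sum do.
    Hashing the base64 text instead of the decoded bytes gives a useless digest."""
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        found.append((part.get_filename(), sha256_hex(data)))
    return found


if __name__ == "__main__":
    m = parse_eml(build_sample_eml())
    print(sender_summary(m))
    print("Message-Id decodes to:", decode_message_id(m))
    for name, digest in extract_attachments(m):
        print(f"{digest}  {name}")
```

Point parse_eml at the bytes of the real Urgent:.eml instead of build_sample_eml() and the same functions give the task's answers and the digest to look up; the walk over msg.walk() is what makes the nested multipart/related part irrelevant to finding the attachment.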
Navigate to the behaviour section. What is the second tactic marked in the Mitre ATT&CK section?

The Behaviour tab is only populated when a sandbox has already run the sample; a hash search submits nothing, so if the tab is empty the file has never been detonated there.

Visit the InQuest website and use the hash value to search.

InQuest Labs DFI SHA-256 Lookup

What is the subcategory of the file?