// soc investigation 2026-01-22
SOC109 - Emotet Malware Detected
letsdefend Medium closed ✓ true positive
mitre/T1566-001 mitre/T1204-002 mitre/T1071-001 mitre/T1105 phishing
analyst verdict TRUE POSITIVE

🎯 MITRE ATT&CK

T1566.001 Phishing Attachment
T1204.002 Malicious File
T1071.001 Application Layer Protocol
T1105 Ingress Tool Transfer

👤 Who

Emotet malware was detected on endpoint 172.16.17.45 after the user opened a malicious attachment named 1word.doc. The file's MD5 hash 349d13ca99ab03869548d75b99e5a1d0 was confirmed as malicious via VirusTotal.

🔎 What

The SOC109 Emotet Malware Detected alert was triggered when the endpoint accessed and attempted to execute the malicious Word document attachment. The antivirus device action shows the file was cleaned. Sandbox analysis in ANY.RUN identified the command and control IP addresses 85.214.109.143 and 81.169.145.160. EDR review showed no additional suspicious endpoint activity during the timeframe. Log analysis confirmed no outbound network communication from the endpoint to the identified C2 infrastructure.
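The two containment checks described above (hash confirmed malicious, no outbound traffic from the endpoint to the sandbox-identified C2 IPs) as an added Python example; this is not part of the original write-up or of any LetsDefend tooling. The key=value log format and the sample log lines are constructed for the example; the endpoint, MD5 and C2 IPs are the indicators reported in this investigation. The sample data reflects the page's finding (no C2 contact), while the functions also handle the case where an attempt is found, distinguishing denied attempts from allowed connections, and pivot to other hosts that touched the same infrastructure.

```python
# Added example: reproduces the log sweep behind the "no outbound C2 communication"
# conclusion. Log format and sample lines are constructed; indicators come from the case.
import re

ENDPOINT = "172.16.17.45"
KNOWN_BAD_MD5 = {"349d13ca99ab03869548d75b99e5a1d0"}   # 1word.doc, confirmed via VirusTotal
C2_IPS = {"85.214.109.143", "81.169.145.160"}           # from the ANY.RUN sandbox run

# Constructed firewall/proxy log lines (assumed key=value format). One malformed line
# is included to show that unparsable records are skipped rather than crashing the sweep.
SAMPLE_LOGS = """\
2021-03-22T21:05:12Z src=172.16.17.45 dst=142.250.74.36 dport=443 action=allow
2021-03-22T21:06:40Z src=172.16.17.45 dst=172.16.17.1 dport=53 action=allow
2021-03-22T21:07:15Z src=172.16.17.45 dst=17.253.144.10 dport=443 action=allow
this line is not a valid record and must be skipped
2021-03-22T21:09:00Z src=172.16.17.45 dst=142.250.74.36 dport=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Parse key=value lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            events.append(rec)
    return events


def c2_contacts(events, endpoint, c2_ips):
    """All events where the endpoint under investigation reached out to a known C2 IP.
    Denied attempts are included: a blocked beacon still proves the payload executed
    far enough to call home, which changes the verdict even if nothing got through."""
    return [e for e in events if e["src"] == endpoint and e["dst"] in c2_ips]


def successful_c2_contacts(events, endpoint, c2_ips):
    """Only the C2 connections the perimeter actually allowed."""
    return [e for e in c2_contacts(events, endpoint, c2_ips) if e["action"] == "allow"]


def other_hosts_contacting_c2(events, c2_ips, exclude):
    """Hosts other than the alerting endpoint that touched the same C2 infrastructure,
    a quick pivot to check whether the campaign reached more than one machine."""
    return sorted({e["src"] for e in events if e["dst"] in c2_ips and e["src"] != exclude})


def hash_is_known_bad(md5, known_bad):
    """Case-insensitive lookup of an observed file hash against the confirmed-bad set."""
    return md5.lower() in {h.lower() for h in known_bad}


def verdict(events, endpoint, c2_ips, observed_md5, known_bad):
    """Summarise the checks the way the write-up does: is the file confirmed malicious,
    did the endpoint attempt or succeed in contacting C2, and did anyone else."""
    return {
        "file_confirmed_malicious": hash_is_known_bad(observed_md5, known_bad),
        "c2_attempts": len(c2_contacts(events, endpoint, c2_ips)),
        "c2_successful": len(successful_c2_contacts(events, endpoint, c2_ips)),
        "other_hosts": other_hosts_contacting_c2(events, c2_ips, endpoint),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    # Hash is compared case-insensitively, so an uppercase copy from a tool still matches.
    print(verdict(evs, ENDPOINT, C2_IPS, "349D13CA99AB03869548D75B99E5A1D0", KNOWN_BAD_MD5))
```

A zero in `c2_attempts` is only meaningful if the log source covers the whole window around the event time and the endpoint's egress path; a blocked attempt (non-zero attempts, zero successful) would mean the document executed and the verdict should note attempted C2 even though no data left the network.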

🕐 When

Event Time Mar 22 2021 09:06 PM
Alert Closed Jan 22 2026 10:47 AM

📍 Where

Endpoint 172.16.17.45
Malicious File 1word.doc
MD5 349d13ca99ab03869548d75b99e5a1d0
C2 IP 85.214.109.143
C2 IP 81.169.145.160
Event ID 85
Rule SOC109 Emotet Malware Detected

💡 Why

The malicious Word document associated with Emotet was detected and cleaned by antivirus controls before successful execution or command and control communication occurred. No outbound traffic to known Emotet infrastructure was observed and no additional malicious processes were identified. The threat was successfully contained and the alert was assessed as a True Positive with no further impact.