T1071 Application Layer Protocol
T1105 Ingress Tool Transfer
T1204 User Execution
Malicious activity was detected on host RichardPRD (IP address 172.16.17.45) involving user Richard. The activity originated from user interaction with a malicious email attachment.
The alert SOC111 Traffic to Malware Domain triggered after the endpoint made a request to a known malicious domain andaluciabeach.net. Investigation shows the user opened a malicious Excel document (hash 44e65a641fb970031c5efed324676b5018803e0a768608d3e186152102615795.xlsx), which caused the system to connect to http://andaluciabeach.net/image/network.exe and download a secondary payload. The destination IP 5.135.143.133 and domain are confirmed malicious and associated with command and control infrastructure. This activity is linked to a previously observed privilege escalation incident involving JuicyPotato.exe on the same host.
Jan 31 2021 04:15 PM
Source Hostname: RichardPRD
Source IP Address: 172.16.17.45
Destination Hostname: andaluciabeach.net
Destination IP Address: 5.135.143.133
Malicious URL: http://andaluciabeach.net/image/network.exe
The alert was triggered by outbound communication to a known malware domain. Investigation confirmed the activity resulted from a phishing-based infection chain in which a malicious Excel document initiated the download of a payload from a command and control server. This activity represents a confirmed malware infection and a progression of the intrusion leading to privilege escalation. The affected machine was isolated to contain the incident and prevent further compromise.
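The detection behind an alert like SOC111 can be reproduced as a simple indicator match over proxy logs. The following Python script is an added example, not part of the original report or of any SOC tooling: it uses only the domain, IP and URL indicators stated above, assumes a space-separated proxy log layout (timestamp, host, source IP, method, URL, destination IP, status) that is constructed for the example, and tags each hit with the MITRE technique it evidences (T1071 for traffic to the C2 domain or IP, T1105 for the network.exe download). The second workstation AliceWKS and all non-indicator IPs in the sample are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators as stated in the incident report above.
MALICIOUS_DOMAINS = {"andaluciabeach.net"}
MALICIOUS_IPS = {"5.135.143.133"}
MALICIOUS_URLS = {"http://andaluciabeach.net/image/network.exe"}

# Constructed sample proxy log (not real data). Assumed field layout:
# timestamp host src_ip method url dst_ip http_status
SAMPLE_PROXY_LOG = """\
2021-01-31T16:14:58 RichardPRD 172.16.17.45 GET http://andaluciabeach.net/image/network.exe 5.135.143.133 200
2021-01-31T16:15:03 RichardPRD 172.16.17.45 GET https://www.microsoft.com/ 13.107.42.14 200
2021-01-31T16:15:30 RichardPRD 172.16.17.45 GET http://andaluciabeach.net/image/logo.png 5.135.143.133 404
2021-01-31T16:16:02 AliceWKS 172.16.17.60 GET https://example.org/ 93.184.216.34 200
2021-01-31T16:17:11 AliceWKS 172.16.17.60 GET http://5.135.143.133/update 5.135.143.133 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<dst>\S+) (?P<status>\d{3})$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    url: str
    matched_on: list = field(default_factory=list)   # which indicators hit
    techniques: tuple = ()                            # MITRE technique IDs


def classify(line: str):
    """Return a Finding if the log line touches a known indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # malformed line: skip rather than crash the scan
    f = m.groupdict()
    domain = (urlparse(f["url"]).hostname or "").lower()
    matched, techniques = [], []
    # Any contact with the C2 domain or IP is T1071 (Application Layer Protocol).
    if domain in MALICIOUS_DOMAINS:
        matched.append(f"domain:{domain}")
    if f["dst"] in MALICIOUS_IPS:
        matched.append(f"ip:{f['dst']}")
    if matched:
        techniques.append("T1071")
    # Fetching the payload URL itself is T1105 (Ingress Tool Transfer).
    if f["url"] in MALICIOUS_URLS:
        matched.append("url")
        techniques.append("T1105")
    if not matched:
        return None
    return Finding(f["ts"], f["host"], f["url"], matched, tuple(techniques))


def scan(log_text: str) -> list:
    """Scan every line of a proxy log and collect the findings in order."""
    return [x for x in (classify(l) for l in log_text.splitlines()) if x]


def hosts_to_isolate(findings) -> dict:
    """Map each affected host to the set of techniques observed from it."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).update(f.techniques)
    return out


if __name__ == "__main__":
    results = scan(SAMPLE_PROXY_LOG)
    for f in results:
        print(f.timestamp, f.host, f.url, ",".join(f.techniques), "matched on", f.matched_on)
    print("hosts to isolate:", hosts_to_isolate(results))
```

Note that the domain and IP checks are kept separate from the exact URL check: the third sample line hits the domain but not the payload URL, so it is reported as C2 contact only, and the fifth line reaches the C2 IP directly without any domain name, which is why matching on the destination IP as well as the hostname matters.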