Technique | Name | Evidence in this incident
T1566.001 | Phishing: Attachment | Malicious document used as initial infection vector
T1204.002 | User Execution: Malicious File | User opened the malicious document, triggering infection
T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell execution observed on endpoint
T1105 | Ingress Tool Transfer | Payload retrieval from external infrastructure
T1071.001 | Application Layer Protocol: Web Protocols | Communication with Emotet command and control servers
The alert SOC109 (Emotet Malware Detected) triggered after execution of the malicious document "MES 2020_12_31 S632974.doc" on host Maxim. The document is confirmed malicious and associated with Emotet. Following execution, the endpoint connected to multiple known malicious URLs and to command and control infrastructure. A PowerShell process was also observed running, indicating further payload execution.
Jan 01 2021 04:45 PM
Host Maxim (172.16.17.83) accessed http://decpak.com/cgi-bin/gU/, followed by connections to the malicious IPs 190.247.139.101 and 152.170.79.100, both associated with Emotet infrastructure.
The alert was triggered by detection of Emotet malware activity. Investigation confirms that the user executed a malicious document which initiated outbound connections to known Emotet command and control servers. The presence of a PowerShell process indicates additional payload execution or staging. The endpoint was contained to prevent further compromise and lateral movement.
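As an added illustration that is not part of the incident report, the following Python correlates constructed telemetry lines against the indicators quoted above (document name, URL and C2 IPs) and maps each hit to the ATT&CK techniques listed in the table, so a host showing the whole chain can be flagged for containment. The log format, the timestamps, the second host Kira and the internal DNS flow are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Indicators quoted from the incident report above.
IOC_URLS = {"http://decpak.com/cgi-bin/gU/"}
IOC_IPS = {"190.247.139.101", "152.170.79.100"}
MALDOC = "MES 2020_12_31 S632974.doc"

# Constructed sample telemetry in an assumed "time|host|source|detail" format.
# Host Kira, the DNS flow and the timestamps are made up for the demo.
SAMPLE_LOGS = """\
2021-01-01T16:40:00|Maxim|process|winword.exe opened MES 2020_12_31 S632974.doc
2021-01-01T16:41:10|Maxim|process|powershell.exe spawned by winword.exe
2021-01-01T16:42:05|Maxim|proxy|GET http://decpak.com/cgi-bin/gU/
2021-01-01T16:43:30|Maxim|netflow|dst=190.247.139.101:443
2021-01-01T16:44:00|Maxim|netflow|dst=152.170.79.100:8080
2021-01-01T16:44:30|Maxim|netflow|dst=172.16.17.1:53
2021-01-01T16:50:00|Kira|proxy|GET http://example.com/
"""

def classify(source, detail):
    """Map one event to the ATT&CK technique it evidences, or None."""
    if source == "process" and MALDOC in detail:
        return "T1204.002"                      # user opened the maldoc
    if source == "process" and detail.startswith("powershell.exe"):
        return "T1059.001"                      # PowerShell stage
    if source == "proxy" and any(u in detail for u in IOC_URLS):
        return "T1105"                          # payload retrieval URL
    if source == "netflow":
        m = re.search(r"dst=([\d.]+):\d+", detail)
        if m and m.group(1) in IOC_IPS:
            return "T1071.001"                  # Emotet C2 over web protocols
    return None

def correlate(logs):
    """Return {host: [(time, technique, detail), ...]} for hosts with any hit."""
    hits = defaultdict(list)
    for line in logs.splitlines():
        time, host, source, detail = line.split("|", 3)
        tech = classify(source, detail)
        if tech:
            hits[host].append((time, tech, detail))
    return {h: sorted(ev) for h, ev in hits.items()}

def infected_hosts(logs):
    """Hosts showing the whole chain (maldoc, PowerShell, C2): containment candidates."""
    chain = {"T1204.002", "T1059.001", "T1071.001"}
    return sorted(h for h, ev in correlate(logs).items()
                  if chain <= {t for _, t, _ in ev})
```

A host that only touches one indicator (here Kira, or the benign DNS flow on Maxim) produces no chain, which keeps the containment list to hosts where the full sequence is evidenced.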