// soc investigation 2026-04-05
SOC104 SOC104 - Malware Detected event 31
letsdefend critical closed ✓ true positive
mitre/T1204-002 mitre/T1105 mitre/T1071-001 mitre/T1041
analyst verdict TRUE POSITIVE

🎯 MITRE ATT&CK

T1204.002 User Execution: Malicious File - Execution of a malicious executable, likely delivered via phishing or download

T1105 Ingress Tool Transfer - Malware introduced to the system via external download

T1071.001 Application Layer Protocol: Web Protocols - Outbound communication to command and control infrastructure

T1041 Exfiltration Over C2 Channel - Potential data exfiltration over the established C2 channel

🔎 What

The alert SOC104 Malware Detected triggered after execution of the file Purchase-Order_NO.231101.exe on host JohnComputer. The file hash is confirmed malicious and associated with known malware. Network logs show outbound communication to 208.91.199.223 on port 587, which is identified as a malicious command and control server.

🕐 When

Oct 29 2020 07:55 PM

📍 Where

Host JohnComputer (172.16.17.82) executed Purchase-Order_NO.231101.exe and connected to 208.91.199.223:587.

💡 Why

The alert was triggered by detection of a known malicious executable. Investigation confirms that the file is malware and that it initiated communication with a known command and control server, which indicates active compromise of the endpoint. The host was contained to prevent further malicious activity and lateral movement.
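The verdict above rests on two observations joined together: a known-bad file executed on the host, and the same host reached the C2 endpoint shortly afterwards. The script below is an added example (not part of the LetsDefend case or its tooling) that reproduces that correlation over constructed process and network log lines; the file name, host, internal IP and 208.91.199.223:587 are taken from this alert, while the hash values are labelled placeholders because the case notes do not reproduce the real hash.

```python
"""Correlate process-execution and network-connection logs to reproduce the
SOC104 true-positive logic: flag a host that ran a known-bad file and then
connected to a known C2 endpoint within a short window (example code)."""
from datetime import datetime, timedelta

# Indicators from the alert. The hash is a PLACEHOLDER: the real value is
# not reproduced in the case notes, so it is not invented here.
MALICIOUS_HASHES = {"PLACEHOLDER_SHA256_PURCHASE_ORDER_EXE"}
C2_ENDPOINTS = {("208.91.199.223", 587)}
WINDOW = timedelta(minutes=10)  # max gap between execution and first beacon

# Constructed sample logs, format: "ts|host|kind|field1|field2|field3"
# proc: field1=image, field2=sha256, field3=user
# net:  field1=src_ip, field2=dst_ip, field3=dst_port
PROC_LOG = [
    "2020-10-29 19:55:00|JohnComputer|proc|Purchase-Order_NO.231101.exe|PLACEHOLDER_SHA256_PURCHASE_ORDER_EXE|john",
    "2020-10-29 19:56:10|JohnComputer|proc|outlook.exe|PLACEHOLDER_SHA256_OUTLOOK|john",
]
NET_LOG = [
    "2020-10-29 19:55:42|JohnComputer|net|172.16.17.82|208.91.199.223|587",
    "2020-10-29 19:57:00|JohnComputer|net|172.16.17.82|10.0.0.5|443",
]


def parse(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, host, kind, a, b, c = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "kind": kind, "a": a, "b": b, "c": c}


def find_true_positives(proc_lines, net_lines):
    """Return (host, image, dst_ip, dst_port) for every known-bad execution
    that is followed, on the same host and within WINDOW, by a connection
    to a known C2 endpoint. A beacon that precedes the execution is ignored."""
    execs = [e for e in map(parse, proc_lines) if e["b"] in MALICIOUS_HASHES]
    conns = [n for n in map(parse, net_lines)
             if (n["b"], int(n["c"])) in C2_ENDPOINTS]
    hits = []
    for e in execs:
        for n in conns:
            if n["host"] == e["host"] and e["ts"] <= n["ts"] <= e["ts"] + WINDOW:
                hits.append((e["host"], e["a"], n["b"], int(n["c"])))
    return hits


if __name__ == "__main__":
    for host, image, dst, port in find_true_positives(PROC_LOG, NET_LOG):
        print(f"TRUE POSITIVE: {host} ran {image} then reached {dst}:{port}; contain host")
```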