Technique ID | Technique | Observation in this case
T1566.001 | Phishing: Spearphishing Attachment | Malicious document used as the initial infection vector
T1204.002 | User Execution: Malicious File | User opened the malicious document, triggering execution
T1059.001 | Command and Scripting Interpreter: PowerShell | Document likely executed a script-based payload (inferred from the malware family's behavior, not directly observed in the alert)
T1105 | Ingress Tool Transfer | Payload retrieved from external infrastructure
T1071.001 | Application Layer Protocol: Web Protocols | Communication with command and control servers over HTTP/HTTPS
The alert SOC104 Malware Detected triggered after execution of the file 5919600.doc on host GeorgProd. The file's hash was confirmed malicious via VirusTotal. Sandbox analysis identified command and control infrastructure associated with the malware, including the domain www.drleenasreedhar.com and the IP address 75.188.96.231.
Oct 20 2020 09:36 PM: Host GeorgProd (172.16.17.41) accessed external C2 infrastructure at www.drleenasreedhar.com and 75.188.96.231.
The alert was triggered by detection of a malicious document. Investigation confirms the file is malware and that the endpoint established connections to known command and control infrastructure, indicating an active compromise (true positive). The host was contained to prevent further malicious activity and lateral movement.
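As an added example (not part of the original case report or any SOC tooling it used), the following Python script shows the kind of check behind the "endpoint established connections to known C2 infrastructure" finding: it matches proxy/firewall log entries against the two sandbox-reported indicators, www.drleenasreedhar.com and 75.188.96.231, optionally restricted to the suspect host 172.16.17.41. The log lines and their key=value format are constructed for illustration; the rule that also flags siblings of the indicator's parent domain (drleenasreedhar.com) as lower-confidence "parent_domain" hits is an analyst choice assumed here, not something the report states. Note the two edge cases the script handles: a destination written in upper case with a trailing dot, and a near-miss IP (75.188.96.23) that a naive substring match would wrongly flag.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the case report (sandbox-reported C2 infrastructure).
C2_DOMAINS = {"www.drleenasreedhar.com"}
C2_IPS = {ipaddress.ip_address("75.188.96.231")}
SUSPECT_HOST_IP = ipaddress.ip_address("172.16.17.41")  # GeorgProd

# Constructed sample proxy/firewall log lines (illustrative, not logs from the incident).
# Assumed format: "<timestamp> src=<ip> dst=<host-or-ip> dport=<port> proto=<proto> action=<action>"
SAMPLE_LOG = """\
2020-10-20T21:35:58 src=172.16.17.41 dst=update.microsoft.com dport=443 proto=https action=allow
2020-10-20T21:36:02 src=172.16.17.41 dst=www.drleenasreedhar.com dport=80 proto=http action=allow
2020-10-20T21:36:05 src=172.16.17.41 dst=75.188.96.231 dport=443 proto=https action=allow
2020-10-20T21:36:09 src=172.16.17.22 dst=cdn.drleenasreedhar.com dport=80 proto=http action=allow
2020-10-20T21:36:14 src=172.16.17.41 dst=DRLEENASREEDHAR.COM. dport=443 proto=https action=deny
2020-10-20T21:36:20 src=172.16.17.41 dst=75.188.96.23 dport=443 proto=https action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    indicator: str   # the IOC from the report that this entry matched
    match_type: str  # "ip", "domain" (exact) or "parent_domain" (assumed lower-confidence rule)


def normalize_host(dst: str) -> str:
    """Lower-case the destination and drop a trailing root dot so FQDN spellings compare equal."""
    return dst.strip().lower().rstrip(".")


def parent_domain(fqdn: str) -> str:
    """Assumption: for an indicator written as www.<domain>, treat <domain> as its parent."""
    return fqdn[4:] if fqdn.startswith("www.") else fqdn


def classify_destination(dst: str) -> Optional[Tuple[str, str]]:
    """Return (indicator, match_type) when dst matches an IOC, else None."""
    host = normalize_host(dst)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Compare parsed addresses, never strings: "75.188.96.23" must not match "75.188.96.231".
        return (str(ip), "ip") if ip in C2_IPS else None
    for dom in C2_DOMAINS:
        if host == dom:
            return (dom, "domain")
        parent = parent_domain(dom)
        if host == parent or host.endswith("." + parent):
            return (dom, "parent_domain")
    return None


def find_c2_hits(log_lines: Iterable[str],
                 src_filter: Optional[ipaddress.IPv4Address] = None) -> List[Hit]:
    """Scan log lines for destinations matching the C2 indicators, optionally for one source host."""
    hits: List[Hit] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        if src_filter is not None:
            try:
                if ipaddress.ip_address(m["src"]) != src_filter:
                    continue
            except ValueError:
                continue
        result = classify_destination(m["dst"])
        if result is not None:
            hits.append(Hit(m["ts"], m["src"], m["dst"], result[0], result[1]))
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG.splitlines(), src_filter=SUSPECT_HOST_IP):
        print(f"{hit.timestamp} {hit.src} -> {hit.dst} [{hit.match_type}: {hit.indicator}]")
```

Run against the constructed log, the host-filtered scan returns three hits for 172.16.17.41 (the exact domain, the exact IP, and the parent-domain variant), the unfiltered scan adds a fourth from 172.16.17.22 that would warrant a look at that second host, and the near-miss IP is correctly ignored. The first timestamp among the hits is the value to carry into the incident timeline.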