
Incident Report

📅 Published: 2026-05-18 13:40 | 🔄 Last Updated: 2026-05-21 23:41


Case Study: Sandcat Agent Leads to Rapid Ransomware Deployment and Defacement

Case Summary

On May 19 2026, a threat actor gained initial access to a workstation (WS01) via a malicious PowerShell script disguised as a financial report. The script deployed a Caldera Sandcat agent, establishing a Command and Control (C2) channel. Within five minutes of initial access, the adversary successfully bypassed User Account Control (UAC) via fodhelper.exe to achieve elevated privileges, and utilized comsvcs.dll to dump LSASS memory for credential harvesting.

Leveraging the stolen Administrator credentials, the threat actor utilized PsExec to move laterally to the Domain Controller (DC01). Once on the DC, the adversary established WMI persistence, impaired system defenses by disabling Sysmon, and exfiltrated sensitive executive documents. The intrusion culminated in the deletion of Volume Shadow Copies, encryption of target files, appending a .ransom extension, and the deployment of a ransom note as the desktop wallpaper. The entire attack chain, from initial access to ransomware deployment, took approximately 30 minutes.

Analysis

Initial Access & Execution

The intrusion began on WS01 when a user named jim downloaded and executed a file named Annual_Report_2026.ps1. The presence of a Zone.Identifier (Mark-of-the-Web) confirmed the payload was acquired externally. The user initially opened the file via Notepad before executing it using PowerShell 7 (pwsh.exe).

This script acted as a dropper, contacting the threat actor's infrastructure at http://192.168.253.128:80 to download a Caldera Sandcat agent named sandcat.go, which was subsequently written to disk and executed from C:\Users\jim\AppData\Local\Temp\winupdate.exe.

Command & Control

Over the course of the intrusion the threat actor relied on http://192.168.253.128:80 to remotely execute commands.

Privilege Escalation

To elevate privileges from a Medium to High integrity level, the adversary abused fodhelper.exe, a legitimate Windows binary that auto-elevates without prompting the user. The threat actor modified the HKCU\Software\Classes\ms-settings\Shell\open\command registry key, inserting a DelegateExecute value pointing to the Sandcat payload. After gaining elevated privileges, the registry modifications were immediately deleted.

Disk forensics confirmed this activity by parsing the user's UsrClass.dat hive, which successfully recovered the deleted DelegateExecute key and its malicious payload.

Discovery

Initially, the adversary engaged in heavy discovery using native living-off-the-land binaries (LOLBins) including whoami, systeminfo, net localgroup, and netstat. The output of these commands was concatenated into a single string for rapid exfiltration.

With elevated privileges, the attacker then executed PowerView.ps1 filelessly in memory to map the Active Directory environment.

Credential Access

Following discovery, the adversary accessed the lsass.exe process using the comsvcs.dll MiniDump function via rundll32.exe. The resulting memory dump was temporarily stored at C:\Users\jim\AppData\Local\Temp\lsass.dmp.

Exfiltration

The threat actor then exfiltrated the dump to the C2 server over HTTPS using curl.exe and removed lsass.dmp from WS01.

Lateral Movement

Using the credentials harvested from WS01, the attacker moved laterally to DC01 using PsExec (PSEXESVC.exe) over SMB (port 445). A new service (PSEXESVC) was installed, and the Sandcat agent (winupdate.exe) was dropped and executed with NT AUTHORITY\SYSTEM privileges.

Persistence

The adversary established persistence mechanisms on both hosts:

  • WS01: A registry Run key named WindowsUpdateManager was created, executing the payload upon logon. This was verified via NTUSER.DAT analysis.

  • DC01: A sophisticated WMI Event Subscription was created. An event filter named updater monitored system uptime, binding to a CommandLineEventConsumer configured to launch winupdate.exe. Parsing the OBJECTS.DATA WMI repository during disk forensics confirmed this fileless persistence mechanism.

Defense Impairment

Prior to final impact operations on DC01, the adversary unloaded the Sysmon filter driver (fltmc.exe unload SysmonDrv) to blind telemetry.

Amcache and Prefetch analysis were required to reconstruct subsequent executions.

Stealth

To further hinder investigation, the adversary utilized PowerShell to timestomp the encrypted files, changing their $STANDARD_INFORMATION timestamps to 01/01/2010. Disk forensics via MFT analysis bypassed this evasion tactic by observing the immutable $FILE_NAME timestamps.
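The $STANDARD_INFORMATION versus $FILE_NAME comparison described above, as an added example that is not part of the original report: the records are constructed to resemble rows from a parsed MFT (the field names si_created, si_modified and fn_created are assumptions, not any particular tool's output), and the function reports every contradiction it finds.

```python
from datetime import datetime, timezone

def parse(ts):
    """Parse a 'YYYY-MM-DD HH:MM:SS.ffffff' string as a UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def timestomp_indicators(rec):
    """Return the reasons a parsed-MFT record looks timestomped (empty = clean)."""
    reasons = []
    si_c, si_m = parse(rec["si_created"]), parse(rec["si_modified"])
    fn_c = parse(rec["fn_created"])
    # $FILE_NAME is written only by the kernel on create, rename and move and is
    # not reachable through SetFileTime, so $STANDARD_INFORMATION predating it
    # is a contradiction, not a possible file history.
    if si_c < fn_c:
        reasons.append("SI created precedes FN created")
    if si_m < fn_c:
        reasons.append("SI modified precedes FN created")
    # Timestamps assigned from a date string such as 01/01/2010 carry no
    # sub-second part; genuine NTFS timestamps almost always do.
    if si_c.microsecond == 0 and si_m.microsecond == 0:
        reasons.append("SI timestamps have zero sub-second precision")
    return reasons

def scan(records):
    """Map file name -> indicator list for every record with at least one indicator."""
    flagged = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec["name"]] = reasons
    return flagged

# Constructed sample rows (not real MFT data): one encrypted file stomped to
# 01/01/2010 as in this intrusion, and one untouched file as a control.
SAMPLE_MFT = [
    {"name": "Q1_Report.pdf.ransom", "si_created": "2010-01-01 00:00:00.000000",
     "si_modified": "2010-01-01 00:00:00.000000", "fn_created": "2026-05-19 11:54:44.120345"},
    {"name": "Board_Minutes.pdf", "si_created": "2026-03-02 08:15:22.431200",
     "si_modified": "2026-03-02 08:20:01.003400", "fn_created": "2026-03-02 08:15:22.431200"},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_MFT).items():
        print(name, "->", "; ".join(reasons))
```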

Impact

The attacker compressed sensitive PDF files in C:\c-suite-docs\ into a zip archive (loot.zip) and exfiltrated them via a PowerShell web request. To inhibit system recovery, Volume Shadow Copies were deleted using vssadmin.exe.

A PowerShell script appended a .ransom extension to the target documents.

An inspection of the UsnJrnl logs also indicates that a .ransom extension was appended to the PDF files.

Finally, the adversary downloaded ransom.jpg and executed C# code to change the desktop wallpaper, concluding the attack with internal defacement.
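As an added example that is not part of the original report, the following detection logic turns the registry and command-line artifacts described in the Privilege Escalation, Credential Access, Lateral Movement, Defense Impairment and Impact sections into rules run over Sysmon-style process-creation and registry events; the sample events, the SID and the LSASS PID are constructed.

```python
import re

# Each rule: (name, Sysmon event id, field to inspect, regex). Event 1 is process
# creation and event 13 is a registry value set. The patterns are written here
# from the artifacts reconstructed in this report, not taken from any rule set.
RULES = [
    ("fodhelper UAC bypass: DelegateExecute under ms-settings", 13, "TargetObject",
     r"(?i)\\ms-settings\\Shell\\open\\command\\DelegateExecute$"),
    ("LSASS dump via comsvcs.dll MiniDump", 1, "CommandLine",
     r"(?i)rundll32.*comsvcs\.dll.*MiniDump"),
    ("PsExec service binary started", 1, "Image", r"(?i)\\PSEXESVC\.exe$"),
    ("Sysmon driver unloaded with fltmc", 1, "CommandLine",
     r"(?i)fltmc(\.exe)?\s+unload\s+SysmonDrv"),
    ("Volume Shadow Copies deleted", 1, "CommandLine",
     r"(?i)vssadmin(\.exe)?\s+delete\s+shadows"),
]

def match(rules, events):
    """Return (rule name, event) pairs for every event that hits a rule, in event order."""
    hits = []
    for ev in events:
        for name, event_id, fld, pattern in rules:
            if ev.get("EventID") == event_id and re.search(pattern, ev.get(fld, "")):
                hits.append((name, ev))
    return hits

# Constructed sample events mirroring timeline steps 5, 7, 9, 13 and 14; the SID,
# the LSASS PID (624) and the benign Notepad control event are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jim\Downloads\Annual_Report_2026.ps1"},
    {"EventID": 13, "Image": r"C:\Users\jim\AppData\Local\Temp\winupdate.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\ms-settings\Shell\open\command\DelegateExecute",
     "Details": r"C:\Users\jim\AppData\Local\Temp\winupdate.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\jim\AppData\Local\Temp\lsass.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fltMC.exe", "CommandLine": "fltmc.exe unload SysmonDrv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for name, ev in match(RULES, SAMPLE_EVENTS):
        print(f"[{name}] {ev.get('CommandLine') or ev.get('TargetObject')}")
```

The registry pattern deliberately anchors on the ms-settings path rather than the HKCU prefix, because Sysmon records the per-user Classes hive as HKU\<SID>_Classes.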

Indicators of Compromise (IOCs)

Network

  • 192.168.253[.]128:80 - Command and Control (Sandcat HTTP Beacon)
  • 192.168.253[.]128:443 - Exfiltration Destination (LSASS dump, Stolen Data, Ransom Note Download)

Host Artifacts

  • File: C:\Users\jim\Downloads\Annual_Report_2026.ps1 (Initial Payload)
    • SHA256: 8F3D61584F3E73FAC46A3E126860B9E4025C4C829477FB57626C2791317677D9
  • File: C:\Users\jim\AppData\Local\Temp\winupdate.exe (Sandcat Agent WS01)
    • SHA256: BBE9707328838688DD88F50C147619D429582E742040056ACADA0F00E78DB351
  • File: C:\Windows\Temp\winupdate.exe (Sandcat Agent DC01)
    • SHA256: 297483A434E51A85CF592A4F6ABB2A504D6C6EBD8FCA6E7D891D4E8DB27D5EAE
  • File: C:\Users\jim\AppData\Local\Temp\lsass.dmp (Credential Dump)
  • File: C:\Users\Public\ransom.jpg (Defacement Wallpaper)
    • SHA256: F54BAE9B17E56E46224E1F448A2ED3296ACA217F7F2565EF999E91C9140315FB
  • Memory Mutex: \Sessions\1\BaseNamedObjects\SMO pid:12012 WilStaging_02

Registry & WMI

  • Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateManager
  • Registry Key: HKCU\Software\Classes\ms-settings\Shell\open\command\DelegateExecute
  • WMI Filter: updater (Query: SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325)

Timeline (UTC+7:00)

  1. 18:30:01 - Initial Access: User executes Annual_Report_2026.ps1 on WS01.
  2. 18:31:03 - Execution: winupdate.exe executes and initiates C2 beaconing.
  3. 18:33:32 - Persistence: Run Key WindowsUpdateManager created on WS01.
  4. 18:34:25 - Discovery: Automated system enumeration scripts executed on WS01.
  5. 18:35:25 - Privilege Escalation: UAC bypassed using fodhelper.exe.
  6. 18:36:26 - Discovery: PowerView utilized for Active Directory enumeration.
  7. 18:37:58 - Credential Access: LSASS dumped via comsvcs.dll (lsass.dmp).
  8. 18:38:37 - Exfiltration: lsass.dmp exfiltrated via curl.exe.
  9. 18:40:05 - Lateral Movement: Lateral movement to DC01 via PsExec.
  10. 18:41:59 - Discovery: File and folder discovery using cmd on DC01.
  11. 18:44:40 - Exfiltration: PDF documents staged into loot.zip and exfiltrated from DC01.
  12. 18:44:41 - Persistence: WMI Event Subscription created on DC01.
  13. 18:52:04 - Defense Impairment: Sysmon driver unloaded on DC01.
  14. 18:54:44 - Impact: Shadow Copies deleted and PDF files encrypted.
  15. 18:54:44 - Impact: Encrypted all PDFs into the .ransom extension.
  16. 19:00:13 - Stealth: Altered the Standard Information timestamps of PDF files.
  17. 19:00:13 - Impact: Internal wallpaper defacement.

MITRE ATT&CK

No | Tactic (Lifecycle Phase) | Technique/Sub-technique                                               | MITRE ID
1  | Initial Access           | Phishing: Spearphishing Link                                          | T1566.002
2  | Execution                | User Execution: Malicious File                                        | T1204.002
3  | Persistence              | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001
4  |                          | Event Triggered Execution: WMI Event Subscription                     | T1546.003
5  | Privilege Escalation     | Abuse Elevation Control Mechanism: Bypass User Account Control        | T1548.002
6  | Defense Impairment       | Disable or Modify Tools                                               | T1685
7  | Stealth                  | Indicator Removal on Host: Timestomp                                  | T1070.006
8  | Credential Access        | OS Credential Dumping: LSASS Memory                                   | T1003.001
9  | Discovery                | System Information Discovery                                          | T1082
10 |                          | Account Discovery: Domain Account                                     | T1087.002
11 |                          | File and Directory Discovery                                          | T1083
12 | Lateral Movement         | Lateral Tool Transfer                                                 | T1570
13 | Command & Control        | Application Layer Protocol: Web Protocols                             | T1071.001
14 | Exfiltration             | Exfiltration Over C2 Channel                                          | T1041
15 | Impact                   | Inhibit System Recovery                                               | T1490
16 |                          | Data Encrypted for Impact                                             | T1486
17 |                          | Defacement: Internal Defacement                                       | T1491.001

Remediation and Recommendations

Containment & Eradication

  • Host Isolation: Immediately isolate WS01 and DC01 from the production network to sever the active Sandcat C2 connection over port 80.
  • Credential Revocation: Force a global password reset for all compromised accounts, specifically the Domain Admin credentials harvested from WS01. Purge all active Kerberos tickets (Golden/Silver ticket prevention).
  • Eradicate Persistence Mechanisms:
    • Delete the WindowsUpdateManager Run key on WS01.
    • Remove the malicious WMI Event Subscription (updater) and its associated CommandLineEventConsumer on DC01.
  • System Rebuild: Due to the deployment of ransomware and intentional defense impairment, both WS01 and DC01 should be wiped and rebuilt from known-good, immutable backups taken before the May 19, 2026 intrusion.

System Hardening & Prevention

To prevent recurrence of the tactics, techniques, and procedures (TTPs) utilized by this threat actor, the following architectural and policy controls are recommended:

  • Mitigate Privilege Escalation (UAC Bypass): The adversary abused fodhelper.exe via registry modifications to elevate privileges.
    • Recommendation: Enforce the "Always Notify" UAC setting. Standardize Least Privilege User Accounts (LUA) so standard users (like jim) lack the permissions required to modify sensitive HKCU registry keys.
  • Prevent Credential Dumping: The attacker used comsvcs.dll via rundll32.exe to dump LSASS memory.
    • Recommendation: Enable Microsoft Defender Credential Guard and configure LSA Protection (RunAsPPL) to block unauthorized processes from reading lsass.exe memory.
  • Restrict Lateral Movement: The threat actor utilized stolen Administrator credentials and PsExec over SMB to move laterally to the Domain Controller.
    • Recommendation: Implement Windows Local Administrator Password Solution (LAPS) to randomize local admin passwords and prevent lateral movement. Network segmentation should also be enforced to strictly limit workstation-to-workstation SMB (port 445) communication.
  • PowerShell Execution Controls: The attack relied heavily on PowerShell for initial payload execution, C2 staging, and timestomping.
    • Recommendation: Enforce PowerShell Constrained Language Mode (CLM) and implement stricter Execution Policies across the domain to block unsigned, external scripts.
  • Defense Impairment Protections: The adversary successfully unloaded the Sysmon filter driver (fltmc.exe unload SysmonDrv) to blind telemetry.
    • Recommendation: Enable Tamper Protection on all endpoint detection and response (EDR) and logging agents to prevent administrative disabling or driver unloading.