
#36878 [Huntress Detection] CRITICAL - ISOLATED - Incident on WLF-B3M9CY3 (Williams Law Firm, PC)

New 2 Normal Created Jan 7, 2026, 1:37 AM
Huntress (internal) Jan 7, 2026, 1:37 AM
*** The Huntress Agent has been tasked to isolate this host from the rest of the network in order to prevent the incident from spreading to other hosts. ***

If you have an urgent request for support, use the link below to request a callback from SOC Support.
https://artichoke.huntress.io/org/53144/infection_reports/1870855/soc_callback_requests/new

Host: WLF-B3M9CY3 - https://artichoke.huntress.io/org/53144/agents/7199411
Organization: Williams Law Firm, PC
Tags: None
Security Products: Windows Defender

Incident Report: https://artichoke.huntress.io/org/53144/infection_reports/1870855
Severity: Critical

Investigative Summary:
----------------------
At 2026-01-07 01:04:07 UTC, Huntress detected a phishing-driven compromise on host "WLF-B3M9CY3". The detection originated from process telemetry showing the execution of a renamed SimpleHelp RMM tool. User account "WLF\susan (SID: S-1-12-1-3642475374-1157722717-1841779635-2781711575)" interacted with a malicious link via "msedge.exe", which triggered the download and execution of a file masquerading as a Social Security statement. This file is a remote access tool used by attackers to gain full interactive control of the system.

User Account: "WLF\susan"
 SID: "S-1-12-1-3642475374-1157722717-1841779635-2781711575"

Domain: "dhnbc-zngp[.]maillist-manage[.]com"

File Path: "C:\Users\susan\Downloads\Social_Security_eStatement_Ref_51489481058.exe"
SHA256: "1dc76cd2c0c2d125b65e20a7d579e9f6098f4622588a53849251f0a36651ef8a"

File Path: "C:\Windows\Temp\elev_win.exe"

File Path: "C:\Windows\Temp\session_win.exe"

The investigation identified a successful social engineering attack. Following the execution of the initial payload, the system triggered UAC prompts to grant the attacker elevated privileges. Telemetry shows active remote control sessions, evidenced by the "elev_win.exe" utility performing mouse location queries. This suggests a threat actor was actively navigating the system's interface in real-time.

2026-01-07 01:04:07 UTC - Malicious executable "Social_Security_eStatement_Ref_51489481058.exe" executed via Edge.
2026-01-07 01:04:07 UTC - UAC elevation request triggered (PID: 17680).
2026-01-07 19:51:56 UTC - Active remote session observed via "elev_win.exe" with "--mouselocation".
2026-01-07 20:14:31 UTC - "session_win.exe" observed managing persistent remote connection.

Please carry out assisted remediation to remove the malicious files and associated RMM components. If the host is released from isolation while the malicious files or persistence mechanisms are still present, the threat actor will retain control of this system. Failure to fully remediate could result in lateral movement or data exfiltration.

Threat Descriptions:
--------------------
Malicious Remote Management Tool: A legitimate remote management tool has been misused by a threat actor to gain unauthorized access and control of the reported endpoint. Threat actors do this to hide their presence, maintain persistence and further exploit the network.

Rogue SimpleHelp: Huntress has been tracking a number of threat actors who convince users via email to run malicious SimpleHelp installers that give the threat actor remote access to the host.

Remediations:
-------------
Assisted Remediations are provided by the Huntress SOC to remediate the incident. They can be executed automatically in the Huntress Platform:
- Delete File - path: C:\Users\susan\Downloads\Social_Security_eStatement_Ref_51489481058.exe + sha256: 1dc76cd2c0c2d125b65e20a7d579e9f6098f4622588a53849251f0a36651ef8a
- Reboot the Host - remediation: A reboot is required to complete the remediation plan

Manual Remediations provided by the Huntress SOC are highly recommended remediation actions to be conducted by your team before resolving the incident in the Huntress Platform:
- Enroll the user in a security awareness training session to reinforce safe practices in the corporate environment.
- Audit affected directories/files for additional suspicious files and remove those found. 

All remediations provided can be found in the Huntress Platform: Incident Report: https://artichoke.huntress.io/org/53144/infection_reports/1870855#remediations-tab

Lead Signal Information:
------------------------
Signal Name: Web Browser Process Spawning Renamed Rmm
Detected At: 2026-01-07 01:09:48 UTC
Start Time: 2026-01-07 01:04:05 UTC
Command: "C:\Users\susan\Downloads\Social_Security_eStatement_Ref_51489481058.exe"
Executable: C:\Users\susan\Downloads\Social_Security_eStatement_Ref_51489481058.exe
Process ID: 1e59ad2b-eb4b-11f0-9a74-b0dcef1c5af1
Parent Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: susan
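As an added example, not Huntress's detection code, here is a simplified version of the lead signal's logic in Python: flag a process spawned by a browser whose PE product metadata identifies a known RMM but whose on-disk file name is not one the product normally ships under. The RMM name table, the `product` telemetry field and the sample events are assumptions constructed for this illustration.

```python
import os
from dataclasses import dataclass

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}  # constructed list

# Assumption: RMM product names (as seen in PE version info) mapped to the file
# names the product normally ships under. Illustrative, not vendor-verified.
KNOWN_RMM = {"simplehelp": {"remote access.exe", "simplehelp.exe"}}


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    product: str  # PE version-info ProductName; constructed telemetry field


def _name(path: str) -> str:
    """Lower-cased file name from a Windows path, usable on any host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_renamed_rmm_from_browser(ev: ProcEvent) -> bool:
    """True when a browser spawns a known RMM running under an unexpected name."""
    if _name(ev.parent_image) not in BROWSERS:
        return False
    product = ev.product.lower().replace(" ", "")
    child = _name(ev.image)
    return any(vendor in product and child not in names
               for vendor, names in KNOWN_RMM.items())


def scan(events):
    """Return image paths of events matching the renamed-RMM-from-browser pattern."""
    return [ev.image for ev in events if is_renamed_rmm_from_browser(ev)]


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed events; the first mirrors the report's lead signal.
SAMPLE_EVENTS = [
    ProcEvent(EDGE, r"C:\Users\susan\Downloads\Social_Security_eStatement_Ref_51489481058.exe",
              "SimpleHelp"),
    # Legitimate RMM started from Explorer under its normal name: not flagged.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Tools\Remote Access.exe", "SimpleHelp"),
    # Ordinary download that is not an RMM: not flagged.
    ProcEvent(EDGE, r"C:\Users\susan\Downloads\Firefox Installer.exe", "Firefox"),
]

if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("ALERT renamed RMM launched by browser:", path)
```

In production the product metadata would come from the EDR's PE version-info or signer fields; the check is deliberately narrow so that RMMs run from their normal install paths under their own names do not alert.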

All investigated signals can be found in the Huntress Platform: https://artichoke.huntress.io/org/53144/infection_reports/1870855#signals-investigated-tab

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
Artichoke Support - Peet (internal) Jan 7, 2026, 1:42 AM
The following remediation plan was approved by [email protected]:

Assisted Remediations:
Reboot the Host: ["Remediation: A reboot is required to complete the remediation plan"]
Delete File: ["Path: C:\\Users\\susan\\Downloads\\Social_Security_eStatement_Ref_51489481058.exe", "Sha256: 1dc76cd2c0c2d125b65e20a7d579e9f6098f4622588a53849251f0a36651ef8a"]

Manual Remediations:
Enroll the user in a security awareness training session to reinforce safe practices in the corporate environment.
Audit affected directories/files for additional suspicious files and remove those found.