T1047 Windows Management Instrumentation T1204 User Execution T1486 Data Destruction or Impact T1059 Command Shell
Source host Exchange Server 172.16.20.3 detected suspicious file lunch.exe with hash f2b7074e1543720a9a98fda660e02688
Malicious executable lunch.exe executed secondary files including windl.bat and rniw.exe. Behavior caused forced shutdown and created numerous malicious text files and desktop artifacts
Mar 15 2021 10:57 PM
File activity observed under C Users admin AppData Local Temp and Desktop paths. No external C2 communication identified
Malware designed to execute destructive payload causing system shutdown and desktop file spam. Likely impact or scareware style attack rather than data exfiltration
Sandbox analysis confirmed batch file execution and system shutdown behavior. Multiple temporary files and executables dropped. No outbound connections observed. Endpoint logs show no user execution evidence. Exchange cleaned attachment before impact. True Positive detection with no confirmed compromise
Action Attachment cleaned by Exchange. No further remediation required. Monitoring continued for related hashes and indicators