Command Zero
Narration by Agent Zero
Critical
run-d63270f8-a44e-42fa-9c86-023ca4d3ed4f
Compromised
High confidence
  • endpoint-compromise
  • malware
  • persistence
  • c2-communication
  • manufacturing
  • windows-7

Manufacturing Workstation Compromised: Multi-Stage Malware with Persistence and C2 Communication

Manufacturing workstation ws-001 shows strong multi-stage compromise evidence: malicious persistence installation via Startup folder, process injection into system processes, C2 communication via DGA domains and non-standard port 447, and re-execution of the same malicious binary 66 hours later. The attacker maintained a foothold despite CrowdStrike's quarantine actions.

AUTONOMOUS INVESTIGATION
Command Zero · Agent Zero

Investigation time: 8m 15s (autonomous)
Questions asked: 13 (CrowdStrike)
Records analyzed: 2.2K (across all data sources)
Human analysis: ~2 hrs (Tier-2 equivalent *)
Analyst cost saved: ~$185 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On 2026-04-26 at 10:05:53 UTC, CrowdStrike Falcon detected a multi-stage attack chain on ws-001, a Windows 7 manufacturing workstation at a Philippines facility. The process [CUSTOM_APP_1].exe spawned iexplore.exe instances that wrote a malicious executable (`kxnbrjvz.exe`, SHA256: [MALWARE_HASH_2]) to the user Startup folder, a known persistence location, and attempted process injection into `iexplore.exe` and `dwm.exe`. The malware then queried DGA-characteristic domains (`xkrqnvbplt.com`, `wfsrtmnxqzpb.com`, `qhvnplxmrtw.com`, `bzrkvfmnxqplts.com`) and established an outbound connection to `[EXTERNAL_IP_2]:447`, a non-standard port, consistent with C2 communication. What made this signal critical was not the initial execution but what survived containment: the same iexplore.exe binary (SHA256: [MALWARE_HASH_1]) re-executed 66 hours later on 2026-04-29 from a different parent process (`explorer.exe`), indicating the attacker retained a foothold despite CrowdStrike's quarantine and process-kill actions. The investigation correlated 14 CrowdStrike alerts across multiple MITRE ATT&CK tactics (Execution, Persistence, Defense Evasion, Command and Control) and 2,245 telemetry records over 3 days, revealing a persistent foothold and broader campaign activity on sibling hosts.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be a true positive that was successfully blocked?

Ruled out (high confidence)

Evidence weighed (each rated moderate):
  • kxnbrjvz.exe quarantined by CrowdStrike on 2026-04-26
  • Injecting iexplore.exe processes killed on 2026-04-26
  • MaliciousModule iexplore.exe killed on 2026-04-29

Dismissed: While CrowdStrike's prevention policy quarantined kxnbrjvz.exe and killed the injecting processes on 2026-04-26, the threat demonstrably persisted. The same iexplore.exe binary (identical SHA256) re-executed 66 hours later on 2026-04-29 from a different parent process (explorer.exe instead of [CUSTOM_APP_1].exe), indicating the attacker maintained a foothold. The Startup folder persistence mechanism was installed before quarantine, and the 2026-04-27 Early Exploit Pivot Detect alert confirms continued unusual execution behavior between the two main events. A TRUE_POSITIVE_BLOCKED verdict requires that every identified activity was blocked with no successful unauthorized access; that condition is not met given the persistence installation and re-execution evidence.
H2: Could this be malicious execution without post-exploitation success?

Ruled out (high confidence)

Evidence weighed (each rated moderate):
  • Startup folder persistence installation (kxnbrjvz.exe)
  • DGA domain DNS queries and C2 connection to [EXTERNAL_IP_2]:447
  • Re-execution of the same malicious binary 66 hours later from a different parent

Dismissed: The MALICIOUS verdict applies when malicious artifact execution is observed but post-exploitation objectives have not been achieved. Here, post-exploitation objectives were achieved: (1) persistence was installed via the Startup folder (kxnbrjvz.exe) before quarantine; (2) C2 communication was attempted via DGA domains and a non-standard port connection; (3) the malicious binary persisted and re-executed 66 hours later from a different execution path, indicating the attacker maintained access beyond the initial execution event. The COMPROMISED verdict is the appropriate one when the attacker exercised control beyond the initial intrusion.
H3: Could this be suspicious activity requiring further investigation?

Ruled out (high confidence)

Evidence weighed (each rated moderate):
  • Pre-registered IOC hash match on the dropped file
  • Multiple independent detection mechanisms firing simultaneously
  • Analyst-confirmed true positives on sibling hosts

Dismissed: The evidence substantially exceeds the threshold for a SUSPICIOUS verdict. Multiple independent detection mechanisms (IOC hash match, behavioral injection detection, DGA DNS queries, non-standard port C2 connection, re-execution of the same malicious binary) across multiple MITRE ATT&CK tactics provide convergent evidence of confirmed compromise. The IOC was pre-registered in the organization's threat intelligence, and sibling hosts have analyst-confirmed true positives. There is no genuine ambiguity requiring further investigation before a verdict can be rendered.
H4: Could this be a false positive alert?

Ruled out (high confidence)

Evidence weighed (each rated moderate):
  • Pre-existing IOC hash match (known_malware scenario)
  • DGA-characteristic domain queries
  • Non-standard port C2 connection

Dismissed: A false positive explanation is inconsistent with the evidence. The dropped file matched a pre-existing IOC hash, the DNS queries exhibit DGA characteristics, the C2 connection used a non-standard port, process injection was attempted into system processes, and the same malicious binary re-executed 66 hours later. No legitimate business process or system maintenance activity explains this combination across multiple independent detection mechanisms.

Disconfirming Evidence

Evidence that pushed against the agent's working hypothesis. No item in this category was recorded for this investigation; the containment actions that argued for a blocked outcome (quarantine and process kills) are weighed under H1 above.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

Endpoint alert / file write event
Malicious executable kxnbrjvz.exe (SHA256: [MALWARE_HASH_2]) written by iexplore.exe to the user Startup folder (\Users\user_1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kxnbrjvz.exe) at 2026-04-26T10:05:55Z, establishing persistence. File was subsequently quarantined by CrowdStrike.
CrowdStrike Falcon alert (OnWriteIOCPolicySHA256High, pattern 5815)
Process execution chain
[CUSTOM_APP_1].exe (C:\[CUSTOM_DIR_1]\[CUSTOM_DIR_2]\ws-001\[CUSTOM_APP_1].exe) spawned multiple iexplore.exe child processes at 10:05:53-10:05:56 UTC on 2026-04-26, which then performed malicious file writes and injection attempts. This parent-child relationship is anomalous for a manufacturing application.
CrowdStrike Falcon alert detail (process_details, parent_details fields)
Process injection detection
Three MaliciousInjection alerts (T1055) on 2026-04-26 at 10:06:57 UTC: iexplore.exe (PID 3888) attempted injection (blocked, process killed); iexplore.exe (PID 3888) made a second injection attempt (blocked); injection into dwm.exe (PID 852) was detected. The dwm.exe target is notable: Desktop Window Manager is a long-running, always-present system process, which makes it an attractive host for injected code that must outlive the launching process, and a browser has no legitimate reason to write into it.
CrowdStrike Falcon alerts (MaliciousInjection, pattern 10133)
DNS query / C2 indicator
DNS queries to DGA-characteristic domains: xkrqnvbplt.com, wfsrtmnxqzpb.com, qhvnplxmrtw.com, bzrkvfmnxqplts.com — all exhibiting algorithmically generated naming patterns consistent with C2 domain generation algorithms. These queries occurred during the malware execution window on 2026-04-26.
CrowdStrike Falcon alert network access logs (IOC detection alert)
Network connection / C2 indicator
Outbound TCP connection to [EXTERNAL_IP_2]:447 at 2026-04-26T10:06:09Z, 14 seconds after the Startup folder write and in the same execution window as the DGA lookups. Port 447 carries no common service (it is not HTTPS/443), and an unexplained external connection on it from the same execution chain is consistent with C2 on a non-standard port chosen to avoid port-based filtering.
CrowdStrike Falcon alert network access logs
Malicious module load / re-execution
On 2026-04-29T04:32:43Z — approximately 66 hours after initial compromise — a new iexplore.exe instance (same malicious SHA256: [MALWARE_HASH_1]) launched from explorer.exe and loaded a malicious module (MaliciousModule alert, pattern 10136, T1129). Process was killed by prevention policy. The re-execution from a different parent (explorer.exe vs. [CUSTOM_APP_1].exe) and the same malicious binary hash indicates persistent presence of the threat.
CrowdStrike Falcon Alert
Persistent network listener / potential backdoor
TCP port 7777 listening on 0.0.0.0 (all interfaces) across the entire 3-day observation window (7 NetworkListenIP4 events from 2026-04-26T05:10:48Z to 2026-04-29T04:30:41Z), with no process attribution in the telemetry. Port 7777 has no standard service assignment, and a bind to all interfaces makes the listener reachable from every network the host is attached to. CrowdStrike classified this under Defense Evasion, Persistence and Command and Control. Note that the first listen event precedes the 10:05 execution chain by roughly five hours, so the listener either predates this intrusion or belongs to an earlier stage not captured here; attributing it to an owning process is the first gap to close.
CrowdStrike Falcon network telemetry (NetworkListenIP4)
Remote access tool activity
TightVNC server (tvnserver.exe) actively receiving 18 inbound remote control connections during the observation window. TightVNC is a remote desktop/control application; its presence on an HMI/manufacturing workstation receiving active sessions is a significant remote access indicator.
CrowdStrike Falcon network telemetry (inbound connections report)
Behavioral detection / execution pivot
Eight Early Exploit Pivot Detect alerts (pattern 400000) clustered at 2026-04-26T10:05:55Z coinciding precisely with the malware execution chain, plus one additional alert on 2026-04-27T18:35:04Z indicating continued unusual execution behavior 32+ hours after initial incident.
CrowdStrike Falcon Alert
Hash persistence across time
The iexplore.exe binary with SHA256 [MALWARE_HASH_1] appears in both the 2026-04-26 injection attempts and the 2026-04-29 module load event. CrowdStrike's response on 2026-04-26 was to kill the injecting processes, not to quarantine that binary (only kxnbrjvz.exe was quarantined), so the file remained on disk and was available to be relaunched 66 hours later.
CrowdStrike Falcon alert details (process SHA256 fields, cross-event correlation)
Campaign-level corroboration
Broader campaign context: sibling hosts ws-002 and ws-003 have analyst-confirmed true-positive alerts involving [CUSTOM_APP_2].exe.exe (double .exe extension — known obfuscation technique) and [CUSTOM_APP_2]mgr.exe loading libraries matching known-malicious SHA256 hashes. PsExec (PSEXESVC.exe) matching Custom IOC hashes observed on multiple hosts (ws-004, ws-005), consistent with lateral movement tooling.
CrowdStrike Falcon alert analysis report (IP address alert investigation)
Host vulnerability context
Device runs Windows 7 Professional (build 7601), end-of-life since January 2020. The OS receives no security patches, so any vulnerability disclosed since then remains exploitable indefinitely, and it lacks the exploit mitigations and application-control features of current Windows releases that would otherwise help block or surface this activity.
CrowdStrike Falcon device properties record
Registry persistence / indicator removal
The RESTART_STICKY_NOTES Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) shows a cyclical creation and deletion pattern across the observation window, classified by CrowdStrike as T1547.001 (Boot/Logon Autostart Execution) and T1070.009 (Indicator Removal). Caveat: on Windows 7 this value is written by the built-in Sticky Notes application (StikyNot.exe) at logoff and removed at the next logon, so the cycle is a common benign pattern and should be confirmed against the value's command line before it is counted as attacker persistence. The deletion of internat.exe Run key entries (a legacy persistence location) without corresponding creation events is harder to explain and may indicate anti-forensic cleanup; the removed value data should be checked.
CrowdStrike Falcon ASEP registry modification events
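
The "hash persistence across time" entry is a correlation that can be automated: for every SHA256 that a containment action (process kill or file quarantine) touched, look for later executions of the same hash and report the gap and whether the parent process changed. The Python below is an added example written for this page, not Command Zero or CrowdStrike code; the event fields are a simplified stand-in for Falcon alert fields, the hashes and the quarantine timestamp are placeholders, and the sample timeline is constructed from the timestamps in the entries above. The check reports the fact the verdict relies on, that the same bytes ran again after containment; whether those bytes are the attacker's payload or a legitimate system binary being abused is the analyst's next question.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Actions that count as containment of a hash: a process kill or a file quarantine.
CONTAINMENT = {"kill", "quarantine"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "execute", "kill" or "quarantine"
    image: str     # image file name as reported by the sensor
    sha256: str    # hash of the image (placeholder strings below)
    parent: str    # parent image file name


def _ts(s):
    """Parse the Z-suffixed UTC timestamps used in the report."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample telemetry that mirrors the timeline in the entries above.
# HASH_1 / HASH_2, the parent name and the quarantine timestamp are placeholders.
SAMPLE_EVENTS = [
    Event(_ts("2026-04-26T10:05:53Z"), "execute", "iexplore.exe", "HASH_1", "CUSTOM_APP_1.exe"),
    Event(_ts("2026-04-26T10:05:55Z"), "execute", "kxnbrjvz.exe", "HASH_2", "iexplore.exe"),
    Event(_ts("2026-04-26T10:06:57Z"), "kill", "iexplore.exe", "HASH_1", "CUSTOM_APP_1.exe"),
    Event(_ts("2026-04-26T10:07:10Z"), "quarantine", "kxnbrjvz.exe", "HASH_2", "iexplore.exe"),
    Event(_ts("2026-04-29T04:32:43Z"), "execute", "iexplore.exe", "HASH_1", "explorer.exe"),
]


def find_reexecution(events):
    """For each hash that was contained, return every later execution of the same hash.

    Each finding records the gap since containment and whether the parent is one never
    seen launching that hash before containment (a change in execution path).
    """
    by_hash = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_hash[e.sha256].append(e)

    findings = []
    for sha, evs in by_hash.items():
        contained = next((e for e in evs if e.kind in CONTAINMENT), None)
        if contained is None:
            continue  # never contained, so "re-execution after containment" cannot apply
        parents_before = {e.parent for e in evs if e.kind == "execute" and e.ts <= contained.ts}
        for e in evs:
            if e.kind == "execute" and e.ts > contained.ts:
                findings.append({
                    "sha256": sha,
                    "image": e.image,
                    "contained_at": contained.ts,
                    "reexecuted_at": e.ts,
                    "gap_hours": round((e.ts - contained.ts).total_seconds() / 3600, 1),
                    "parent": e.parent,
                    "new_parent": e.parent not in parents_before,
                })
    return findings


if __name__ == "__main__":
    for f in find_reexecution(SAMPLE_EVENTS):
        print(f"{f['image']} ({f['sha256']}) ran again {f['gap_hours']}h after containment "
              f"from {f['parent']} (new parent: {f['new_parent']})")
```

Run against real Falcon data, the same query is worth scheduling for the 72 hours after any quarantine: a hit means the response closed the process but not the persistence path, which is the gap this investigation found.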

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. FP-01
    Evaluate whether the malicious file write (kxnbrjvz.exe to Startup folder) could be a legitimate software installation or update.
    Fail
  2. FP-02
    Evaluate whether the DGA-characteristic DNS queries could be legitimate application traffic.
    Fail
  3. FP-03
    Evaluate whether the 2026-04-29 MaliciousModule alert could be a false positive detection of a legitimate module.
    Fail
  4. FP-05
    Evaluate whether the broader campaign indicators (sibling host alerts, PsExec detections) corroborate or are independent of the ws-001 compromise.
    Pass

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Detection names: OnWriteIOCPolicySHA256High, MaliciousInjection, DGA DNS Query, NetworkConnectIP4, MaliciousModule, NetworkListenIP4

Technique / Tactic / Context

T1547.001 Registry Run Keys / Startup Folder
Tactic: Persistence
Context: Flag file writes to Startup folders (\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\) by non-installer processes, especially iexplore.exe or other browsers. Alert on executables with obfuscated or random names (e.g., kxnbrjvz.exe) written to persistence locations, and cross-reference file hashes against threat intelligence. MDM, GPO and signed installers legitimately populate this folder, and users occasionally drop shortcuts there by hand; an executable written directly by a browser process is not a legitimate pattern.

T1055 Process Injection
Tactic: Defense Evasion
Context: Flag injection attempts from iexplore.exe or other user-mode processes into system processes (dwm.exe, svchost.exe, lsass.exe). Alert on repeated attempts from the same source process within a short window (e.g., 2+ attempts in 60 seconds). Watch dwm.exe specifically: it is a long-running, always-present process and a common host for injected code that needs to outlive its launcher. Some legitimate software does inject (debuggers, accessibility tools, security agents, some overlays), so baseline those by image and signer and alert on everything else; a browser injecting into dwm.exe on a manufacturing host has no benign explanation.

T1568.002 Dynamic Resolution: Domain Generation Algorithms
Tactic: Command and Control
Context: Flag DNS queries to domains with algorithmically generated naming patterns (high entropy, long consonant runs, no recognizable words). Alert on queries to multiple DGA-characteristic domains from the same process within a short time window, and correlate with outbound connections on non-standard ports. Random-looking names are not exclusive to malware: CDN and telemetry hostnames often look random, and Chromium-based browsers issue random single-label probes at startup to detect NXDOMAIN hijacking, so score the second-level label, exclude known CDN suffixes, and require several hits per process rather than one.

T1571 Non-Standard Port (outbound connection)
Tactic: Command and Control
Context: Flag outbound TCP connections to external IPs on ports outside the standard set (80, 443, 22, 53, 123, etc.), and prioritize destinations with low prevalence or known-malicious reputation. Correlate with DGA DNS queries or process injection from the same source process. Port 447 has no common service, and a connection to it should be investigated immediately. T1071.001 (Web Protocols) would apply only if the traffic on 447 were confirmed as HTTP(S); the telemetry here shows only a TCP connection, so the port itself is the indicator. Legitimate software does use odd ports (VPN clients, industrial protocols, update agents), so scope the rule to hosts whose outbound profile is known, such as HMIs.

T1129 Shared Modules
Tactic: Execution
Context: Flag module loads by processes with known-malicious hashes, especially when the same hash re-executes from a different parent process, and flag module loads occurring hours or days after an initial detection, which is what a missed persistence mechanism looks like. Cross-reference module hashes against threat intelligence. Unsigned modules loaded from user-writable locations (AppData, Temp, Downloads) deserve scrutiny, but many legitimate applications install into AppData, so pair the location rule with signer and prevalence checks rather than treating it as sufficient on its own.

T1571 Non-Standard Port (listener)
Tactic: Command and Control
Context: Flag listening ports with no standard service assignment (7777, 8888, 9999, etc.) bound to 0.0.0.0 (all interfaces), and alert on listeners that persist across days with unknown process attribution. Many legitimate services also bind to 0.0.0.0, so the signal is not the bind address alone but an unattributed listener on an unexpected port, persisting, on a host with other compromise indicators (malware execution, injection, C2 queries). Resolve attribution first (owning PID and image), then compare against the asset's documented service inventory.
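
The two command-and-control rows above (dynamic resolution and non-standard outbound port) become one rule when DNS and network events are correlated per process. The following is an added Python example written for this page, not Command Zero or CrowdStrike code: it scores the second-level label of each queried name on a few lexical features (entropy, vowel ratio, consonant runs, absence of common words), then flags a process that queried several DGA-like names and, within a short window of one of them, opened an outbound connection on a port outside a standard-port allowlist. The scoring weights, word list, port list and sample events (with documentation-range IPs) are constructed assumptions; the thresholds must be tuned against your own DNS baseline.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

VOWELS = set("aeiou")
# Tiny word list so obviously word-based labels do not collect the "no words" point.
# An assumption for this example; a deployment would use a real dictionary.
COMMON_WORDS = ("micro", "soft", "google", "update", "mail", "cloud", "office", "windows", "service", "cdn")
# Ports treated as ordinary egress for this host class; an assumption, tune per environment.
STANDARD_PORTS = {22, 53, 80, 123, 443, 465, 587, 993, 995}
DGA_THRESHOLD = 0.6


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(domain):
    """Score the second-level label of a queried name on lexical DGA features (0.0 to 1.0)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return 0.0  # single-label names (e.g. Chromium's random intranet probes) need their own rule
    label = labels[-2]  # no public-suffix handling: "example.co.uk" would score "co" (assumption)
    if len(label) < 7:
        return 0.0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    run = longest_run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest_run = max(longest_run, run)
    score = 0.0
    if shannon_entropy(label) >= 3.0:
        score += 0.3
    if vowel_ratio < 0.25:
        score += 0.3
    if longest_run >= 4:
        score += 0.3
    if not any(word in label for word in COMMON_WORDS):
        score += 0.1
    return round(score, 2)


def correlate_c2(events, window_s=300, min_dga=2):
    """Flag a process that queried >= min_dga DGA-like names and, within window_s seconds
    of one of those queries, connected outbound on a port outside STANDARD_PORTS."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    findings = []
    for pid, evs in by_pid.items():
        dga = [e for e in evs if e["type"] == "dns" and dga_score(e["domain"]) >= DGA_THRESHOLD]
        if len(dga) < min_dga:
            continue
        for c in evs:
            if c["type"] != "connect" or c["remote_port"] in STANDARD_PORTS:
                continue
            near = sorted(d["domain"] for d in dga
                          if abs((c["ts"] - d["ts"]).total_seconds()) <= window_s)
            if near:
                findings.append({"pid": pid, "dst": c["dst"], "port": c["remote_port"], "dga_domains": near})
    return findings


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed per-process DNS and connect events modelled on the page's timeline.
# 203.0.113.0/24 is a documentation range; these are not the real destinations.
SAMPLE_EVENTS = [
    {"ts": _ts("2026-04-26T10:06:01Z"), "pid": 3888, "type": "dns", "domain": "xkrqnvbplt.com"},
    {"ts": _ts("2026-04-26T10:06:02Z"), "pid": 3888, "type": "dns", "domain": "wfsrtmnxqzpb.com"},
    {"ts": _ts("2026-04-26T10:06:03Z"), "pid": 3888, "type": "dns", "domain": "qhvnplxmrtw.com"},
    {"ts": _ts("2026-04-26T10:06:04Z"), "pid": 3888, "type": "dns", "domain": "bzrkvfmnxqplts.com"},
    {"ts": _ts("2026-04-26T10:06:09Z"), "pid": 3888, "type": "connect", "dst": "203.0.113.10", "remote_port": 447},
    {"ts": _ts("2026-04-26T10:06:05Z"), "pid": 1200, "type": "dns", "domain": "www.microsoft.com"},
    {"ts": _ts("2026-04-26T10:06:06Z"), "pid": 1200, "type": "connect", "dst": "203.0.113.20", "remote_port": 443},
]

if __name__ == "__main__":
    for f in correlate_c2(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {len(f['dga_domains'])} DGA-like lookups then {f['dst']}:{f['port']}")
```

The per-process join is what keeps the false-positive rate down: a random-looking CDN hostname from a browser on port 443 scores at most a single feature and never meets the connect condition, while the four vowel-free labels above each collect every feature and are followed by a connect on port 447 from the same PID.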

Verdict Reasoning

The verdict of Compromised at high confidence rests on the following mutually corroborating signals:

1. A pre-registered IOC hash match on the dropped file (kxnbrjvz.exe), written to a known persistence location (the user Startup folder) and classified by CrowdStrike as known_malware.

2. Multiple independent detection mechanisms firing in sequence: injection attempts involving iexplore.exe and dwm.exe, DGA-characteristic DNS queries to four algorithmically generated domains, and an outbound connection to a non-standard port (447).

3. Confirmed persistence: the same iexplore.exe binary (SHA256: [MALWARE_HASH_1]) re-executed 66 hours later from a different parent process, demonstrating that the containment actions on 2026-04-26 did not remove the attacker's foothold.

4. Behavioral corroboration: eight Early Exploit Pivot Detect alerts clustered at the initial compromise time, plus one additional alert 32 hours later, confirming continued unusual execution behavior.

5. Campaign-level evidence: sibling hosts (ws-002, ws-003) have analyst-confirmed true-positive alerts involving the same process names and IOC hashes, and PsExec activity across multiple hosts indicates lateral movement.

Confidence is High rather than Confirmed because the process attribution for the persistent TCP 7777 listener remains unknown, and the TightVNC installation origin (attacker-deployed vs. pre-existing) cannot be determined from the available telemetry.
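
The confidence ceiling above comes down to attribution of the 0.0.0.0:7777 listener. On a Windows 7 host that question is answered by joining `netstat -ano` to `tasklist /fo csv`; the Python below is an added example for this page (not Command Zero or CrowdStrike code) that parses constructed output of both commands, keeps only listeners bound to all interfaces on ports outside a documented inventory, and attaches the owning image, or `<unknown>` when the PID is not in the process list. The expected-port set, the PIDs and the documentation-range addresses are assumptions, and the output is constructed rather than captured from ws-001.

```python
import csv
import io

ALL_INTERFACES = {"0.0.0.0", "[::]"}

# Ports this host is documented to expose; an assumption for the example. In practice
# this comes from the asset's service inventory.
EXPECTED_PORTS = {123, 135, 139, 445, 3389}

# Constructed `netstat -ano` output in Windows format (not a capture from ws-001);
# 203.0.113.10 is a documentation-range placeholder for the external peer.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1640
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2712
  TCP    127.0.0.1:49160        0.0.0.0:0              LISTENING       2100
  TCP    10.20.30.40:49188      203.0.113.10:447       ESTABLISHED     3888
  TCP    [::]:135               [::]:0                 LISTENING       704
  UDP    0.0.0.0:123            *:*                                    1032
"""

# Constructed `tasklist /fo csv` output. PID 2712 is deliberately absent: the owner of
# the 7777 listener is not in the process list, the same attribution gap the report has.
TASKLIST_SAMPLE = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,024 K"
"svchost.exe","704","Services","0","8,512 K"
"svchost.exe","1032","Services","0","5,300 K"
"tvnserver.exe","1640","Services","0","6,200 K"
"svchost.exe","2100","Services","0","4,100 K"
"iexplore.exe","3888","Console","1","40,100 K"
"""


def parse_netstat(text):
    """Parse `netstat -ano` rows; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header lines
        if parts[0] == "TCP" and len(parts) < 5:
            continue  # malformed TCP row
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        ip, port = local.rsplit(":", 1)  # rsplit keeps "[::]" intact for IPv6
        rows.append({"proto": proto, "local_ip": ip, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def suspicious_listeners(netstat_text, tasklist_text, expected_ports):
    """Listeners bound to all interfaces on ports outside the inventory, with owner attribution."""
    images = parse_tasklist_csv(tasklist_text)
    found = []
    for r in parse_netstat(netstat_text):
        is_listener = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if not is_listener or r["local_ip"] not in ALL_INTERFACES or r["local_port"] in expected_ports:
            continue
        found.append({**r, "image": images.get(r["pid"], "<unknown>")})
    return found


if __name__ == "__main__":
    for r in suspicious_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, EXPECTED_PORTS):
        print(f"{r['proto']} {r['local_ip']}:{r['local_port']} pid={r['pid']} image={r['image']}")
```

On the live host, run `netstat -anob` from an elevated prompt so the executable name is printed under each row, and capture `tasklist` in the same second, because PIDs are recycled. A listener whose PID is absent from the process list points at a process that has since exited or is hiding itself; pivot to the EDR's process tree for that PID and time rather than trusting the snapshot.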

Lessons

  1. Quarantine is not containment; verify persistence mechanisms. CrowdStrike quarantined kxnbrjvz.exe on 2026-04-26 and killed the injecting iexplore.exe processes, but the Startup folder entry had been written before the quarantine and the killed iexplore.exe binary stayed on disk, so the same hash ran again 66 hours later from a different parent. Always audit what persistence was installed before the quarantine action, not just what was blocked: check Startup folders, Run keys, scheduled tasks, services and unattributed listening ports immediately after any malware execution alert. The blocked count is the distractor; the unblocked persistence is the real threat.
  2. Process parent-child anomalies warrant immediate escalation. A manufacturing application ([CUSTOM_APP_1].exe) spawning multiple iexplore.exe instances is anomalous and was the first signal of compromise here. Establish baseline process trees for critical applications and escalate when a process spawns children inconsistent with its documented function, rather than waiting for additional alerts. Note the timing, though: the Startup folder write followed the first anomalous spawn by about two seconds (10:05:53 to 10:05:55), so on this host only an automated block on the parent-child rule could have prevented the persistence; human escalation, even at the 8 minutes this investigation took, shortens dwell time rather than preventing installation.
  3. DGA queries plus non-standard port connections are a high-confidence C2 indicator. Four DGA-characteristic domains were queried within minutes of an outbound connection to port 447. The combination is strong enough to act on without waiting for further confirmation: isolate the host and open an incident, while treating it as high confidence rather than proof, since some legitimate software also uses random-looking hostnames or unusual ports. Implement network-level detection for both patterns and correlate them per process. An automatic host-isolation action on this pattern would have cut the C2 channel at 10:06 UTC on 2026-04-26, two and a half days before the binary ran again.
  4. Campaign-level corroboration reduces false positive risk. Sibling hosts (ws-002, ws-003) had analyst-confirmed true-positive alerts with the same process names and IOC hashes. Corroboration across multiple independently monitored hosts significantly reduced the probability that the ws-001 detections were false positives. When investigating a single host, always check for related alerts on peer systems in the same environment; shared IOC hashes, process names or attack patterns across hosts indicate a coordinated campaign rather than isolated incidents, strengthen confidence in the verdict, and justify immediate containment.
  5. Windows 7 end-of-life systems are high-risk targets. This workstation ran Windows 7 Professional (end-of-life January 2020), which receives no security patches. The telemetry does not identify the initial access vector, so the unpatched OS cannot be credited with the intrusion itself, but an end-of-life host lacks the exploit mitigations and application-control options of a current OS, and every vulnerability disclosed since 2020 remains exploitable on it indefinitely. Prioritize upgrading or isolating end-of-life systems, especially in manufacturing environments. If upgrade is not feasible, implement compensating controls: network segmentation that blocks outbound connections from HMI hosts to arbitrary internet ports, application allow-listing so that executables written to user-writable paths such as the Startup folder cannot run, and enhanced monitoring. The 66-hour persistence window here was a detection-and-response gap rather than an OS property; closing it requires auditing persistence after every quarantine, regardless of OS version.