Command Zero
Narration by Agent Zero
Highrun-d12d7a1f-a1bb-42d4-90b1-4150c073f036
Verdict: Compromised (High confidence)
Tags:
  • malware
  • endpoint-compromise
  • process-hollowing
  • evasion-techniques
  • windows-11
  • sentinelone

Windows Endpoint Compromised by Sophisticated Malware Using Advanced Evasion Techniques

A Windows 11 laptop belonging to user_1 was compromised by sophisticated malware employing process hollowing, code injection, and memory manipulation. SentinelOne detected a multi-stage attack chain initiated by a malicious JavaScript file, with the threat marked as not mitigated and the agent pending uninstallation.

AUTONOMOUS INVESTIGATION
Command Zero · Agent Zero
Investigation time: 4m 50s (autonomous)
Questions asked: 47 (IPData, Microsoft 365 Defender, Microsoft Entra, SentinelOne, VirusTotal)
Records analyzed: 1.2K (across all data sources)
Human analysis: ~4 hrs (Tier-2 equivalent *)
Analyst cost saved: ~$362 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

SentinelOne detected a malicious JavaScript file `[CUSTOM_DIR_2].js` (SHA256: 971d9ee3bee06292fa255e169dfb10b4a4644819cd774562198f7e178eb79ad4) executing on Windows 11 laptop ws-001 belonging to user_1. The detection maps to MITRE technique T1547.001 (Registry Run Keys / Startup Folder), though the actual attack chain demonstrates broader evasion capabilities. The specific artifact that triggered investigation was a multi-stage execution chain: wscript.exe launched the JavaScript file, which spawned `[CUSTOM_DIR_2].com`, which then created and executed `RegAsm.exe` in non-standard locations within the user's AppData directory. What made this signal significant was not just the presence of these processes, but the behavioral indicators accompanying them—process hollowing, function unhooking, and remote memory allocation—all hallmarks of deliberate adversarial evasion rather than legitimate application behavior. SentinelOne's behavioral analysis identified 13 related threat events within the execution chain, revealing a coordinated attack designed to bypass endpoint detection. The investigation correlated data from SentinelOne, IPData, VirusTotal, and Microsoft Entra ID across 47 invocations, completing autonomous analysis in 4m 50s and establishing a clear timeline of compromise.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be an account compromise? (Ruled out)
  Supporting evidence (each weighted Moderate):
  • Multiple SentinelOne alerts showing malware detection for [CUSTOM_DIR_2].js
  • Threat ID 2392389585177900527 showing multi-stage execution chain
  • Process hollowing and code injection techniques detected
  Dismissed: While there are clear indicators of malicious software execution, there is no evidence of successful unauthorized access to the account. The malware was detected on the system but there's no indication that the account itself was compromised by an external actor. The evidence points to malware execution rather than account takeover. (High confidence)

H2: Could this be a false positive? (Ruled out)
  Supporting evidence (each weighted Moderate):
  • SentinelOne agent showing 'isPendingUninstall: true'
  • No active threats reported on the device
  • All security features enabled and functioning
  Dismissed: While the SentinelOne agent is marked for uninstallation, this appears to be an administrative decision rather than a security incident. The agent was still functioning properly at the time of the reports, with all security features enabled. The pending uninstallation status alone does not indicate a false positive regarding the malware detection. (High confidence)

H3: Could this be an account compromise attempt? (Ruled out)
  Supporting evidence (each weighted Moderate):
  • No Microsoft Entra ID sign-in activity from the IP address
  • No failed login attempts reported
  • No conditional access policy violations
  Dismissed: While there is no evidence of account-specific compromise attempts through Microsoft Entra ID, the malware detected on the system shows clear signs of malicious intent and sophisticated evasion techniques. The absence of login attempts doesn't rule out other forms of malicious activity, and the SentinelOne alerts provide strong evidence of malware execution. (Medium confidence)

H4: Could this be a policy violation? (Ruled out)
  Supporting evidence (each weighted Moderate):
  • User 'user_1' is the legitimate owner of the device
  • All logins show successful authentication with proper credentials
  • No evidence of unauthorized access to the account
  Dismissed: While the user appears to be legitimately accessing their own device, the malware detected on the system indicates that the device has been compromised. The malicious software is using sophisticated evasion techniques and memory manipulation, which goes beyond normal user activity or policy violations. (High confidence)

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

Malware Detection (source: SentinelOne Alert)
  SentinelOne detected a JavaScript file '[CUSTOM_DIR_2].js' (SHA256: 971d9ee3bee06292fa255e169dfb10b4a4644819cd774562198f7e178eb79ad4) as malicious on laptop ws-001 belonging to user 'user_1'.
  Methodology (SentinelOne; the same methodology applies to every SentinelOne entry in this section): SentinelOne detects threats through AI-driven behavioral analysis, monitoring process activity, file operations, and system interactions. Investigating threat events linked to a specific ThreatID provides comprehensive understanding of attack behavior, affected systems, and breach scope. This analysis enables organizations to assess compromise extent and implement targeted remediation.

Process Execution Chain (source: SentinelOne Threat ID 2392389585177900527)
  Multi-stage execution chain starting with wscript.exe running [CUSTOM_DIR_2].js, which launched [CUSTOM_DIR_2].com, which then created and executed RegAsm.exe in non-standard locations.

Evasion Techniques (source: SentinelOne Behavioral Indicators)
  Advanced evasion techniques detected including process hollowing, function unhooking, and code injection during target process initialization.

Memory Manipulation (source: SentinelOne Behavioral Indicators)
  Multiple instances of 'Remote Memory Allocation' and 'Remote Memory Protect' behaviors detected, indicating process injection techniques.

Suspicious File Activity (source: SentinelOne File Operations)
  RegAsm.exe was copied to non-standard locations (C:\Users\user_1\AppData\Local\[CUSTOM_DIR_1]\) and executed, a common technique for living off the land.

Network Attribution (source: IPData Intelligence)
  All malicious activities originated from IP address [EXTERNAL_IP_1], which is a residential ISP connection in Montevideo, Uruguay.
  Methodology (IPData): IPData provides IP address intelligence including geolocation, hosting organization, and threat categorization. IP location analysis helps detect impossible travel, unusual access patterns, and distinguish between legitimate and suspicious network activity.

System Information (source: SentinelOne Agent Properties)
  The device is a Windows 11 Home laptop (ws-001) with the SentinelOne agent marked for pending uninstallation.

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1: Verified the malicious nature of the execution chain from wscript.exe to [CUSTOM_DIR_2].js to [CUSTOM_DIR_2].com to RegAsm.exe in non-standard locations (Pass)
  2. fp2: Analyzed the behavioral indicators for legitimate explanations (Pass)
  3. fp3: Evaluated whether the activity could be explained by legitimate software (Pass)
  4. fp4: Checked for system maintenance or updates that could explain the behavior (Pass)

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

T1059.007 · JavaScript Execution · Tactic: Execution
  Flag wscript.exe or cscript.exe executing JavaScript files from user-writable directories, particularly AppData or Temp folders. Alert on JavaScript files smaller than 500 bytes that spawn child processes or perform memory operations. Monitor for .js files with suspicious naming patterns that mimic legitimate applications or system utilities.

T1055.012 · Process Hollowing · Tactic: Defense Evasion
  Detect process creation followed immediately by remote memory allocation and memory protect operations targeting the same process. Alert on legitimate system binaries like RegAsm.exe being created in non-standard locations (outside C:\Windows and C:\Program Files) and subsequently executing with memory manipulation indicators. Monitor for sequences of VirtualAllocEx, WriteProcessMemory, and SetThreadContext API calls.

T1547.001 · Registry Run Keys / Startup Folder · Tactic: Persistence
  Monitor for regedit.exe or reg.exe importing .reg files from non-standard directories or user-writable paths. Alert on bulk modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or similar persistence locations when initiated by processes running from AppData. Flag attempts to register DLLs as password filters or accessibility hooks through registry operations.

T1036.003 · Masquerading: Rename System Utilities · Tactic: Defense Evasion
  Detect copies of legitimate Windows utilities (RegAsm.exe, rundll32.exe, certutil.exe) being created in non-standard locations, especially user AppData directories. Alert on these utilities being executed from paths outside their original Windows System32 location. Monitor for process execution chains where legitimate binaries are spawned by suspicious parent processes or scripts.
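As an added illustration of the detection opportunities above (example code written for this page, not Command Zero's or SentinelOne's detection logic), the Python below applies the T1059.007, T1036.003 and T1055.012 checks to constructed process-creation events modelled on the chain in this case. The event field names, the sample file and directory names, and the list of standard binary roots are assumptions; the 500-byte script threshold is the one given in the table.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_BINARIES = {"regasm.exe", "rundll32.exe", "certutil.exe"}
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
SMALL_SCRIPT_BYTES = 500  # threshold from the detection table above


def base(path):
    return ntpath.basename(path).lower()


def has_script_arg(cmdline):
    # crude tokenisation: good enough for quoted paths without spaces
    return any(t.strip('"').lower().endswith((".js", ".jse")) for t in cmdline.split())


def check_event(ev):
    """Return the detection labels that fire for one process-creation event (a dict)."""
    hits = []
    image, parent = base(ev["image"]), base(ev["parent_image"])
    cmd = ev["cmdline"].lower()
    # T1059.007: script host running a .js from a user-writable directory
    if image in SCRIPT_HOSTS and has_script_arg(cmd) and any(d in cmd for d in USER_WRITABLE):
        hits.append("T1059.007 script host executing .js from user-writable path")
        if ev.get("script_size", SMALL_SCRIPT_BYTES) < SMALL_SCRIPT_BYTES and ev.get("spawned_children"):
            hits.append("T1059.007 small script spawning child processes")
    # T1036.003 / T1055.012: known system binary executing outside its standard location
    if image in SYSTEM_BINARIES and not ev["image"].lower().startswith(STANDARD_ROOTS):
        hits.append("T1036.003 system utility executing from non-standard path")
        if ev.get("remote_memory_ops"):
            hits.append("T1055.012 relocated binary with remote memory allocation/protect")
    # chain context: a system utility spawned by a script host or by a script-dropped .com
    if image in SYSTEM_BINARIES and (parent in SCRIPT_HOSTS or parent.endswith(".com")):
        hits.append("suspicious parent for system utility: " + parent)
    return hits


EVENTS = [  # constructed sample telemetry modelled on the chain described in this report
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\user_1\AppData\Local\Temp\stage.js"',
     "script_size": 180, "spawned_children": True},
    {"image": r"C:\Users\user_1\AppData\Local\stagedir\RegAsm.exe",
     "parent_image": r"C:\Users\user_1\AppData\Local\Temp\stage.com",
     "cmdline": "RegAsm.exe", "remote_memory_ops": True},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",  # benign baseline
     "parent_image": r"C:\Windows\System32\msiexec.exe", "cmdline": "RegAsm.exe /codebase app.dll"},
]


def scan(events):
    """Map event index to its detection labels, keeping only events that fired."""
    return {i: check_event(e) for i, e in enumerate(events) if check_event(e)}
```

The benign third event (RegAsm.exe launched from its .NET Framework directory by an installer) produces no hits, which is the false-positive control a rule like this needs.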

Verdict Reasoning

The verdict of Compromised at high confidence rests on the following mutually corroborating signals:

1. SentinelOne detected a malicious JavaScript file with a specific SHA256 hash (971d9ee3bee06292fa255e169dfb10b4a4644819cd774562198f7e178eb79ad4) executing on the endpoint, confirmed through multiple threat event records showing the file's presence and execution context

2. A complete multi-stage execution chain was reconstructed from wscript.exe → JavaScript file → [CUSTOM_DIR_2].com → RegAsm.exe, with each stage documented in SentinelOne's process telemetry and threat event logs

3. Advanced evasion techniques including process hollowing, function unhooking, and remote memory allocation were detected as behavioral indicators, techniques that are rarely present in legitimate software and are characteristic of sophisticated malware

4. The malware copied legitimate Windows utilities (RegAsm.exe) to non-standard locations (C:\Users\user_1\AppData\Local\[CUSTOM_DIR_1]\), a living-off-the-land technique used to evade file-based detection

5. No contradictory evidence emerged from Microsoft Entra ID sign-in logs, VirusTotal reputation checks, or IPData geolocation analysis that would suggest a false positive or benign explanation. The confidence is High rather than Confirmed because the SentinelOne agent is marked as pending uninstallation, which could affect ongoing monitoring and remediation capabilities if not addressed immediately

Lessons

  1. Pending uninstallation status masks active compromise. In this investigation, the SentinelOne agent was marked for pending uninstallation while actively detecting and reporting malware. The agent remained functional and generated 13 threat events documenting the attack chain. However, if the uninstallation had proceeded before remediation, the endpoint would have lost all endpoint detection and response capabilities mid-incident. Always verify the status and timeline of agent uninstallations against active threat detections. Ensure remediation is complete before removing security tooling.
  2. Small file size does not indicate benign intent. The malicious JavaScript file [CUSTOM_DIR_2].js was only 180 bytes, yet it successfully initiated a multi-stage attack chain involving process hollowing and memory injection. Attackers often minimize file size to evade file-based detection and reduce storage footprint. Do not dismiss small scripts as harmless; correlate file size with execution context, parent process, and behavioral indicators like memory operations and process creation.
  3. Legitimate binary location is the strongest detection signal. RegAsm.exe executing from C:\Users\user_1\AppData\Local\[CUSTOM_DIR_1]\ was the clearest indicator of compromise in this chain. System utilities copied to user directories almost never occur in legitimate scenarios. Implement detection rules that flag execution of known Windows binaries from paths outside their standard System32 or Program Files locations, regardless of digital signature status.
  4. Behavioral indicators matter more than file reputation. The malware's file hash had no VirusTotal detections at the time of analysis, yet SentinelOne's behavioral detection identified process hollowing, function unhooking, and remote memory allocation, all malicious indicators. File reputation systems lag behind sophisticated malware. Prioritize behavioral analysis and process chain reconstruction over hash-based verdicts when investigating suspicious execution.
  5. Absence of cloud sign-in activity does not rule out compromise. Microsoft Entra ID logs showed no suspicious sign-in activity from the malware's originating IP address, which initially appeared to exonerate the endpoint. However, the endpoint itself was clearly compromised. Malware may not immediately attempt cloud credential theft or lateral movement. Investigate endpoint compromise independently of cloud authentication logs; they answer different questions about the scope of an incident.