Overview

For this investigation, we will be analyzing a memory dump from a compromised device. We will primarily investigate the process tree and command line artifacts to determine the source of the malicious activity.

Scenario

As a forensic investigator at a leading financial institution, your SIEM has flagged unusual activity on an internal workstation with access to sensitive financial data, indicating a potential breach. With a memory dump from the compromised machine, your task is to analyze for indicators of compromise, trace the anomaly’s origin, and contain the incident while assessing its scope.

Q1

Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

We’ll start off our investigation by analyzing the process tree with the pstree plugin.

Looking through the output, there isn’t much that jumps out as suspicious.

The last few lines, however, provide a good starting point for our investigation.

We can see that Wordpad and PowerShell processes began at the same time.

Furthermore, the powershell process executed net.exe.

With this information, we’ll use the cmdline plugin to check for suspicious command execution.

Our results give us some immediate red flags.

We can see that powershell was used with the -windowstyle hidden switch, net was used to attach a network share, and rundll32 was used to execute a dll located on the newly attached share.

Given this evidence, we can conclude that powershell was responsible for the initial malicious execution.

Q2

Knowing the parent process ID (PPID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

We can refer back to our pstree output to determine the PPID responsible for spawning the malicious powershell process.

Q3

Determining the file name used by the malware for executing the second-stage payload is crucial for identifying subsequent malicious activities. What is the file name that the malware uses to execute the second-stage payload?

We identified the malicious DLL used in the powershell command.

Given the chain of execution we have discovered, this appears to be the second-stage payload.

Q4

Identifying the shared directory on the remote server helps trace the resources targeted by the attacker. What is the name of the shared directory being accessed on the remote server?

Our cmdline results included two entries that showed a network share being attached.

Q5

What is the MITRE sub-technique ID used by the malware to execute the second-stage payload?

Our investigation has shown that the attacker utilized network shares and rundll32 to execute their payload.

A little googling for MITRE ATT&CK and these keywords will give us a match and a detailed analysis of this tactic.

Q6

Identifying the username under which the malicious process runs helps in assessing the compromised account and its potential impact. What is the username that the malicious process runs under?

We’ll use the sessions plugin to determine which user account was responsible for the malicious execution.

In the output, we can see the hostname and username associated with the powershell and net.exe activity.

Note: It is important to check the PID and timestamps of these events, just just the process name.

Q7

Knowing the name of the malware family is essential for correlating the attack with known threats and developing appropriate defenses. What is the name of the malware family?

Our analysis of the command line execution revealed an IP address that we should investigate.

A quick trip to VirusTotal, and a search for the IP, reveals the nature of the attack.