CyberDefenders: Volatility Traces

Overview

We’ve been tasked with performing memory analysis of a compromised endpoint to determine what activities were carried out by the malware. We will be analyzing the execution chain, tactics, and the responsible user account.


Scenario

As a digital forensics analyst at CyberResponse Inc., you are faced with a critical incident involving a sophisticated malware infiltration at a multinational corporation. The malware has covertly compromised critical systems and initiated unauthorized activities, posing a severe threat to the organization’s sensitive data and operational integrity.

Your task is to conduct a comprehensive analysis of a captured memory dump to trace the malware’s hidden activities. The goal is to meticulously decode the sequence of events, identify the malware’s functionalities, and understand its mechanisms of action. This analysis is pivotal in uncovering how the malware evaded detection and executed its malicious payload.


Q1

Identifying the parent process reveals the source and potential additional malicious activity. What is the name of the suspicious process that spawned two malicious PowerShell processes?

We’ll get started by taking a look at the process tree and looking for the PowerShell processes.

We can pipe the volatility output to less -S to prevent line-wrapping and make the output easier to read.

./vol.py -f ../../Artifacts/memory.dmp windows.pstree | less -S

Scrolling through the output, we can see the aforementioned powershell execution was spawned by PPID 4596.

Unfortunately, that process is not listed by our pstree output, so we’ll need to dig a little more to determine the name of the parent process.

Checking the command arguments passed to powershell, we can see that two executables were added to the Windows Defender exclusion path.

Process entries for powershell

Command line arguments for the powershell execution

We’ll check PsScan to see if we can determine the name of process 4596.

To keep our output limited to relevant processes, we’ll grep for PID 4596.

./vol.py -f ../../Artifacts/memory.dmp windows.psscan | grep 4596

PsScan output

Comparing our findings from PsScan and PsTree, we can see this file appears to be one of the files that were excluded from Windows Defender’s scans.

And there we have it, the name of the initial malicious application that spawned the powershell activity.
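The cross-check above (a PPID that pstree cannot name, resolved through psscan) can be scripted. The following is an added example, not code from the original writeup or from Volatility; it parses whitespace-separated rows in the shape of the windows.pstree and windows.psscan tables, and the PIDs, offsets and the parent's own PPID in the sample are constructed placeholders rather than values from the challenge dump.

```python
# Constructed sample in the shape of Volatility 3 windows.pstree / windows.psscan output,
# reduced to PID, PPID, ImageFileName. PPID 4100 and the other PIDs are placeholders.
PSTREE_SAMPLE = """
PID    PPID   ImageFileName
4      0      System
* 612  4      smss.exe
**** 3308  4596  powershell.exe
**** 3412  4596  powershell.exe
**** 5020  4596  RegSvcs.exe
"""

PSSCAN_SAMPLE = """
PID    PPID   ImageFileName
4596   4100   InvoiceCheckList.exe
3308   4596   powershell.exe
3412   4596   powershell.exe
5020   4596   RegSvcs.exe
"""

def parse_process_table(text):
    """Return {pid: (ppid, name)}, ignoring the header and pstree's '*' depth markers."""
    procs = {}
    for line in text.splitlines():
        parts = line.lstrip("* ").split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def resolve_parents(pstree_text, psscan_text, child_name="powershell.exe"):
    """Name the parent of every child_name process. pstree only walks the live process
    list, so an exited parent is looked up in psscan, which carves _EPROCESS from memory."""
    tree = parse_process_table(pstree_text)
    scan = parse_process_table(psscan_text)
    resolved = {}
    for pid, (ppid, name) in tree.items():
        if name.lower() != child_name.lower():
            continue
        if ppid in tree:
            resolved[pid] = (ppid, tree[ppid][1], "pstree")
        elif ppid in scan:
            resolved[pid] = (ppid, scan[ppid][1], "psscan")
        else:
            resolved[pid] = (ppid, None, "unresolved")
    return resolved

def children_of(table, ppid):
    """All processes whose PPID is ppid (the siblings spawned by the hidden parent)."""
    return sorted(name for pid, (parent, name) in table.items() if parent == ppid)
```

Running it on a real dump means feeding it the saved output of the two plugins; an "unresolved" entry is itself a finding, since it means the parent is not recoverable even by carving.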

Answer InvoiceCheckList.exe

Q2

By determining which executable is utilized by the malware to ensure its persistence, we can strategize for the eradication phase. Which executable is responsible for the malware’s persistence?

We can see in our PsScan output that the process was also responsible for spawning Task Scheduler.

This indicates the creation of a scheduled task to maintain persistence.

Answer schtasks.exe

Q3

Understanding child processes reveals potential malicious behavior in incidents. Aside from the PowerShell processes, what other active suspicious process, originating from the same parent process, is identified?

Referring back to our PsTree and PsScan findings, we can see that the malicious process was also responsible for starting RegSvcs.

Per Microsoft’s documentation: “The .NET Services Installation tool performs the following actions: Loads and registers an assembly. Generates, registers, and installs a type library into a specified COM+ application. Configures services that you have added programmatically to your class.”

This could be abused for a number of purposes, such as persistence, evasion, or even privilege escalation.

Answer RegSvcs.exe

Q4

Analyzing malicious process parameters uncovers intentions like defense evasion for hidden, stealthy malware. What PowerShell cmdlet is used by the malware for defense evasion?

We noted the powershell commands that were used and their purpose earlier.

However, for the sake of completeness, we’ll take a look at the command execution using the CmdLine plugin as well.

./vol.py -f ../../Artifacts/memory.dmp windows.cmdline

Output of the CmdLine plugin

Here we can see the same command execution we discovered in the PsTree output.

Note: You can read more about the cmdlet used in this Microsoft documentation - https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=windowsserver2022-ps

Answer Add-MpPreference

Q5

Recognizing detection-evasive executables is crucial for monitoring their harmful and malicious system activities. Which two applications were excluded by the malware from the previously altered application’s settings?

We discovered this in both our PsTree and CmdLine output.

Answer InvoiceCheckList.exe:HcdmIYYf.exe
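The CmdLine review behind Q4 and Q5 (spotting the Add-MpPreference cmdlet and pulling out the excluded executables) is the kind of check worth automating across every process in a dump. The following is an added example, not code from the original writeup or from Volatility: it parses rows in the shape of the windows.cmdline table and reports Defender-tampering cmdlets with their exclusion values. The sample rows, PIDs and the full exclusion paths are constructed placeholders; only the two executable names come from this page.

```python
import re

# Constructed rows in the shape of Volatility 3 windows.cmdline output (PID, process,
# argument string). The paths are placeholders, not values from the challenge dump.
CMDLINE_SAMPLE = r"""
PID   Process         Args
612   smss.exe        \SystemRoot\System32\smss.exe
3308  powershell.exe  powershell.exe Add-MpPreference -ExclusionPath "C:\Users\Lee\Downloads\InvoiceCheckList.exe"
3412  powershell.exe  powershell.exe Add-MpPreference -ExclusionPath "C:\Users\Lee\AppData\Roaming\HcdmIYYf.exe"
4100  explorer.exe    C:\Windows\Explorer.EXE
"""

# Cmdlets that change Defender configuration; Add-MpPreference is the one seen on this page.
TAMPER_CMDLETS = {"add-mppreference", "set-mppreference"}
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")
# Value of an -Exclusion* switch: everything up to the next switch or the end of the line.
EXCL_RE = re.compile(r"-Exclusion(?:Path|Process|Extension)\s+(.+?)(?=\s+-|$)", re.I)

def find_defender_tampering(cmdline_text):
    """Return [(pid, cmdlet, [excluded items])] for rows that invoke a Defender cmdlet."""
    hits = []
    for line in cmdline_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, _proc, args = m.groups()
        cmdlet = next((t for t in args.split() if t.lower() in TAMPER_CMDLETS), None)
        if cmdlet is None:
            continue
        items = []
        for value in EXCL_RE.findall(args):
            # Also handles comma-separated lists such as -ExclusionPath "a","b".
            items.extend(v.strip().strip("'\"") for v in value.split(",") if v.strip())
        hits.append((int(pid), cmdlet, items))
    return hits

def excluded_basenames(cmdline_text):
    """File names that were excluded, in order of appearance (the Q5 answer pair)."""
    names = []
    for _pid, _cmdlet, items in find_defender_tampering(cmdline_text):
        names.extend(item.replace("\\", "/").rsplit("/", 1)[-1] for item in items)
    return names
```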

Q6

Mapping each technique to MITRE provides clarity and aids effective response during incident analysis. What is the MITRE sub-technique ID the PowerShell commands aim to achieve?

Knowing that the goal of the PowerShell commands was to keep the malicious files from being found by Windows Defender, we can narrow our search to MITRE’s Defense Evasion tactic.

https://attack.mitre.org/tactics/TA0005/

Scrolling through the various techniques, the appropriate selection should be apparent.

Answer T1562.001

Q7

SIDs uniquely identify accounts, reveal type, domain/local status, and correlate malicious activities. What’s the Security ID (SID) of the user account the malicious processes are running under?

We can start by listing the sessions found in the memory dump.

./vol.py -f ../../Artifacts/memory.dmp windows.sessions

Output of windows.sessions

Looking through the results we see that the Lee user was used to run the PowerShell and RegSvcs processes we found previously.

With that information, we can use the windows.getsids plugin to determine the user’s SID.

The plugin returns a lot of output, so we’ll grep for the Lee username to keep it a bit more manageable.

./vol.py -f ../../Artifacts/memory.dmp windows.getsids | grep Lee

GetSids output

Answer S-1-5-21-1649652813-3480061347-1948202237-1001