Volatility Traces
Scenario
Lab Link: Volatility Traces
On May 2, 2024, a multinational corporation identified suspicious PowerShell processes on critical systems, indicating a potential malware infiltration. This activity poses a threat to sensitive data and operational integrity.
You have been provided with a memory dump (memory.dmp) from the affected system. Your task is to analyze the dump to trace the malware's actions, uncover its evasion techniques, and understand its persistence mechanisms.
Q1
Identifying the parent process reveals the source and potential additional malicious activity. What is the name of the suspicious process that spawned two malicious PowerShell processes?
Answer Format: ****************.***
Commands
python3 Tools/volatility3-develop/vol.py -f Artifacts/memory.dmp windows.pstree
Answer:
InvoiceCheckList.exe
Q2
By determining which executable is utilized by the malware to ensure its persistence, we can strategize for the eradication phase. Which executable is responsible for the malware's persistence?
Answer Format: ********.***
Commands
python3 Tools/volatility3-develop/vol.py -f Artifacts/memory.dmp windows.cmdline | grep -i schtasks
Answer:
schtasks.exe
Q3
Understanding child processes reveals potential malicious behavior in incidents. Aside from the PowerShell processes, what other active suspicious process, originating from the same parent process, is identified?
Answer Format: *******.***
Commands
python3 Tools/volatility3-develop/vol.py -f Artifacts/memory.dmp windows.pstree | grep -A 5 "4596"
Answer:
RegSvcs.exe
Q4
Analyzing the parameters of a malicious process uncovers its intentions, such as defense evasion to keep the malware hidden. Which PowerShell cmdlet was used by the malware for defense evasion?
Answer Format: ***-************
Commands
python3 Tools/volatility3-develop/vol.py -f Artifacts/memory.dmp windows.cmdline | grep -i powershell
Answer:
Add-MpPreference
Q5
Identifying the executables the malware shielded from detection is crucial for monitoring their activity on the system. Which two applications were excluded by the malware in the settings of the application it altered in the previous question?
Answer Format: ****************.***,********.***
Commands
python3 Tools/volatility3-develop/vol.py -f Artifacts/memory.dmp windows.cmdline | grep -i "Add-MpPreference"
Answer:
InvoiceCheckList.exe,HcdmIYYf.exe
Q6
What is the specific MITRE sub-technique ID associated with PowerShell commands that aim to disable or modify antivirus settings to evade detection during incident analysis?
Answer Format: *****.***
Analysis
- Technique: Impair Defenses
- Sub-technique: Disable or Modify Tools
Answer:
T1562.001
Q7
Determining the user account offers valuable information about its privileges, whether it is domain-based or local, and its potential involvement in malicious activities. Which user account is linked to the malicious processes?
Answer Format: ***
Commands
python3 Tools/volatility3-develop/vol.py -f Artifacts/memory.dmp windows.cmdline | grep -i powershell
Answer:
Lee
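As an added example (not part of the original lab or of volatility3), the following Python triage parses `windows.cmdline` output and flags the behaviours walked through in Q2, Q4 and Q5: Add-MpPreference exclusions, hidden PowerShell windows and schtasks persistence. The sample output, the file paths and the RegSvcs/svchost lines are constructed for illustration, not taken from memory.dmp.

```python
import re

# Constructed sample of `vol.py -f memory.dmp windows.cmdline` output (tab-separated,
# as volatility3 prints it). Paths and arguments are made up, not from the lab dump.
SAMPLE_CMDLINE = (
    "PID\tProcess\tArgs\n"
    "4596\tInvoiceCheckList.exe\t\"C:\\Users\\Lee\\Downloads\\InvoiceCheckList.exe\"\n"
    "5012\tpowershell.exe\tpowershell -w hidden -c Add-MpPreference "
    "-ExclusionProcess InvoiceCheckList.exe,HcdmIYYf.exe\n"
    "5088\tschtasks.exe\tschtasks /create /tn Updater "
    "/tr C:\\Users\\Lee\\AppData\\Roaming\\HcdmIYYf.exe /sc onlogon\n"
    "5120\tRegSvcs.exe\tC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\n"
    "5200\tsvchost.exe\tC:\\Windows\\System32\\svchost.exe -k netsvcs\n"
)

# (pattern, label, ATT&CK id). T1562.001 is the mapping the lab gives for Add-MpPreference.
RULES = [
    (re.compile(r"add-mppreference", re.I), "Defender exclusion added", "T1562.001"),
    (re.compile(r"set-mppreference\s+-disable", re.I), "Defender feature disabled", "T1562.001"),
    (re.compile(r"schtasks(\.exe)?\s+/create", re.I), "Scheduled task persistence", "T1053.005"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "Hidden PowerShell window", "T1564.003"),
]
EXCLUSION_RE = re.compile(r"-Exclusion(?:Process|Path|Extension)\s+(\S+)", re.I)


def parse_cmdline(text):
    """Turn windows.cmdline output into a list of (pid, process, args); skips the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split("\t", 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def triage(rows):
    """Return one (pid, process, label, attack_id) finding per rule that matches a row."""
    return [(pid, proc, label, tid)
            for pid, proc, args in rows
            for rx, label, tid in RULES if rx.search(args)]


def defender_exclusions(rows):
    """Collect every value passed to Add-MpPreference -Exclusion* (comma-separated lists split)."""
    excluded = []
    for _, _, args in rows:
        if "add-mppreference" in args.lower():
            for m in EXCLUSION_RE.finditer(args):
                excluded.extend(v.strip("\"'") for v in m.group(1).split(","))
    return excluded


if __name__ == "__main__":
    rows = parse_cmdline(SAMPLE_CMDLINE)
    for pid, proc, label, tid in triage(rows):
        print(f"PID {pid:<6}{proc:<22}{label:<28}{tid}")
    print("Excluded from Defender:", defender_exclusions(rows))
```

Feed it the real output with `vol.py ... windows.cmdline > cmdline.txt` and `parse_cmdline(open("cmdline.txt").read())`; the exclusion list is what Q5 asks for, and each flagged PID is a candidate to look up in `windows.pstree` for its parent.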