Volatility Traces Lab

Q1) Identifying the parent process reveals the source and potential additional malicious activity. What is the name of the suspicious process that spawned two malicious PowerShell processes?

First, let's use the pslist plugin to enumerate active processes in the memory dump.

python3 vol.py -f memory.dmp windows.pslist

In the pslist output, both powershell.exe processes (PIDs 7656 and 6980) share the same parent PID, 4596. Next, look that PID up with psscan to see the parent itself and every process it spawned.

python3 vol.py -f memory.dmp windows.psscan | grep "4596"

Here, we only have the first 15 characters of the name: pslist and psscan read EPROCESS.ImageFileName, a 16-byte field that holds 15 characters plus a terminator, so longer image names are cut off. To retrieve the full name, use either the cmdline plugin (full command line) or the pstree plugin.

python3 vol.py -f memory.dmp windows.pstree | grep "4596"

Answer: InvoiceCheckList.exe

Q2) By determining which executable is utilized by the malware to ensure its persistence, we can strategize for the eradication phase. Which executable is responsible for the malware's persistence?

python3 vol.py -f memory.dmp windows.psscan | grep "4596"

schtasks.exe appears among the children of PID 4596. It is the built-in scheduled-task utility, and a malware-spawned schtasks.exe almost always means a task is being registered to relaunch the payload; the task name and trigger can be confirmed from its arguments with the cmdline plugin.

Answer: schtasks.exe

Q3) Understanding child processes reveals potential malicious behavior in incidents. Aside from the PowerShell processes, what other active suspicious process, originating from the same parent process, is identified?

python3 vol.py -f memory.dmp windows.psscan | grep "4596"

Note that psscan also carves terminated processes from memory, so check the ExitTime column (or cross-check against pslist) to confirm which of the children are still active. RegSvcs.exe is the .NET Services Installation Tool, a signed Microsoft binary that loaders commonly abuse as a host for injected code, which is why its presence under a suspicious parent is worth flagging.

Answer: RegSvcs.exe
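Walking the tree by hand with grep works for one PID, but the reasoning behind Q1 to Q3 is easy to script. The following is an added example, not part of the original writeup: it assumes the psscan output was saved with Volatility 3's JSON renderer (-r json) and runs the same logic over a constructed sample that mirrors the lab. It finds the parent that spawned two powershell.exe processes, flags that its 15-character ImageFileName is truncated, and separates the still-active children from those psscan carved after they had exited. PIDs 4596, 7656 and 6980 come from the writeup; every other PID and the ExitTime value are placeholders.

```python
"""Process-tree triage over Volatility 3 psscan/pslist output (Q1-Q3).

Added example, not part of the original writeup. It assumes the rows were
produced with Volatility 3's JSON renderer, e.g.
    python3 vol.py -r json -f memory.dmp windows.psscan > psscan.json
so that each row carries the text table's column names (PID, PPID,
ImageFileName, ExitTime). The sample below is constructed: PIDs 4596,
7656 and 6980 match the writeup, every other value is a placeholder.
"""
import json
from collections import defaultdict

# EPROCESS.ImageFileName is a 16-byte buffer: 15 characters plus a NUL,
# which is why "InvoiceCheckList.exe" shows up as "InvoiceCheckLis".
IMAGE_NAME_MAX = 15

# Constructed sample in the shape of `windows.psscan -r json` rows.
SAMPLE_PSSCAN = [
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",          "ExitTime": None},
    {"PID": 1000, "PPID": 800,  "ImageFileName": "explorer.exe",    "ExitTime": None},
    {"PID": 4596, "PPID": 1000, "ImageFileName": "InvoiceCheckLis", "ExitTime": None},
    {"PID": 7656, "PPID": 4596, "ImageFileName": "powershell.exe",  "ExitTime": None},
    {"PID": 6980, "PPID": 4596, "ImageFileName": "powershell.exe",  "ExitTime": None},
    # schtasks.exe has already exited; psscan still carves it from memory.
    {"PID": 2222, "PPID": 4596, "ImageFileName": "schtasks.exe",    "ExitTime": "2023-01-01 00:00:05"},
    {"PID": 3333, "PPID": 4596, "ImageFileName": "RegSvcs.exe",     "ExitTime": None},
    # A benign PowerShell under explorer.exe, to exercise the >= 2 threshold.
    {"PID": 4444, "PPID": 1000, "ImageFileName": "powershell.exe",  "ExitTime": None},
]


def index_by_pid(records):
    """Map PID -> row. psscan can return duplicate/stale rows; keep the first."""
    procs = {}
    for rec in records:
        procs.setdefault(rec["PID"], rec)
    return procs


def children_of(procs, ppid, active_only=False):
    """Direct children of ppid, sorted by PID. psscan also carves exited
    processes, so ExitTime is the 'active' test the lab questions rely on."""
    kids = [p for p in procs.values() if p["PPID"] == ppid]
    if active_only:
        kids = [p for p in kids if not p["ExitTime"]]
    return sorted(kids, key=lambda p: p["PID"])


def parents_spawning(procs, image, min_count=2):
    """PIDs that spawned at least min_count processes named `image`."""
    counts = defaultdict(int)
    for p in procs.values():
        if p["ImageFileName"].lower() == image.lower():
            counts[p["PPID"]] += 1
    return sorted(ppid for ppid, n in counts.items() if n >= min_count)


def name_may_be_truncated(name):
    """True when the name fills the 15-character field, i.e. the real image
    name is probably longer and must be read from cmdline or pstree."""
    return len(name) >= IMAGE_NAME_MAX


def siblings_of(procs, pid, active_only=False):
    """Other processes sharing pid's parent (what Q3 asks for)."""
    me = procs[pid]
    return [p for p in children_of(procs, me["PPID"], active_only) if p["PID"] != pid]


def triage(records):
    """For each parent of >= 2 powershell.exe: its (possibly truncated) name,
    its active children and all carved children."""
    procs = index_by_pid(records)
    report = {}
    for ppid in parents_spawning(procs, "powershell.exe"):
        parent = procs.get(ppid)
        report[ppid] = {
            "parent_name": parent["ImageFileName"] if parent else None,
            "truncated": bool(parent and name_may_be_truncated(parent["ImageFileName"])),
            "active_children": [p["ImageFileName"] for p in children_of(procs, ppid, active_only=True)],
            "all_children": [p["ImageFileName"] for p in children_of(procs, ppid)],
        }
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PSSCAN), indent=2))
```

Against a real dump, replace SAMPLE_PSSCAN with json.load() of the saved psscan output; the "truncated" flag is the cue to go back to cmdline or pstree for the full name, exactly as the writeup does for InvoiceCheckList.exe.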

Q4) Analyzing malicious process parameters uncovers intentions like defense evasion for hidden, stealthy malware. Which PowerShell cmdlet is used by the malware for defense evasion?

python3 vol.py -f memory.dmp windows.cmdline | grep "powershell.exe"
#OR
python3 vol.py -f memory.dmp windows.cmdline | grep "7656"
python3 vol.py -f memory.dmp windows.cmdline | grep "6980"

This cmdlet adds a specified path to Microsoft Defender's exclusion list, which tells Defender not to scan or monitor the file or directory given (InvoiceCheckList.exe and HcdmIYYf.exe in this case). Anything dropped into an excluded path afterwards is likewise ignored, so the exclusions matter for scoping as well as for the answer.

Answer: Add-MpPreference

Q5) Recognizing detection-evasive executables is crucial for monitoring their harmful and malicious system activities. Which two applications were excluded by the malware from the previously altered application's settings?

Answer: InvoiceCheckList.exe:HcdmIYYf.exe
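The two grep commands above are enough for this dump, but the same check should be automated so that it survives quoting, comma-separated lists and encoded scripts. The following is an added example, not part of the original writeup: it assumes the cmdline output was saved with Volatility 3's JSON renderer (-r json, rows with PID, Process and Args), and runs over constructed command lines that mimic the lab (the directories are placeholders, not the dump's real contents). It goes beyond the lab in one respect: the last row carries an -EncodedCommand payload, to show that the base64/UTF-16LE wrapper has to be decoded before any cmdlet matching is attempted.

```python
"""Command-line triage for Defender tampering (Q4 and Q5).

Added example, not part of the original writeup. Rows are shaped like
`windows.cmdline -r json` output (PID, Process, Args); the command lines
are constructed to illustrate the pattern the writeup describes and are
not the dump's real contents (the directories are placeholders).
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the
# common spellings seen in the wild are covered here.
ENC_RE = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
CMDLET_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
# A value is a double-quoted, single-quoted or bare token; lists are comma-separated.
VALUE = r'''"[^"]*"|'[^']*'|[^\s,]+'''
VALUE_RE = re.compile(VALUE)
EXCL_RE = re.compile(rf"(?i)-Exclusion(Path|Process|Extension)\s+((?:{VALUE})(?:\s*,\s*(?:{VALUE}))*)")
DISABLE_RE = re.compile(r"(?i)-(Disable\w+)\s+(?:\$true|1)\b")
TECHNIQUE = "T1562.001"  # Impair Defenses: Disable or Modify Tools


def to_encoded_command(script):
    """Build a -EncodedCommand payload: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(args):
    """Return the decoded script if args carries -EncodedCommand, else None."""
    m = ENC_RE.search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_args(args):
    """Findings for one command line, or None when no Defender cmdlet is present."""
    decoded = decode_encoded_command(args)
    text = decoded if decoded is not None else args
    cmdlets = CMDLET_RE.findall(text)
    if not cmdlets:
        return None
    exclusions = [(m.group(1).lower(), v.strip("\"'"))
                  for m in EXCL_RE.finditer(text)
                  for v in VALUE_RE.findall(m.group(2))]
    return {
        "cmdlets": cmdlets,
        "technique": TECHNIQUE,
        "exclusions": exclusions,               # (kind, value) pairs
        "disabled": DISABLE_RE.findall(text),   # e.g. DisableRealtimeMonitoring
        "was_encoded": decoded is not None,
    }


def triage_cmdlines(records):
    """PID -> findings for every row whose command line tampers with Defender."""
    findings = {}
    for rec in records:
        result = analyse_args(rec.get("Args") or "")
        if result:
            findings[rec["PID"]] = result
    return findings


def excluded_binaries(records):
    """Basenames of excluded paths/processes, in the order seen (the Q5 answer)."""
    names = []
    for result in triage_cmdlines(records).values():
        for kind, value in result["exclusions"]:
            if kind in ("path", "process"):
                names.append(value.replace("/", "\\").rsplit("\\", 1)[-1])
    return list(dict.fromkeys(names))


# Constructed sample in the shape of `windows.cmdline -r json` rows.
SAMPLE_CMDLINE = [
    {"PID": 4596, "Process": "InvoiceCheckLis",
     "Args": r'"C:\Users\victim\Desktop\InvoiceCheckList.exe"'},
    {"PID": 7656, "Process": "powershell.exe",
     "Args": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\victim\Desktop\InvoiceCheckList.exe"'},
    {"PID": 6980, "Process": "powershell.exe",
     "Args": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming\HcdmIYYf.exe"'},
    # Placeholder PID; an encoded variant that plain grep for the cmdlet would miss.
    {"PID": 5555, "Process": "powershell.exe",
     "Args": "powershell.exe -NoP -W Hidden -enc "
             + to_encoded_command("Set-MpPreference -DisableRealtimeMonitoring $true")},
]

if __name__ == "__main__":
    for pid, result in triage_cmdlines(SAMPLE_CMDLINE).items():
        print(pid, result)
    print("excluded:", excluded_binaries(SAMPLE_CMDLINE))
```

The encoded row is the reason to prefer this over grep: "Add-MpPreference" never appears in its Args, and only the decoded text reveals the tampering.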

Q6) Mapping each technique to MITRE provides clarity and aids effective response during incident analysis. What is the MITRE sub-technique ID the PowerShell commands aim to achieve?

Search on Google by: Add-MpPreference MITRE ATT&CK

T1562.001 is Impair Defenses: Disable or Modify Tools (tactic: Defense Evasion), which covers adding exclusions to, or disabling, an endpoint security product such as Microsoft Defender.

Answer: T1562.001

Q7) SIDs uniquely identify accounts, reveal type, domain/local status, and correlate malicious activities. What's the Security ID (SID) of the user account the malicious processes are running under?

python3 vol.py -f memory.dmp windows.getsids | grep "powershell"

The S-1-5-21-... prefix identifies the machine or domain that issued the SID; the final component (the RID, 1001 here) denotes a user-created account, since RIDs below 1000 are reserved for well-known built-ins such as 500 (Administrator) and 501 (Guest).

Answer: S-1-5-21-1649652813-3480061347-1948202237-1001
