Volatility Traces Lab
Last updated
Q1) Identifying the parent process reveals the source and potential additional malicious activity. What is the name of the suspicious process that spawned two malicious PowerShell processes?
First, let's use the pslist plugin to enumerate the active processes in the memory dump.
Both PowerShell processes share the same parent: the process with PID 4596.
Here, pslist only shows the first 16 characters of the image name. To retrieve the full name, we can use either the cmdline or the pstree plugin.
Answer: InvoiceCheckList.exe
Q2) By determining which executable is utilized by the malware to ensure its persistence, we can strategize for the eradication phase. Which executable is responsible for the malware's persistence?
Answer: schtasks.exe
Q3) Understanding child processes reveals potential malicious behavior in incidents. Aside from the PowerShell processes, what other active suspicious process, originating from the same parent process, is identified?
Answer: RegSvcs.exe
Q4) Analyzing malicious process parameters uncovers intentions like defense evasion for hidden, stealthy malware. What PowerShell cmdlet is used by the malware for defense evasion?
This cmdlet adds a specified path to Microsoft Defender's exclusion list. It effectively tells Microsoft Defender to exclude the specified file or directory (InvoiceCheckList.exe and HcdmIYYf.exe in this case) from being scanned or monitored for malicious activity.
Answer: Add-MpPreference
Q5) Recognizing detection-evasive executables is crucial for monitoring their harmful and malicious system activities. Which two applications were excluded by the malware from the previously altered application's settings?
Answer: InvoiceCheckList.exe:HcdmIYYf.exe
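The reasoning behind Q1, Q3, Q4 and Q5 is the same every time: build the parent/child tree from pslist, recover full image names from cmdline, and scan command lines for Defender exclusions. The script below is an added example (not part of the lab or of Volatility itself) that automates those steps over constructed records that imitate the output of the windows.pslist and windows.cmdline plugins; the PIDs, paths, user name and task-name placeholders are assumptions, only the process names and the 4596 parent come from the write-up.

```python
"""Triage helpers over Volatility-style pslist / cmdline output.

Added example; the records below are constructed to mirror the lab, they are
not the real dump's output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str  # ImageFileName as pslist prints it (truncated, as in the lab)


# Constructed records mimicking windows.pslist (PID, PPID, ImageFileName).
PROCS = [
    Proc(3120, 1000, "explorer.exe"),
    Proc(4596, 3120, "InvoiceCheckList"),  # truncated name of the suspicious parent
    Proc(5120, 4596, "powershell.exe"),
    Proc(5204, 4596, "powershell.exe"),
    Proc(5388, 4596, "RegSvcs.exe"),
    Proc(5500, 4596, "schtasks.exe"),
]

# Constructed records mimicking windows.cmdline (pid -> command line).
# The user name, paths and task placeholders are assumptions.
CMDLINES = {
    4596: r'"C:\Users\victim\Downloads\InvoiceCheckList.exe"',
    5120: r'powershell.exe -c Add-MpPreference -ExclusionPath "C:\Users\victim\Downloads\InvoiceCheckList.exe"',
    5204: r'powershell.exe -c Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming\HcdmIYYf.exe"',
    5388: r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    5500: r'schtasks.exe /Create /TN <TASK_NAME_PLACEHOLDER> /TR <PATH_PLACEHOLDER>',
}


def children_by_parent(procs):
    """Group processes by PPID, which is all pstree does before rendering."""
    tree = defaultdict(list)
    for p in procs:
        tree[p.ppid].append(p)
    return tree


def find_spawners(procs, child_name="powershell.exe", min_children=2):
    """Return {parent_pid: [child pids]} for parents with >= min_children children named child_name (Q1)."""
    hits = {}
    for ppid, kids in children_by_parent(procs).items():
        matches = [k.pid for k in kids if k.name.lower() == child_name]
        if len(matches) >= min_children:
            hits[ppid] = matches
    return hits


def full_image_name(pid, cmdlines):
    """Recover the untruncated image name from the command line, as the cmdline plugin shows it."""
    cmd = cmdlines[pid].strip()
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return basename(exe)


def other_children(procs, parent_pid, exclude="powershell.exe"):
    """Names of the parent's remaining children, i.e. the siblings of the PowerShell pair (Q3)."""
    return sorted(p.name for p in procs if p.ppid == parent_pid and p.name.lower() != exclude)


# Add-MpPreference followed by one of the exclusion parameters and a (possibly quoted) value.
EXCLUSION_RE = re.compile(
    r'(Add-MpPreference)\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"\s]+)"?', re.I
)


def defender_exclusions(cmdlines):
    """(cmdlet, excluded file name) for every command line that adds a Defender exclusion (Q4/Q5)."""
    found = []
    for pid in sorted(cmdlines):
        m = EXCLUSION_RE.search(cmdlines[pid])
        if m:
            found.append((m.group(1), basename(m.group(2))))
    return found


if __name__ == "__main__":
    for ppid, kids in find_spawners(PROCS).items():
        print(f"parent {ppid} ({full_image_name(ppid, CMDLINES)}) spawned {kids}")
        print("  other children:", other_children(PROCS, ppid))
    print("defender exclusions:", defender_exclusions(CMDLINES))
```

On a real dump the two dictionaries would be filled from the CSV output of the plugins (for example `vol -r csv -f dump.raw windows.pslist` and `windows.cmdline`); the detection logic does not change. The exclusion regex also catches -ExclusionProcess and -ExclusionExtension, which the lab does not use but which an analyst should treat the same way.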
Q6) Mapping each technique to MITRE provides clarity and aids effective response during incident analysis. What is the MITRE sub-technique ID the PowerShell commands aim to achieve?
Searching Google for "Add-MpPreference MITRE ATT&CK" leads to the Impair Defenses: Disable or Modify Tools sub-technique.
Answer: T1562.001
Q7) SIDs uniquely identify accounts, reveal type, domain/local status, and correlate malicious activities. What's the Security ID (SID) of the user account the malicious processes are running under?
Answer: S-1-5-21-1649652813-3480061347-1948202237-1001
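The SID in the answer carries its own structure: revision, identifier authority, the sub-authorities that identify the machine or domain, and the trailing relative identifier (RID) that names the account. The parser below is an added example (not part of the lab) that splits a SID string into those parts, reports what the well-known pieces mean, and groups SIDs by their machine/domain prefix so that processes found under different RIDs can still be correlated to the same authority; the extra sample SIDs are constructed, only the one from the answer comes from the write-up.

```python
"""SID decoding helpers (added example, not part of the lab)."""
import re
from collections import defaultdict
from dataclasses import dataclass

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Single-sub-authority SIDs under the NT authority (5) that name service identities.
NT_SERVICE_SIDS = {18: "LocalSystem", 19: "Local Service", 20: "Network Service"}
# Well-known RIDs inside a machine/domain (S-1-5-21-...) sub-tree.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @property
    def rid(self):
        return self.sub_authorities[-1]

    @property
    def prefix(self):
        """Everything but the RID: identifies the issuing machine or domain."""
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.sub_authorities[:-1]))


def parse_sid(text):
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    subs = tuple(int(x) for x in m.group(3).strip("-").split("-"))
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def describe(sid):
    """Human-readable classification of the account the SID names."""
    if sid.authority == 5 and len(sid.sub_authorities) == 1:
        return NT_SERVICE_SIDS.get(sid.rid, f"NT authority well-known SID {sid.rid}")
    if sid.authority == 5 and sid.sub_authorities[0] == 32:
        return f"built-in local group (RID {sid.rid})"
    if sid.authority == 5 and sid.sub_authorities[0] == 21:
        if sid.rid in WELL_KNOWN_RIDS:
            return f"{WELL_KNOWN_RIDS[sid.rid]} (well-known RID {sid.rid})"
        if sid.rid >= 1000:
            return f"created account (RID {sid.rid}) in machine/domain {sid.prefix}"
        return f"reserved RID {sid.rid} in {sid.prefix}"
    return "unrecognised SID layout"


def group_by_authority(sid_strings):
    """{machine/domain prefix: sorted RIDs} so processes under different users can be correlated."""
    groups = defaultdict(set)
    for s in sid_strings:
        sid = parse_sid(s)
        if sid.authority == 5 and sid.sub_authorities[0] == 21:
            groups[sid.prefix].add(sid.rid)
    return {k: sorted(v) for k, v in groups.items()}


# The first SID is the lab answer; the others are constructed for illustration.
SAMPLE_SIDS = [
    "S-1-5-21-1649652813-3480061347-1948202237-1001",
    "S-1-5-21-1649652813-3480061347-1948202237-500",
    "S-1-5-18",
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        print(s, "->", describe(parse_sid(s)))
    print(group_by_authority(SAMPLE_SIDS))
```

The RID 1001 places the lab's account among the user-created accounts (RIDs from 1000 upward), rather than a built-in one such as Administrator (500); the getsids plugin prints these strings, and the prefix grouping lets you tell at a glance whether two suspicious processes run under accounts issued by the same machine or domain.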