Scenario
On April 30, 2025, a Finance department user received a phishing email with a RAR file. Trusting the sender, the user extracted and opened it. GOAT Capital’s SOC detected suspicious PowerShell activity from the user’s workstation. Soon after, mass file deletions and changes occurred, followed by ransom notes demanding Monero. Your task: investigate the true attack vector, identify attacker techniques, and assess the scope of the compromise.
Questions
Initial Access
Q1. To trace the origin of the attack, it’s essential to identify where the malicious file was obtained. What is the complete URL from which the user downloaded the malicious RAR file?
Analyzing the Edge History database for the Administrator profile, we find the download URL:
https://limewire.com/d/lihUt#NrUgowrb29
Q2. Establishing an exact timeline helps reconstruct the attack sequence accurately. What is the exact timestamp when the user downloaded the RAR file to the system? (in 24H format)
Searching the event logs for .rar, we find when the file was downloaded:
2025-04-30 20:28
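Q1 and Q2 both come out of the same artifact, so here is an added Python example (not part of the original writeup) of pulling them programmatically. Edge is Chromium-based, so its History file is SQLite and its timestamps are WebKit-style microseconds since 1601-01-01 UTC; the example converts those correctly and joins the download row to its URL chain. The database it queries is a constructed in-memory stand-in using a subset of the real column names; the local path of the RAR is an assumption, while the URL and timestamp are the ones reported above.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium (and therefore Edge) stores times as microseconds since 1601-01-01 00:00 UTC,
# not Unix epoch seconds; treating them as Unix time lands centuries off.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(us: int) -> datetime:
    """Convert a Chromium/WebKit timestamp to a timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_utc (used here only to build the constructed sample rows)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for Edge's History file: a subset of the real `downloads`
    and `downloads_url_chains` columns, holding one download that uses the URL and
    timestamp from this writeup. The target path is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
            end_time INTEGER, total_bytes INTEGER, tab_url TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER, chain_index INTEGER, url TEXT, PRIMARY KEY (id, chain_index));
    """)
    url = "https://limewire.com/d/lihUt#NrUgowrb29"
    start = utc_to_webkit(datetime(2025, 4, 30, 20, 28, 0, tzinfo=timezone.utc))
    conn.execute(
        "INSERT INTO downloads (id, target_path, start_time, end_time, total_bytes, tab_url) "
        "VALUES (1, ?, ?, ?, ?, ?)",
        (r"C:\Users\Administrator\Downloads\archive.rar", start, start + 3_000_000, 4096, url))
    # chain_index 0 is the URL the user clicked; the highest index is where the bytes came from.
    conn.execute("INSERT INTO downloads_url_chains VALUES (1, 0, ?)", (url,))
    conn.commit()
    return conn


def list_downloads(conn: sqlite3.Connection, suffix: str = ".rar") -> list:
    """Downloads whose target path ends with `suffix`, oldest first, with UTC-rendered
    start/end times and the final URL of the redirect chain (tab URL as fallback)."""
    rows = conn.execute("""
        SELECT d.id, d.target_path, d.start_time, d.end_time, d.tab_url,
               (SELECT url FROM downloads_url_chains c
                 WHERE c.id = d.id ORDER BY c.chain_index DESC LIMIT 1) AS final_url
          FROM downloads d ORDER BY d.start_time""").fetchall()
    fmt = "%Y-%m-%d %H:%M:%S"
    return [
        {"id": id_, "path": path, "url": final_url or tab_url,
         "start_utc": webkit_to_utc(start).strftime(fmt),
         "end_utc": webkit_to_utc(end).strftime(fmt)}
        for id_, path, start, end, tab_url, final_url in rows
        if path.lower().endswith(suffix.lower())
    ]


if __name__ == "__main__":
    # On a real image: copy %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History
    # (plus any History-journal file) out of the profile and connect to the copy.
    for d in list_downloads(build_sample_history()):
        print(d)
```

Two caveats when doing this for real: the live History file is locked while Edge runs, so work on a copy; and the times come out in UTC, so convert to whatever zone the rest of your timeline (event logs, Sysmon) is being reported in before comparing minutes.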
Q3. Understanding how the payload was executed reveals the user action that led to compromise. Which file extracted from the archive was launched by the user, triggering the attack?
Filtering on Sysmon Event ID 11 (File Create), we find:
pay rate.pdf.lnk
Execution
Q4. Identifying the initial script clarifies the method used to deliver and execute malicious payloads. What is the name of the PowerShell script that executed the payloads?
Analyzing the logs, we find the script that was downloaded and run:
troubleshooting.ps1
Q5. Pinpointing when ransomware activity began is crucial for defining the start of encryption. When did the ransomware first execute on the victim machine?
We see the ransomware launched via PowerShell at:
2025-04-30 20:32
Q6. Hash values allow correlation of the malware across systems and threat intelligence sources. What is the SHA256 hash of the ransomware executable used in this attack?
After the second stage, we find Adobe Acrobat.exe executed with a hidden window; its SHA256 is:
113a06c8ba6069d345f3c3db89051553d8aff7d27408945b50aa94256277dcb3
Persistence & Privilege Escalation
Q7. Knowing how persistence was maintained helps ensure thorough malware removal. What MITRE ATT&CK sub-technique ID did the attacker use to gain persistence post-reboot?
The attacker achieves persistence via Registry Run Keys / Startup Folder (I researched this online, since we have the hash):
T1547.001
Q8. Exploited drivers often reveal the attacker’s method for gaining elevated privileges. What is the name of the vulnerable driver the attacker used for privilege escalation?
Filtering on Sysmon Event ID 11 (File Create), we find the vulnerable driver being dropped:
iqvw64e.sys
Q9. Mapping kernel-level techniques helps identify sophisticated system access methods. What technique did the attacker use to gain kernel-level access?
Since the attacker escalated privileges by loading a legitimately signed but vulnerable driver (iqvw64e.sys), the technique is:
Bring Your Own Vulnerable Driver
Collection
Q10. Tracking files written by malware provides insight into its actions and scope. What is the name of the log file created by the ransomware to record its operations?
Researching Fog ransomware reveals the log file (an unintended way to answer the question):
dbglog.sys
Command and Control & Impact
Q11. Command-and-control contact details help trace external infrastructure used in the attack. What IP address and port number did the downloader connect to in order to retrieve the payload?
In the logs, we find that the downloader retrieved the PowerShell script from:
192.168.1.54:4561
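Q3, Q6, Q8 and Q11 all come from three Sysmon event types: 11 (File Create) for the .lnk and the dropped driver, 1 (Process Create) for the ransomware binary and its hash, and 3 (Network Connect) for the IP:port the downloader reached. The following added Python example (not part of the original writeup) flattens a Sysmon XML export into dicts and runs those filters over a constructed sample. The .lnk name, driver name, IP:port and SHA256 in the sample are the values reported above; the file paths, parent processes, command line and timestamps are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (wevtutil /f:xml and EventRecord.ToXml() output).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample shaped like a Sysmon/Operational export. Values marked in the
# lead-in as assumptions (paths, parents, command line, times) are not from the case.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>11</EventID><TimeCreated SystemTime="2025-04-30T20:29:10.000000Z"/></System>
 <EventData>
  <Data Name="Image">C:\Program Files\WinRAR\WinRAR.exe</Data>
  <Data Name="TargetFilename">C:\Users\Administrator\Downloads\pay rate.pdf.lnk</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><TimeCreated SystemTime="2025-04-30T20:30:05.000000Z"/></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="CommandLine">powershell.exe -w hidden -ep bypass -f troubleshooting.ps1</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><TimeCreated SystemTime="2025-04-30T20:30:06.000000Z"/></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="DestinationIp">192.168.1.54</Data>
  <Data Name="DestinationPort">4561</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><TimeCreated SystemTime="2025-04-30T20:32:00.000000Z"/></System>
 <EventData>
  <Data Name="Image">C:\Users\Administrator\AppData\Local\Temp\Adobe Acrobat.exe</Data>
  <Data Name="ParentImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="Hashes">SHA256=113A06C8BA6069D345F3C3DB89051553D8AFF7D27408945B50AA94256277DCB3</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>11</EventID><TimeCreated SystemTime="2025-04-30T20:32:30.000000Z"/></System>
 <EventData>
  <Data Name="Image">C:\Users\Administrator\AppData\Local\Temp\Adobe Acrobat.exe</Data>
  <Data Name="TargetFilename">C:\Windows\Temp\iqvw64e.sys</Data>
 </EventData>
</Event>
</Events>"""


def parse_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict: EventID, Time, plus every EventData/Data by Name."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {"EventID": int(system.findtext("e:EventID", namespaces=NS)),
               "Time": system.find("e:TimeCreated", NS).get("SystemTime")}
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = data.text or ""
        events.append(rec)
    return sorted(events, key=lambda r: r["Time"])


def file_creates(events: list, suffixes) -> list:
    """Event ID 11 records whose TargetFilename ends with one of `suffixes`."""
    return [(e["Time"], e["Image"], e["TargetFilename"]) for e in events
            if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(tuple(suffixes))]


def network_connections(events: list) -> list:
    """Event ID 3 records as (time, image, ip:port)."""
    return [(e["Time"], e["Image"], f"{e['DestinationIp']}:{e['DestinationPort']}")
            for e in events if e["EventID"] == 3]


def process_hashes(events: list, algo: str = "SHA256") -> dict:
    """Map Image -> lowercase hash taken from the Event ID 1 Hashes field,
    which Sysmon writes as 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' in uppercase hex."""
    out = {}
    for e in events:
        if e["EventID"] != 1:
            continue
        for part in e.get("Hashes", "").split(","):
            name, _, value = part.partition("=")
            if name.strip().upper() == algo.upper():
                out[e["Image"]] = value.strip().lower()
    return out


def children_of(events: list, parent_suffix: str) -> list:
    """Images of Event ID 1 records whose ParentImage ends with `parent_suffix`."""
    return [e["Image"] for e in events if e["EventID"] == 1
            and e.get("ParentImage", "").lower().endswith(parent_suffix.lower())]


if __name__ == "__main__":
    for e in parse_events(SAMPLE_XML):
        print(e["Time"], e["EventID"], e.get("TargetFilename") or e.get("DestinationIp") or e["Image"])
```

On a real host the input comes from `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` (wrap the concatenated events in a root element before parsing) or from an offline .evtx converted with your usual tooling. Reading the SHA256 out of the Event ID 1 Hashes field is the grounded way to answer Q6, since it is the hash of the binary that actually ran on this host rather than a lookup of a similarly named sample.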
Q12. Understanding encryption behavior is vital for response and recovery planning. What file extension did the ransomware append to encrypted files?
Since we already have the hash, checking the sample's behavior tab shows the appended extension:
.flocked
Q13. Ransom communication links are key for attribution and negotiation strategy. What is the .onion link provided by the attacker for ransom payment or communication?
Researching Fog ransomware reveals the .onion address (an unintended way to answer the question):
xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion