Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application from one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.
The security team was able to flag some suspicious commands executed on the workstation of Maxine, which prompted the investigation. Given this, you are tasked to analyse and assess the impact of the compromise.
Email sender: [email protected]
Victim email: [email protected]
Attachment: Resume_WesleyTaylor.doc
MD5 Hash of the email: 52c4384a0b9e248b95804352ebec6c5b
Upon performing OSINT on the gathered IOCs, here are the details: "The macro named 'AutoOpen' is triggered automatically when the document is opened. It begins by defining a file path ('spath') that points to the 'ProgramData' folder. Next, it creates two objects: an XMLHTTP object ('xHttp') and an ADODB Stream object ('bStrm').
The 'xHttp' object is used to establish a connection with a remote server ('https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png') and retrieve a response. The response from the server is then saved to a stream object ('bStrm').
The stream object is configured to save the data as a file named 'update.js' in the 'ProgramData' folder. This suggests that the macro is attempting to download and save a JavaScript file from the remote server.
After saving the file, the macro creates a 'WScript.Shell' object ('shell_object') and uses it to execute the downloaded JavaScript file ('wscript.exe C:\ProgramData\update.js'). This indicates that the macro is attempting to run the downloaded JavaScript code.
The behavior of this macro raises concerns as it involves downloading and executing an external script from an untrusted source. This could potentially allow malicious code to be introduced into the system, leading to various security risks."
In Volatility, these commands are useful:
vol -f WKSTN-2961.raw windows.pstree   # shows the process tree
vol -f WKSTN-2961.raw windows.cmdline  # shows the command line of each process
vol -f WKSTN-2961.raw windows.netscan  # shows the network connections
strings WKSTN-2961.raw | grep boogeymanisback
strings WKSTN-2961.raw | grep schtask
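To triage the two plugin outputs for the behaviour the OSINT report describes (an Office process spawning wscript.exe on a script dropped in ProgramData), here is an added Python example that is not part of the original writeup. It parses the tab-separated output of windows.cmdline and windows.pstree; the sample rows, PIDs and paths are constructed, not results from WKSTN-2961.raw.

```python
import re

# Chain from the writeup's macro: WINWORD.EXE runs the macro, which runs wscript.exe on a file in ProgramData.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
DROP_DIRS = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\", re.I)

def parse_cmdline(text):
    """windows.cmdline output (PID, Process, Args; tab separated) -> {pid: (process, args)}."""
    rows = {}
    for line in text.splitlines()[1:]:            # first line is the column header
        parts = line.split("\t", 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows[int(parts[0])] = (parts[1].lower(), parts[2])
    return rows

def parse_pstree(text):
    """windows.pstree output (PID, PPID, ImageFileName, ...) -> {pid: (ppid, image)}."""
    rows = {}
    for line in text.splitlines()[1:]:
        parts = line.lstrip("* ").split("\t")     # leading '*' marks tree depth
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            rows[int(parts[0])] = (int(parts[1]), parts[2].lower())
    return rows

def find_suspicious(cmdline_text, pstree_text):
    """Flag script hosts run from a drop directory and script hosts spawned by an Office app."""
    cmds, tree = parse_cmdline(cmdline_text), parse_pstree(pstree_text)
    findings = []
    for pid, (proc, args) in cmds.items():
        if proc in SCRIPT_HOSTS and DROP_DIRS.search(args):
            findings.append((pid, f"{proc} runs a script from a drop directory: {args}"))
    for pid, (ppid, image) in tree.items():
        parent = tree.get(ppid, (0, ""))[1]
        if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
            findings.append((pid, f"{parent} (PID {ppid}) spawned {image}"))
    return findings

# Constructed sample output, not the real WKSTN-2961.raw results; PIDs and paths are made up.
SAMPLE_CMDLINE = "\n".join([
    "PID\tProcess\tArgs",
    "1108\tsvchost.exe\tC:\\Windows\\System32\\svchost.exe -k netsvcs",
    "4208\tWINWORD.EXE\tWINWORD.EXE /n C:\\Users\\maxine\\Downloads\\Resume_WesleyTaylor.doc",
    "4260\twscript.exe\twscript.exe C:\\ProgramData\\update.js",
])
SAMPLE_PSTREE = "\n".join([
    "PID\tPPID\tImageFileName\tThreads",
    "4208\t3156\tWINWORD.EXE\t20",
    "* 4260\t4208\twscript.exe\t4",
])
```

Running `find_suspicious(SAMPLE_CMDLINE, SAMPLE_PSTREE)` on the sample yields two findings for PID 4260: the ProgramData script execution and the Word-to-wscript lineage.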
Output of windows.cmdline:

Output of windows.pstree:
