Hack The Box - Sherlocks\Unit42
Sherlocks are defensive investigatory scenarios within Hack The Box’s Dedicated Labs, designed to enhance digital forensics and incident response (DFIR) capabilities, provide a deeper understanding of security tools and technologies, improve the ability to prioritize during real investigations, and build proficiency in technical analysis. This writeup is for Unit42 (DFIR, very easy), aimed at familiarizing the reader with Windows Sysmon logs and the corresponding Event IDs.
Sherlock Information
Scenario
Palo Alto’s Unit42 conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by the campaign and is structured around its initial access stage.
Artifacts
- Unit42/Microsoft-Windows-Sysmon-Operational.evtx
Initial Review and Inference
UltraVNC Campaign Overview
On 2024-01-23, @Tac_Mangusta posted on X (Twitter) information about an Italian malspam campaign, with a link to the malware. Per Unit42’s analysis, the campaign was active as early as 2024-01-22, with a Trojanized version of UltraVNC establishing a VNC connection over TCP and keeping it alive without any activity. UltraVNC is an open-source remote-administration/remote-desktop utility. The client supports Windows and Linux; the server, however, only supports Windows, with the RFB protocol used under the hood for remote connections.
The infection chain was highlighted as: Email -> Dropbox link -> Downloaded EXE -> Trojanized UltraVNC package -> VNC traffic
Artifact Review and Research
Microsoft-Windows-Sysmon-Operational.evtx is the event log file generated by Sysmon (System Monitor), a Windows system service and device driver. Sysmon remains resident across system reboots to monitor and log system activity to the Windows event log, providing detailed information about process creations, network connections and changes to file creation time. Each kind of activity is recorded as a distinct Sysmon event, and further information on the individual events is available through Microsoft’s documentation.
The file (usually found at C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon-Operational.evtx) records Sysmon’s operational log and is stored in the Windows Event Log directory. It contains valuable security-related data such as process creation logs, network connection events, file creation and modification details, registry key and value changes, driver/DLL loading and WMI event monitoring, amongst others.
Additionally, since Sysmon-Operational.evtx is a binary file, the evtx_dump utility is used to prepare it for analysis on a Linux distribution. The utility is part of the python-evtx library and is a Python script designed to parse and extract data from Windows Event Log (.evtx) files. The command evtx_dump.py Microsoft-Windows-Sysmon-Operational.evtx > evtx_output.txt converts the contents of the binary file into a readable text file for further analysis.
Tasks
Task 1: How many Event logs are there with Event ID 11?
We can use grep -c "EventID Qualifiers=\"\">11" evtx_output.txt to count the Event ID 11 records in the dumped content of the Event Log binary.
Task 2: Whenever a process is created in memory, an event with Event ID 1 is recorded with details such as command line, hashes, process path, parent process path, etc. This information is very useful for an analyst because it allows us to see all programs executed on a system, which means we can spot any malicious processes being executed. What is the malicious process that infected the victim’s system?
Executing the referenced grep command on evtx_output.txt, we primarily observe C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe, which does appear interesting: it sits in the Downloads folder, the filename is suspicious (double .exe extension), it is described as “Photo and vn Installer”, which matches the scenario description of a backdoored UltraVNC, and it is observed creating further files under the C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ directory.
Grep file analysis for Event ID 1
$ grep -A 40 "<EventID Qualifiers=\"\">1</EventID>" evtx_output.txt | grep -A 22 "<EventData>" | grep "Data Name=\".*\">" | awk '/RuleName/{print "\n---New Event---\n"}{print}' | cat
---New Event---
<EventData><Data Name="RuleName">technique_id=T1027,technique_name=Obfuscated Files or Information</Data>
<Data Name="UtcTime">2024-02-14 03:41:45.304</Data>
<Data Name="ProcessGuid">{817bddf3-3679-65cc-2902-000000001900}</Data>
<Data Name="ProcessId">5584</Data>
<Data Name="Image">C:\Program Files\Mozilla Firefox\pingsender.exe</Data>
<Data Name="FileVersion">122.0.1</Data>
<Data Name="Description">-</Data>
<Data Name="Product">Firefox</Data>
<Data Name="Company">Mozilla Foundation</Data>
<Data Name="OriginalFileName">pingsender.exe</Data>
<Data Name="CommandLine">"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/cb88145b-129d-471c-b605-4fdf09fec680/event/Firefox/122.0.1/release/20240205133611?v=4 C:\Users\CyberJunkie\AppData\Roaming\Mozilla\Firefox\Profiles\avsa4d81.default-release\saved-telemetry-pings\cb88145b-129d-471c-b605-4fdf09fec680 https://incoming.telemetry.mozilla.org/submit/telemetry/6fcd92a2-cc60-4df6-b6fb-66356dd011c1/main/Firefox/122.0.1/release/20240205133611?v=4 C:\Users\CyberJunkie\AppData\Roaming\Mozilla\Firefox\Profiles\avsa4d81.default-release\saved-telemetry-pings\6fcd92a2-cc60-4df6-b6fb-66356dd011c1</Data>
<Data Name="CurrentDirectory">C:\Program Files\Mozilla Firefox\</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
<Data Name="LogonGuid">{817bddf3-311e-65cc-a7ae-1b0000000000}</Data>
<Data Name="LogonId">0x00000000001baea7</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=282F855BEB4FACF0726E13ECCADB7D3411B30B85,MD5=A1F5FF25E3D0F160BC7CE7CA57349D83,SHA256=B412C45DE423534D85F121ABC348FB38020FDA804EA0A972708B7447B0E7325D,IMPHASH=F84029681F81FED23E3E067364DA1699</Data>
<Data Name="ParentProcessGuid">{817bddf3-3514-65cc-0802-000000001900}</Data>
<Data Name="ParentProcessId">4292</Data>
<Data Name="ParentImage">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="ParentCommandLine">"C:\Program Files\Mozilla Firefox\firefox.exe"</Data>
<Data Name="ParentUser">DESKTOP-887GK2L\CyberJunkie</Data>
---New Event---
<EventData><Data Name="RuleName">technique_id=T1204,technique_name=User Execution</Data>
<Data Name="UtcTime">2024-02-14 03:41:56.538</Data>
<Data Name="ProcessGuid">{817bddf3-3684-65cc-2d02-000000001900}</Data>
<Data Name="ProcessId">10672</Data>
<Data Name="Image">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe</Data>
<Data Name="FileVersion">1.1.2</Data>
<Data Name="Description">Photo and vn Installer</Data>
<Data Name="Product">Photo and vn</Data>
<Data Name="Company">Photo and Fax Vn</Data>
<Data Name="OriginalFileName">Fattura 2 2024.exe</Data>
<Data Name="CommandLine">"C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe" </Data>
<Data Name="CurrentDirectory">C:\Users\CyberJunkie\Downloads\</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
<Data Name="LogonGuid">{817bddf3-311e-65cc-a7ae-1b0000000000}</Data>
<Data Name="LogonId">0x00000000001baea7</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=18A24AA0AC052D31FC5B56F5C0187041174FFC61,MD5=32F35B78A3DC5949CE3C99F2981DEF6B,SHA256=0CB44C4F8273750FA40497FCA81E850F73927E70B13C8F80CDCFEE9D1478E6F3,IMPHASH=36ACA8EDDDB161C588FCF5AFDC1AD9FA</Data>
<Data Name="ParentProcessGuid">{817bddf3-311f-65cc-0a01-000000001900}</Data>
<Data Name="ParentProcessId">1116</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data>
<Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data>
<Data Name="ParentUser">DESKTOP-887GK2L\CyberJunkie</Data>
---New Event---
<EventData><Data Name="RuleName">technique_id=T1218,technique_name=Signed Binary Proxy Execution</Data>
<Data Name="UtcTime">2024-02-14 03:41:57.604</Data>
<Data Name="ProcessGuid">{817bddf3-3685-65cc-2e02-000000001900}</Data>
<Data Name="ProcessId">10220</Data>
<Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
<Data Name="FileVersion">5.0.19041.3636 (WinBuild.160101.0800)</Data>
<Data Name="Description">Windows® installer</Data>
<Data Name="Product">Windows Installer - Unicode</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">msiexec.exe</Data>
<Data Name="CommandLine">C:\Windows\system32\msiexec.exe /V</Data>
<Data Name="CurrentDirectory">C:\Windows\system32\</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="LogonGuid">{817bddf3-307b-65cc-e703-000000000000}</Data>
<Data Name="LogonId">0x00000000000003e7</Data>
<Data Name="TerminalSessionId">0</Data>
<Data Name="IntegrityLevel">System</Data>
<Data Name="Hashes">SHA1=32B8B2E3B3ECD8E194ACE65A5E5052C326D7CCAA,MD5=3A8464F2CECDF1D89430C64237949F20,SHA256=8CA4B8B7A2F8E6E7D1DF1AE46437FC252CD9C4B78CA3C7ADCAB721BD0F68B358,IMPHASH=0990A9500FF8DF93E0E059EE13E7C796</Data>
<Data Name="ParentProcessGuid">{817bddf3-307b-65cc-0b00-000000001900}</Data>
<Data Name="ParentProcessId">740</Data>
<Data Name="ParentImage">C:\Windows\System32\services.exe</Data>
<Data Name="ParentCommandLine">C:\Windows\system32\services.exe</Data>
<Data Name="ParentUser">NT AUTHORITY\SYSTEM</Data>
---New Event---
<EventData><Data Name="RuleName">technique_id=T1218,technique_name=Signed Binary Proxy Execution</Data>
<Data Name="UtcTime">2024-02-14 03:41:57.787</Data>
<Data Name="ProcessGuid">{817bddf3-3685-65cc-2f02-000000001900}</Data>
<Data Name="ProcessId">6996</Data>
<Data Name="Image">C:\Windows\SysWOW64\msiexec.exe</Data>
<Data Name="FileVersion">5.0.19041.3636 (WinBuild.160101.0800)</Data>
<Data Name="Description">Windows® installer</Data>
<Data Name="Product">Windows Installer - Unicode</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">msiexec.exe</Data>
<Data Name="CommandLine">C:\Windows\syswow64\MsiExec.exe -Embedding 5364C761FA9A55D636271A1CE8A6742D C</Data>
<Data Name="CurrentDirectory">C:\Windows\SysWOW64\</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
<Data Name="LogonGuid">{817bddf3-311e-65cc-a7ae-1b0000000000}</Data>
<Data Name="LogonId">0x00000000001baea7</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41</Data>
<Data Name="ParentProcessGuid">{817bddf3-3685-65cc-2e02-000000001900}</Data>
<Data Name="ParentProcessId">10220</Data>
<Data Name="ParentImage">C:\Windows\System32\msiexec.exe</Data>
<Data Name="ParentCommandLine">C:\Windows\system32\msiexec.exe /V</Data>
<Data Name="ParentUser">NT AUTHORITY\SYSTEM</Data>
---New Event---
<EventData><Data Name="RuleName">technique_id=T1218,technique_name=Signed Binary Proxy Execution</Data>
<Data Name="UtcTime">2024-02-14 03:41:57.905</Data>
<Data Name="ProcessGuid">{817bddf3-3685-65cc-3002-000000001900}</Data>
<Data Name="ProcessId">10324</Data>
<Data Name="Image">C:\Windows\SysWOW64\msiexec.exe</Data>
<Data Name="FileVersion">5.0.19041.3636 (WinBuild.160101.0800)</Data>
<Data Name="Description">Windows® installer</Data>
<Data Name="Product">Windows Installer - Unicode</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">msiexec.exe</Data>
<Data Name="CommandLine">"C:\Windows\system32\msiexec.exe" /i "C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe SETUPEXEDIR=C:\Users\CyberJunkie\Downloads\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1707880560 " AI_EUIMSI=""</Data>
<Data Name="CurrentDirectory">C:\Users\CyberJunkie\Downloads\</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
<Data Name="LogonGuid">{817bddf3-311e-65cc-a7ae-1b0000000000}</Data>
<Data Name="LogonId">0x00000000001baea7</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41</Data>
<Data Name="ParentProcessGuid">{817bddf3-3684-65cc-2d02-000000001900}</Data>
<Data Name="ParentProcessId">10672</Data>
<Data Name="ParentImage">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe</Data>
<Data Name="ParentCommandLine">"C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe" </Data>
<Data Name="ParentUser">DESKTOP-887GK2L\CyberJunkie</Data>
---New Event---
<EventData><Data Name="RuleName">technique_id=T1218,technique_name=Signed Binary Proxy Execution</Data>
<Data Name="UtcTime">2024-02-14 03:41:58.178</Data>
<Data Name="ProcessGuid">{817bddf3-3686-65cc-3102-000000001900}</Data>
<Data Name="ProcessId">10280</Data>
<Data Name="Image">C:\Windows\SysWOW64\msiexec.exe</Data>
<Data Name="FileVersion">5.0.19041.3636 (WinBuild.160101.0800)</Data>
<Data Name="Description">Windows® installer</Data>
<Data Name="Product">Windows Installer - Unicode</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">msiexec.exe</Data>
<Data Name="CommandLine">C:\Windows\syswow64\MsiExec.exe -Embedding 5250A3DB12224F77D2A18B4EB99AC5EB</Data>
<Data Name="CurrentDirectory">C:\Windows\SysWOW64\</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
<Data Name="LogonGuid">{817bddf3-311e-65cc-a7ae-1b0000000000}</Data>
<Data Name="LogonId">0x00000000001baea7</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41</Data>
<Data Name="ParentProcessGuid">{817bddf3-3685-65cc-2e02-000000001900}</Data>
<Data Name="ParentProcessId">10220</Data>
<Data Name="ParentImage">C:\Windows\System32\msiexec.exe</Data>
<Data Name="ParentCommandLine">C:\Windows\system32\msiexec.exe /V</Data>
<Data Name="ParentUser">NT AUTHORITY\SYSTEM</Data>
Task 3: Which Cloud drive was used to distribute the malware?
This task is effectively asking us to identify the initial infection vector: how the suspicious file Preventivo24.02.14.exe.exe ended up in the user’s Downloads folder. We execute the referenced awk command to extract the Event IDs and EventData corresponding to the suspicious file into a separate file for further analysis.
Extracting EventIDs and EventData corresponding to suspicious file
awk '
BEGIN {
    RS="</Event>";      # one record per Sysmon event
    FS="\n";            # one field per line within the record
    IGNORECASE=1;       # make the search case-insensitive (GNU awk only)
    print "=== Events containing PREVENTIVO24.02.14.EXE.EXE (case-insensitive) ===\n"
}
/PREVENTIVO24\.02\.14\.EXE\.EXE/ {
    found_event = 0
    event_output = ""
    # First find the EventID line of this record
    for (i=1; i<=NF; i++) {
        if (match($i, /<EventID Qualifiers="">[0-9]+<\/EventID>/)) {
            found_event = 1
            event_output = $i "\n"
            break
        }
    }
    # Then print all Data fields if we found an EventID
    if (found_event) {
        print "\n---New Event---\n"
        print event_output
        for (i=1; i<=NF; i++) {
            if (match($i, /<Data Name="[^"]*">[^<]+<\/Data>/)) {
                print $i
            }
        }
    }
}
' evtx_output.txt > preventivo_extracted_events.txt
Performing a timeline analysis of preventivo_extracted_events.txt for the first few events relating to the suspicious file, we observe Event ID 15 (FileCreateStreamHash) on the Zone.Identifier stream with ReferrerUrl=hxxps_[:]//www[.]dropbox[.]com/.
Timeline analysis of preventivo_extracted_events.txt
=== Events containing PREVENTIVO24.02.14.EXE.EXE (case-insensitive) ===
---New Event---
<EventID Qualifiers="">11</EventID>
<EventData><Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-02-14 03:41:26.459</Data>
<Data Name="ProcessGuid">{817bddf3-3514-65cc-0802-000000001900}</Data>
<Data Name="ProcessId">4292</Data>
<Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="TargetFilename">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe</Data>
<Data Name="CreationUtcTime">2024-02-14 03:41:26.459</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
---New Event---
<EventID Qualifiers="">15</EventID>
<EventData><Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-02-14 03:41:30.441</Data>
<Data Name="ProcessGuid">{817bddf3-3514-65cc-0802-000000001900}</Data>
<Data Name="ProcessId">4292</Data>
<Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="TargetFilename">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe</Data>
<Data Name="CreationUtcTime">2024-02-14 03:41:26.459</Data>
<Data Name="Hash">SHA1=18A24AA0AC052D31FC5B56F5C0187041174FFC61,MD5=32F35B78A3DC5949CE3C99F2981DEF6B,SHA256=0CB44C4F8273750FA40497FCA81E850F73927E70B13C8F80CDCFEE9D1478E6F3,IMPHASH=36ACA8EDDDB161C588FCF5AFDC1AD9FA</Data>
<Data Name="Contents">-</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
---New Event---
<EventID Qualifiers="">11</EventID>
<EventData><Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-02-14 03:41:30.472</Data>
<Data Name="ProcessGuid">{817bddf3-3514-65cc-0802-000000001900}</Data>
<Data Name="ProcessId">4292</Data>
<Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="TargetFilename">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe:Zone.Identifier</Data>
<Data Name="CreationUtcTime">2024-02-14 03:41:26.459</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
---New Event---
<EventID Qualifiers="">15</EventID>
<EventData><Data Name="RuleName">technique_id=T1189,technique_name=Drive-by Compromise</Data>
<Data Name="UtcTime">2024-02-14 03:41:30.472</Data>
<Data Name="ProcessGuid">{817bddf3-3514-65cc-0802-000000001900}</Data>
<Data Name="ProcessId">4292</Data>
<Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="TargetFilename">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe:Zone.Identifier</Data>
<Data Name="CreationUtcTime">2024-02-14 03:41:26.459</Data>
<Data Name="Hash">SHA1=2CFE549E8DEB113DFAD2E7702637C1772ACFDBE6,MD5=41F87E73FBAEA5D3B335EBC3B3B70FAE,SHA256=5607425CF7DCB090216F4531D099FD780193899383CBB3441017E3615E03068B,IMPHASH=00000000000000000000000000000000</Data>
<Data Name="Contents">[ZoneTransfer] ZoneId=3 ReferrerUrl=https://www.dropbox.com/ HostUrl=https://uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com/cd/0/get/CNNlOCYTD8cqLXFQzXaeYHRkHg_PoR35Et2T0_IkqE5ijvkTAQNljV7ZkK2fLXWI2bJy944RnwKttvmNWpVd5olpBcffnvnL_IfEjzr65jZZUOxtWA9rSgJ1jc91IZILHVAJHgRhjpZYLtGo83_QbeInB7x2oEAoYg-JLF54zbhziQ/file# </Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
---New Event---
<EventID Qualifiers="">26</EventID>
<EventData><Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-02-14 03:41:56.467</Data>
<Data Name="ProcessGuid">{817bddf3-311f-65cc-0a01-000000001900}</Data>
<Data Name="ProcessId">1116</Data>
<Data Name="User">DESKTOP-887GK2L\CyberJunkie</Data>
<Data Name="Image">C:\Windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe:Zone.Identifier</Data>
<Data Name="Hashes">SHA1=2CFE549E8DEB113DFAD2E7702637C1772ACFDBE6,MD5=41F87E73FBAEA5D3B335EBC3B3B70FAE,SHA256=5607425CF7DCB090216F4531D099FD780193899383CBB3441017E3615E03068B,IMPHASH=00000000000000000000000000000000</Data>
<Data Name="IsExecutable">False</Data>
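As an added example (not part of the original writeup or the lab files), the following Python script reimplements the grep/awk pivots used in Tasks 1 to 8 against evtx_dump.py output: it splits the dump on </Event>, indexes each record by Event ID and Data fields, filters case-insensitively on a keyword like the awk script above, and parses the [ZoneTransfer] contents of the Event ID 15 record that answers Task 3. The embedded SAMPLE_DUMP is a constructed, shortened dump in the same layout; its HostUrl value is a placeholder.

```python
import re
from collections import Counter

# Constructed sample in evtx_dump.py's XML layout (not the lab's real file); records are
# shortened to a few Data fields, and the HostUrl is an obvious placeholder.
SAMPLE_DUMP = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="">11</EventID></System>
<EventData><Data Name="UtcTime">2024-02-14 03:41:26.459</Data>
<Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="TargetFilename">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="">15</EventID></System>
<EventData><Data Name="UtcTime">2024-02-14 03:41:30.472</Data>
<Data Name="TargetFilename">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe:Zone.Identifier</Data>
<Data Name="Contents">[ZoneTransfer] ZoneId=3 ReferrerUrl=https://www.dropbox.com/ HostUrl=https://HOSTURL-PLACEHOLDER.invalid/file# </Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="">1</EventID></System>
<EventData><Data Name="UtcTime">2024-02-14 03:41:56.538</Data>
<Data Name="Image">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe</Data>
<Data Name="CommandLine">"C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe" </Data>
</EventData></Event>
"""

EVENT_ID_RE = re.compile(r'<EventID Qualifiers="[^"]*">(\d+)</EventID>')
DATA_RE = re.compile(r'<Data Name="([^"]+)">([^<]*)</Data>')
ZONE_RE = re.compile(r'(\w+)=(\S+)')  # Key=value pairs inside a [ZoneTransfer] block


def parse_events(dump_text):
    """Split the dump on </Event> (like RS="</Event>" in awk); each record becomes
    {'EventID': int, <Data Name>: value, ...}."""
    events = []
    for chunk in dump_text.split("</Event>"):
        m = EVENT_ID_RE.search(chunk)
        if not m:  # trailing text after the last record, or a truncated record
            continue
        ev = {"EventID": int(m.group(1))}
        ev.update(DATA_RE.findall(chunk))
        events.append(ev)
    return events


def count_by_event_id(events):
    return Counter(ev["EventID"] for ev in events)  # Task 1 style: records per Event ID


def events_mentioning(events, needle):
    """Case-insensitive keyword pivot over every field (the awk IGNORECASE filter)."""
    needle = needle.lower()
    return [ev for ev in events if any(needle in str(v).lower() for v in ev.values())]


def zone_transfer(events):
    """Mark-of-the-Web: ZoneId/ReferrerUrl/HostUrl from Event ID 15 records written to a
    :Zone.Identifier stream (the Task 3 pivot)."""
    hits = []
    for ev in events:
        if ev["EventID"] != 15 or not ev.get("TargetFilename", "").endswith(":Zone.Identifier"):
            continue
        contents = ev.get("Contents", "")
        if contents.startswith("[ZoneTransfer]"):
            hits.append({"UtcTime": ev.get("UtcTime", ""), **dict(ZONE_RE.findall(contents))})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_DUMP)  # real use: parse_events(open("evtx_output.txt").read())
    print("Event ID counts:", dict(count_by_event_id(evs)))
    for ev in events_mentioning(evs, "preventivo24.02.14.exe.exe"):
        print(ev["UtcTime"], ev["EventID"], ev.get("TargetFilename") or ev.get("CommandLine"))
    for z in zone_transfer(evs):
        print("MOTW:", z["UtcTime"], "ZoneId", z["ZoneId"], "ReferrerUrl", z["ReferrerUrl"])
```

Sorting the output of events_mentioning by UtcTime gives the same timeline view as the extracted-events file, without a second grep per Event ID.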
Task 4: For many of the files it wrote to disk, the initial malicious file used a defense evasion technique called Time Stomping, where the file creation date is changed to make it appear older and blend in with other files. What was the timestamp changed to for the PDF file?
Event ID 2 corresponds to a process changing a file’s creation time in the Windows Event Log. Pivoting off the extracted events with grep -B1 -A10 '<EventID Qualifiers="">2</EventID>' preventivo_extracted_events.txt, we observe 2024-01-14 08:10:06.029 corresponding to a PDF file.
Task 5: The malicious file dropped a few files on disk. Where was “once.cmd” created on disk? Please answer with the full path along with the filename.
Event ID 11 corresponds to file creation in the Windows Event Log. Pivoting off the extracted events with grep -i -B 10 -A 1 "once\.cmd" preventivo_extracted_events.txt, we observe a single event corresponding to Event ID 11.
Task 6: The malicious file attempted to reach a dummy domain, most likely to check the internet connection status. What domain name did it try to connect to?
Event ID 22 corresponds to a DNS query event in the Windows Event Log. Pivoting off the extracted events with grep -i -B 1 -A 10 '<EventID Qualifiers="">22</EventID>' preventivo_extracted_events.txt, we observe a single event corresponding to Event ID 22.
Task 7: Which IP address did the malicious process try to reach out to?
Event ID 3 corresponds to a network connection event in the Windows Event Log. Pivoting off the extracted events with grep -i -B 1 -A 10 '<EventID Qualifiers="">3</EventID>' preventivo_extracted_events.txt, we observe a single event corresponding to Event ID 3.
Task 8: The malicious process terminated itself after infecting the PC with a backdoored variant of UltraVNC. When did the process terminate itself?
Event ID 5 corresponds to a process terminated event in the Windows Event Log. Pivoting off the extracted events with grep -i -B 1 -A 10 '<EventID Qualifiers="">5</EventID>' preventivo_extracted_events.txt, we observe a single event corresponding to Event ID 5.