REVEAL

Q1: Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

Answer: powershell.exe

How: Didapat dari menggunakan plugin malfind

Q2: Knowing the parent process ID (PPID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

Answer: 4120

Q3: Determining the file name used by the malware for executing the second-stage payload is crucial for identifying subsequent malicious activities. What is the file name that the malware uses to execute the second-stage payload?

3435.dll

How: Kedua jawaban ini dapat ditemukan dengan menggunakan plugin pstree

Q4: Identifying the shared directory on the remote server helps trace the resources targeted by the attacker. What is the name of the shared directory being accessed on the remote server?

Answer: davwwwroot

Q5: What is the MITRE ATT&CK sub-technique ID that describes the execution of a second-stage payload using a Windows utility to run the malicious file?

Answer: T1218.011 (System Binary Proxy Execution: Rundll32)

How: Dapat ditemukan pada MITRE

Q6: Identifying the username under which the malicious process runs helps in assessing the compromised account and its potential impact. What is the username that the malicious process runs under?

Answer: elon

How: Gunakan plugin getsids untuk pid 3692

Q7: Knowing the name of the malware family is essential for correlating the attack with known threats and developing appropriate defenses. What is the name of the malware family?

Answer: STRELASTEALER

How: virustotal.com/gui/ip-address/45.9.74.32