Scenario
An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the presented memory dump and create a detailed report for actions taken by the malware.
Q1 In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?
- Firstly i used Windows.pslist.PsList plugin to list all processes :
And since he asked about parent process , i used pstree plugin to get all parent child processes relations
The lssass.exe (PID 2748) process is likely malicious because it impersonates a legitimate security process (lsass.exe), has an unusual start time, and is associated with the suspicious parent process rundll32.exe. Attackers commonly use such techniques to hide their activities, such as credential dumping.
Q2. Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?
- Use FileScan plugin and grep with process name :
Q3. Persistent external communications suggest the malware’s attempts to reach out C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?
Utilizing Netscan plugin
Q4 Following the malware link with the C2C, the malware is likely fetching additional tools or modules. How many distinct files is it trying to bring onto the compromised workstation?
I tried FileScan plugin and others but give me nothing so i tried to dump malicious Process
- so after dumping the process i used strings command to extract HTTP GET Requests :
Q5. Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?
- From Q4 we known that the attacker downloaded another 2 malicious files named :
1– cred64.dll
2– clip64.dll
so i used FileScan plugin and grep with one of them :
Q6. Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?
RUNDLL32.EXE
Q7. Understanding the full range of Amadey’s persistence mechanisms can help in an effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?
- i used FileScan plugin and grep with malicious process :
