Boogeyman 2
The Boogeyman is back. Are you still afraid of the Boogeyman?
CONTEXT
Challenge Link: TryHackMe - Boogeyman 2
I. Background
Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application for one of the company's open positions. Unbeknownst to her, the attached resume was malicious and compromised her workstation.

Relevant email headers:
- From
- Content-Type: application/msword; name="Resume_WesleyTaylor.doc"
II. Artifacts
1. Exfiltration
A Python 3 HTTP server was started on the THM machine:
Then the files were downloaded using a local browser:

2. Email Attachment
The attachment is a .doc file, which was extracted and checked for completeness:
3. Memory Dump
The compromised workstation appears to be running Windows 10:
And that particular endpoint is owned by maxine.beck:
ANALYSIS
I. MalDoc
The email attachment contains a macro (denoted by the M flag in the listing) named NewMacros:
Looking at what it does:
Once the document is opened, it downloads a file (update.png), saves it as update.js, and executes it via wscript.exe:
Confirming the execution via the memory dump: the malicious process wscript.exe (PID 4260) was indeed spawned by Microsoft Word (PID 1124), and it in turn spawned updater.exe (PID 6216):
II. C2 Callback
To figure out the origins of updater.exe, the initially downloaded file (update.png) was extracted from the memory dump:
The following shows that a file (update.exe) is downloaded, saved as updater.exe, and then executed as is:
To find out what updater.exe is, it was extracted from the memory dump and decompiled with dnSpy:
It is an Empire stager compiled via Sharpire:
And calls back to 128.199.95.189:8080:
Confirming this via the memory dump: a connection to that address exists but is marked CLOSED, while the process is still running, meaning the agent may currently be inactive:
III. Persistence
The process memory of updater.exe was extracted from the dump to check whether any executed commands could be recovered:
It shows an attempt to create a scheduled task named Updater:
To confirm that the scheduled task was actually created, the task file was extracted from the memory dump:
The following is the XML configuration of the scheduled task indicating its successful creation:
The command run by the scheduled task executes a base64-encoded string stored under an HKEY_CURRENT_USER registry key, meaning it should be visible in the compromised user maxine.beck's NTUSER.DAT hive. Extracting that hive from the memory dump:
Then searching it for long base64 strings:
It is another Empire stager which was set up for persistence:
Which also calls back to 128.199.95.189:8080:
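As an added example (not part of the original writeup), the hunt performed in this section in Python: scan a raw NTUSER.DAT dump for long base64 runs, decode each one (handling the UTF-16LE encoding that PowerShell -enc payloads use) and pull out any callback URL. The hive bytes and the encoded command are constructed sample data, and the function names are my own.

```python
"""Hunt for long base64 blobs (e.g. a registry-stored stager) in a raw hive dump."""
import base64
import re
from typing import Dict, List, Optional

# Long runs of base64 characters only; short values (paths, GUIDs) are ignored.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % 100)
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?[/\w.\-]*")


def decode_blob(blob: bytes) -> Optional[str]:
    """Decode one base64 run; returns None if it is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return None
    # UTF-16LE text (PowerShell -enc) has a NUL in most odd byte positions.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def hunt_hive(hive: bytes) -> List[Dict[str, object]]:
    """Return every long base64 run with its offset, decoded preview and URLs."""
    hits = []
    for m in B64_RE.finditer(hive):
        text = decode_blob(m.group(0))
        if text is None:
            continue
        hits.append({
            "offset": m.start(),
            "length": len(m.group(0)),
            "urls": URL_RE.findall(text),
            "preview": text[:60],
        })
    return hits


# Constructed sample: a UTF-16LE PowerShell one-liner, base64-encoded the way a
# registry-stored "-enc" command would be, surrounded by hive-like bytes.
SAMPLE_CMD = "$u='http://128.199.95.189:8080/';Write-Output $u"
SAMPLE_HIVE = (b"hbin\x00\x00Debug\x00"
               + base64.b64encode(SAMPLE_CMD.encode("utf-16-le"))
               + b"\x00\x00SGVsbG8=\x00")

if __name__ == "__main__":
    for hit in hunt_hive(SAMPLE_HIVE):
        print(hit["offset"], hit["length"], hit["urls"])
```

Run against the strings of a carved NTUSER.DAT (or the raw hive file), any hit whose URL points at the known C2 address is the persistence payload described above.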