Zenith

CHALLENGE DESCRIPTION

We are contacting you with an urgent request concerning a potentially suspicious email that was recently received and unfortunately opened by one of our team members. As a construction company (Caymine builders), we regularly engage in project discussions with clients, and this email appeared to contain a project plan in PDF format. However, after further review, we have reason to believe this email and its attachment could be malicious. Despite our usual security protocols, the PDF was opened on one of our systems, which has raised significant concern regarding the security of our network.

SOLUTION

When did the client receive the email?

grep -i 'pdf' * 

We will see the file we need to analyze, view its content and get the answer.

Answer

2024-09-19 17:44:11

When was the malicious PDF file created? (UTC)

copy base64 string to CyberChef and read through it or find CreationDate

Answer

2024-09-18 13:57:04

What is the embedded file name with extension inside the malicious PDF?

copy base64 string to CyberChef and read through it or find pdf

Answer

downtown_construction_project_plan.pdf

When was the Windows PE malware compiled?

Answer

What was the original project name the attacker gave to their malware Windows PE project?

Answer

To which new location in the system is the malware copying itself?

Answer

What is the name of the registry value key that the malware is creating inside the Run folder?

Answer

What is the name of the process being targeted for injection by the malware?

Answer

Which operating system is the client using?

Answer

What is the full name of the Adobe PDF program?

Answer

When did the attacker use the GetSystem service installation to gain NT Authority/SYSTEM access?

Answer

When did the attacker establish their final persistence by installing the WindowsPooler service?

Answer