https://app.letsdefend.io/challenge/ransomware-attack

Before answering the questions, check the system information: it is a Windows 7 Home desktop, not domain-joined, 32-bit, and the username is “charles”.




I noticed MsMpEng.exe running from the Temp folder as a child of cmd.exe. That is immediately suspicious: the real Defender engine runs as a service from C:\Program Files\Windows Defender\MsMpEng.exe, not from a user's Temp folder under a command shell. I checked the hash of the MsMpEng.exe in Temp and it matched the legitimate binary, which pointed to DLL side-loading rather than a fake EXE. Since side-loading relies on the loader finding DLLs in the executable's own directory first, I inspected the Temp folder and found MpsVc.dll. Its hash matched malware on VirusTotal, confirming it was the malicious DLL.

DLL side-loading: an attacker places a malicious DLL in the same directory as a trusted executable so that, when the executable runs, it loads the attacker's DLL instead of the real one. For a DLL imported by bare name, Windows searches the directory the executable was loaded from before the system directories, so a signed, legitimate EXE copied into Temp (or any other writable folder) will happily load any DLL with the expected name that sits next to it. In this case the attacker dropped a genuine MsMpEng.exe into Temp and paired it with MpsVc.dll, so the trusted EXE loaded the malicious DLL and executed the payload without any need to tamper with system binaries. Two practical checks follow: a clean hash or valid signature on the EXE does not clear the process, and every DLL beside a relocated system binary has to be hashed and looked up on its own.
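The triage logic described above, written out as an added example (it is not part of the original write-up and not a LetsDefend tool): flag a baselined binary running from the wrong directory, list the DLLs sitting beside it, and classify the EXE and each DLL by hash. The process list, file contents, hash allowlist/blocklist and the Temp path `C:\Users\charles\AppData\Local\Temp` are all constructed sample data standing in for the challenge image and a VirusTotal lookup.

```python
"""Added example: triage for the DLL side-loading pattern above.
All sample data below is constructed, not taken from the challenge image."""
import hashlib
import ntpath
from dataclasses import dataclass

# Where these commonly side-loaded binaries are expected to live.
# Constructed baseline for the example; build yours from a clean install.
EXPECTED_DIRS = {
    "msmpeng.exe": r"c:\program files\windows defender",
}


@dataclass
class Process:
    pid: int
    image_path: str
    parent_image: str


@dataclass
class FileEntry:
    path: str
    content: bytes  # stand-in for the bytes on disk


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verdict(digest: str, known_good: set, known_bad: set) -> str:
    """Hash lookup standing in for a VirusTotal / vendor-catalog query."""
    if digest in known_bad:
        return "known-bad"
    if digest in known_good:
        return "known-good"
    return "unknown"


def misplaced_binaries(processes):
    """Processes whose image name is baselined but whose directory is not
    the expected one (e.g. MsMpEng.exe under a user's Temp folder)."""
    hits = []
    for p in processes:
        name = ntpath.basename(p.image_path).lower()
        expected = EXPECTED_DIRS.get(name)
        if expected and ntpath.dirname(p.image_path).lower() != expected:
            hits.append(p)
    return hits


def colocated_dlls(proc, files):
    """DLLs in the same directory as the process image: the first place the
    loader looks when the EXE imports a DLL by bare name."""
    exe_dir = ntpath.dirname(proc.image_path).lower()
    return [f for f in files
            if ntpath.dirname(f.path).lower() == exe_dir
            and f.path.lower().endswith(".dll")]


def triage(processes, files, known_good, known_bad):
    """One finding per misplaced binary: EXE verdict plus per-DLL verdicts.
    A known-good EXE next to a bad or unknown DLL is the side-loading signature."""
    by_path = {f.path.lower(): f for f in files}
    findings = []
    for p in misplaced_binaries(processes):
        exe = by_path.get(p.image_path.lower())
        exe_verdict = (verdict(sha256(exe.content), known_good, known_bad)
                       if exe else "missing")
        dlls = {ntpath.basename(d.path): verdict(sha256(d.content), known_good, known_bad)
                for d in colocated_dlls(p, files)}
        findings.append({
            "pid": p.pid,
            "image": p.image_path,
            "parent": p.parent_image,
            "exe_verdict": exe_verdict,
            "dlls": dlls,
            "sideload_suspected": (exe_verdict == "known-good"
                                   and any(v != "known-good" for v in dlls.values())),
        })
    return findings


# ---- constructed sample data (hashes stand in for real VirusTotal results) ----
LEGIT_EXE = b"MZ...legit-msmpeng-bytes"
EVIL_DLL = b"MZ...malicious-mpsvc-bytes"
KNOWN_GOOD = {sha256(LEGIT_EXE)}
KNOWN_BAD = {sha256(EVIL_DLL)}

SAMPLE_PROCESSES = [
    Process(1204, r"C:\Program Files\Windows Defender\MsMpEng.exe", "services.exe"),
    Process(3312, r"C:\Users\charles\AppData\Local\Temp\MsMpEng.exe", "cmd.exe"),
]
SAMPLE_FILES = [
    FileEntry(r"C:\Program Files\Windows Defender\MsMpEng.exe", LEGIT_EXE),
    FileEntry(r"C:\Users\charles\AppData\Local\Temp\MsMpEng.exe", LEGIT_EXE),
    FileEntry(r"C:\Users\charles\AppData\Local\Temp\MpsVc.dll", EVIL_DLL),
    FileEntry(r"C:\Users\charles\AppData\Local\Temp\notes.txt", b"not a dll"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD):
        print(finding)
```

On a live system the `Process` and `FileEntry` records would come from a process listing and a directory walk, and `verdict` from a real hash lookup; the logic itself is the same: the relocated EXE hashing clean is exactly what makes the neighbouring DLL the thing to examine.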
