TryHackMe Malware Analysis & Incident Response Medium Apr '26

Boogeyman 3

Threat hunted a full lateral movement chain through Elastic SIEM — traced a CEO-targeted phishing email through ISO payload delivery, rundll32 LOLBin abuse, UAC bypass via fodhelper, Mimikatz credential dumping, Pass-the-Hash lateral movement, DCSync domain compromise, and ransomware deployment.

Difficulty: Medium | Completion: 100% | Platform: TryHackMe
Tools used: Elastic SIEM, Kibana
01 Initial Access & Payload Execution

Q1. What is the PID of the process that executed the initial stage 1 payload?

we know that the initial payload was an HTML file named ProjectFinancialSummary, so let's query for that name and see which process handled it.

[screenshot: Elastic query for ProjectFinancialSummary showing PID 6392]
Answer: 6392
Q2. What is the full command-line value of the file implant execution?

in the events following the Q1 log, we see a file being copied from the mounted D: drive to an unusual location, the user's Temp folder.

[screenshot: xcopy command copying review.dat to AppData\Local\Temp]
Answer: "C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat
Q3. What is the full command-line value of the implanted file's execution?

still following the command-line log, we see that the implanted file was eventually executed through rundll32.

[screenshot: rundll32 executing review.dat with DllRegisterServer]
Answer: "C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
Q4. What is the name of the scheduled task created by the malicious script?

after the implant runs, persistence is established as a scheduled task. following the log to the point where the task was first created, we see a PowerShell execution doing it.

[screenshot: PowerShell scheduled task creation named Review]
Answer: Review
Q5. What is the IP and port used by the C2 connection?

since we know review.dat runs inside rundll32.exe, we filter for rundll32.exe processes. we can see a sudden burst of processes being created, all with the same outbound connection.

[screenshot: C2 connection burst from rundll32 to 165.232.170.151:80]
Answer: 165.232.170.151:80
02 Privilege Escalation & Credential Dumping

Q6. What is the name of the process used by the attacker to execute a UAC bypass?

researching common UAC bypass techniques, we find the fodhelper method.

[screenshot: UAC bypass research showing the fodhelper technique]

so let's search for any fodhelper processes.

[screenshot: fodhelper.exe process spawned from review.dat]

and there we go. we can also see that it's being launched by review.dat, not by the usual parent.

Answer: fodhelper.exe
Q7. What is the GitHub link used by the attacker to download a credential dumping tool?

we look at the logs after the UAC bypass and see a suspicious encoded PowerShell command.

[screenshot: encoded PowerShell command for defense evasion and C2]

so far this is an encoded command that disables the host's defenses and connects back to the C2 server. looking further through the logs we see this.

[screenshot: recon activity logs]

but this is still recon, and we are looking for credential harvesting. a little later we also see this.

[screenshot: Mimikatz download from GitHub]

mimikatz is well known as a credential extraction tool.

Answer: hxxps://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
Q8. What is the username and hash of the new credential pair?

since we know it used mimikatz, let's put that in the filter.

[screenshot: Mimikatz output showing itadmin credentials]

and then we see this. the attacker is no longer operating as evan but has moved on to allan.

Answer: itadmin:F84769D250EB95EB2D7D8B4A1C5613F2
03 Lateral Movement

Q9. What is the name of the file accessed by the attacker from a remote share?

we filter for the parent process ID of 6160 and then we see this.

[screenshot: IT_Automation.ps1 accessed from a remote share]
Answer: IT_Automation.ps1
Q10. What is the new set of credentials discovered by the attacker?

we already know the new user the attacker moved to is allan.smith. looking at the logs we see this.

[screenshot: logs showing allan.smith credentials in plaintext]
Answer: QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987
Q11. What is the hostname of the attacker's target machine for lateral movement?

we can also see the target host from the same logs.

[screenshot: WKSTN-1327 as the lateral movement target]
Answer: WKSTN-1327
04 Domain Compromise & Ransomware

Q12. What is the parent process name of the malicious command executed on the second compromised machine?

still using the same filter, we know the command is being executed remotely. looking at the logs we see this.

[screenshot: WmiPrvSE.exe as the parent process for remote execution]
Answer: WmiPrvSE.exe
Q13. What is the username and hash of the newly dumped credentials on the second machine?

we know from the logs in Q8 that two credentials were accessed: one was itadmin and the other was administrator.

Answer: administrator:00f80f2538dcb54e7adc715c0e7091ec
Q14. Aside from the administrator account, what account did the attacker dump via DCSync?

filtering back to processes executed by mimikatz, we see that besides administrator there is another account being pulled via DCSync.

[screenshot: DCSync command targeting the backupda account]
Answer: backupda
Q15. What is the link used by the attacker to download the ransomware binary?

now that we know which host the attacker is on, we add it to the filter and look for PowerShell events. we finally see this.

[screenshot: PowerShell downloading ransomboogey.exe from sillytechninja.io]
[screenshot: final log confirming the ransomware download]
Answer: hxxp://ff.sillytechninja.io/ransomboogey.exe
Key Takeaways
  • ISO files mount as a separate drive letter. payloads running from D:\ don't look like the usual attachment paths, and that's enough to slip past some attachment-based detections
  • rundll32 + a .dat file via DllRegisterServer is a classic LOLBin move. a trusted Microsoft binary does the loading, and nothing with a conventional executable extension sits on disk
  • fodhelper spawning from an unexpected parent is worth flagging every time. the technique has been around for years and keeps showing up
  • the attacker chained evan to itadmin to allan.smith to administrator. every account opened a new door, and that chain only held because least privilege wasn't enforced
  • DCSync looks like normal replication traffic. by the time you're looking at it, the damage is mostly done. the credential dumping stage is where you had the real shot at catching it
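the first three takeaways turned into a small hunt over constructed sample events (an added example, not part of the original write-up or the room; the event field names, PIDs, benign look-alike events and the expected-parent set for fodhelper are assumptions):

```python
import re

# Constructed sample events (not real log data), shaped after the chain in the
# write-up. Keys loosely mirror the ECS process.* fields Kibana shows.
SAMPLE_EVENTS = [
    {"pid": 5001, "name": "xcopy.exe", "parent": "powershell.exe",
     "cmd": r'"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat'},
    {"pid": 5002, "name": "rundll32.exe", "parent": "powershell.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer'},
    {"pid": 5003, "name": "fodhelper.exe", "parent": "rundll32.exe",
     "cmd": r'"C:\Windows\System32\fodhelper.exe"'},
    # benign look-alikes (constructed) that the rules should leave alone
    {"pid": 5004, "name": "rundll32.exe", "parent": "svchost.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"pid": 5005, "name": "fodhelper.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Windows\System32\fodhelper.exe"'},
]

# rundll32 handed a module,export pair; we only care when the module is not a .dll
RUNDLL32_MODULE = re.compile(r'rundll32\.exe"?\s+(\S+?),\w+', re.I)
# xcopy pulling from a non-system drive letter (a mounted ISO) into a user Temp dir
DRIVE_TO_TEMP = re.compile(r'\s([D-Z]):\\\S+\s+\S*\\AppData\\Local\\Temp\\', re.I)
# parents under which fodhelper.exe is considered normal (assumption for this example)
FODHELPER_EXPECTED_PARENTS = {"explorer.exe"}

def rule_rundll32_non_dll(ev):
    m = RUNDLL32_MODULE.search(ev["cmd"])
    return bool(m) and not m.group(1).lower().endswith(".dll")

def rule_drive_copy_to_temp(ev):
    return ev["name"].lower() == "xcopy.exe" and bool(DRIVE_TO_TEMP.search(ev["cmd"]))

def rule_fodhelper_odd_parent(ev):
    return (ev["name"].lower() == "fodhelper.exe"
            and ev["parent"].lower() not in FODHELPER_EXPECTED_PARENTS)

RULES = {
    "rundll32_non_dll_module": rule_rundll32_non_dll,
    "removable_drive_copy_to_temp": rule_drive_copy_to_temp,
    "fodhelper_unexpected_parent": rule_fodhelper_odd_parent,
}

def hunt(events):
    """Return (rule_name, pid) pairs in event order, one per rule that fires."""
    hits = []
    for ev in events:
        for rule_name, check in RULES.items():
            if check(ev):
                hits.append((rule_name, ev["pid"]))
    return hits

if __name__ == "__main__":
    for rule_name, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule_name}: pid {pid}")
```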

really good room. i always enjoy working in elastic. the credential dumping stage got me for a bit because i lost track of the timeline and couldn't work out the escalation sequence. what broke it open was going back and tracing which user was active at each point manually. good reminder that the timeline isn't just context, it's part of the method.