
Overview
On this page, I have included the IOCs and MITRE ATT&CK mappings encountered during my analysis of this compromise, as well as my full incident report – it is embedded and linked for download.
Taking it a step further, I did so in semi-alignment with incident report guidelines listed in NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide).
Introduction
This one is a big deal for me!
Unit42 is rated as Very Easy on HackTheBox Labs. On paper, it is exactly that – open and filter a .evtx file for various Sysmon Event IDs to answer eight simple questions. I could have done that and moved on, but I wanted to learn more, so I spent significantly more time on this Sherlock. I cross-referenced Palo Alto: Unit42’s threat intelligence report for this malware campaign, uncovered and analyzed the full attack chain, and wrote a full commercial-grade incident report in HTB CDSA format.
This is my very first Sherlock and comprehensive incident report. Although I’ve achieved the CompTIA’s Security+ and CySA+ certificates, participated in, created, and led various competitions, and completed labs, this was my first time applying knowledge gained from certificates, competitions, academics, internships, labs, and projects to a compromised environment. Beyond that, this Sherlock was extremely straightforward, which gave me the much-needed confidence to undertake a full forensic analysis and incident report creation. I understood every step, detection, and the “what” and “why” behind all of it – I am proud of this milestone!
The Scenario
This Sherlock involves a Windows host (DESKTOP-887GK2L) belonging to a single user (CyberJunkie). A malicious executable was found on the user’s system, and it was my job to identify and analyze its malicious activity through the provided Sysmon log. This malware is part of an Italian malspam (Malware-Spam) campaign tracked by Palo Alto’s Unit 42 threat intelligence team.
There are only eight official tasks within the Sherlock:
- How many files were created?
- What is the malicious process?
- Which cloud drive was used to distribute the malware?
- What timestamp was changed via Time Stomping?
- Where was once.cmd created?
- What dummy domain did the malware connect to?
- What IP address did the malware reach out to?
- When did the malicious process self-terminate?
These questions are very straightforward to answer with Event Viewer’s XML filters; however, as this is a contained environment compromised by a real-world malware campaign, I wanted the full picture.
What I Found Beyond the Tasks
Mark-of-the-Web Removal
Before the malware’s initial execution, Explorer.EXE deleted the file’s Zone.Identifier Alternate Data Stream (ADS).
The ADS is appended to any file downloaded from the internet – ex. filename.ext:Zone.Identifier – and when removed, Windows SmartScreen and User Account Control (UAC) warnings are suppressed.
This behavior maps to MITRE T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass, indicating the user either manually unblocked the file or Explorer automatically stripped its Zone.Identifier on execution. Either way, an essential security warning was silenced when it should not have been.
Manipulation of Certificate Stores
The malware created registry keys in both the trusted root and Certificate Authority (CA) certificate stores – behavior mapping to MITRE T1553.004: Subvert Trust Controls: Install Root Certificate.
This malicious action was likely to suppress TLS/SSL trust warnings during the VNC session or to enable the interception of secure traffic.
Malicious DLL Loads
The loading of mscoree.dll and mscoreei.dll was consistent with MITRE T1055.001: Process Injection: Dynamic-link Library Injection, and taskschd.dll with MITRE T1053.005: Scheduled Task/Job: Scheduled Task; however, as there were no CreateRemoteThread or direct scheduled task creation events present within the Sysmon log, neither could be explicitly concluded as malicious. Still, the loading of these DLLs was suspicious behavior worth documenting.
Secure Shredding and Data Destruction
Although many related DLLs, scripts, temporary files, and installer files were deleted throughout this infection, there was one action that stood out among the others: once.cmd. This file triggered the same EventID 23 (FileDelete) as the others, except the event metadata revealed something different: Archived: shredded file with pattern 0x74697865.
This behavior aligns most closely with MITRE T1485: Data Destruction and is a defense evasion technique used to render data irrecoverable – this is not standard file deletion but rather deliberate forensic obstruction. By overwriting the file contents with a repeating byte pattern before standard deletion, the attackers prevent forensic recovery.
Every other file deleted throughout this infection was done through routine installer cleanup.
Elevated Installer Privileges
Interestingly, msiexec.exe – the executable used to extract and install the contents of this malware – was elevated to NT AUTHORITY\SYSTEM during the installation chain. Although no privilege escalation exploit was confirmed, it is worth noting that this malware not only requested elevated privileges but received them.
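To show how the five findings above translate into detection logic, here is an added example in Python (my own illustration, not code from the report or from HTB). It flattens Sysmon events exported from Event Viewer and tags each behavior with its ATT&CK ID: the Zone.Identifier ADS deletion (Event ID 23/26), the shredded-file Archived text on once.cmd (Event ID 23, with the 0x74697865 pattern decoded as ASCII), certificate-store registry writes (Event ID 12/13), msiexec.exe running as SYSTEM (Event ID 1), and the ~.pdf creation time moved into the past (Event ID 2). The sample events are constructed fixtures shaped like Sysmon XML: the field names are Sysmon’s, the paths, hashes and pattern come from this write-up, and the certificate thumbprint, parent image and timestamps are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

WIN_EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
INSTALL_DIR = (r"C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn"
               r"\Photo and vn 1.1.2\install\F97891C")
GAMES_DIR = INSTALL_DIR + r"\WindowsVolume\Games"
# Registry paths (HKLM or HKCU) under which T1553.004 drops certificates.
CERT_STORE_MARKERS = ("\\systemcertificates\\root\\certificates\\",
                      "\\systemcertificates\\ca\\certificates\\")


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into {'EventID': int, <Data Name>: text}.
    The Windows event namespace on Event Viewer exports is stripped first."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    ev = {"EventID": int(root.findtext("./System/EventID"))}
    for data in root.iter("Data"):
        ev[data.get("Name")] = data.text or ""
    return ev


def decode_shred_pattern(hex_pattern: str) -> str:
    """Render the overwrite pattern from an Event 23 'Archived' field as ASCII."""
    raw = bytes.fromhex(hex_pattern.lower().removeprefix("0x"))
    return raw.decode("ascii", errors="replace")


def triage(ev: dict) -> list:
    """Return ATT&CK-tagged findings for one flattened Sysmon event."""
    eid, findings = ev["EventID"], []
    target, image = ev.get("TargetFilename", ""), ev.get("Image", "")

    # T1553.005: the Zone.Identifier ADS appears as a FileDelete (23/26)
    # whose TargetFilename ends in ":Zone.Identifier".
    if eid in (23, 26) and target.lower().endswith(":zone.identifier"):
        findings.append(f"T1553.005 MotW stripped from {target} by {image}")

    # T1485: 'Archived' carrying an overwrite pattern rather than true/false.
    archived = ev.get("Archived", "")
    if eid == 23 and "shredded" in archived.lower():
        pattern = archived.rsplit(" ", 1)[-1]
        findings.append(f"T1485 {target} shredded with {pattern} ({decode_shred_pattern(pattern)!r})")

    # T1553.004: key created (12) or value set (13) inside a certificate store.
    if eid in (12, 13) and any(m in ev.get("TargetObject", "").lower() for m in CERT_STORE_MARKERS):
        findings.append(f"T1553.004 certificate store write: {ev['TargetObject']}")

    # Installer elevated to SYSTEM: the msiexec.exe observation above.
    if (eid == 1 and image.lower().endswith("\\msiexec.exe")
            and ev.get("User", "").upper() == "NT AUTHORITY\\SYSTEM"):
        findings.append(f"msiexec.exe running as SYSTEM, parent {ev.get('ParentImage', '?')}")

    # T1070.006: Event 2 records old and new creation times; a creation
    # time moved into the past is the timestomp signature.
    if eid == 2:
        new = datetime.fromisoformat(ev["CreationUtcTime"])
        old = datetime.fromisoformat(ev["PreviousCreationUtcTime"])
        if new < old:
            findings.append(f"T1070.006 {target} creation time moved back {(old - new).days} days")
    return findings


def make_event(eid: int, **data: str) -> str:
    """Build a constructed, Sysmon-shaped event string (fixture, not a real log)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{WIN_EVENT_NS}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed samples modelled on the findings; thumbprint, parent image and
# timestamps are placeholders, paths and the shred pattern are the page's.
SAMPLES = [
    make_event(23, Image=r"C:\Windows\explorer.exe", Archived="true",
               TargetFilename=r"C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe:Zone.Identifier"),
    make_event(13, Image=r"C:\Windows\System32\msiexec.exe",
               TargetObject=r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\PLACEHOLDER_THUMBPRINT\Blob"),
    make_event(23, Image=r"C:\Windows\System32\cmd.exe", TargetFilename=GAMES_DIR + r"\once.cmd",
               Archived="shredded file with pattern 0x74697865"),
    make_event(1, Image=r"C:\Windows\System32\msiexec.exe", User=r"NT AUTHORITY\SYSTEM",
               ParentImage=r"C:\Windows\System32\services.exe"),
    make_event(2, Image=r"C:\Windows\System32\msiexec.exe", TargetFilename=INSTALL_DIR + r"\TempFolder\~.pdf",
               CreationUtcTime="2024-01-14 09:00:00.000", PreviousCreationUtcTime="2024-02-14 09:00:00.000"),
]


def run_samples() -> list:
    """Parse every constructed sample and return all findings in order."""
    return [line for s in SAMPLES for line in triage(parse_event(s))]


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

Running it prints one finding per sample; decoding the shred pattern shows that 0x74697865 is the bytes t-i-x-e, the little-endian layout of the ASCII string "exit". The Event ID 2 rule fires only when the creation time moves backwards, so ordinary copies that preserve a file’s original creation time are not flagged.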
All of these findings and more are included within the full incident report. I documented my forensic analysis step-by-step with Sysmon XML queries, MITRE ATT&CK mappings, and cross-references to Unit 42’s threat intelligence report for this campaign.
The Incident Report
I wrote this incident report using the HTB CDSA certificate’s required format, produced in SysReptor with my reimagined version of the official HTB CDSA report template. It covers every section the CDSA format requires:
- Executive Summary
- Affected Systems and Users
- Evidence Sources and Analysis
- Indicators of Compromise (IOCs)
- Root Cause Analysis
- Technical Timeline
- Nature of the Attack
- Appendix Technical Timeline
Most notably, the Technical Analysis section includes a dedicated subsection for every Sysmon Event ID query, the XML filter used, the results, and an analysis of what I was seeing.
The full report is embedded below and available for download.
Indicators of Compromise
Files
| Name | Path | SHA256 | Notes |
|---|---|---|---|
| Preventivo24.02.14.exe.exe | C:\Users\CyberJunkie\Downloads\ | 0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3 | Trojanized UltraVNC installer; creates and sets specific registry keys |
| Fatture 2 2024.exe | – | – | Original filename of Preventivo24.02.14.exe.exe, as identified by its embedded metadata |
| ~.pdf | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\TempFolder\ | 01fa678a302763b83703f0449fc63309cf7677fc119d2755defad6dea9d25bcd | Decoy PDF, timestomped |
| taskhost.exe | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | 3fb38eefb8db4d52be428facc8a242997ab2ad58a8d08980a7688c9bf0b30454 | Renamed instance of WinVNC.exe |
| on.cmd | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | 1ce4768f825372d55c1d30ce3ac41afb913de6299a64ae5b0ac1b3b752421d64 | Launches UltraVNC, establishes persistence via registry as per Unit42 analysis |
| c.cmd | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | c2ab7b8701bdc36198a8f01791c8a3479ef3e8bcc6ccd3bd8c2f60dd9672e8e1 | Called by on.cmd |
| cmmc.cmd | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | d69e739f18bd24db5cfd451fb2bdab32b4efeef41145b75cb89c7dc56641852d | Observed in Sysmon logs, not documented by Unit42 |
| once.cmd | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | e596899f114b5162402325dfb31fdaa792fabed718628336cc7a35a24f38eaa9 | Securely shredded post-execution with a repeating byte pattern 0x74697865 |
| viewer.exe | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f | Observed in Sysmon logs, not documented by Unit42 |
| ddengine.dll | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | 0d44439a0425df8abf338bd1496679a144dd705a51832a05c1a4ed1f76756eba | UltraVNC component, deleted post-installation |
| vnchooks.dll | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | 4d12febd622266220aa2dd2074972ee82545c144dc599f68866212a29db9f442 | UltraVNC component, deleted post-installation |
| UVncVirtualDisplay.dll | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\YVncVirtualDisplay\ | ff9d8f7fc2c3f5d0afaf6f76e87d41feeabf54facbe26dc59661a78830f32972 | UltraVNC virtual display driver, deleted post-installation |
| main1.msi | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\ | b73b46f35142989a10c91aa887f94037271b8ee7148cc3bfb061ae9848ed1fd9 | MSI installer package, deleted post-extraction |
| powercfg.msi | C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | c5bf02c8c23dbf8798d87fad91ea44a3153fc1026248bd931f360ba0d6c5989e | MSI installer package, deleted post-extraction |
Network
| Type | Value | Notes |
|---|---|---|
| Dropbox delivery URL | https://www.dropbox[.]com/ | ReferrerUrl at download |
| Dropbox CDN | https://uc2f030016253ec53f4953980a4e.dl.dropboxusercontent[.]com/[…] | HostUrl at download |
| Connectivity check domain | | Not malicious, connectivity check only |
| Connectivity check IP | | Resolves to |
| VNC C2 domain | | Attacker-controlled VNC server, per Unit 42 threat intelligence |
| VNC C2 IP | | Resolves to VNC C2 domain |
| Compromised source IP | | Outbound connection from |
Registry
| Key | Notes |
|---|---|
| | Root certificate store key created by malware (T1553.004) |
| | CA certificate store key created by malware (T1553.004) |
Named Pipes
| Pipe Name | Notes |
|---|---|
| | Created by ProcessID during payload extraction |
Directory Artifacts
| Path | Notes |
|---|---|
| | Root malware installation directory |
| C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\TempFolder\ | Decoy PDF drop location |
| C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ | Primary payload drop location |
| C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\YVncVirtualDisplay\ | UltraVNC virtual display driver location |
| | Temporary installer extraction files; deleted post-installation |
| | MSI staging directory used during elevated installation |
MITRE ATT&CK TTPs
| Technique ID | Name | Observed Behavior |
|---|---|---|
| T1036.007 | Masquerading: Double File Extension | Preventivo24.02.14.exe.exe used a double extension to disguise the executable as a benign file |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Explorer.EXE deleted the Zone.Identifier ADS from the malicious executable prior to execution, suppressing SmartScreen and UAC warnings |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | The malware loaded itself as a DLL at execution, flagged by Sysmon |
| T1055.001 | Process Injection: Dynamic-link Library Injection | mscoree.dll and mscoreei.dll loaded and flagged by Sysmon as T1055.001; unconfirmed without corroborating CreateRemoteThread evidence |
| T1053.005 | Scheduled Task/Job: Scheduled Task | taskschd.dll loaded and flagged by Sysmon as T1053.005, suggesting a persistence attempt via scheduled task; unconfirmed without direct task creation evidence |
| T1553.004 | Subvert Trust Controls: Install Root Certificate | Registry keys created in both the trusted root and CA certificate stores, likely to suppress TLS trust warnings during the VNC session |
| T1071 | Application Layer Protocol | VNC used as the C2 communication channel over TCP port 5500 |
| T1070.006 | Indicator Removal: Timestomp | Decoy PDF ~.pdf creation timestamp forged from 2024-02-14 to 2024-01-14, approximately one month prior |
| T1070 | Indicator Removal | Temporary installer files deleted post-extraction |
| T1485 | Data Destruction | once.cmd securely shredded with repeating byte pattern 0x74697865 to prevent forensic recovery |