HackTheBox forensics challenge (medium, free)

Task: Memory dump from Windows VM with suspicious PowerShell activity after phishing email. Solution: Volatility process/cmdline analysis, decode base64 PowerShell payloads (ASCII and UTF-16LE), find Empire stager with embedded flag.

Tags: base64_decoding, memory_dump_analysis, process_analysis, powershell_payload_extraction


Reminiscent - HackTheBox

Description

Suspicious traffic was detected from a recruiter's virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. Find and decode the source of the malware to find the flag.

Files Provided

  • flounder-pc-memdump.elf - Memory dump from Windows 7 SP1 x64 VM
  • imageinfo.txt - Volatility profile information (Win7SP1x64)
  • Resume.eml - Recovered email with malicious link

Analysis

Initial Reconnaissance

Extracted the challenge archive (password: hackthebox) and examined the files:

  • Memory dump is an ELF core file from VirtualBox
  • Email shows phishing attempt from "Brian Loodworm" to "[email protected]"
  • Email contains link to http://10.10.99.55:8080/resume.zip

The attack chain becomes clear: a phishing email delivering a link to a malicious resume archive.

Process Analysis

Listed processes from the memory dump using Volatility 3:

vol -f flounder-pc-memdump.elf windows.pslist

Key findings:

Process          PID   Parent        Time      Notes
thunderbird.exe  2812  -             -         Email client (opened malicious email)
powershell.exe   496   explorer.exe  18:06:58  First stage payload
powershell.exe   2752  496           18:07:00  Second stage (Empire stager)

The process tree reveals the infection chain: Thunderbird -> Explorer -> PowerShell -> PowerShell

Command Line Extraction

vol -f flounder-pc-memdump.elf windows.cmdline

Found two PowerShell processes with encoded payloads.

Solution

Decode First Payload (PID 496)

The first PowerShell process (PID 496) had a base64-encoded command:

powershell.exe -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('...')); iex $r;

Decoded to a dropper script:

...
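The decoding step above is the same for both stages: find the base64 argument in the cmdline output and decode it with the right text encoding (ASCII for the inline FromBase64String call, UTF-16LE for an -EncodedCommand launcher). The following is an added example, not code from the writeup, that automates this for Volatility cmdline strings and peels nested stages; the sample cmdline, scripts and flag value are constructed placeholders, not the challenge's real payload.

```python
import base64
import re

# The two ways the writeup's PowerShell stages carry base64: an inline
# [Convert]::FromBase64String('...') call and the -enc/-EncodedCommand switch.
_B64_PATTERNS = [
    re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)"),
    re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE),
]

def extract_blobs(cmdline: str) -> list[str]:
    """Return every base64 argument found in a cmdline string, in order."""
    blobs = []
    for pat in _B64_PATTERNS:
        blobs.extend(pat.findall(cmdline))
    return blobs

def decode_blob(blob: str) -> str:
    """Decode as UTF-16LE when every odd byte is NUL (what -EncodedCommand
    produces for an ASCII script), otherwise as plain ASCII."""
    raw = base64.b64decode(blob)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("ascii", errors="replace")

def decode_layers(cmdline: str, max_depth: int = 5) -> list[str]:
    """Peel nested stages: each decoded script may itself embed another blob."""
    layers, pending = [], [cmdline]
    for _ in range(max_depth):
        decoded = [decode_blob(b) for text in pending for b in extract_blobs(text)]
        if not decoded:
            break
        layers.extend(decoded)
        pending = decoded
    return layers

# Constructed sample, not the challenge's real data: an Empire-style "-enc"
# launcher (UTF-16LE) nested inside a stage-1 ASCII dropper, as in the writeup.
STAGE2_SCRIPT = "$f = 'HTB{constructed_placeholder}'; Write-Output $f"
STAGE2_B64 = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode()
STAGE1_SCRIPT = f"Start-Process powershell -ArgumentList '-noP -w 1 -enc {STAGE2_B64}'"
STAGE1_B64 = base64.b64encode(STAGE1_SCRIPT.encode("ascii")).decode()
SAMPLE_CMDLINE = ("powershell.exe -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII."
                  f"GetString([Convert]::FromBase64String('{STAGE1_B64}')); iex $r;")

if __name__ == "__main__":
    for depth, script in enumerate(decode_layers(SAMPLE_CMDLINE), 1):
        print(f"--- layer {depth} ---\n{script}")
```

On a real dump, feed each line of `windows.cmdline` output to decode_layers and inspect every returned layer; the flag in this challenge sits in the innermost stager script.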
