This lab investigates a cyber attack involving a phishing email that led to ransomware execution. By analyzing email artifacts, network traffic, and malware behavior, we aim to uncover how the initial compromise occurred and how the malicious payload was delivered. The phishing email used social engineering to trick the victim into opening a deceptive attachment, which executed hidden malware. Once triggered, the malware initiated malicious activities, including external communications, payload downloads, and file encryption, disrupting the victim’s system. Identifying these attack vectors is crucial for understanding how threat actors bypass security defenses.
Using different forensic techniques such as packet analysis in NetworkMiner and Wireshark, hash lookups, and VirusTotal intelligence, we examine how the malware communicates with external domains and exploits vulnerabilities. A key part of this analysis involves reviewing HTTP traffic to identify redirects from a compromised website to an attacker-controlled server hosting an exploit kit.
This lab highlights the importance of email security, endpoint protection, and proactive threat analysis in defending against phishing and exploit-based attacks. By dissecting each phase of the attack, we gain a deeper understanding of the techniques used by cybercriminals and how we can help mitigate such threats.