Introduction

On November 17, 2025, network monitoring detected unusual outbound traffic from a DMZ server (10.10.3.0/24) followed by signs of lateral movement toward the internal network (10.10.11.0/24). Hours later, ransomware began encrypting files across multiple endpoints. Investigators recovered a suspicious executable and collected logs from affected systems. Using Splunk and malware analysis techniques, piece together the full attack chain—from initial compromise to final impact.


Analysis

Phase 1: Malware Analysis & Initial Access

Q1) This vulnerability was how the attacker gained initial access and later moved to DC01. What is the CVE ID associated with this exploit?

To identify the specific vulnerability used in the initial compromise, we must analyze the malicious executable that facilitated the attack. The investigation reveals that the attacker downloaded a file named ping.exe onto WSUS-SERVER-01 and used it to move laterally to the Domain Controller (DC01). This executable is the key to understanding the exploit.

Our first step in malware analysis is to understand the nature of the executable. We use a tool called Detect It Easy (DIE) to examine the file's properties. The analysis shows that ping.exe is not the standard ICMP utility but a 64-bit Python application packaged with PyInstaller. This is a common technique used by attackers: the interpreter, the script's bytecode and its dependencies are bundled into a single self-extracting executable, which makes the payload portable and hides the Python source from a casual look at the binary. The file name is chosen to blend in with the legitimate Windows ping.exe, so a hash or a PyInstaller check is more reliable than the name alone.
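DIE recognizes PyInstaller binaries by the archive "cookie" the bootloader appends to the executable. The following script, an added example that is not part of the original write-up or of the BlueYard lab material, shows how that check works without DIE: it locates the cookie near the end of the file, parses the embedded Python version and table of contents, and pulls one entry out of the archive. The cookie and TOC layouts are PyInstaller's documented 2.1+ formats; the sample file it runs on is constructed in memory (a fake stub followed by a one-entry archive), not the real ping.exe from the incident.

```python
import struct
import zlib
from typing import List, Optional

# PyInstaller's CArchive cookie magic, written by the bootloader at the end of the archive.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
# Cookie layout for PyInstaller 2.1+: magic, package length, TOC offset, TOC length,
# Python version (e.g. 311 for 3.11, 27 for 2.7), name of the Python DLL (64 bytes).
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes
# Each TOC entry: total entry length, data offset (relative to the archive start),
# compressed length, uncompressed length, compression flag, entry type, then the name.
TOC_ENTRY_HEADER = "!iIIIBc"
TOC_HEADER_SIZE = struct.calcsize(TOC_ENTRY_HEADER)  # 18 bytes


def find_cookie(data: bytes, search_window: int = 8192) -> Optional[dict]:
    """Return parsed cookie fields if the file looks PyInstaller-packed, else None."""
    idx = data.rfind(PYINSTALLER_MAGIC, max(0, len(data) - search_window))
    if idx == -1 or idx + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[idx:idx + COOKIE_SIZE])
    # The archive starts pkg_len bytes before the end of the cookie.
    archive_start = idx + COOKIE_SIZE - pkg_len
    if archive_start < 0:
        return None  # corrupted or truncated archive
    # Newer bootloaders encode 3.11 as 311, older ones encode 3.9 as 39.
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return {
        "cookie_offset": idx,
        "archive_start": archive_start,
        "toc_offset": archive_start + toc_pos,
        "toc_len": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def parse_toc(data: bytes, info: dict) -> List[dict]:
    """Walk the table of contents and describe every entry in the archive."""
    entries, pos, end = [], info["toc_offset"], info["toc_offset"] + info["toc_len"]
    while pos + TOC_HEADER_SIZE <= end:
        entry_len, offset, clen, ulen, cflag, typ = struct.unpack(
            TOC_ENTRY_HEADER, data[pos:pos + TOC_HEADER_SIZE])
        if entry_len < TOC_HEADER_SIZE:
            break  # malformed entry; stop rather than loop forever
        name = data[pos + TOC_HEADER_SIZE:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({
            "name": name,
            "type": typ.decode("ascii"),       # 's' script, 'z' PYZ, 'b' binary, 'x' data, ...
            "offset": info["archive_start"] + offset,
            "compressed_len": clen,
            "raw_len": ulen,
            "compressed": bool(cflag),
        })
        pos += entry_len
    return entries


def read_entry(data: bytes, entry: dict) -> bytes:
    """Return an entry's bytes, inflating it if the TOC marks it zlib-compressed."""
    blob = data[entry["offset"]:entry["offset"] + entry["compressed_len"]]
    return zlib.decompress(blob) if entry["compressed"] else blob


def build_sample(script: bytes, name: bytes = b"ping", pyver: int = 311) -> bytes:
    """Constructed test input: a fake stub plus a one-entry PyInstaller-style archive.
    This is NOT the ping.exe from the incident; it only mimics the trailer layout."""
    stub = b"MZ" + b"\x90" * 254 + b"constructed bootloader stub, not a real PE"
    payload = zlib.compress(script)
    name_field = name + b"\0"
    entry_len = TOC_HEADER_SIZE + len(name_field)
    if entry_len % 16:                      # PyInstaller pads entries to 16 bytes
        name_field += b"\0" * (16 - entry_len % 16)
        entry_len = TOC_HEADER_SIZE + len(name_field)
    toc = struct.pack(TOC_ENTRY_HEADER, entry_len, 0, len(payload), len(script), 1, b"s") + name_field
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, pkg_len, len(payload), len(toc),
                         pyver, b"python311.dll")
    return stub + payload + toc + cookie


if __name__ == "__main__":
    sample = build_sample(b"import socket\nprint('constructed sample script')\n")
    info = find_cookie(sample)
    print("PyInstaller cookie:", info)
    for e in parse_toc(sample, info):
        print(e["type"], e["name"], read_entry(sample, e)[:40])
```

On a real sample you would read the file from disk instead of calling build_sample; if find_cookie returns None, the file is either not PyInstaller-packed or the cookie has been stripped, and you fall back to other packer signatures.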

Since the executable is a PyInstaller package, we can
