In this forensic investigation, we analyze a security breach at FinTrust Bank, where unusual outbound traffic patterns were detected from multiple workstations. The initial analysis suggests that attackers exploited a WinRAR vulnerability, allowing them to deliver and execute malicious payloads. Our objective is to uncover the full scope of the attack by examining disk images, tracking execution timelines, and identifying artifacts that reveal how the adversary gained access, maintained persistence, and exfiltrated data. This walkthrough follows a structured forensic approach, leveraging tools such as Arsenal Image Mounter, NTFS Log Tracker, Process Monitor, and VirusTotal to analyze file system modifications, process executions, and network activity. The investigation begins by identifying the initial infection vector, tracing the origins of the suspicious file, and determining when the attack was executed. Further analysis focuses on uncovering obfuscated scripts, persistence mechanisms, and evidence of log tampering, which attackers often use to erase their footprints and evade detection.
As we progress, we will explore how the adversary attempted to maintain control over the compromised system through scheduled tasks and hidden scripts, ensuring their access remained intact even after system reboots. Additionally, we will investigate potential data exfiltration techniques, examining how stolen information was stored and transmitted to an external command-and-control (C2) server. By following these forensic steps, we aim to reconstruct the attack timeline, understand the tactics employed, and extract key insights to strengthen defenses against similar threats in the future.
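The timeline reconstruction described above (merging file-system records and process executions, then picking out the initial vector, the persistence step and the log tampering) can be illustrated with a small script. This is an added example, not code from the walkthrough or output from any of the tools it names; every record, path, timestamp and task name below is constructed, and the matching rules are hypothetical heuristics rather than the case's actual indicators.

```python
"""Merge constructed host artifacts into one timeline and flag suspicious steps.

Added example for this walkthrough. All records below are constructed and are
not taken from the FinTrust Bank case or from any forensic tool's real output.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime   # UTC timestamp of the record
    source: str    # artifact type the record came from ("ntfs" or "process")
    detail: str    # human-readable description used by the rules below


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T09:12:04Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed NTFS-style records: (timestamp, operation, path). Hypothetical values.
NTFS_RECORDS = [
    ("2024-03-01T09:12:04Z", "FileCreate", r"C:\Users\alice\Downloads\statement.rar"),
    ("2024-03-01T09:13:10Z", "FileCreate", r"C:\Users\alice\AppData\Local\Temp\update.cmd"),
    ("2024-03-01T09:14:02Z", "FileDelete", r"C:\Windows\System32\winevt\Logs\Security.evtx"),
]

# Constructed process records: (timestamp, image, parent image, arguments). Hypothetical values.
PROCESS_RECORDS = [
    ("2024-03-01T09:12:40Z", "WinRAR.exe", "explorer.exe", r"C:\Users\alice\Downloads\statement.rar"),
    ("2024-03-01T09:13:11Z", "cmd.exe", "WinRAR.exe", r"/c C:\Users\alice\AppData\Local\Temp\update.cmd"),
    ("2024-03-01T09:13:30Z", "schtasks.exe", "cmd.exe",
     r"/create /tn Updater /tr C:\Users\alice\AppData\Local\Temp\update.cmd /sc onlogon"),
    ("2024-03-01T09:14:00Z", "wevtutil.exe", "cmd.exe", "cl Security"),
]


def load_events() -> List[Event]:
    """Normalise both record kinds into Event objects."""
    events = [Event(_ts(t), "ntfs", f"{op} {path}") for t, op, path in NTFS_RECORDS]
    events += [
        Event(_ts(t), "process", f"{img} (parent {parent}) {args}")
        for t, img, parent, args in PROCESS_RECORDS
    ]
    return events


def build_timeline(events: List[Event]) -> List[Event]:
    """Order all artifacts chronologically so cross-source sequences become visible."""
    return sorted(events, key=lambda e: (e.ts, e.source))


# Hypothetical detection rules: (label, predicate over an Event).
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # An archiver spawning a shell is the execution step of an archive-based lure.
    ("archiver-spawned-shell",
     lambda e: e.source == "process" and e.detail.startswith("cmd.exe (parent WinRAR.exe)")),
    # Scripts written to or run from the user's Temp directory.
    ("script-in-temp",
     lambda e: "\\Temp\\" in e.detail and e.detail.endswith((".cmd", ".bat", ".ps1"))),
    # Scheduled-task creation is the persistence mechanism discussed in the walkthrough.
    ("scheduled-task-persistence",
     lambda e: e.detail.startswith("schtasks.exe") and "/create" in e.detail),
    # Two forms of log tampering: clearing a log channel and deleting the .evtx file.
    ("event-log-cleared",
     lambda e: e.detail.startswith("wevtutil.exe") and " cl " in e.detail),
    ("event-log-file-deleted",
     lambda e: e.source == "ntfs" and e.detail.startswith("FileDelete") and e.detail.endswith(".evtx")),
]


def flag_indicators(timeline: List[Event]) -> List[Tuple[str, Event]]:
    """Return (label, event) pairs, in timeline order, for every rule that fires."""
    hits = []
    for e in timeline:
        for label, pred in RULES:
            if pred(e):
                hits.append((label, e))
    return hits


def initial_vector(timeline: List[Event]) -> Optional[Event]:
    """Earliest event referencing an archive, taken as the candidate initial infection vector."""
    for e in timeline:
        if e.detail.lower().endswith(".rar"):
            return e
    return None


if __name__ == "__main__":
    tl = build_timeline(load_events())
    for e in tl:
        print(e.ts.isoformat(), e.source.ljust(7), e.detail)
    print("\nInitial vector:", initial_vector(tl).detail)
    for label, e in flag_indicators(tl):
        print(f"[{label}] {e.ts.isoformat()} {e.detail}")
```

The value of the merge is in the ordering: the archive creation, the archiver launching a shell, the script landing in Temp, the task registration and the log clearing only read as one chain once file-system and process records share a single clock. In a real case the records would come from the mounted image and the NTFS journal rather than from inline lists, and the rules would be tuned to the artifacts the investigation actually recovers.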