In this lab, we investigate a potential malware infection stemming from a deceptive download of the SysInternals tool suite. The user reported that after attempting to open what they believed to be legitimate SysInternals tools, the applications failed to launch, and shortly thereafter the system began exhibiting signs of performance degradation and unresponsiveness. Working as a Security Operations Center (SOC) analyst, our objective is to perform a comprehensive forensic analysis to identify the source of the infection, understand how the malware operates, and determine the extent of the system compromise. We will employ various endpoint forensics tools and techniques, focusing primarily on disk analysis. Tools such as FTK Imager will allow us to explore the disk image and examine file system artifacts, while the AmCache and other registry hives will provide crucial metadata about executed programs. Additionally, we will leverage VirusTotal to analyze suspicious files and determine their threat classifications, along with tools like AmCacheParser and Timeline Explorer to extract and interpret the resulting artifacts and system logs.
Throughout this investigation, we will examine downloaded files, analyze PowerShell command histories, inspect process creation logs, and trace any network connections initiated by the malware. This methodical approach will help us uncover the tactics, techniques, and procedures (TTPs) used by the attacker, providing a clear understanding of how the malware infiltrated the system and its subsequent impact.
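The following script is an added illustration of the triage step the two paragraphs above describe; it is not part of the lab materials. It takes the CSV that AmcacheParser writes for file entries and a PowerShell `ConsoleHost_history.txt`, and flags executed PE files that live in user-writable paths and are not marked as OS components, returning their SHA1 values so they can be looked up in VirusTotal. The column names (`FullPath`, `Name`, `FileKeyLastWriteTimestamp`, `SHA1`, `IsOsComponent`, `IsPeFile`, `ProductName`) are an assumption about AmcacheParser's output layout and should be checked against the header of your own CSV; the sample rows, hashes, paths and history lines are constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample in the column layout assumed for AmcacheParser's file-entry CSV.
# Every path, timestamp and hash below is made up for this example.
SAMPLE_AMCACHE_CSV = """\
FullPath,Name,FileKeyLastWriteTimestamp,SHA1,IsOsComponent,IsPeFile,ProductName
c:\\windows\\system32\\notepad.exe,notepad.exe,2024-01-10 09:00:00,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,True,True,Microsoft Windows Operating System
c:\\users\\analyst\\downloads\\sysinternalssuite\\procexp.exe,procexp.exe,2024-02-03 14:22:11,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,False,True,
c:\\users\\analyst\\downloads\\sysinternalssuite\\autoruns.exe,autoruns.exe,2024-02-03 14:22:30,cccccccccccccccccccccccccccccccccccccccc,False,True,Sysinternals Autoruns
c:\\program files\\git\\git-bash.exe,git-bash.exe,2023-11-20 08:15:00,dddddddddddddddddddddddddddddddddddddddd,False,True,Git
"""

# Constructed sample of a user's ConsoleHost_history.txt (one command per line).
SAMPLE_PS_HISTORY = """\
Get-Process
Invoke-WebRequest -Uri https://example.invalid/sysinternals.zip -OutFile $env:TEMP\\s.zip
Expand-Archive $env:TEMP\\s.zip -DestinationPath $env:USERPROFILE\\Downloads\\SysinternalsSuite
Get-ChildItem
"""

# Locations a standard user can write to; binaries executed from here deserve a closer look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\")

# Cmdlets and .NET calls commonly seen when a file is fetched or run from a script.
SUSPECT_TOKENS = re.compile(
    r"\b(invoke-webrequest|iwr|invoke-expression|iex|downloadstring|downloadfile|start-bitstransfer)\b",
    re.IGNORECASE,
)


@dataclass
class AmcacheHit:
    name: str
    full_path: str
    sha1: str            # value to submit to VirusTotal for classification
    last_write: str
    missing_metadata: bool   # no ProductName recorded: a weak signal, but worth noting


def triage_amcache(csv_text: str) -> list[AmcacheHit]:
    """Return PE files from user-writable paths that Windows does not mark as OS components,
    ordered by the AmCache key's last-write time."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("IsPeFile", "").lower() != "true":
            continue
        if row.get("IsOsComponent", "").lower() == "true":
            continue
        if not row["FullPath"].lower().startswith(USER_WRITABLE_PREFIXES):
            continue
        hits.append(AmcacheHit(
            name=row["Name"],
            full_path=row["FullPath"],
            sha1=row["SHA1"],
            last_write=row["FileKeyLastWriteTimestamp"],
            missing_metadata=not row.get("ProductName", "").strip(),
        ))
    hits.sort(key=lambda h: h.last_write)
    return hits


def flag_powershell_history(history_text: str) -> list[tuple[int, str]]:
    """Return (line number, command) pairs whose command mentions a download or
    remote-execution primitive, so they can be correlated with the AmCache timeline."""
    flagged = []
    for number, line in enumerate(history_text.splitlines(), start=1):
        if SUSPECT_TOKENS.search(line):
            flagged.append((number, line.strip()))
    return flagged


if __name__ == "__main__":
    for hit in triage_amcache(SAMPLE_AMCACHE_CSV):
        note = " (no product metadata)" if hit.missing_metadata else ""
        print(f"{hit.last_write}  {hit.full_path}  sha1={hit.sha1}{note}")
    for number, command in flag_powershell_history(SAMPLE_PS_HISTORY):
        print(f"history line {number}: {command}")
```

On real data, replace the two sample strings with the contents of the AmcacheParser CSV and the user's `ConsoleHost_history.txt`; the SHA1 values in the hits are what you would paste into VirusTotal, and the line numbers from the history give you the ordering to line up against the AmCache timestamps in Timeline Explorer.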