BTLO – Investigation: BEN


Ben was working very hard at FaanG industries to get a maximum percentage of the hike. He was talking about this with his HR as well. While he was preparing for a Salary Negotiation meeting, Ben received a phishing email and an attachment explaining to him a New Salary Negotiation process at the company. This resulted in the theft of the super-secret Database credentials of Ben. Necessary remediation steps were taken to reduce the damage. CISO advised the security team to study Ben’s case, analyze the Evidence and prepare an Awareness workshop with technical details of the attack. Evidence and the necessary analysis tools were placed on the Desktop. Note: If prompted for Admin Privileges choose BTLOPlayer account.


Using Kernel EML Viewer, I navigated to \Desktop\CollectedEvidence to view the email that Ben received. We can see the subject of Salary Renegotiations (Q1), and the from/to emails of [email protected], [email protected] (Q2). The body of the email was base64 encoded; using the provided CyberChef web app, it decodes as follows:

Dear Ben,
The Department of Human Resources has amended the salary renegotiation process. In order to qualify for a pay raise, all interested employees, must schedule a one-on-one meeting with a member of the HR staff. The particular HR salary staff member assigned to work with you on salary negotiations will email you separately.
Prior to scheduling a meeting with your HR liaison, please review the attached PDF document outlining the new salary renegotiation process. Failure to review the file will disqualify you from petitioning for a pay raise this quarter.
Thank you, 
[1]: Know the New Salary Negotiation Process.pdf

Given that the email came from an internal address that appears legitimate, in the correct format, with language specifically targeted to Ben, who was preparing for a salary negotiation meeting, this is an extraordinarily advanced phishing scheme. I honestly don’t fully blame Ben for clicking and downloading the attachment under these circumstances.

But once we actually open the PDF, it becomes immediately apparent that something is wrong. The presentation of the PDF is horrible, and it does not appear to automatically run anything, so he must have clicked the link manually. The download button directs you to this link (Q3, Q4):

Unzipping this yields a SalaryNegotiationProcess.pdf.exe. It’s a clever naming scheme: it uses the icon of an actual PDF document, while clicking it will run an executable.

I started up Noriben with .\ and it was ready for us to double-click the exe. I did some research online, because I had never used Noriben before, and it was recommended to let Noriben/Procmon run for about 4 minutes before killing it. Also, because the note on the desktop mentioned a keylogger was installed, I was typing in a Notepad window in case the keylogger might drop files of what was logged.

Using CTRL+C, I stopped the log.

At the top of our File Activity portion of the log is the following:

[CreateFile] SalaryNegotiationProcess.pdf.exe:1316 > %LocalAppData%\Microsoft\Windows\History\salaryhike\explorer.exe
[CreateFile] explorer.exe:4940 > %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

These exe files are the copies for persistence (Q6). I also noticed %LocalAppData%\Microsoft\Windows\History\salaryhike\explorer.exe.tmp being used right after Microsoft Corporation.exe several times, as seen here:

explorer.exe.tmp file

This indicates it is probably the keylogger file (Q7). I tried accessing the file but it isn’t shown on disk.

By pulling up netstat we can see the SYN_SENT connection appear (Q8). It doesn’t always appear, but I ran it a few times and got it to show up. It must be exfiltrating the data from the tmp file quickly enough that you can’t see it on the machine.
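To make the Noriben file-activity findings and the netstat observation above repeatable, here is an added Python example; it is my own code, not part of the original write-up, of Noriben, or of the lab. It parses lines in Noriben's `[Op] process:pid > path` layout, flags the persistence indicators the log shows (a write into the Startup folder, a system-binary name such as explorer.exe dropped outside the Windows directory, a double-extension dropper process), links a dropped file to the later process that runs under its name, and correlates SYN_SENT entries from `netstat -ano` output with those PIDs. The inputs are constructed: the first two log lines reproduce the entries quoted above, while the remaining lines, the netstat table, the PIDs 880/1304/2210 and the address 203.0.113.10 are placeholders rather than values from the lab.

```python
import re
from dataclasses import dataclass

# Constructed sample in Noriben's "[Op] process:pid > path" layout. The first two lines
# reproduce the entries quoted in the write-up; the other two are made-up benign filler.
SAMPLE_LOG = r"""
[CreateFile] SalaryNegotiationProcess.pdf.exe:1316 > %LocalAppData%\Microsoft\Windows\History\salaryhike\explorer.exe
[CreateFile] explorer.exe:4940 > %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
[CreateFile] explorer.exe:4940 > %LocalAppData%\Microsoft\Windows\History\salaryhike\explorer.exe.tmp
[CreateFile] notepad.exe:2210 > %UserProfile%\Documents\notes.txt
"""

# Constructed "netstat -ano" excerpt; 203.0.113.10 is a documentation placeholder
# (TEST-NET-3), not the destination seen in the lab.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    10.0.0.5:49712         203.0.113.10:443       SYN_SENT        4940
  UDP    0.0.0.0:5355           *:*                                    1304
"""

LINE_RE = re.compile(r"^\[(?P<op>\w+)\]\s+(?P<proc>.+?):(?P<pid>\d+)\s+>\s+(?P<path>.+?)\s*$")


@dataclass
class FileEvent:
    op: str
    proc: str
    pid: int
    path: str


def parse_noriben(text):
    """Parse Noriben file-activity lines; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(FileEvent(m["op"], m["proc"], int(m["pid"]), m["path"]))
    return events


# Names that only belong under the Windows directory; the same name elsewhere is a masquerade.
SYSTEM_BINARY_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
WINDOWS_DIR_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows")
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.exe$", re.I)


def flag_persistence(events):
    """Return (pid, reason, detail) tuples for the indicators visible in the file activity."""
    findings = []
    for ev in events:
        if ev.op != "CreateFile":
            continue
        low = ev.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if "\\start menu\\programs\\startup\\" in low:
            findings.append((ev.pid, "startup-folder write", ev.path))
        if name in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_DIR_PREFIXES):
            findings.append((ev.pid, "system-binary name outside Windows dir", ev.path))
        if DOUBLE_EXT_RE.search(ev.proc):
            findings.append((ev.pid, "double-extension process", ev.proc))
    return findings


def dropped_then_executed(events):
    """Link a file written by one process to a later process running under that file's name."""
    chains = []
    written = []          # (writer pid, path, lower-cased basename) in log order
    seen_procs = set()    # (name, pid) pairs already examined
    for ev in events:
        key = (ev.proc.lower(), ev.pid)
        if key not in seen_procs:
            seen_procs.add(key)
            for wpid, wpath, base in written:
                if base == ev.proc.lower() and wpid != ev.pid:
                    chains.append((wpid, wpath, ev.pid))
        if ev.op == "CreateFile":
            written.append((ev.pid, ev.path, ev.path.rsplit("\\", 1)[-1].lower()))
    return chains


def syn_sent_by_pid(netstat_text):
    """Map PID -> list of foreign addresses in SYN_SENT state from 'netstat -ano' output."""
    out = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "SYN_SENT":
            out.setdefault(int(parts[4]), []).append(parts[2])
    return out


def correlate_outbound(events, netstat_text):
    """Join SYN_SENT attempts to the process names seen writing files under the same PID."""
    names = {ev.pid: ev.proc for ev in events}
    hits = []
    for pid, remotes in syn_sent_by_pid(netstat_text).items():
        for remote in remotes:
            hits.append((pid, names.get(pid, "<unknown>"), remote))
    return hits


if __name__ == "__main__":
    evs = parse_noriben(SAMPLE_LOG)
    for f in flag_persistence(evs):
        print("persistence:", f)
    for c in dropped_then_executed(evs):
        print("dropped-then-run:", c)
    for h in correlate_outbound(evs, SAMPLE_NETSTAT):
        print("outbound:", h)
```

On the sample the dropper (PID 1316) is flagged for its double extension and for writing an explorer.exe outside the Windows directory, the new explorer.exe (PID 4940) is linked back to that write and flagged for the Startup-folder copy, and the same PID is the one with the SYN_SENT attempt. The netstat parser keys on PID rather than process name precisely because the copy calls itself explorer.exe.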

The last question we have available is to submit the mutex. The issue is our machine does not have an internet connection, so we cannot download tools like Process Explorer or use Sysinternals or strings. I decided to load the file into CyberChef and just read through the output. I tried strings on here, but still saw nothing.

By manually reading through, you can see what looks like text followed by a period after every character, such as W.a.i.t.F.o.r.E.x.i.t, which is why strings failed to pick it up (Q5). Because a mutex is basically a lock on a file, shortly after the WaitForExit text is the mutex in curly braces:
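The dotted text described above is what a UTF-16LE ("wide") string looks like in an ASCII-only view: every character is followed by a NUL byte, so a strings scan that wants runs of printable ASCII never sees it. The following added Python example, my own code rather than anything from the write-up or the lab, extracts both ASCII and wide strings from a byte blob, renders the dotted view so the effect is visible, and applies two heuristics for a mutex name: a GUID in curly braces, and a name in the Global\ or Local\ kernel-object namespace, while also reporting whether the CreateMutex/OpenMutex import names are present. The byte blob, the GUID and the "SalaryHikeMutex" name in it are constructed placeholders, not the sample's real mutex.

```python
import re

# Constructed byte blob standing in for a slice of the dropper. It mixes ASCII strings
# with UTF-16LE ones; the GUID and the "SalaryHikeMutex" name are placeholders, not the
# values found in the BTLO sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
    + "WaitForExit".encode("utf-16-le") + b"\x00\x00"
    + "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03" + "Global\\SalaryHikeMutex".encode("utf-16-le") + b"\x00\x00"
    + b"kernel32.dll\x00CreateMutexW\x00"
)


def _run_pattern(min_len, wide):
    # One printable ASCII byte, followed by a NUL for UTF-16LE, repeated min_len or more times.
    unit = rb"[\x20-\x7e]\x00" if wide else rb"[\x20-\x7e]"
    return re.compile(rb"(?:" + unit + rb"){" + str(min_len).encode() + rb",}")


def ascii_strings(data, min_len=4):
    """What a plain 'strings' run returns: runs of printable ASCII bytes."""
    return [m.group().decode("ascii") for m in _run_pattern(min_len, False).finditer(data)]


def wide_strings(data, min_len=4):
    """What GNU 'strings -e l' (or Sysinternals Strings, which scans Unicode by default) adds."""
    return [m.group().decode("utf-16-le") for m in _run_pattern(min_len, True).finditer(data)]


def dotted_view(data):
    """Render bytes like a hex viewer's text pane: non-printables become '.'. This is why a
    wide string reads as W.a.i.t.F.o.r.E.x.i.t. when the raw file is viewed in CyberChef."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in data)


GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
MUTEX_API_RE = re.compile(r"^(CreateMutex|OpenMutex)(Ex)?[AW]?$")


def mutex_candidates(data):
    """Return (sorted candidate names, uses_mutex_api). Candidates are GUID-in-braces strings
    or names in the Global\\ / Local\\ kernel-object namespaces, taken from both encodings."""
    strings = ascii_strings(data) + wide_strings(data)
    names = {s for s in strings if GUID_RE.search(s) or s.startswith(("Global\\", "Local\\"))}
    uses_api = any(MUTEX_API_RE.match(s) for s in strings)
    return sorted(names), uses_api


if __name__ == "__main__":
    print("ascii :", ascii_strings(SAMPLE_BLOB))
    print("wide  :", wide_strings(SAMPLE_BLOB))
    print("view  :", dotted_view("WaitForExit".encode("utf-16-le")))
    print("mutex :", mutex_candidates(SAMPLE_BLOB))
```

The ASCII pass finds the DOS stub and the kernel32/CreateMutexW import names but not WaitForExit or the braced GUID; the wide pass is what surfaces those. Both heuristics are only candidates: confirming which string is the mutex still needs the binary's behaviour (a handle view in Process Explorer, or the Noriben/Procmon trace) once such tools are available.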


This box was actually fairly challenging for me, particularly Q5 and Q8 as they did not rely solely on Noriben and required some out of the box thinking in order to find them. But I definitely felt I learned a lot and added some new tools under my blue team toolbelt!

