In this writeup, I walk through the forensic investigation of an infected memory image, identifying the malicious process, reconstructing its execution chain, and documenting the artifacts it left behind
Introduction
The memory image analyzed in this writeup was provided as part of the 13Cubed "Investigating Windows Memory" course and can also be found in this Youtube video. The intent of this memory image is to display how "Process Hollowing" can be analyzed\determined using Volatility 3.
Goal:
The goal of the investigation is to determine whether or not Process hollowing was really in place, what were the affects on the host, how was it executed and what evidence did it leave in memory that we can investigate.
Methodology
Tools:
The investigation mostly leverages volatility3 to analyze and dissect the memory image.
Other tools used during the investigation are MemProcFS + YARA, for further enrichment where volatility fails, multiple Eric Zimermman tools for easier artifact analysis, PEstudio for high-level binary analysis.
Investigation
Basic system information:
windows.infoThis plugin basic metadata information such as:
SystemTime - the time at which the image was taken
MajorOperatingSystemVersion - Windows Version
Major/Minor - Release version.
The plugin suggests that the Windows version is Windows 10 but the Major/Minor, which are "15.26100", seem to mismatch. So we will query the registry to determine the version more accurately:
windows.registry.printkey --key "Microsoft\Windows NT\CurrentVersion" | grep -E "ProductName|ReleaseId|CurrentBuild|CurrentBuildNumber|CompositionEditionID|DisplayVersion"
We an conclude this is Windows 11 because of the build number:
CurrentBuild = 26100andDisplayVersion = 24H2→ these belong to Windows 11 24H2.- Windows 10 never went beyond build 19045 (22H2).
ProductNamecan still say "Windows 10 Pro" due to upgrade leftovers, so it’s not reliable.
Rule of thumb: Any build ≥ 22000 is Windows 11, regardless of what ProductName says.
windows.sessionsThis plugin helps us determine the Hostname and Username:
Hostname: DESKTOP-MAHIJHF
Username: User
Due to some corruptions in the memory - I was not able to get the local IP address at this stage.
System Information
- OS Version:
Windows 11 - System Time (at capture):
2025-01-27 02:31:50 (UTC) - Hostname:
DESKTOP-MAHIJHF - Username:
User
Process enumeration
Starting off with simple process enumeration:
windows.pslistwindows.pslist in Volatility walks the ActiveProcessLinks doubly-linked list in the EPROCESS structure.
- Every process has an
ActiveProcessLinksentry that points forward and backward to its neighbors. - Together they form a circular doubly-linked list anchored at
PsActiveProcessHead. - By traversing this list,
pslistshows all "linked" processes that the OS knows about.
Note: Hidden processes (e.g. DKOM) won't be seen by windows.pslist.
To efficiently analyze and triage the output of windows.pslist we can rely on the "Windows Process Genealogy" - that way we can more easily tell which processes are most likely benign and which stand out.
Starting off withsvchost.exe, which is one of the most prevalent process on any given Windows system.
As such, quickly identifying whether it's instances are benign or potentially malicious will help us cut down on the result we need to analyze.
svchost.exe should always be the child process of services.exe on modern Windows systems.
windows.pslist | grep -i svchostAs we can see, all of the svchost.exe instances share the same PPID - 772:
Enumerating PID 772:
windows.pslist | grep 772 | grep -i servicesAs expected PID 772 algins with services.exe
With the svchost.exe instances deemed benign, attention shifts to other processes. windows.pslist shows two lsass.exe processes, a clear red flag since only one should exist, and it must always be a child of wininit.exe.
windows.pslist | grep -i lsass.exe
The suspicious process is likely PID 12028. Since wininit.exe starts early in the boot process-and lsass.exe should follow right after-seeing an lsass.exe with a high PID like 12028 and a parent of 11872 strongly suggests it’s malicious.
But we can also easily verify this:
windows.pslist | grep 628
PID 628 is wininit.exe, spawning lsass.exe (792) and services.exe.
Using windows.pstree (exported to a .txt for readability)
the rogue lsass.exe (PID 12028) is shown spawning cmd.exe (PID 12088), which in turn launches systeminfo.exe (PID 5240) and conhost.exe (PID 12100). Legitimate LSASS never spawns child processes, so this parent-child chain confirms the second lsass.exe is tampered/malicious.
Deeper process enumeration:
windows.psscanpslist relies on the active process linked list, so it only shows processes still linked into the OS.
psscan scans memory for EPROCESS structures directly, allowing it to catch hidden or terminated processes that no longer appear in the list.
I couldn’t find any process matching the PPID 11872 for the suspicious lsass.exe using pslist. Although psscan often uncovers additional evidence, it produced no useful results in this case.
windows.netscan
windows.netstatBoth of these plugins provide network data, local and remote IPs, ports and associated process but for this memory image the data seems to be unavailable, we do get the local IP address but the remote IP addresses are blank:
Findings
- Suspicious Processes
12028 - lsass.exe12088 - cmd.exe5240 - systeminfo.exe12100 - conhost.exe- Host IP Address
192.168.0.165
Investigation - Finding malware in memory
Now that suspicious activity and related processes have been identified, the next step is to dig deeper. Given the evidence, the primary focus will be on the anomalous lsass.exe, which is likely at the core of this compromise.
Investigating handles - lsass.exe:
windows.handles lists the handles each process has open (files, registry keys, mutexes, events, named pipes, etc.), Which gives us evidence that reveal what a process is interacting with.
windows.handles --pid 12028
- Process handle →
cmd.exe(PID 12088) withGrantedAccess = 0x1fffff(PROCESS_ALL_ACCESS) indicates full control, consistent with process injection or manipulation 1, 2, 3. - Thread handle →
cmd.exeTID 12092 with the same access rights suggests remote-thread style execution control . - File handle →
\Users\User\Downloadsis unusual forlsass.exe, pointing to possible user-space file enumeration\interaction. - Network handle →
\Device\Afd\Endpointinsidelsass.exeis suspicious here; while LSASS can legitimately use such sockets, in this context it suggests potential malicious network activity (C2, exfiltration, lateral movement). IP/port details couldn’t be confirmed sincenetscanproduced no output.
Investigating handles - cmd.exe:
windows.handles --pid 12088
\Users\User\Downloads- This showscmd.exeenumerating or interacting with the Downloads folder. While not malicious by itself, in the context of being spawned by a roguelsass.exe, it suggests the attacker may have been browsing user files or interacting with the directory in some way.\Device\Afd\Endpoint-cmd.exenormally doesn’t handle raw sockets or network endpoints. Seeing an AFD handle here strongly suggests that commands were executed through this shell which initiated or supported network activity (e.g., C2 communication, data transfer, or lateral movement).
On its own, cmd.exe may not appear overtly suspicious, but the presence of handles to the Downloads folder and AFD Endpoint, combined with its parent-child relationship to the rogue lsass.exe, indicates it was actively leveraged for attacker operations.
Detecting Memory Injection with ldrmodules, malfind and ProcSentinel:
windows.ldrmodules inspects the PEB’s DLL lists (InLoadOrder, InInitOrder, InMemOrder) to spot inconsistencies that indicate hidden/injected modules. It also shows each module’s Mapped Path: legit DLLs should map from System32/SysWOW64 (along with a few others). Unusual paths (e.g., Downloads, Temp) or a blank path (often memory-only/manual-mapped or deleted-on-disk) are strong injection/tampering indicators.
lsass.exe - PID 12028
windows.ldrmodules --pid 12028
In lsass.exe, the module at 0x140000000 is absent from all PEB lists and has no mapped path, strongly indicating memory-resident injected code (manual mapping/reflective injection).
I will quickly mention that cmd.exe does not show anything of note.
The malfind plugin identifies injected code or DLLs in user-mode memory by analyzing VAD structures and memory protections. It highlights regions that are private and executable-especially when marked RWX-since they lack file mappings and remain hidden from standard inspection tools.
lsass.exe - PID 12028
windows.malfind --pid 12028
In lsass.exe, malfind reveals an RWX memory region (0x140000000-0x140004fff) containing an MZ header with no backing file, confirming a reflectively injected PE. The region is marked PAGE_EXECUTE_READWRITE, a highly suspicious protection flag since legitimate modules are rarely loaded with both write and execute permissions - a strong indicator of malicious code injection.
windows.procsentinel is a fairly new plugin that scans processes for anomalies such as hollowing, injected code, suspicious RWX regions, or duplicate singleton processes (like multiple lsass.exe). It also dumps suspicious memory regions for deeper analysis.
windows.procsentinel
windows.procsentinel flags both a duplicate lsass.exe (singleton anomaly) and an RWX memory region with an MZ header, aligning with ATT&CK T1036 (Masquerading) and T1055 (Process Injection), confirming malicious tampering.
Before wrapping up this section, we know that both lsass.exe and cmd.exe interacted with the Downloads directory - making it a natural pivot point. We can use windows.filescan to quickly check for suspicious files:
windows.filescan | grep \Downloads
The results reveal a file named invoice.pdf.exe in the Downloads folder - a classic masquerading technique where a malicious executable disguises itself as a benign document.
Findings
- Rogue
lsass.exe(PID 12028) - duplicate singleton with a reflectively injected PE (RWXregion, MZ header, no mapped path). cmd.exe(PID 12088) - spawned as a child of the rogue LSASS, interacting with theDownloadsdirectory.- Suspicious file
invoice.pdf.exe- discovered inDownloads, posing as a document to evade detection.
Mapped TTPs (MITRE ATT&CK)
- Process Injection (T1055) - reflective PE injection into
lsass.exe. - Masquerading (T1036)
- Rogue
lsass.exeimitating a legitimate system process. invoice.pdf.exemimicking a benign PDF.
- Rogue
- Command and Scripting Interpreter (T1059) - attacker use of
cmd.exe.
Investigation - Extracting artifacts for disk based analysis
Now that we have solid evidence of malicious activity, including processes and files present in the memory image we can pivot to a more traditional disk based forensics by extracting several artifacts:
- ShimCache (AppCompatCache) - treat as evidence of presence, not reliable proof of execution. Use it mainly to show a file existed (with rare exceptions 1, 2). Even if the SYSTEM hive can’t be exported, Volatility 3’s
windows.shimcachecan parse it from memory. Note limitations and corroborate with Amcache/PCA/Prefetch. - Amcache - install/execution metadata (path, hash, timestamps).
- PCA (Program Compatibility Assistant) - AppCompat traces tied to user launches.
- Prefetch - Evidence of execution for PE binaries.
- Event logs (EVTX) - Mostly Windows Defender.
- Suspect files and processes - copy
invoice.pdf.exeand dump suspicious process (lsass.exe) memory/files for further analysis.
Shimcache:
windows.shimcachemem
Note that the timestamps are Last Modified - they do not indicate execution time. Entries higher in the list were shimmed more recently.
We find a high-priority anomaly:
C:\Users\User\AppData\Local\Temp\svchost.exe This nonstandard path is an immediate red flag and needs investigation.
The remaining hits - invoice.pdf.exe, conhost.exe (spawned by cmd.exe but cmd.exe itself is absent here), whoami.exe, and systeminfo.exe - align with earlier findings and further corroborate the activity.
Amcache:
I exported AmCache.hve and parsed it in RegistryExplorer. AmCache helps build an execution timeline (e.g., LastRunTime) and records file metadata, including SHA1. Critically, it shows invoice.pdf.exe with SHA1:
"f0780bcf35ef2324769d29778010f74ee76a32b9".
PCA:
Located at C:\Windows\appcompat\pca\PcaAppLaunchDic.txt, this artifact gives us another evidence that invoice.pdf.exe was indeed executed
Prefetch:
Prefetch confirms execution of whoami.exe and ipconfig.exe (WHOAMI.EXE-9D378AFE.pf, IPCONFIG.EXE-BFEC2AD0.pf - likely used for reconnaissance). As well as the other indicators we observed before. While Prefetch doesn’t record parentage, the Date Modified timestamps align with the cmd.exe spawned by the rogue lsass.exe, making it the likely launcher.
Event logs (EVTX)
I found little of value in most EVTX due to corruption/lack of signal, but Windows Defender (Operational) provided clear evidence:
- 2025-01-27 02:27:18 -
Downloadsfolder added to Defender exclusions. - 2025-01-27 02:27:51 - Defender Real-Time Protection disabled.
These actions significantly reduce detection on the host and likely enabled execution from Downloads without interception.
MITRE ATT&CK: T1562.001 - Impair Defenses (Disable or Modify Tools).
Investigation - Poor man's malware analysis:
This section uses basic triage tools-PEStudio, strings, and MemProcFS (for running Elastic YARA).
Target: svchost.exe at C:\Users\User\AppData\Local\Temp\
PEStudio - basic info
- SHA256:
79AEC4FDF6CC931BCEE95EA14F627AA7347DFDD861290BD40F518580CE028D86 - Compilation time:
Thu Jan 23 01:18:33 2025 (UTC)
PEStudio - flagged imports
Seven imports consistent with a hollowing/remote-injection toolchain:
CreateProcessA
GetThreadContext
SetThreadContext
VirtualAllocEx
VirtualProtect
VirtualQuery
WriteProcessMemoryAssessment
Given the confirmed memory-resident injection in LSASS and the abnormal Temp path, this import set strongly corroborates a process hollowing / remote injection utility. Imports alone show capability, but together with the RWX+MZ region and prior artifacts, confidence is high that this svchost.exe is malicious.
Strings
Strings and imports together narrate a textbook RunPE/process-hollowing sequence: a benign host is created with its primary thread suspended (CreateProcess), remote memory is reserved in the target (VirtualAllocEx), the payload's PE headers and sections are written in (WriteProcessMemory), the thread context is redirected to the payload entry point (GetThreadContext/SetThreadContext), and execution is handed off by resuming the thread (ResumeThread)-a flow squarely consistent with MITRE ATT&CK T1055.012 (Process Hollowing).
Target: invoice.pdf.exe at C:\Users\User\Downloads\
PEStudio - basic info
- SHA256:
B37156CF3019561D48E05F8258C51297C6CD0CC220FA3B7BD82EB13D549BEB63
- Compilation time:
N/A
PEStudio - flagged imports
- Injection/hollowing primitives -
GetThreadContext,SetThreadContext,SuspendThread,SwitchToThread,VirtualAlloc,VirtualQuery - Dropper / I-O / UX -
WriteFile,SetConsoleCtrlHandler,GetEnvironmentStringsW,GetCurrentThreadId - Anti-debug / packer hints -
AddVectoredExceptionHandler,AddVectoredContinueHandler - Telemetry evasion -
WerSetFlags
Strings
- Go loader markers -
go1.23.5,GOOS=windows,GOARCH=amd64,CGO_ENABLED=0,go:buildid - Developer artifact -
C:/Users/Mike/Desktop/malware/invoice2.pdf.go - _Implication:_ not a real PDF; indicates a build path on a developer machine with username
- Mike (paths can be spoofed, but it’s a useful lead).
- Process launch/env -
os.StartProcess,CreateEnvironmentBlock - Memory staging / thread control -
SuspendThread,ResumeThread,Get/SetThreadContext,VirtualAlloc,VirtualQuery,DuplicateHandle,CreateThread,LoadLibraryW/ExW - Networking -
WSASocket,WSAGetOverlappedResult - Packer / anti-debug -
AddVectoredExceptionHandler,AddVectoredContinueHandler,WerSetFlags
Assessment
Imports and strings together indicate a Go-based loader designed to stage and inject code (hollowing/reflective injection). The developer path string ties the sample to a Windows build environment under the account Mike.
invoice.pdf.exe - svchost.exe relationship:
Actor (controller/launcher) - invoice.pdf.exe
Masquerading loader executed by the user.
Orchestrates the attack by launching the next-stage tool.
Action file/process (injector/tool) - C:\Users\User\AppData\Local\Temp\svchost.exe
Malicious injector that performs process hollowing/reflective injection into lsass.exe (memory-resident PE).
Victim/target process - lsass.exe
Hosts the injected code and subsequently enables attacker activity (e.g., spawning cmd.exe).
Amcache provides execution evidence that invoice.pdf.exe ran; its strings indicate a Go-based loader. The Temp svchost.exe shows classic hollowing imports/strings, and LSASS contains an unmapped RWX region with an MZ header-consistent with reflective injection-followed by an anomalous cmd.exe child. Their absence in pslist/psscan is likely due to short-lived execution.
Target: lsass.exe PID 12028
Elastics's YARA Rules
Elastic YARA scanning of the injected VAD in LSASS (PID 12028) at 0x0000000140000000 produced three hits: Windows_Trojan_Metasploit_7bc0f998, Windows_Trojan_Metasploit_c9773203, and Windows_Trojan_Metasploit_91bc5d7d. These rules match the canonical x64 API-hashing/resolver stub used by Metasploit and derivatives. The matched bytes reference ws2_32 and include the inline IPv4 connect tuple 02 00 0d 3d c0 a8 00 9d, which decodes to AF_INET, 192.168.0.157:3389. All hits fall within the same unmapped RWX region with an MZ header previously identified by malfind, confirming a hollowed lsass.exe hosting network-capable shellcode.
Match Index: 0
Rule: Windows_Trojan_Metasploit_7bc0f998
Tags:
Author: Elastic Security
Id: 7bc0f998-7014-4883-8a56-d5ee00c15aed
Fingerprint: fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835
Creation_date: 2021-03-23
Last_modified: 2021-08-23
Description: Identifies the API address lookup function leverage by metasploit shellcode
Threat_name: Windows.Trojan.Metasploit
Severity: 84
Arch_context: x86
Scan_context: file, memory
License: Elastic License v2
Os: windows
Memory Type: Virtual Memory (VAD)
Memory Tag:
Base Address: 0x0000000140000000
PID: 12028
Process Name: lsass.exe
Process Path: \Device\HarddiskVolume3\Windows\System32\lsass.exe
CommandLine: "C:\Windows\System32\lsass.exe"
User: User
Created: 2025-01-27 02:30:54 UTC
Matches:
[]: 140004011
[] 140004011:
0000000140003fd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140003fe0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140003ff0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140004000 fc 48 83 e4 f0 e8 c0 00 00 00 41 51 41 50 52 51 .H........AQAPRQ
0000000140004010 56 48 31 d2 65 48 8b 52 60 48 8b 52 18 48 8b 52 VH1.eH.R`H.R.H.R
0000000140004020 20 48 8b 72 50 48 0f b7 4a 4a 4d 31 c9 48 31 c0 H.rPH..JJM1.H1.
0000000140004030 ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed .<a|., A...A....
0000000140004040 52 41 51 48 8b 52 20 8b 42 3c 48 01 d0 8b 80 88 RAQH.R .B<H.....
---------------------------------------------------------------------------------------
Match Index: 1
Rule: Windows_Trojan_Metasploit_c9773203
Tags:
Author: Elastic Security
Id: c9773203-6d1e-4246-a1e0-314217e0207a
Fingerprint: afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36
Creation_date: 2021-04-07
Last_modified: 2021-08-23
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Threat_name: Windows.Trojan.Metasploit
Reference: https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm
Severity: 10
Arch_context: x86
Scan_context: file, memory
License: Elastic License v2
Os: windows
Memory Type: Virtual Memory (VAD)
Memory Tag:
Base Address: 0x0000000140000000
PID: 12028
Process Name: lsass.exe
Process Path: \Device\HarddiskVolume3\Windows\System32\lsass.exe
CommandLine: "C:\Windows\System32\lsass.exe"
User: User
Created: 2025-01-27 02:30:54 UTC
Matches:
[]: 140004075
[] 140004075:
0000000140004030 ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed .<a|., A...A....
0000000140004040 52 41 51 48 8b 52 20 8b 42 3c 48 01 d0 8b 80 88 RAQH.R .B<H.....
0000000140004050 00 00 00 48 85 c0 74 67 48 01 d0 50 8b 48 18 44 ...H..tgH..P.H.D
0000000140004060 8b 40 20 49 01 d0 e3 56 48 ff c9 41 8b 34 88 48 .@ I...VH..A.4.H
0000000140004070 01 d6 4d 31 c9 48 31 c0 ac 41 c1 c9 0d 41 01 c1 ..M1.H1..A...A..
0000000140004080 38 e0 75 f1 4c 03 4c 24 08 45 39 d1 75 d8 58 44 8.u.L.L$.E9.u.XD
0000000140004090 8b 40 24 49 01 d0 66 41 8b 0c 48 44 8b 40 1c 49 .@$I..fA..HD.@.I
00000001400040a0 01 d0 41 8b 04 88 48 01 d0 41 58 41 58 5e 59 5a ..A...H..AXAX^YZ
---------------------------------------------------------------------------------------
Match Index: 2
Rule: Windows_Trojan_Metasploit_91bc5d7d
Tags:
Author: Elastic Security
Id: 91bc5d7d-31e3-4c02-82b3-a685194981f3
Fingerprint: 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3
Creation_date: 2021-08-02
Last_modified: 2021-10-04
Threat_name: Windows.Trojan.Metasploit
Reference_sample: 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987
Severity: 100
Arch_context: x86
Scan_context: file, memory
License: Elastic License v2
Os: windows
Memory Type: Virtual Memory (VAD)
Memory Tag:
Base Address: 0x0000000140000000
PID: 12028
Process Name: lsass.exe
Process Path: \Device\HarddiskVolume3\Windows\System32\lsass.exe
CommandLine: "C:\Windows\System32\lsass.exe"
User: User
Created: 2025-01-27 02:30:54 UTC
Matches:
[]: 1400040cb
[] 1400040cb:
0000000140004080 38 e0 75 f1 4c 03 4c 24 08 45 39 d1 75 d8 58 44 8.u.L.L$.E9.u.XD
0000000140004090 8b 40 24 49 01 d0 66 41 8b 0c 48 44 8b 40 1c 49 .@$I..fA..HD.@.I
00000001400040a0 01 d0 41 8b 04 88 48 01 d0 41 58 41 58 5e 59 5a ..A...H..AXAX^YZ
00000001400040b0 41 58 41 59 41 5a 48 83 ec 20 41 52 ff e0 58 41 AXAYAZH.. AR..XA
00000001400040c0 59 5a 48 8b 12 e9 57 ff ff ff 5d 49 be 77 73 32 YZH...W...]I.ws2
00000001400040d0 5f 33 32 00 00 41 56 49 89 e6 48 81 ec a0 01 00 _32..AVI..H.....
00000001400040e0 00 49 89 e5 49 bc 02 00 0d 3d c0 a8 00 9d 41 54 .I..I....=....AT
00000001400040f0 49 89 e4 4c 89 f1 41 ba 4c 77 26 07 ff d5 4c 89 I..L..A.Lw&...L.
---------------------------------------------------------------------------------------
Assessment: The YARA matches, their location inside the injected VAD, and the embedded network parameters indicate Metasploit-style payload behavior running within a process-hollowed LSASS, corroborating earlier ldrmodules and malfind findings.
Although Volatility 3 (windows.netstat, windows.netscan) did not yield networking artifacts, MemProcFS recovered the missing evidence and reconstructed the connection details:
Result: lsass.exe connected to 192.168.0.157:3389 at 2025-01-27 02:30:55 UTC-exactly what we’d expect given the Elastic YARA hits on the injected VAD (Metasploit-style connect stub).
MITRE ATT&CK
- T1055 - Process Injection (primary)
- T1055.012 - Process Hollowing (sub-technique)
- T1021 - Remote Services (RDP)
- T1021.001 - Remote Services: RDP (lateral movement via RDP)
Timelining - MemProcFS:
MemProcFS exports multiple timeline CSVs (e.g., NTFS, Processes, Network). By normalizing to UTC and merging these files, we can build a single, ordered chronology of the threat actor’s activity and correlate file events, process launches, and connections into one coherent timeline.
invoice.pdf.exe
invoice.pdf.exe was created at 2025-01-27 01:34:28 UTC and executed at ~2025-01-27 02:30:49 UTC. This is corroborated by the Prefetch artifact (INVOICE.PDF.EXE-*.pf) being created within 0-10 seconds of first run _(7 seconds here, at 02:30:56 UTC)_, and by the NTFS MOD event (M in MACB) at 02:30:49 UTC, which reflects metadata updates occurring at execution time.
svchost.exe
C:\Users\User\AppData\Local\Temp\svchost.exe was created at 2025-01-27 02:30:52 UTC, showed an NTFS MOD (M in MACB) at 02:30:53 UTC, and its Prefetch file SVCHOST.EXE-8FEEB679.pf was created at 02:30:55 UTC. Prefetch is generated within ~0-10 seconds of first run, so these artifacts indicate execution around 02:30:53-02:30:55 UTC.
Processes timeline:
- 02:30:54 -
lsass.exe(PID 12028, PPID 11872) starts - the rogue second instance. - 02:30:55 -
cmd.exe(PID 12088, PPID 12028) spawns fromlsass.exe. - 02:30:55 -
conhost.exe(PID 12100, PPID 12088) attaches tocmd.exe. - 02:31:54 → 02:32:04 -
systeminfo.exe(PID 5240, PPID 12088) runs briefly undercmd.exe.
From previous sections we know that lsass.exe connected to 192.168.0.157:3389 at 2025-01-27 02:30:55 UTC (RDP) and that the Windows Defender has the following canges:
- 2025-01-27 02:27:18 -
Downloadsfolder added to Defender exclusions. - 2025-01-27 02:27:51 - Defender Real-Time Protection disabled.
Timelines table:
| Time (UTC) | Source | Artifact/Event | Details | MITRE ATT&CK |
|---|---|---|---|---|
| --- | --- | --- | --- | --- |
| 2025-01-27 01:34:28 | NTFS | invoice.pdf.exe created | C:\Users\User\Downloads\invoice.pdf.exe | T1036 (masquerading) |
| 2025-01-27 02:27:18 | Defender Operational | Exclusion added | Downloads folder added to Defender exclusions | T1562.001 |
| 2025-01-27 02:27:51 | Defender Operational | Real-Time Protection disabled | RTP off | T1562.001 |
| 2025-01-27 02:30:49 | NTFS/Prefetch | invoice.pdf.exe executed | NTFS MOD at 02:30:49; Prefetch INVOICE.PDF.EXE-*.pf created at 02:30:56 (+7 s) | T1036, T1055 (stager) |
| 2025-01-27 02:30:52 | NTFS | Temp svchost.exe created | C:\Users\User\AppData\Local\Temp\svchost.exe | T1036 |
| 2025-01-27 02:30:53 | NTFS | Temp svchost.exe metadata modified (execution-correlated) | NTFS MOD (M in MACB) | |
| 2025-01-27 02:30:54 | MemProcFS VAD/YARA | Metasploit-style shellcode in LSASS | Hits in injected VAD @ 0x140000000 (block_api/API hashing), RWX+MZ | T1055, T1055.012 |
| 2025-01-27 02:30:54 | Processes | Rogue lsass.exe started | PID 12028, PPID 11872 | T1036 |
| 2025-01-27 02:30:55 | Prefetch | Temp svchost.exe Prefetch created | SVCHOST.EXE-8FEEB679.pf | |
| 2025-01-27 02:30:55 | Processes | cmd.exe spawned by lsass.exe | PID 12088 from PID 12028; conhost.exe (PID 12100) attaches | T1059 |
| 2025-01-27 02:30:55 | MemProcFS Network | LSASS network connection | lsass.exe → 192.168.0.157:3389 (RDP) | T1021.001 |
| 2025-01-27 02:30:56 | Prefetch | invoice.pdf.exe Prefetch created | INVOICE.PDF.EXE-*.pf | |
| 2025-01-27 02:31:50 | Memory capture | System time at capture | Anchor | |
| 2025-01-27 02:31:54 | Processes | systeminfo.exe started (child of cmd.exe) | PID 5240 from PID 12088; exits at 02:32:04 | T1059 |
Closing thoughts
This intrusion is well supported by the memory image. Defender was weakened before execution (Downloads exclusion at 2025-01-27 02:27:18 UTC and Real-Time Protection disabled at 02:27:51 UTC), creating space for the payload to run with minimal friction. invoice.pdf.exe then executed from Downloads at ~02:30:49 UTC, a masqueraded dropper confirmed by Amcache and Prefetch. Its imports and strings show a Go-based loader capable of thread/context manipulation and memory staging.
Within seconds, a fake svchost.exe appeared in AppData\Local\Temp (created 02:30:52, Prefetch 02:30:55), whose imports and strings describe a hollowing workflow (create suspended, allocate, write PE, set entry, resume). A second lsass.exe (PID 12028) then surfaced at 02:30:54 UTC. Memory triage (ldrmodules, malfind, procsentinel) identified an unmapped RWX region with an MZ header at 0x140000000 inside that LSASS instance, which Elastic YARA matched to Metasploit-style block_api/API hashing shellcode. The process graph showed lsass.exe → cmd.exe → conhost.exe/systeminfo.exe, consistent with hands-on activity, and MemProcFS recovered the missing network evidence: lsass.exe connecting to 192.168.0.157:3389 at 02:30:55 UTC. Even though pslist/psscan did not retain short-lived launcher artifacts, the combined evidence chain is coherent and mutually reinforcing.
Assessment: A user-executed, masqueraded dropper staged a Temp svchost.exe injector that hollowed a rogue lsass.exe and ran Metasploit-style shellcode within it, followed by RDP activity and interactive commands. Confidence is high given the convergence of Prefetch/Amcache, Defender Operational logs, process timelines, injected VAD characteristics, YARA hits, and reconstructed network telemetry.
Mapped TTPs
- T1055.012 - Process Hollowing (Temp
svchost.execreating the rogue LSASS) - T1055 - Process Injection (injected RWX+MZ VAD in LSASS)
- T1036 - Masquerading (
invoice.pdf.exeas a PDF, duplicate LSASS) - T1562.001 - Impair Defenses (Defender exclusions and RTP disabled)
- T1021.001 - Remote Services: RDP (LSASS connection to 192.168.0.157:3389)
- T1059 - Command and Scripting Interpreter (LSASS spawning
cmd.exe)
IOCs
| Type | Value | Artifact |
|---|---|---|
| SHA256 | B37156CF3019561D48E05F8258C51297C6CD0CC220FA3B7BD82EB13D549BEB63 | invoice.pdf.exe |
| SHA256 | 79AEC4FDF6CC931BCEE95EA14F627AA7347DFDD861290BD40F518580CE028D86 | vchost.exe |
| SHA256 | 8375F5DEAD870E3B208DD84512521DADA3A2AAA5A23AED096CB1AD878A43BA21 | lsass-12028.exe |
| Remote IP | 192.168.0.157 | RDP destination (3389) |