Boogeyman 2

TryHackMe Challenge Walkthrough

Challenge Overview

After a previous compromise, Quick Logistics LLC improved their defenses — but the Boogeyman threat group has returned with more advanced TTPs. In this challenge, we investigate a new spear-phishing attack targeting an HR employee. We’re tasked with analyzing a phishing email and memory dump to uncover the full attack chain, from initial compromise to C2 communications and persistence mechanisms.

Threat Analysis Summary

Analyst Summary Report

Incident Title

Boogeyman 2 – Malware Execution via Malicious DOC

Category

Memory Forensics, DFIR

Detection Source

Memory Dump (.raw), Email Artefact

Impact

Persistence established via scheduled task and C2 connection initiated from memory-resident malware

Tools Used

  • Volatility
  • Olevba
  • md5sum
  • strings, grep

Attack Chain Overview

Initial Access

Phishing email with malicious .doc attachment

Execution

VBA macro downloads and runs update.js via wscript.exe

Persistence

Scheduled task with Base64-encoded PowerShell payload

Privilege Escalation

Not observed

Defense Evasion

Payloads written to hidden directories (ProgramData, Tasks)

Discovery

Not observed

Credential Access

Not observed

Exfiltration

Not observed

Command & Control

updater.exe connects to external C2 server over HTTP

Impact

Execution of staged malware; system persistence established

MITRE ATT&CK Mapping

| Phase | ID | Technique | Description |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | .doc attachment with embedded macro |
| Execution | T1059.005 | Command and Scripting Interpreter: VBScript | VBA macro executes wscript.exe |
| Execution | T1059.001 | PowerShell | Scheduled task runs obfuscated PowerShell payload |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | schtasks creates task to run PowerShell payload daily |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | PowerShell decodes Base64-encoded command from registry |
| C2 | T1071.001 | Application Layer Protocol: Web Protocols | HTTP connection to files.boogeymanisback.lol |

Reference: [MITRE ATT&CK Navigator](https://attack.mitre.org/)

Q & A

Q1: What email was used to send the phishing email?

Just open the .eml file in Evolution Mail and we have the answers to our first three questions.

The sender’s email was listed at the top of the message.

Answer

westaylor23@outlook.com

Q2: What is the email address of the victim employee?

Also found in the same email by viewing the “To” field inside Evolution Mail.

Answer

maxine.beck@quicklogistics.com

Q3: What is the name of the attached malicious document?

The file attached to the email was clearly labelled within the email preview window.

Answer

Resume_WesleyTaylor.doc

Q4: What is the MD5 hash of the malicious attachment?

I used the md5sum command to generate the hash of the file.

bash:

md5sum Resume_WesleyTaylor.doc

Answer

52c4384a0b9e248b95804352ebec6c5b

Q5: What URL is used to download the stage 2 payload based on the document's macro?

At the beginning they gave us Olevba for analysing and extracting VBA macros from MS Office documents, so let’s use it.
Download the resume and run olevba on it; this gives us the answers to our next three questions.

olevba Resume_WesleyTaylor.doc

Note:
The macro uses Microsoft.XMLHTTP to send a GET request to a remote URL, downloads a malicious file (update.png), and writes it to C:\ProgramData\update.js using ADODB.Stream. The script is then executed with wscript.exe.


(URL is defanged)

Answer

hxxps[://]files[.]boogeymanisback[.]lol/aa2a9c53cbb80416d3b47d85538d9971/update[.]png

Q6: What is the name of the process that executed the newly downloaded stage 2 payload?

The macro code extracted via olevba showed that the downloaded script (update.js) is executed using wscript.exe, a native Windows script host for .js and .vbs files.

Answer

wscript.exe

Q7: What is the full file path of the malicious stage 2 payload?

From the same macro analysis, we see the downloaded payload is saved to:

Answer

C:\ProgramData\update.js

Q8: What is the PID of the process that executed the stage 2 payload?

We have the memory image WKSTN-2961.raw in the Artefacts folder on the desktop.
I used Volatility’s windows.pstree plugin (from the Volatility cheatsheet) to view the process tree and locate the wscript.exe process responsible for running update.js.

The plugin takes a minute to run, so be patient!

vol -f ./Desktop/Artefacts/WKSTN-2961.raw windows.pstree

Located the process entry:

4260 1124 wscript.exe

Answer

4260

Q9: What is the parent PID of the process that executed the stage 2 payload?

From the same windows.pstree output, the parent PID of wscript.exe is shown as 1124 (the column next to the PID is the parent PID).

Answer

1124

Q10: What URL is used to download the malicious binary executed by the stage 2 payload?

So we know that the attacker’s domain is boogeymanisback.lol.

I ran the strings command over the memory dump and filtered the output with grep for URLs tied to the attacker’s domain.

strings WKSTN-2961.raw | grep https | grep boogeyman

(URL is defanged)

Answer

hxxps[://]files[.]boogeymanisback[.]lol/aa2a9c53cbb80416d3b47d85538d9971/update[.]exe

Q11: What is the PID of the malicious process used to establish the C2 connection?

We already identified updater.exe as the process launched by wscript.exe.

I used Volatility’s windows.netscan plugin (which lists the established network connections) to confirm its network activity:

vol -f ./Desktop/Artefacts/WKSTN-2961.raw windows.netscan | grep updater.exe

Answer

6216

Q12: What is the full file path of the malicious process used to establish the C2 connection?

This time I used Volatility’s windows.dlllist plugin to inspect modules loaded by updater.exe.
From the Volatility room:
– dlllist: This plugin will list all DLLs associated with processes at the time of extraction. This can be especially useful once you have done further analysis and can filter output to a specific DLL that might be an indicator for a specific type of malware you believe to be present on the system.

vol -f ./Desktop/Artefacts/WKSTN-2961.raw windows.dlllist --pid 6216 | grep updater.exe

Alternatively, we could have used the strings command:

strings WKSTN-2961.raw | grep -i "updater.exe"

Answer

C:\Windows\Tasks\updater.exe

Q13: What is the IP address and port of the C2 connection?

We already saw this in question 11 in the windows.netscan output.

(IP is defanged)

Answer

128[.]199[.]95[.]189:8080

Q14: What is the full file path of the malicious email attachment based on the memory dump?

Again we can use Volatility or the strings command.

I searched the memory dump with windows.filescan and with strings to locate the .doc file.

vol -f ./Desktop/Artefacts/WKSTN-2961.raw windows.filescan | grep Resume

or

strings WKSTN-2961.raw | grep Resume

Answer

C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc

Q15: What is the full command used by the attacker to maintain persistent access?

_HINT: You may use some known keywords that indicate a scheduled task execution to extract the information._

So, following the hint, I looked up the command for scheduled task execution on Google and it comes out as schtasks, just to be sure 😀

I searched for schtasks commands in memory using strings:

strings WKSTN-2961.raw | grep schtasks

Answer

schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\"'
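As an added example (not part of the original walkthrough), the Python below parses that schtasks command line, flags the traits of the task action a defender would alert on, and mirrors the UNICODE Base64 decode the payload performs on the registry value. The real `debug` registry value is not on the page, so a constructed stand-in is used; the indicator names are my own.

```python
import base64
import re

# The schtasks persistence command recovered from the memory dump (Q15), with
# ASCII quotes; the \" sequences are the inner PowerShell quotes as they appear
# inside the single-quoted /TR argument.
SCHTASKS_CMD = (
    r"schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "
    r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden "
    r"-c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String("
    r"(gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\"'"
)

SWITCH_RE = re.compile(r"/(TN|SC|ST)\s+(\S+)", re.I)
ACTION_RE = re.compile(r"/TR\s+'(.*)'\s*$", re.I | re.S)

# Traits of the task action (the /TR value) worth alerting on; names are mine.
INDICATORS = {
    "hidden-window": r"-W(?:indowStyle)?\s+hidden",
    "non-interactive": r"-NonI(?:nteractive)?\b",
    "base64-decode": r"FromBase64String",
    "in-memory-exec": r"\bIEX\b|Invoke-Expression",
    "registry-stored-payload": r"HKCU:|HKLM:|Get-ItemProperty|\bgp\b",
}


def parse_schtasks(cmd: str) -> dict:
    """Extract task name, schedule, start time and action from a
    'schtasks /Create' line and list which indicators the action trips."""
    fields = {k.upper(): v for k, v in SWITCH_RE.findall(cmd)}
    m = ACTION_RE.search(cmd)
    action = m.group(1) if m else ""
    fields["TR"] = action
    fields["flags"] = sorted(n for n, p in INDICATORS.items() if re.search(p, action, re.I))
    return fields


def decode_unicode_b64(blob: str) -> str:
    """Same as [Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String(x)):
    .NET 'Unicode' is UTF-16LE, so decoding as UTF-8 would give NUL-padded junk."""
    return base64.b64decode(blob).decode("utf-16-le")


def encode_unicode_b64(text: str) -> str:
    """Inverse of decode_unicode_b64; only used to build the constructed sample."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the HKCU ...\CurrentVersion 'debug' value (not from the page).
SAMPLE_DEBUG_VALUE = encode_unicode_b64("Write-Host 'constructed sample payload'")

if __name__ == "__main__":
    task = parse_schtasks(SCHTASKS_CMD)
    print(f"task {task['TN']} runs {task['SC']} at {task['ST']}; flags: {', '.join(task['flags'])}")
    print("decoded registry value:", decode_unicode_b64(SAMPLE_DEBUG_VALUE))
```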

Conclusion

Turns out a .doc file can still ruin your day. A well-crafted phishing email kicked off a neat little attack chain: macro-based payload, JavaScript stager, and a scheduled task hiding PowerShell in base64 — classic. No credential theft, no data exfil — just quiet persistence and a handshake with a shady C2. Not flashy, but effective. The Boogeyman doesn’t need fancy tricks — just a resume and some patience.


$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.