Masks — QnQSec CTF 2025

Challenge Scenario

Investigation of a phishing incident where a malicious email attachment compromised a system. We are provided with a memory dump (.mem) and tasked with answering 8 sequential questions to uncover the complete attack chain.


🔍 Investigation Process

Question 1: Process Used to Deliver Malicious Attachment

We enumerated all running processes using windows.pslist.

[Screenshot: process list showing OUTLOOK.exe]

Question 2: Phishing Email Reception Time

We extracted the Outlook data files (OST) using windows.filescan and windows.dumpfiles.

[Screenshot: email timestamp from the exported OST]

Question 3: CVE Identification

The malicious attachment was a .rar file. Analyzing strings and cross-referencing with VirusTotal revealed the exploit.

[Screenshot: VirusTotal showing the CVE information]

Question 4: Malicious Loader Path

Strings analysis of the suspicious RAR attachment revealed the drop location.

Question 5: Malicious Loader Hash

Dumping the file directly from memory did not yield the hash the platform expected, so we pivoted to AmCache analysis.

> [!TIP]
> AmCache.hve stores SHA1 hashes of executed programs. We used windows.amcache to find the loader's SHA1, then cross-referenced it on VirusTotal to get the SHA256.

[Screenshot: windows.amcache output]
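The AmCache pivot has a detail worth checking before trusting a hash match: the SHA1 that AmCache records (its FileId) is computed over at most the first 31,457,280 bytes of the file and is stored with a "0000" prefix, so a full-file hash of a large binary or a raw compare against the stored value can both fail. The following added example (not part of the original writeup, and not Volatility's own code) takes a Volatility-style tab-separated amcache table, looks up the SHA1 for a given path, and verifies a dumped copy against it. The loader path, the table rows and the column names other than Path and SHA1 are constructed placeholders, and the assumption that the header row contains a "Path" and a "SHA1" column is the only thing the parser relies on.

```python
import csv
import hashlib
import io
from typing import Dict, List, Optional

# AmCache's FileId SHA1 covers only the first 31,457,280 bytes of a file;
# hashing a larger dumped file in full will not reproduce it.
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_sha1(data: bytes) -> str:
    """SHA1 the way AmCache computes it: capped at AMCACHE_HASH_LIMIT bytes."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def normalize_sha1(value: str) -> str:
    """Lower-case and strip the '0000' prefix AmCache prepends to its SHA1."""
    value = value.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value


def normalize_path(path: str) -> str:
    """Case-fold and drop the '\\\\?\\' prefix AmCache paths often carry."""
    path = path.strip().lower()
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path


def parse_amcache_table(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated table; banner lines before the header are skipped."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if "SHA1" in line and "Path" in line)
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])),
                            delimiter="\t", quoting=csv.QUOTE_NONE)
    return list(reader)


def find_sha1_for_path(table_text: str, loader_path: str) -> Optional[str]:
    """Return the AmCache SHA1 recorded for loader_path, or None if absent."""
    want = normalize_path(loader_path)
    for row in parse_amcache_table(table_text):
        if normalize_path(row.get("Path", "")) == want:
            return normalize_sha1(row.get("SHA1", ""))
    return None


def verify_dump_against_amcache(table_text: str, loader_path: str,
                                dumped_bytes: bytes) -> Optional[bool]:
    """True/False if the path is in AmCache and the dump matches/mismatches, None if absent."""
    expected = find_sha1_for_path(table_text, loader_path)
    if expected is None:
        return None
    return amcache_sha1(dumped_bytes) == expected


# Constructed sample data (placeholder loader bytes, path and table rows).
LOADER_BYTES = b"MZ" + b"\x90" * 64 + b"constructed placeholder loader body"
LOADER_PATH = r"C:\Users\Public\loader.exe"
SAMPLE_AMCACHE_OUTPUT = (
    "Volatility 3 Framework (constructed sample banner)\n\n"
    "Path\tLastWriteTime\tSHA1\tProductName\n"
    f"\\\\?\\C:\\Windows\\System32\\notepad.exe\t2025-01-01 10:00:00\t{'0' * 40}\tMicrosoft Windows\n"
    f"\\\\?\\{LOADER_PATH}\t2025-06-01 12:34:56\t0000{amcache_sha1(LOADER_BYTES)}\t\n"
)

if __name__ == "__main__":
    print("AmCache SHA1:", find_sha1_for_path(SAMPLE_AMCACHE_OUTPUT, LOADER_PATH))
    print("dump matches:", verify_dump_against_amcache(SAMPLE_AMCACHE_OUTPUT, LOADER_PATH, LOADER_BYTES))
```

On a real case, feed `parse_amcache_table` the saved text output of `windows.amcache` and `verify_dump_against_amcache` the bytes produced by `windows.dumpfiles`; a `False` result with a correct path is the situation the writeup describes, where the memory-resident copy (padding, slack, missing pages) no longer hashes to the executed file and the AmCache SHA1 is the value to pivot on.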

Question 6: Shellcode URL

Using VirusTotal's Behavior tab for the identified loader hash:

[Screenshot: memory pattern URLs from the VirusTotal Behavior tab]

Question 7: Command & Control (C2) Server

We analyzed the strings in a process memory dump of the loader (windows.memmap).

[Screenshot: the C2 IP]
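Questions 4, 6 and 7 all come down to the same step: pull printable strings out of a blob (the RAR attachment, or the region dumped with windows.memmap) and pick out the indicators, which a plain `strings` run tends to miss when the value is stored as UTF-16LE, as Windows binaries often do. The following added example (not from the original writeup or from Volatility) extracts both ASCII and UTF-16LE strings from a byte buffer and groups the URLs, IPv4 addresses, IP:port sockets and Windows paths it finds. The sample buffer, the loader path and the 203.0.113.10 / 198.51.100.7 addresses (documentation ranges) are constructed, not the challenge's real values.

```python
import re
from typing import Dict, List

MIN_LEN = 6  # shortest run of printable characters reported as a string

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SOCKET_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")
WINPATH_RE = re.compile(r"\b[A-Za-z]:\\(?:[^\\\s\"'<>|:*?]+\\)*[^\\\s\"'<>|:*?]+")


def extract_strings(buf: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16le_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(buf)]
    found += [m.group().decode("utf-16-le") for m in utf16le_re.finditer(buf)]
    return found


def find_iocs(buf: bytes) -> Dict[str, List[str]]:
    """Group candidate indicators found in the buffer's strings by type."""
    iocs = {"urls": set(), "ipv4": set(), "sockets": set(), "paths": set()}
    for s in extract_strings(buf):
        iocs["urls"].update(URL_RE.findall(s))
        iocs["ipv4"].update(IPV4_RE.findall(s))
        iocs["sockets"].update(SOCKET_RE.findall(s))
        iocs["paths"].update(WINPATH_RE.findall(s))
    return {kind: sorted(values) for kind, values in iocs.items()}


def build_sample_memory() -> bytes:
    """Constructed stand-in for a dumped region: ASCII strings plus one UTF-16LE string."""
    ascii_part = (b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 8
                  + b"C:\\Users\\Public\\loader.exe\x00" + b"\x01\x02\x03"
                  + b"http://203.0.113.10/stage.bin\x00" + b"\xff" * 5)
    wide_part = "198.51.100.7:4444".encode("utf-16-le") + b"\x00\x00"
    return ascii_part + wide_part + b"\x00" * 8


if __name__ == "__main__":
    # Replace the constructed buffer with open(dump_path, "rb").read() on a real dump.
    for kind, values in find_iocs(build_sample_memory()).items():
        print(f"{kind}: {values}")
```

Running it on a real dump is a matter of passing the file's bytes to `find_iocs`; the output is a candidate list to verify against the other evidence (VirusTotal behaviour report, network captures), not a final answer, since version strings and library paths also match these patterns.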

Question 8: Persistence Mechanism

Traditional registry Run keys were clean. We pivoted to Scheduled Tasks in C:\Windows\System32\Tasks.

[Screenshot: malicious scheduled task XML]
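Each file under C:\Windows\System32\Tasks is an XML task definition, so the triage can be automated instead of opening every file by hand. The following added example (not from the original writeup) parses a task with the Task Scheduler namespace and flags the properties that made this one stand out: an action launched from a user-writable directory, hidden-window or encoded arguments, a logon or boot trigger, the Hidden setting and a request for the highest available run level. The sample task XML, its author, SID and command path are constructed placeholders rather than the challenge's real task.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespace used by Windows Task Scheduler task definition files.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

USER_WRITABLE = re.compile(r"\\(?:users\\public|appdata|temp|programdata)\\", re.I)
SUSPICIOUS_ARGS = re.compile(
    r"(?:-enc\w*\s|-w(?:indowstyle)?\s+hidden|frombase64string|downloadstring|\biex\b)", re.I)
PERSISTENCE_TRIGGERS = ("LogonTrigger", "BootTrigger")

# Constructed sample task (placeholder author, SID and command path).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>DESKTOP-EXAMPLE\\victim</Author>
    <Description>System update helper</Description>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-0-0-0-1001</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\loader.exe</Command>
      <Arguments>-w hidden</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _text(node: ET.Element, path: str) -> str:
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def parse_task(xml_data) -> Dict:
    """Extract author, triggers, exec actions, run level and hidden flag from a task."""
    root = ET.fromstring(xml_data)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [c.tag.rsplit("}", 1)[-1] for c in triggers_el]
    actions: List[Tuple[str, str]] = [
        (_text(ex, "t:Command"), _text(ex, "t:Arguments"))
        for ex in root.findall("t:Actions/t:Exec", NS)]
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "triggers": triggers,
        "actions": actions,
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
    }


def triage_task(xml_data) -> Dict:
    """Return the parsed task plus a list of reasons it deserves a closer look."""
    info = parse_task(xml_data)
    reasons: List[str] = []
    for cmd, args in info["actions"]:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"action runs from a user-writable path: {cmd}")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append(f"suspicious arguments: {args}")
    hits = [t for t in info["triggers"] if t in PERSISTENCE_TRIGGERS]
    if hits:
        reasons.append("runs at logon/boot: " + ", ".join(hits))
    if info["hidden"]:
        reasons.append("task is hidden")
    if info["run_level"] == "HighestAvailable":
        reasons.append("requests highest available privileges")
    info["reasons"] = reasons
    return info


def triage_task_file(path: str) -> Dict:
    """Task files on disk are usually UTF-16 with a BOM; pass raw bytes so the parser honours it."""
    with open(path, "rb") as f:
        return triage_task(f.read())


if __name__ == "__main__":
    result = triage_task(SAMPLE_TASK_XML)
    for reason in result["reasons"]:
        print("-", reason)
```

Pointing `triage_task_file` at every file under the Tasks directory recovered from the image (walking it with `os.walk`) gives a ranked list; a task with several reasons and an author that does not match a known administrative account is the one to read in full.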


🛠️ Tools & Techniques