With Vin Concept about to release its latest car, the company wants to make sure its information system is not infected any further. Restoring its services is essential to finalising Aurora. The forensic team will therefore analyse several PCs for traces of various infections.
Once the start of the incident had been dated, a complementary analysis was launched on an internal workstation that showed significant network activity during that interval.
The files provided contain a memory capture of the intern's computer. This capture will allow us to answer the first three questions.
To respect the platform's limits, we had to split the memory capture into several parts. To reconstruct the complete capture, you can use the following command:
$> cat mem.raw.gz.* > mem.raw.gz
To analyse the memory capture we use Volatility 3, starting with the process list:
$> python3 vol.py -f mem.raw windows.pslist
which gives us the following list:
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xc589a2697040 239 - N/A False 2025-09-10 00:14:27.000000 UTC N/A Disabled
128 4 Registry 0xc589a274c080 4 - N/A False 2025-09-10 00:14:24.000000 UTC N/A Disabled
488 4 smss.exe 0xc589a69ce040 2 - N/A False 2025-09-10 00:14:27.000000 UTC N/A Disabled
660 632 csrss.exe 0xc589a683e140 11 - 0 False 2025-09-10 00:14:35.000000 UTC N/A Disabled
732 632 wininit.exe 0xc589aa83e080 2 - 0 False 2025-09-10 00:14:35.000000 UTC N/A Disabled
740 724 csrss.exe 0xc589aa8870c0 22 - 1 False 2025-09-10 00:14:35.000000 UTC N/A Disabled
804 724 winlogon.exe 0xc589aa8c2080 8 - 1 False 2025-09-10 00:14:35.000000 UTC N/A Disabled
884 732 services.exe 0xc589aa5f9140 11 - 0 False 2025-09-10 00:14:35.000000 UTC N/A Disabled
904 732 lsass.exe 0xc589aa93f080 13 - 0 False 2025-09-10 00:14:36.000000 UTC N/A Disabled
8 884 svchost.exe 0xc589aa9f1080 14 - 0 False 2025-09-10 00:14:36.000000 UTC N/A Disabled
460 804 fontdrvhost.ex 0xc589aaa1e080 5 - 1 False 2025-09-10 00:14:36.000000 UTC N/A Disabled
476 732 fontdrvhost.ex 0xc589aaa1f080 5 - 0 False 2025-09-10 00:14:36.000000 UTC N/A Disabled
524 884 svchost.exe 0xc589aaa22080 13 - 0 False 2025-09-10 00:14:36.000000 UTC N/A Disabled
1052 884 svchost.exe 0xc589aaae0080 6 - 0 False 2025-09-10 00:14:36.000000 UTC N/A Disabled
1112 804 dwm.exe 0xc589aab430c0 23 - 1 False 2025-09-10 00:14:36.000000 UTC N/A Disabled
1216 884 svchost.exe 0xc589aabe9080 8 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1228 884 svchost.exe 0xc589aac53080 7 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1352 884 svchost.exe 0xc589aacbe080 3 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1456 884 svchost.exe 0xc589aad5b080 14 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1464 884 svchost.exe 0xc589aad58080 4 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1472 884 svchost.exe 0xc589aad57080 2 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1484 884 svchost.exe 0xc589aad53080 4 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1532 884 svchost.exe 0xc589aad69080 3 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1540 884 svchost.exe 0xc589aad67080 4 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1612 884 svchost.exe 0xc589aada4080 5 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1680 884 svchost.exe 0xc589aadbd080 7 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1824 884 svchost.exe 0xc589aaea6080 9 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1888 884 VBoxService.ex 0xc589aae9d080 12 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1976 884 svchost.exe 0xc589aafa6080 3 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1984 884 svchost.exe 0xc589aafa4080 9 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1332 884 svchost.exe 0xc589ab087080 5 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1348 884 svchost.exe 0xc589ab0850c0 3 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
1592 884 svchost.exe 0xc589ab0bf080 4 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
2104 884 svchost.exe 0xc589ab0ec080 12 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
2192 4 MemCompression 0xc589a26a1040 58 - N/A False 2025-09-10 00:14:37.000000 UTC N/A Disabled
2208 884 svchost.exe 0xc589ab0ae080 4 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
2288 884 svchost.exe 0xc589ab0ce080 3 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
2296 884 svchost.exe 0xc589a27b5080 8 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
2380 884 svchost.exe 0xc589a2793080 7 - 0 False 2025-09-10 00:14:37.000000 UTC N/A Disabled
2496 884 svchost.exe 0xc589a27a4080 6 - 0 False 2025-09-10 00:14:38.000000 UTC N/A Disabled
2508 884 svchost.exe 0xc589a269c0c0 3 - 0 False 2025-09-10 00:14:38.000000 UTC N/A Disabled
2600 884 svchost.exe 0xc589ab182080 11 - 0 False 2025-09-10 00:14:38.000000 UTC N/A Disabled
2644 884 svchost.exe 0xc589a269e080 7 - 0 False 2025-09-10 00:14:38.000000 UTC N/A Disabled
2716 884 svchost.exe 0xc589ab3af080 4 - 0 False 2025-09-10 00:14:38.000000 UTC N/A Disabled
2824 884 svchost.exe 0xc589ab3c0080 14 - 0 False 2025-09-10 00:14:38.000000 UTC N/A Disabled
2852 884 svchost.exe 0xc589ab3ce080 14 - 0 False 2025-09-10 00:14:38.000000 UTC N/A Disabled
2712 884 svchost.exe 0xc589ab79b080 2 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3224 884 svchost.exe 0xc589ab7b6080 6 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3240 884 svchost.exe 0xc589ab7b2080 2 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3420 884 svchost.exe 0xc589ab4cc080 6 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3436 884 svchost.exe 0xc589ab4bd080 18 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3456 884 svchost.exe 0xc589ab4b9080 3 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3468 884 svchost.exe 0xc589ab4b8080 7 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3524 884 svchost.exe 0xc589ab52a080 4 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3632 884 spoolsv.exe 0xc589ab5b5080 9 - 0 False 2025-09-10 00:14:39.000000 UTC N/A Disabled
3748 884 svchost.exe 0xc589ab8a0080 6 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3780 884 armsvc.exe 0xc589ab899080 2 - 0 True 2025-09-10 00:14:40.000000 UTC N/A Disabled
3816 884 OfficeClickToR 0xc589ab894080 16 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3824 884 svchost.exe 0xc589ab893080 17 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3832 884 svchost.exe 0xc589aabca080 18 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3912 884 svchost.exe 0xc589ab884080 7 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3944 884 svchost.exe 0xc589ab8ef080 9 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3952 884 svchost.exe 0xc589ab8ee080 3 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3968 884 pg_ctl.exe 0xc589ab8e8080 2 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3976 884 svchost.exe 0xc589ab8eb080 2 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
3984 884 MpDefenderCore 0xc589ab8f1080 7 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
4084 884 MsMpEng.exe 0xc589ab937080 41 - 0 False 2025-09-10 00:14:40.000000 UTC N/A Disabled
4372 3968 postgres.exe 0xc589abb14080 3 - 0 False 2025-09-10 00:14:41.000000 UTC N/A Disabled
4380 4372 conhost.exe 0xc589abb17080 4 - 0 False 2025-09-10 00:14:41.000000 UTC N/A Disabled
4540 4372 postgres.exe 0xc589abb8d080 3 - 0 False 2025-09-10 00:14:41.000000 UTC N/A Disabled
4596 4372 postgres.exe 0xc589abc04080 2 - 0 False 2025-09-10 00:14:41.000000 UTC N/A Disabled
4608 4372 postgres.exe 0xc589abbfa080 2 - 0 False 2025-09-10 00:14:41.000000 UTC N/A Disabled
4860 884 svchost.exe 0xc589ab6bc080 25 - 0 False 2025-09-10 00:14:43.000000 UTC N/A Disabled
4868 884 svchost.exe 0xc589ab6b9080 4 - 0 False 2025-09-10 00:14:43.000000 UTC N/A Disabled
5088 3832 AggregatorHost 0xc589ab948080 4 - 0 False 2025-09-10 00:14:43.000000 UTC N/A Disabled
4192 4372 postgres.exe 0xc589abbf7080 2 - 0 False 2025-09-10 00:14:44.000000 UTC N/A Disabled
4356 4372 postgres.exe 0xc589abcdf080 2 - 0 False 2025-09-10 00:14:44.000000 UTC N/A Disabled
4344 4372 postgres.exe 0xc589abcdb080 2 - 0 False 2025-09-10 00:14:44.000000 UTC N/A Disabled
3036 884 svchost.exe 0xc589ae0e8080 6 - 0 False 2025-09-10 00:14:45.000000 UTC N/A Disabled
4524 884 svchost.exe 0xc589ae1020c0 8 - 0 False 2025-09-10 00:14:54.000000 UTC N/A Disabled
2012 1680 sihost.exe 0xc589ae31b080 12 - 1 False 2025-09-10 00:14:54.000000 UTC N/A Disabled
4736 884 svchost.exe 0xc589ae325080 6 - 1 False 2025-09-10 00:14:54.000000 UTC N/A Disabled
5132 884 svchost.exe 0xc589ae339080 3 - 1 False 2025-09-10 00:14:54.000000 UTC N/A Disabled
5204 884 svchost.exe 0xc589ae34b080 4 - 1 False 2025-09-10 00:14:54.000000 UTC N/A Disabled
5232 884 svchost.exe 0xc589ae352080 7 - 0 False 2025-09-10 00:14:54.000000 UTC N/A Disabled
5332 1456 taskhostw.exe 0xc589ae3670c0 8 - 1 False 2025-09-10 00:14:54.000000 UTC N/A Disabled
5348 1456 MicrosoftEdgeU 0xc589ae36b080 4 - 0 True 2025-09-10 00:14:54.000000 UTC N/A Disabled
5536 884 svchost.exe 0xc589ae42c080 6 - 0 False 2025-09-10 00:14:55.000000 UTC N/A Disabled
5604 804 userinit.exe 0xc589ae4ec080 0 - 1 False 2025-09-10 00:14:55.000000 UTC 2025-09-10 00:15:25.000000 UTC Disabled
5656 5604 explorer.exe 0xc589ae43d080 73 - 1 False 2025-09-10 00:14:55.000000 UTC N/A Disabled
5716 2012 ShellHost.exe 0xc589ae4c0080 7 - 1 False 2025-09-10 00:14:55.000000 UTC N/A Disabled
6012 884 svchost.exe 0xc589ae6b7080 8 - 1 False 2025-09-10 00:14:56.000000 UTC N/A Disabled
6092 884 svchost.exe 0xc589ae6d4080 2 - 0 False 2025-09-10 00:14:56.000000 UTC N/A Disabled
6276 8 StartMenuExper 0xc589ae89b080 14 - 1 False 2025-09-10 00:14:57.000000 UTC N/A Disabled
6300 8 SearchHost.exe 0xc589ae899080 14 - 1 False 2025-09-10 00:14:57.000000 UTC N/A Disabled
6408 8 WidgetBoard.ex 0xc589aeb020c0 24 - 1 False 2025-09-10 00:14:58.000000 UTC N/A Disabled
6436 8 RuntimeBroker. 0xc589aea5d080 7 - 1 False 2025-09-10 00:14:58.000000 UTC N/A Disabled
6488 884 svchost.exe 0xc589aeac3080 3 - 1 False 2025-09-10 00:14:58.000000 UTC N/A Disabled
6548 884 SearchIndexer. 0xc589ae954080 11 - 0 False 2025-09-10 00:14:58.000000 UTC N/A Disabled
6592 884 svchost.exe 0xc589ae955080 0 - 0 False 2025-09-10 00:14:58.000000 UTC 2025-09-10 00:20:20.000000 UTC Disabled
6720 8 WidgetService. 0xc589aec3b080 7 - 1 False 2025-09-10 00:14:59.000000 UTC N/A Disabled
6980 6300 msedgewebview2 0xc589aee96080 46 - 1 False 2025-09-10 00:15:00.000000 UTC N/A Disabled
7056 6980 msedgewebview2 0xc589ae33b080 8 - 1 False 2025-09-10 00:15:00.000000 UTC N/A Disabled
7576 6980 msedgewebview2 0xc589aefa9080 19 - 1 False 2025-09-10 00:15:01.000000 UTC N/A Disabled
7644 6980 msedgewebview2 0xc589aa9440c0 16 - 1 False 2025-09-10 00:15:02.000000 UTC N/A Disabled
7752 6980 msedgewebview2 0xc589ac316080 9 - 1 False 2025-09-10 00:15:02.000000 UTC N/A Disabled
7836 6980 msedgewebview2 0xc589aefd7080 17 - 1 False 2025-09-10 00:15:02.000000 UTC N/A Disabled
7900 2716 ctfmon.exe 0xc589ac41c080 11 - 1 False 2025-09-10 00:15:02.000000 UTC N/A Disabled
8176 8 MicrosoftStart 0xc589ac10f080 8 - 1 False 2025-09-10 00:15:03.000000 UTC N/A Disabled
6112 884 svchost.exe 0xc589ac5da080 4 - 0 False 2025-09-10 00:15:04.000000 UTC N/A Disabled
996 884 svchost.exe 0xc589ac651080 2 - 0 False 2025-09-10 00:15:04.000000 UTC N/A Disabled
8884 8 smartscreen.ex 0xc589ab3be080 7 - 1 False 2025-09-10 00:15:13.000000 UTC N/A Disabled
8932 884 svchost.exe 0xc589aaa85080 5 - 0 False 2025-09-10 00:15:13.000000 UTC N/A Disabled
8956 5656 SecurityHealth 0xc589ae841080 3 - 1 False 2025-09-10 00:15:13.000000 UTC N/A Disabled
8988 884 SecurityHealth 0xc589ac6da080 14 - 0 False 2025-09-10 00:15:13.000000 UTC N/A Disabled
8328 5656 VBoxTray.exe 0xc589abb130c0 14 - 1 False 2025-09-10 00:15:14.000000 UTC N/A Disabled
2844 5656 msedge.exe 0xc589abc0f080 54 - 1 False 2025-09-10 00:15:15.000000 UTC N/A Disabled
8644 8 WmiPrvSE.exe 0xc589abbf5080 9 - 0 False 2025-09-10 00:15:15.000000 UTC N/A Disabled
8704 2844 msedge.exe 0xc589ac9f4080 9 - 1 False 2025-09-10 00:15:15.000000 UTC N/A Disabled
3660 2844 msedge.exe 0xc589accc1080 20 - 1 False 2025-09-10 00:15:15.000000 UTC N/A Disabled
6324 2844 msedge.exe 0xc589accbf080 19 - 1 False 2025-09-10 00:15:15.000000 UTC N/A Disabled
4648 2844 msedge.exe 0xc589acca1080 11 - 1 False 2025-09-10 00:15:15.000000 UTC N/A Disabled
9792 2844 msedge.exe 0xc589acecd080 19 - 1 False 2025-09-10 00:15:16.000000 UTC N/A Disabled
10036 2844 msedge.exe 0xc589acfcc080 16 - 1 False 2025-09-10 00:15:17.000000 UTC N/A Disabled
10148 5656 OneDrive.exe 0xc589aeeec080 26 - 1 False 2025-09-10 00:15:18.000000 UTC N/A Disabled
9684 9492 firefox.exe 0xc589ae4de080 65 - 1 False 2025-09-10 00:15:22.000000 UTC N/A Disabled
4188 9684 crashhelper.ex 0xc589af198080 4 - 1 False 2025-09-10 00:15:22.000000 UTC N/A Disabled
10264 9684 firefox.exe 0xc589af19a0c0 26 - 1 False 2025-09-10 00:15:22.000000 UTC N/A Disabled
10284 9684 firefox.exe 0xc589af23f080 7 - 1 False 2025-09-10 00:15:22.000000 UTC N/A Disabled
10532 9684 firefox.exe 0xc589ae557080 23 - 1 False 2025-09-10 00:15:23.000000 UTC N/A Disabled
10556 9684 firefox.exe 0xc589ae5510c0 7 - 1 False 2025-09-10 00:15:23.000000 UTC N/A Disabled
10772 9684 firefox.exe 0xc589ae559080 22 - 1 False 2025-09-10 00:15:23.000000 UTC N/A Disabled
10948 9684 firefox.exe 0xc589af2c5080 7 - 1 False 2025-09-10 00:15:24.000000 UTC N/A Disabled
11176 9684 firefox.exe 0xc589af115080 27 - 1 False 2025-09-10 00:15:25.000000 UTC N/A Disabled
5712 9684 firefox.exe 0xc589acece080 23 - 1 False 2025-09-10 00:15:28.000000 UTC N/A Disabled
11332 9684 firefox.exe 0xc589af6240c0 8 - 1 False 2025-09-10 00:15:28.000000 UTC N/A Disabled
10764 5656 Spotify.exe 0xc589af6020c0 64 - 1 False 2025-09-10 00:15:56.000000 UTC N/A Disabled
11044 9684 firefox.exe 0xc589af2dd080 22 - 1 False 2025-09-10 00:15:57.000000 UTC N/A Disabled
11200 9684 firefox.exe 0xc589aee52080 22 - 1 False 2025-09-10 00:15:57.000000 UTC N/A Disabled
5608 9684 firefox.exe 0xc589ae0e5080 23 - 1 False 2025-09-10 00:15:57.000000 UTC N/A Disabled
8588 1456 taskhostw.exe 0xc589a9fb7080 5 - 1 False 2025-09-10 00:15:57.000000 UTC N/A Disabled
668 10764 Spotify.exe 0xc589a9de0080 7 - 1 False 2025-09-10 00:15:58.000000 UTC N/A Disabled
5012 10764 Spotify.exe 0xc589a9af6080 17 - 1 False 2025-09-10 00:16:01.000000 UTC N/A Disabled
5112 10764 Spotify.exe 0xc589af5c5080 21 - 1 False 2025-09-10 00:16:01.000000 UTC N/A Disabled
5468 10764 Spotify.exe 0xc589ac64a080 11 - 1 False 2025-09-10 00:16:02.000000 UTC N/A Disabled
4792 10764 Spotify.exe 0xc589ac7de0c0 17 - 1 False 2025-09-10 00:16:03.000000 UTC N/A Disabled
7760 884 svchost.exe 0xc589ac8cc080 4 - 0 False 2025-09-10 00:16:10.000000 UTC N/A Disabled
10816 9684 firefox.exe 0xc589acc99080 17 - 1 False 2025-09-10 00:16:12.000000 UTC N/A Disabled
10636 9684 firefox.exe 0xc589a9d8b080 17 - 1 False 2025-09-10 00:16:12.000000 UTC N/A Disabled
4004 11584 slack.exe 0xc589a9ad2080 46 - 1 False 2025-09-10 00:16:30.000000 UTC N/A Disabled
3692 4004 slack.exe 0xc589a9c0d080 7 - 1 False 2025-09-10 00:16:32.000000 UTC N/A Disabled
7552 4004 slack.exe 0xc589ae25e080 14 - 1 False 2025-09-10 00:16:32.000000 UTC N/A Disabled
7176 4004 slack.exe 0xc589a669d080 12 - 1 False 2025-09-10 00:16:33.000000 UTC N/A Disabled
5908 4004 slack.exe 0xc589aa3e1080 9 - 1 False 2025-09-10 00:16:34.000000 UTC N/A Disabled
1344 884 svchost.exe 0xc589aa0860c0 13 - 0 False 2025-09-10 00:16:48.000000 UTC N/A Disabled
12044 884 svchost.exe 0xc589aa45b080 5 - 0 False 2025-09-10 00:16:49.000000 UTC N/A Disabled
11832 884 svchost.exe 0xc589a97af080 5 - 0 False 2025-09-10 00:16:49.000000 UTC N/A Disabled
8564 884 svchost.exe 0xc589a6452080 11 - 0 False 2025-09-10 00:16:50.000000 UTC N/A Disabled
11592 8 WmiPrvSE.exe 0xc589a9c1a080 4 - 0 False 2025-09-10 00:16:50.000000 UTC N/A Disabled
12208 884 svchost.exe 0xc589aa445080 2 - 1 False 2025-09-10 00:16:50.000000 UTC N/A Disabled
11580 9684 firefox.exe 0xc589aa44c080 15 - 1 False 2025-09-10 00:16:50.000000 UTC N/A Disabled
10472 2012 msteams_autost 0xc589a6448080 0 - 1 False 2025-09-10 00:16:51.000000 UTC 2025-09-10 00:16:51.000000 UTC Disabled
12308 10472 ms-teams.exe 0xc589affef080 32 - 1 False 2025-09-10 00:16:51.000000 UTC N/A Disabled
12424 2012 WindowsTermina 0xc589a9c9d080 21 - 1 False 2025-09-10 00:16:53.000000 UTC N/A Disabled
12504 8 RuntimeBroker. 0xc589b23ee080 2 - 1 False 2025-09-10 00:16:53.000000 UTC N/A Disabled
12596 12424 OpenConsole.ex 0xc589af9f5080 4 - 1 False 2025-09-10 00:16:53.000000 UTC N/A Disabled
12604 12424 powershell.exe 0xc589b23e4080 11 - 1 False 2025-09-10 00:16:53.000000 UTC N/A Disabled
12636 12308 msedgewebview2 0xc589b26e2080 46 - 1 False 2025-09-10 00:16:53.000000 UTC N/A Disabled
12796 12636 msedgewebview2 0xc589b26df080 7 - 1 False 2025-09-10 00:16:54.000000 UTC N/A Disabled
12956 12636 msedgewebview2 0xc589b29c6080 20 - 1 False 2025-09-10 00:16:54.000000 UTC N/A Disabled
12972 12636 msedgewebview2 0xc589b29c2080 17 - 1 False 2025-09-10 00:16:54.000000 UTC N/A Disabled
13044 12636 msedgewebview2 0xc589b2903080 10 - 1 False 2025-09-10 00:16:54.000000 UTC N/A Disabled
13104 12636 msedgewebview2 0xc589b296b080 19 - 1 False 2025-09-10 00:16:54.000000 UTC N/A Disabled
1552 2012 XboxPcTray.exe 0xc589a273a080 8 - 1 False 2025-09-10 00:16:58.000000 UTC N/A Disabled
1800 8 XboxPcAppFT.ex 0xc589aa3d9080 5 - 1 False 2025-09-10 00:16:58.000000 UTC N/A Disabled
2144 884 svchost.exe 0xc589a9b72080 3 - 0 False 2025-09-10 00:16:58.000000 UTC N/A Disabled
1968 884 svchost.exe 0xc589ab9d2080 4 - 0 False 2025-09-10 00:16:59.000000 UTC N/A Disabled
4952 3208 WebViewHost.ex 0xc589ab0b0080 24 - 1 False 2025-09-10 00:16:59.000000 UTC N/A Disabled
1164 8 RuntimeBroker. 0xc589abcd9080 2 - 1 False 2025-09-10 00:17:00.000000 UTC N/A Disabled
3740 4952 msedgewebview2 0xc589a99b1080 42 - 1 False 2025-09-10 00:17:00.000000 UTC N/A Disabled
4452 3740 msedgewebview2 0xc589afed0080 7 - 1 False 2025-09-10 00:17:00.000000 UTC N/A Disabled
13424 3740 msedgewebview2 0xc589b2d21080 19 - 1 False 2025-09-10 00:17:00.000000 UTC N/A Disabled
13444 3740 msedgewebview2 0xc589b2d1c080 16 - 1 False 2025-09-10 00:17:00.000000 UTC N/A Disabled
13512 3740 msedgewebview2 0xc589b2d0a080 8 - 1 False 2025-09-10 00:17:00.000000 UTC N/A Disabled
13532 3740 msedgewebview2 0xc589b2d07080 16 - 1 False 2025-09-10 00:17:00.000000 UTC N/A Disabled
13864 2012 Copilot.exe 0xc589ab537080 25 - 1 False 2025-09-10 00:17:03.000000 UTC N/A Disabled
5164 8 SystemSettings 0xc589b2e68080 26 - 1 False 2025-09-10 00:17:45.000000 UTC N/A Disabled
4800 8 ApplicationFra 0xc589b299b080 3 - 1 False 2025-09-10 00:17:45.000000 UTC N/A Disabled
12280 884 svchost.exe 0xc589a9b0d080 1 - 0 False 2025-09-10 00:17:47.000000 UTC N/A Disabled
10308 884 svchost.exe 0xc589a96450c0 13 - 0 False 2025-09-10 00:17:48.000000 UTC N/A Disabled
13068 12424 OpenConsole.ex 0xc589ab4c3080 4 - 1 False 2025-09-10 00:17:58.000000 UTC N/A Disabled
9484 12424 powershell.exe 0xc589ab7c5080 11 - 1 False 2025-09-10 00:17:58.000000 UTC N/A Disabled
10516 12424 OpenConsole.ex 0xc589ab857080 4 - 1 False 2025-09-10 00:18:01.000000 UTC N/A Disabled
4900 12424 powershell.exe 0xc589ab85b080 11 - 1 False 2025-09-10 00:18:01.000000 UTC N/A Disabled
8168 8 backgroundTask 0xc589aa27e080 10 - 1 False 2025-09-10 00:18:21.000000 UTC N/A Disabled
8788 8 backgroundTask 0xc589a9f21080 14 - 1 False 2025-09-10 00:18:21.000000 UTC N/A Disabled
11516 8 RuntimeBroker. 0xc589ab178140 2 - 1 False 2025-09-10 00:18:22.000000 UTC N/A Disabled
11920 11776 Postman.exe 0xc589ae263080 46 - 1 False 2025-09-10 00:18:48.000000 UTC N/A Disabled
11644 11920 Postman.exe 0xc589b50c6080 7 - 1 False 2025-09-10 00:18:48.000000 UTC N/A Disabled
4932 11920 Postman.exe 0xc589b50d4080 16 - 1 False 2025-09-10 00:18:48.000000 UTC N/A Disabled
3196 11920 Postman.exe 0xc589b50d0080 15 - 1 False 2025-09-10 00:18:49.000000 UTC N/A Disabled
9324 11920 Postman.exe 0xc589a9cd7080 18 - 1 False 2025-09-10 00:18:49.000000 UTC N/A Disabled
10584 884 svchost.exe 0xc589b20c6080 2 - 1 False 2025-09-10 00:18:57.000000 UTC N/A Disabled
4300 8 ShellExperienc 0xc589a9edc080 20 - 1 False 2025-09-10 00:19:06.000000 UTC N/A Disabled
7292 8 RuntimeBroker. 0xc589ac67b080 3 - 1 False 2025-09-10 00:19:06.000000 UTC N/A Disabled
6532 5656 thunderbird.ex 0xc589aaf5c080 55 - 1 False 2025-09-10 00:19:10.000000 UTC N/A Disabled
3680 6532 crashhelper.ex 0xc589a9a24080 2 - 1 False 2025-09-10 00:19:10.000000 UTC N/A Disabled
11140 6532 thunderbird.ex 0xc589aae61080 20 - 1 False 2025-09-10 00:19:11.000000 UTC N/A Disabled
1596 6532 thunderbird.ex 0xc589ae0dd080 19 - 1 False 2025-09-10 00:19:13.000000 UTC N/A Disabled
12592 6532 thunderbird.ex 0xc589b2d0b080 4 - 1 False 2025-09-10 00:19:13.000000 UTC N/A Disabled
13204 6532 thunderbird.ex 0xc589a9a69080 20 - 1 False 2025-09-10 00:19:14.000000 UTC N/A Disabled
6752 2112 com.docker.bac 0xc589aa460080 11 - 1 False 2025-09-10 00:19:25.000000 UTC N/A Disabled
14288 6752 conhost.exe 0xc589b24130c0 2 - 1 False 2025-09-10 00:19:25.000000 UTC N/A Disabled
3608 6752 com.docker.bac 0xc589a2920080 55 - 1 False 2025-09-10 00:19:25.000000 UTC N/A Disabled
6632 3608 com.docker.bui 0xc589b0146080 13 - 1 False 2025-09-10 00:19:28.000000 UTC N/A Disabled
13764 3608 Docker Desktop 0xc589b01f8080 42 - 1 False 2025-09-10 00:19:30.000000 UTC N/A Disabled
5752 13764 Docker Desktop 0xc589b068b080 16 - 1 False 2025-09-10 00:19:32.000000 UTC N/A Disabled
3572 13764 Docker Desktop 0xc589afbf1080 14 - 1 False 2025-09-10 00:19:32.000000 UTC N/A Disabled
14804 13764 Docker Desktop 0xc589b0564080 15 - 1 False 2025-09-10 00:19:33.000000 UTC N/A Disabled
15048 5656 AcroRd32.exe 0xc589b04db080 13 - 1 True 2025-09-10 00:19:50.000000 UTC N/A Disabled
2636 15048 AcroRd32.exe 0xc589ae244080 17 - 1 True 2025-09-10 00:19:51.000000 UTC N/A Disabled
14692 15048 AdobeCollabSyn 0xc589b25f1080 9 - 1 True 2025-09-10 00:19:54.000000 UTC N/A Disabled
14744 15048 RdrCEF.exe 0xc589b0207080 24 - 1 True 2025-09-10 00:19:54.000000 UTC N/A Disabled
14788 14692 AdobeCollabSyn 0xc589a9ed2080 25 - 1 True 2025-09-10 00:19:54.000000 UTC N/A Disabled
6668 14744 RdrCEF.exe 0xc589b05e7080 14 - 1 True 2025-09-10 00:19:56.000000 UTC N/A Disabled
8684 14744 RdrCEF.exe 0xc589b51f3080 9 - 1 True 2025-09-10 00:19:56.000000 UTC N/A Disabled
5364 14744 RdrCEF.exe 0xc589b02f7080 14 - 1 True 2025-09-10 00:19:56.000000 UTC N/A Disabled
9196 14744 RdrCEF.exe 0xc589b02f2080 15 - 1 True 2025-09-10 00:19:56.000000 UTC N/A Disabled
7336 14744 RdrCEF.exe 0xc589b02ec080 14 - 1 True 2025-09-10 00:19:56.000000 UTC N/A Disabled
2740 14744 RdrCEF.exe 0xc589b069e080 14 - 1 True 2025-09-10 00:19:56.000000 UTC N/A Disabled
2736 14744 RdrCEF.exe 0xc589b51c8080 14 - 1 True 2025-09-10 00:19:56.000000 UTC N/A Disabled
16228 5656 WinRAR.exe 0xc589b0cfa080 5 - 1 False 2025-09-10 00:20:00.000000 UTC N/A Disabled
8768 884 svchost.exe 0xc589b296c080 0 - 0 False 2025-09-10 00:21:03.000000 UTC 2025-09-10 00:21:19.000000 UTC Disabled
14640 6408 msedgewebview2 0xc589b0517080 45 - 1 False 2025-09-10 00:22:09.000000 UTC N/A Disabled
4656 14640 msedgewebview2 0xc589b2d3e080 7 - 1 False 2025-09-10 00:22:09.000000 UTC N/A Disabled
16332 14640 msedgewebview2 0xc589b299f080 21 - 1 False 2025-09-10 00:22:10.000000 UTC N/A Disabled
4180 14640 msedgewebview2 0xc589a2927080 18 - 1 False 2025-09-10 00:22:10.000000 UTC N/A Disabled
3488 14640 msedgewebview2 0xc589a9f7d080 10 - 1 False 2025-09-10 00:22:10.000000 UTC N/A Disabled
14440 14640 msedgewebview2 0xc589a64b7080 15 - 1 False 2025-09-10 00:22:10.000000 UTC N/A Disabled
11888 14640 msedgewebview2 0xc589b2429080 16 - 1 False 2025-09-10 00:22:10.000000 UTC N/A Disabled
15840 12424 OpenConsole.ex 0xc589b0e640c0 4 - 1 False 2025-09-10 00:22:44.000000 UTC N/A Disabled
8892 12424 cmd.exe 0xc589b0c020c0 1 - 1 False 2025-09-10 00:22:44.000000 UTC N/A Disabled
1604 884 svchost.exe 0xc589b0225080 21 - 0 False 2025-09-10 00:24:47.000000 UTC N/A Disabled
16224 8 WmiPrvSE.exe 0xc589b0227080 8 - 0 False 2025-09-10 00:24:48.000000 UTC N/A Disabled
15004 884 svchost.exe 0xc589b0f7c080 6 - 0 False 2025-09-10 00:24:58.000000 UTC N/A Disabled
2796 4852 MpSigStub.exe 0xc589a984a080 0 - 0 False 2025-09-10 00:25:15.000000 UTC 2025-09-10 00:25:58.000000 UTC Disabled
14496 884 NisSrv.exe 0xc589b29e3080 9 - 0 False 2025-09-10 00:25:58.000000 UTC N/A Disabled
9908 6532 cmd.exe 0xc589b31ca080 3 - 1 False 2025-09-10 00:25:59.000000 UTC N/A Disabled
932 9908 conhost.exe 0xc589acb5e080 4 - 1 False 2025-09-10 00:26:00.000000 UTC N/A Disabled
Reading the output, we notice a cmd.exe (PID 9908) launched by Thunderbird (PID 6532), which is unusual: a mail client does not normally spawn system commands. This already lets us answer the first two questions.
Once Thunderbird's PID is identified, we can use the following command to find the memory address where the injection starts. To do this we use Volatility's malfind plugin:
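The parent/child check described above, as an added example that is not part of the original write-up: it parses the Volatility pslist rows, flags shells whose parent is a program that renders untrusted content (mail client, browser, PDF reader), discards parents whose PID was reused, and walks the ancestry chain. The rule sets are assumptions; the embedded excerpt reuses rows from the listing above.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Excerpt of the windows.pslist output shown above (same columns, most rows dropped).
PSLIST_EXCERPT = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
884 732 services.exe 0xc589aa5f9140 11 - 0 False 2025-09-10 00:14:35.000000 UTC N/A Disabled
804 724 winlogon.exe 0xc589aa8c2080 8 - 1 False 2025-09-10 00:14:35.000000 UTC N/A Disabled
5604 804 userinit.exe 0xc589ae4ec080 0 - 1 False 2025-09-10 00:14:55.000000 UTC 2025-09-10 00:15:25.000000 UTC Disabled
5656 5604 explorer.exe 0xc589ae43d080 73 - 1 False 2025-09-10 00:14:55.000000 UTC N/A Disabled
2012 1680 sihost.exe 0xc589ae31b080 12 - 1 False 2025-09-10 00:14:54.000000 UTC N/A Disabled
12424 2012 WindowsTermina 0xc589a9c9d080 21 - 1 False 2025-09-10 00:16:53.000000 UTC N/A Disabled
12604 12424 powershell.exe 0xc589b23e4080 11 - 1 False 2025-09-10 00:16:53.000000 UTC N/A Disabled
13764 3608 Docker Desktop 0xc589b01f8080 42 - 1 False 2025-09-10 00:19:30.000000 UTC N/A Disabled
6532 5656 thunderbird.ex 0xc589aaf5c080 55 - 1 False 2025-09-10 00:19:10.000000 UTC N/A Disabled
15048 5656 AcroRd32.exe 0xc589b04db080 13 - 1 True 2025-09-10 00:19:50.000000 UTC N/A Disabled
8892 12424 cmd.exe 0xc589b0c020c0 1 - 1 False 2025-09-10 00:22:44.000000 UTC N/A Disabled
9908 6532 cmd.exe 0xc589b31ca080 3 - 1 False 2025-09-10 00:25:59.000000 UTC N/A Disabled
932 9908 conhost.exe 0xc589acb5e080 4 - 1 False 2025-09-10 00:26:00.000000 UTC N/A Disabled
"""

# PID, PPID, image name (may contain spaces, e.g. "Docker Desktop"), offset, then
# Threads, Handles, SessionId, Wow64 and the CreateTime timestamp.
ROW_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(.+?)\s+0x[0-9a-fA-F]+\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ UTC)"
)

# Programs that render untrusted content and have no business spawning shells
# (assumed rule set for this example; extend it for your own environment).
DOCUMENT_HANDLERS = {"thunderbird.exe", "outlook.exe", "winword.exe", "excel.exe",
                     "powerpnt.exe", "acrord32.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    created: datetime


def parse_pslist(text):
    """Map PID -> Proc, skipping the banner, progress and header lines."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        created = datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S.%f UTC")
        pid = int(m.group(1))
        procs[pid] = Proc(pid, int(m.group(2)), m.group(3), created)
    return procs


def same_image(listed, full):
    """pslist truncates ImageFileName to 14 characters, so compare on that prefix."""
    return listed.lower() == full.lower()[:14]


def is_one_of(name, candidates):
    return any(same_image(name, c) for c in candidates)


def find_suspicious_children(procs):
    """Return (child pid, child name, parent pid, parent name) for every shell whose
    parent is a document handler. A parent created after its child is skipped:
    that PPID was reused once the real parent exited."""
    findings = []
    for p in procs.values():
        if not is_one_of(p.name, SHELLS):
            continue
        parent = procs.get(p.ppid)
        if parent is None or parent.created > p.created:
            continue
        if is_one_of(parent.name, DOCUMENT_HANDLERS):
            findings.append((p.pid, p.name, parent.pid, parent.name))
    return findings


def ancestry(procs, pid):
    """Image names from the given PID up to the first ancestor missing from the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_EXCERPT)
    for child_pid, child, parent_pid, parent in find_suspicious_children(procs):
        print(f"{child} (PID {child_pid}) spawned by {parent} (PID {parent_pid}): "
              + " <- ".join(ancestry(procs, child_pid)))
```

The same parser works on the full listing: pipe the plugin output into a file and pass its contents to parse_pslist.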
$> python3 vol.py -f mem.raw windows.malfind --pid 6532
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Notes Hexdump Disasm
6532 thunderbird.ex __REDACTED__ 0x1a74b5c1fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled MZ header
4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 MZARUH..H.. H...
e8 00 00 00 00 5b 48 81 c3 e3 60 00 00 ff d3 48 .....[H...`....H
81 c3 08 b7 02 00 48 89 3b 49 89 d8 6a 04 5a ff ......H.;I..j.Z.
d0 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
__REDACTED__: pop r10
0x1a74b590002: push r10
0x1a74b590004: push rbp
0x1a74b590005: mov rbp, rsp
0x1a74b590008: sub rsp, 0x20
0x1a74b59000c: and rsp, 0xfffffffffffffff0
0x1a74b590010: call 0x1a74b590015
0x1a74b590015: pop rbx
0x1a74b590016: add rbx, 0x60e3
0x1a74b59001d: call rbx
0x1a74b59001f: add rbx, 0x2b708
0x1a74b590026: mov qword ptr [rbx], rdi
0x1a74b590029: mov r8, rbx
0x1a74b59002c: push 4
0x1a74b59002e: pop rdx
0x1a74b59002f: call rax
0x1a74b590031: add byte ptr [rax], al
0x1a74b590033: add byte ptr [rax], al
0x1a74b590035: add byte ptr [rax], al
0x1a74b590037: add byte ptr [rax], al
0x1a74b590039: add byte ptr [rax], al
0x1a74b59003b: add al, bh
0x1a74b59003d: add byte ptr [rax], al
6532 thunderbird.ex 0x1a74c270000 0x1a74c27ffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled N/A
00 00 00 00 00 00 00 00 3b 00 00 00 00 00 00 00 ........;.......
4c 8d 15 f9 ff ff ff ff 25 03 00 00 00 0f 1f 00 L.......%.......
48 a2 eb 4d fb 7f 00 00 00 6c 09 52 a7 01 00 00 H..M.....l.R....
10 8d 1e 4b fb 7f 00 00 00 4b 09 52 a7 01 00 00 ...K.....K.R....
0x1a74c270000: add byte ptr [rax], al
0x1a74c270002: add byte ptr [rax], al
0x1a74c270004: add byte ptr [rax], al
0x1a74c270006: add byte ptr [rax], al
0x1a74c270008: cmp eax, dword ptr [rax]
0x1a74c27000a: add byte ptr [rax], al
0x1a74c27000c: add byte ptr [rax], al
0x1a74c27000e: add byte ptr [rax], al
0x1a74c270010: lea r10, [rip - 7]
0x1a74c270017: jmp qword ptr [rip + 3]
0x1a74c27001d: nop dword ptr [rax]
0x1a74c270020: movabs byte ptr [0x6c0000007ffb4deb], al
0x1a74c27002a: or dword ptr [rdx - 0x59], edx
0x1a74c27002d: add dword ptr [rax], eax
0x1a74c27002f: add byte ptr [rax], dl
0x1a74c270031: lea ebx, [rsi]
0x1a74c270033: sti
0x1a74c270035: jg 0x1a74c270037
0x1a74c270037: add byte ptr [rax], al
0x1a74c270039: or qword ptr [r10 - 0x59], rdx
0x1a74c27003d: add dword ptr [rax], eax
We do indeed observe an injection in the first region reported for Thunderbird (PAGE_EXECUTE_READWRITE). Moreover, the memory dump at this address starts with the bytes 4d 5a, which correspond to the MZ header of a Windows executable. Answering with the address shown in the Start VPN column gives us the answer to the third question.
With these three questions answered, we understand that the malicious binary attached itself to Thunderbird, which leads us to analyse the received e-mails.
First, we identify all e-mails containing an attachment. To do this, we wrote a Python script that gives an overview of the e-mails. After running the script given further below, we obtain the following table:
Filename,From,Subject,Attachment
mail_1758716599.eml,gregory.wheeler@vinconcept.com,Analyse des alertes de monitoring pour le projet Aurora,monitoring_alerts.rar
mail_1751638071.eml,info@financepro.fr,Transformez Votre Entreprise avec Nos Webinaires Exclusifs !,programme_webinaires.md
mail_1739103473.eml,kerri.solomon@vinconcept.com,Analyse du rapport mensuel et prochaines étapes,rapport_mensuel.pdf
mail_1751040220.eml,george.mccormick@vinconcept.com,Analyse des logs réseau pour le projet Aurora,network_logs.rar
mail_1757958869.eml,__REDACTED__,Documents administratifs à compléter,infos_formulaire_rh.rar
mail_1744135034.eml,jason.levy@vinconcept.com,Instructions de déploiement pour le projet Aurora,readme_deployment.txt
mail_1750591749.eml,offer@shopfast.com,Optimisez Vos Performances avec Notre Solution d'Observabilité Avancée,observabilite.docx
mail_1744560653.eml,vanessa@autocomponents.com,Révision du Runbook pour l'API Aurora,runbook_aurora.md
mail_1742469804.eml,k.payne@ville-techcity.fr,Confirmation de la prise en charge du cluster Aurora,cloud_request.txt
mail_1753452702.eml,heidi@motorsupply.com,Analyse des Logs d'Infrastructure pour le Projet Aurora,logs_infra.rar
mail_1756910419.eml,adam.reynolds@vinconcept.com,Présentation du Budget Marketing pour le Département Connectivité,presentation_budget.txt
mail_1738681557.eml,offer@cuisine-pro.fr,Transformez votre avenir automobile avec Car4Future !,conseil.pdf
mail_1749904118.eml,mr..brandon.kirby@vinconcept.com,Mise à jour sur l'infrastructure du projet Aurora,pexels-beyzaa-yurtkuran-279977530-16245252.jpg
mail_1756896064.eml,contact@food-tech.com,Boostez votre Performance avec notre Solution d’Observabilité Avancée,observabilite.docx
mail_1740914319.eml,matthew@mobilitytech.fr,Configuration de l'API Aurora pour une intégration fluide,aurora_config.json
mail_1759237429.eml,ann.johnson@vinconcept.com,Analyse des fichiers de configuration pour le projet Aurora,comm_ext.zip
mail_1736950856.eml,erin.melton@autocorp.com,Analyse de l'incident sur le projet Aurora,incident_aurora.rar
mail_1753290826.eml,tina.hall@vinconcept.com,Synthèse des Progrès au sein du Pôle Véhicules Autonomes,rapport_trimestriel_q3.txt
mail_1751465399.eml,k.stewart@vehicleplus.com,Analyse des résultats du rapport sur le projet Aurora,rapport_aurora.pdf
mail_1736156164.eml,a.buckley@autotech-solutions.fr,Installation du Nouveau Logiciel pour le Projet Aurora,procedure_installation.md
mail_1758370453.eml,promo@software-digital.com,Boostez votre carrière avec nos formations professionnelles certifiantes !,catalogue_formations.txt
mail_1751727290.eml,s.clark@cartech.fr,Vérification de la checklist pour l'intégration de Car4FutureDrive,checklist_deploiement.rar
mail_1750947666.eml,desiree.hardin@vinconcept.com,Analyse du fichier de sauvegarde pour le projet Aurora,backup_db.rar
mail_1740226865.eml,debra.dixon@vinconcept.com,Vérification de la conformité des fournisseurs pour le projet Aurora,consignes.txt
mail_1742307902.eml,aimee.miller@vinconcept.com,Revue des configurations pour le projet Aurora,config.json
mail_1757179829.eml,william.gill@vinconcept.com,Analyse des performances d'Aurora,metrics.csv
mail_1757352255.eml,samantha.bailey@vinconcept.com,Affiche pour le projet Aurora,affiche_pub_proto.png
Among the attachments, we notice several file types commonly used as attack vectors, in particular RAR/ZIP archives and PDFs. We therefore filter the e-mails carrying these attachment types:
$> cat emails_report.csv | grep -E "(pdf|rar|zip)"
mail_1758716599.eml,gregory.wheeler@vinconcept.com,Analyse des alertes de monitoring pour le projet Aurora,monitoring_alerts.rar
mail_1739103473.eml,kerri.solomon@vinconcept.com,Analyse du rapport mensuel et prochaines étapes,rapport_mensuel.pdf
mail_1751040220.eml,george.mccormick@vinconcept.com,Analyse des logs réseau pour le projet Aurora,network_logs.rar
mail_1757958869.eml,__REDACTED__,Documents administratifs à compléter,infos_formulaire_rh.rar
mail_1753452702.eml,heidi@motorsupply.com,Analyse des Logs d'Infrastructure pour le Projet Aurora,logs_infra.rar
mail_1738681557.eml,offer@cuisine-pro.fr,Transformez votre avenir automobile avec Car4Future !,conseil.pdf
mail_1759237429.eml,ann.johnson@vinconcept.com,Analyse des fichiers de configuration pour le projet Aurora,comm_ext.zip
mail_1736950856.eml,erin.melton@autocorp.com,Analyse de l'incident sur le projet Aurora,incident_aurora.rar
mail_1751465399.eml,k.stewart@vehicleplus.com,Analyse des résultats du rapport sur le projet Aurora,rapport_aurora.pdf
mail_1751727290.eml,s.clark@cartech.fr,Vérification de la checklist pour l'intégration de Car4FutureDrive,checklist_deploiement.rar
mail_1750947666.eml,desiree.hardin@vinconcept.com,Analyse du fichier de sauvegarde pour le projet Aurora,backup_db.rar
Looking at the senders, we notice an attempt at typosquatting the vinconcept.com domain; the suspicious address looks like a variant of marissa.martinez@vinconcept.com. We conclude that this is the most suspicious e-mail.
# Script used to generate emails_report.csv from the .eml files in the emails/ directory.
import os
import csv
from email import policy
from email.parser import BytesParser

MAIL_DIR = "emails"
OUTPUT_CSV = "emails_report.csv"


def analyze_eml(file_path):
    """Return (From, Subject, has_attachment, first attachment name) for one .eml file."""
    with open(file_path, "rb") as f:
        msg = BytesParser(policy=policy.default).parse(f)
    from_addr = msg.get("From", "UNKNOWN")
    subject = msg.get("Subject", "UNKNOWN")
    has_attachment = False
    attachment = None
    # Only the first attachment is reported; a mail with several shows just one here.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
            attachment = part.get_filename()
            break
    return from_addr, subject, has_attachment, attachment


def main():
    results = []
    for filename in os.listdir(MAIL_DIR):
        if filename.endswith(".eml"):
            file_path = os.path.join(MAIL_DIR, filename)
            from_addr, subject, has_attachment, attachment = analyze_eml(file_path)
            if has_attachment:
                results.append([filename, from_addr, subject, attachment])
    with open(OUTPUT_CSV, "w", newline="", encoding="utf-8") as csvfile:
        writer = csv.writer(csvfile)
        writer.writerow(["Filename", "From", "Subject", "Attachment"])
        writer.writerows(results)


if __name__ == "__main__":
    main()