This repository documents a hands-on Incident Response (IR) case study completed as part of the Incident Response Process lab on TryHackMe. The case simulates a real-world Windows malware incident and follows the complete incident response lifecycle: detection, analysis, containment, eradication, recovery, and reporting.
A user reported extreme slowness and poor performance on a Windows workstation. The IT team confirmed unusually high CPU usage even with no active applications running. Although no SIEM or EDR alerts were triggered, firewall logs revealed repeated outbound connections from the workstation to a single external IP address. The incident was escalated to the Incident Response Team for investigation.
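The firewall observation above (one outbound connection per second to a single external IP, with no endpoint alert) is the kind of pattern that can be surfaced automatically from logs. The script below is an added example, not part of the original lab or write-up: it groups outbound connections by source/destination pair and flags pairs whose inter-connection gaps are nearly constant. The log lines, the `ts src dst:port action` format, and the workstation address 10.10.5.23 are constructed for the example; the C2 address and port are the ones reported in this case, and 203.0.113.10 is a documentation-range address standing in for ordinary web traffic.

```python
"""Beacon detection over constructed firewall log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: six connections one second apart to the C2 from this case,
# plus irregular browsing-style traffic to a documentation-range address.
SAMPLE_LOGS = """\
2024-05-01T10:00:00 10.10.5.23 45.33.32.156:42424 ALLOW
2024-05-01T10:00:01 10.10.5.23 45.33.32.156:42424 ALLOW
2024-05-01T10:00:02 10.10.5.23 45.33.32.156:42424 ALLOW
2024-05-01T10:00:03 10.10.5.23 45.33.32.156:42424 ALLOW
2024-05-01T10:00:04 10.10.5.23 45.33.32.156:42424 ALLOW
2024-05-01T10:00:05 10.10.5.23 45.33.32.156:42424 ALLOW
2024-05-01T10:00:00 10.10.5.23 203.0.113.10:443 ALLOW
2024-05-01T10:00:07 10.10.5.23 203.0.113.10:443 ALLOW
2024-05-01T10:00:31 10.10.5.23 203.0.113.10:443 ALLOW
2024-05-01T10:00:33 10.10.5.23 203.0.113.10:443 ALLOW
2024-05-01T10:01:12 10.10.5.23 203.0.113.10:443 ALLOW
"""


def parse_line(line):
    """Split one constructed-format log line into (timestamp, src, dst, action)."""
    ts, src, dst, action = line.split()
    return datetime.fromisoformat(ts), src, dst, action


def find_beacons(log_text, min_events=5, max_jitter=0.2):
    """Return {(src, dst): {"interval": seconds, "count": n}} for pairs whose
    gaps between connections are nearly constant.

    A pair is flagged when it has at least min_events connections and the
    coefficient of variation of its inter-connection gaps (stddev / mean) is
    at most max_jitter. Human-driven traffic is bursty and fails this test;
    a timer-driven implant such as the one in this case passes it.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _action = parse_line(line)
        events[(src, dst)].append(ts)

    beacons = {}
    for pair, times in events.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        if pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = {"interval": avg, "count": len(times)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOGS).items():
        print(f"{src} -> {dst}: {info['count']} connections every "
              f"{info['interval']:.1f}s (candidate beacon)")
```

Running the block prints a single candidate: 10.10.5.23 -> 45.33.32.156:42424, 6 connections every 1.0s. The 443 traffic has the same number of events but irregular gaps, so it is not reported. The jitter threshold is the tuning knob: lower it for noisy environments, raise it if an implant is known to randomise its sleep.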
- User-reported system performance degradation
- IT identified abnormally high CPU usage
- SOC observed repetitive outbound connections occurring every second
- No SIEM or EDR alerts were triggered
- User did not recognize the activity
- Suspicious background process identified: 32th4ckm3.exe
- Process consumed excessive CPU resources
- Executable located in: C:\Users\IRUser\AppData\Local\Temp
- Process continued running after system reboot
- Command-and-Control (C2) communication identified: 45.33.32.156:42424
- Macro-enabled Word document: invoice n. 65748224.docm
- Downloaded from: http://172.233.61.246/
- Embedded AutoOpen VBA macro executed automatically on document open
- Macro leveraged certutil to download the malware
- Malware executed in a hidden command prompt
- Persistence established via Windows Registry Run key
- Registry path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Malicious registry value: MyApp -> C:\Users\IRUser\AppData\Local\Temp\32th4ckm3.exe
- Isolated the infected workstation from the network
- Terminated the malicious process using Task Manager
- Documented all Indicators of Compromise (IOCs)
- Recommended blocking malicious IPs and URLs at the firewall
- Recommended adding malware indicators to SIEM and EDR detection rules
- Deleted the malicious executable from the temporary directory
- Removed the macro-enabled Word document from the Downloads folder
- Cleared browser download history
- Removed registry-based persistence
- Verified the system returned to a clean operational state
- Malicious Process: 32th4ckm3.exe
- C2 Server: 45.33.32.156:42424
- Malicious Document: invoice n. 65748224.docm
- Download Source: http://172.233.61.246/
- Registry Persistence Key: MyApp
- Initial Access: Phishing (Macro-enabled document)
- Execution: User Execution – VBA AutoOpen macro
- Persistence: Registry Run Keys
The incident occurred when a user opened a malicious macro-enabled Word document downloaded from an external IP-based URL. The embedded VBA macro used a legitimate Windows utility (certutil) to download and execute crypto-mining malware, establish persistence via the registry, and communicate with a C2 server.
- User-reported issues are critical early indicators of compromise
- Macro-enabled documents remain a common malware delivery method
- Network traffic analysis is essential when endpoint alerts are absent
- Registry-based persistence must be validated during Windows IR
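The last lesson, validating registry persistence during Windows IR, can be turned into a repeatable check rather than a manual look at Task Manager and regedit. The script below is an added example and not part of the lab or the original write-up: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints, flags Run values whose image path sits in a user-writable staging directory or whose file name matches a known IOC, and emits the corresponding `reg delete` command for the responder to review. The `reg query` output embedded here is constructed for the example (the OneDrive and Teams entries are plausible benign values, not taken from the case); the MyApp value and the 32th4ckm3.exe name are the IOCs reported above.

```python
"""Audit HKCU Run-key persistence from `reg query` output (added example)."""
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in the layout `reg query` prints: an unindented key line,
# then one value per line as  <name>    <type>    <data>  (4-space separators).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\IRUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Teams    REG_EXPAND_SZ    "%LOCALAPPDATA%\Microsoft\Teams\Update.exe" --processStart "Teams.exe"
    MyApp    REG_SZ    C:\Users\IRUser\AppData\Local\Temp\32th4ckm3.exe
"""

# Directories where legitimate autostart binaries rarely live but dropped
# payloads usually do (compared case-insensitively against the image path).
STAGING_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
    "%temp%",
    "%tmp%",
)


def parse_reg_query(text):
    """Yield (value_name, reg_type, data) for each value line of `reg query` output."""
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key header, blank line or trailer; not a value
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            yield tuple(parts)


def extract_image_path(data):
    """Return the executable path from a Run value's data, ignoring arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    return data.split(" ")[0]  # unquoted: the first token is the image path


def audit_run_key(text, known_bad_names=("32th4ckm3.exe",)):
    """Return a list of suspicious Run values with the reasons they were flagged
    and the cleanup command a responder would review before running."""
    bad_names = {n.lower() for n in known_bad_names}
    findings = []
    for name, _reg_type, data in parse_reg_query(text):
        path = extract_image_path(data)
        lowered = path.lower()
        reasons = []
        if any(marker in lowered for marker in STAGING_MARKERS):
            reasons.append("image path in user-writable staging directory")
        if lowered.rsplit("\\", 1)[-1] in bad_names:
            reasons.append("file name matches known IOC")
        if reasons:
            findings.append({
                "name": name,
                "path": path,
                "reasons": reasons,
                "cleanup": f'reg delete "{RUN_KEY}" /v "{name}" /f',
            })
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG_QUERY):
        print(f"[!] {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print(f"    reason: {r}")
        print(f"    cleanup: {f['cleanup']}")
```

On the sample, only MyApp is reported, for both reasons, with the cleanup command `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MyApp" /f`. The OneDrive entry lives under AppData\Local but not in Temp, so the staging-directory rule deliberately leaves it alone; broadening the markers to all of AppData would trade precision for recall. In a live engagement the same audit should be run against HKLM and the RunOnce keys, and the flagged executable should be preserved for analysis before the value and file are removed.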
This case study demonstrates a complete end-to-end incident response workflow on a Windows malware infection, including investigation, containment, eradication, recovery, and formal reporting aligned with industry best practices.