A pharmaceutical company was recently compromised by ransomware. Given the following EDR output from the process investigation:
On which of the following devices and processes did the ransomware originate?
The ransomware originated from the device cpt-ws026 with the DearCry.exe process. DearCry.exe on cpt-ws026 is classified as 'Malicious' with the 'Create' threat type and was blocked, which suggests it was identified as ransomware and its activity aligned with typical ransomware behavior.
I think the EventID is key here. It should be sequential in the EDR's logs. So following that logic...
2142685 cpt-ws002 userinit.exe malicious create process blocked (this was listed as blocked, plus it isn't even a choice)
2142696 cpt-ws002 notepad.exe likely safe process execution allowed (no issues here)
2142734 cpt-ws002 NO-AV.exe Suspicious halt process allowed (this appears to be the start of the detected and allowed malicious behavior)
Choosing C since that appears to be the first instance of a malicious process being allowed to run.
1. The process "Dearcry.exe" on device "cpt-ws002" is classified as "Inconclusive" and was allowed to create something, making it a possible candidate. However, the name "Dearcry.exe" seems malicious, and on device "cpt-ws026" it was classified as "Malicious" but was blocked. This makes "Dearcry.exe" a suspect, but its activity on "cpt-ws002" isn't definitively malicious based on the given data.
2. The process "NO-AV.exe" on device "cpt-ws002" is classified as "Suspicious" and was allowed to halt a process. This behavior is typical of ransomware, which often tries to disable security measures. Thus, this makes "NO-AV.exe" on "cpt-ws002" a strong candidate for the ransomware's origin.
3. The process "NO-AV.exe" on device "cpt-ws026" was also classified as "Suspicious", but it was quarantined, which means its malicious activities were halted.
Answer: C. cpt-ws002, NO-AV.exe
Device: cpt-ws002
Process: NO-AV.exe
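The event-ID ordering that the two posts above walk through, written out as an added example that is not part of the thread: the rows are constructed from the values quoted in the discussion (the two IDs marked placeholder are assumed), and the extra check for a process allowed on one host but blocked on another reflects the point that the AV should have been stopping it elsewhere in the logs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EdrEvent:
    event_id: int        # the EDR's own sequence number, used as the ordering key
    device: str
    process: str
    classification: str  # Malicious, Suspicious, Inconclusive, Likely safe
    threat_type: str     # what the process did or could do, e.g. Halt process
    action: str          # what the EDR did: Allowed, Blocked, Quarantined

# Constructed rows. The first three IDs are the ones quoted in the thread and
# 2152773 is the ID quoted for the blocked DearCry.exe on cpt-ws026; the two
# IDs marked "placeholder" were chosen only to keep those rows after 2142734.
SAMPLE_EVENTS = [
    EdrEvent(2142685, "cpt-ws002", "userinit.exe", "Malicious", "Create process", "Blocked"),
    EdrEvent(2142696, "cpt-ws002", "notepad.exe", "Likely safe", "Process execution", "Allowed"),
    EdrEvent(2142734, "cpt-ws002", "NO-AV.exe", "Suspicious", "Halt process", "Allowed"),
    EdrEvent(2142740, "cpt-ws002", "DearCry.exe", "Inconclusive", "Create", "Allowed"),  # placeholder ID
    EdrEvent(2152773, "cpt-ws026", "DearCry.exe", "Malicious", "Create", "Blocked"),
    EdrEvent(2152780, "cpt-ws026", "NO-AV.exe", "Suspicious", "Halt process", "Quarantined"),  # placeholder ID
]

ENFORCED = {"Blocked", "Quarantined"}  # the EDR stopped the activity
BENIGN = {"Likely safe"}               # never a candidate for the origin

def earliest_unblocked_threat(events):
    """Sort by event ID and return the first non-benign event the EDR allowed:
    the thread's heuristic that the origin is the earliest flagged process
    that still ran, not one that was blocked."""
    for ev in sorted(events, key=lambda e: e.event_id):
        if ev.classification in BENIGN or ev.action in ENFORCED:
            continue
        return ev
    return None

def inconsistently_enforced(events):
    """Process names allowed on one host but blocked or quarantined on another,
    a sign that protection was off where they ran unhindered."""
    allowed = {e.process for e in events if e.action == "Allowed"}
    stopped = {e.process for e in events if e.action in ENFORCED}
    return allowed & stopped

def timeline(events, device=None):
    """Rows in event-ID order, optionally for one device, for manual review."""
    rows = sorted(events, key=lambda e: e.event_id)
    if device is not None:
        rows = [e for e in rows if e.device == device]
    return [(e.event_id, e.device, e.process, e.action) for e in rows]
```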
E. cpt-ws002, DearCry.exe
I believe that the first step of the ransomware was disabling the AV (answer C). I also believe that the subsequent step of executing dearcry.exe is where the ransomware began the victim's engagement part. So to me, the AV being disabled kicked the ransomware off.
Read the event IDs carefully (they aren't really in order). Option C happened before Option A (AV was disabled before dearcry.exe could be run on the machine). We can see elsewhere in the logs that the AV should have been blocking dearcry.exe. It is reasonable to infer that the first step in the attack was to disable the AV with option C, therefore that is where it started. Else dearcry.exe would not have been allowed to run.
C happened before option E*
The 2142734 ID event in cpt-ws002 shows that the NO-AV.exe process, classified as "Suspicious", had the "Halt process" action allowed. If we follow the logic that this action (Halt process allowed) can represent the beginning of a detected and allowed malicious behavior, it can be concluded that the malicious activity started in cpt-ws002 with the NO-AV.exe process.
If you order the IDs it looks like cpt-ws002 NO-AV.exe with the threat type "halt process" is the origin. If the attackers aren't being creative with their naming conventions, AV typically stands for Antivirus. And the threat is Halt process. I think the attack started with cpt-ws002 no-av.exe shutting down the antivirus.
I am going with ThatGuyOverThere
Based on the provided data, it appears that the ransomware originated from the process Dearcry.exe with Event ID 2152773. This is because the action associated with this process was create and its classification was Malicious, which was subsequently Blocked. This suggests that an attempt was made to create a malicious process, which aligns with the behavior of ransomware. So, the answer to your question would be B) cpt-ws026, DearCry.exe if we assume that Event ID 2152773 corresponds to device cpt-ws026.
The action was blocked for this process ID, so I'm not sure you're correct. Personally, I'm leaning more towards E as the answer.
Implementing DoH on mobile devices can be done through dedicated apps or manual settings on the device itself. For enterprises, using MDM to centrally configure and enforce DoH ensures compliance with security policies and simplifies the management process. This approach secures DNS queries by encrypting them and ensures they adhere to the network restrictions, providing enhanced security and privacy for mobile users.
A simpler way to put it: the first Dearcry.exe process allowed was the one that started the ransomware. Any other activity could or could not be related to the ransomware.
It's E because the source of the ransomware was able to execute at cpt-ws002, then later was recognized as malicious down the road and blocked.
Option C, cpt-ws002, NO-AV.exe, is not the correct answer because the ransomware did not originate from this process. The EDR output shows that the NO-AV.exe process on cpt-ws002 was allowed to halt, as indicated by the line 2142734 cpt-ws002 N0-AV.exe Halt process Allowed. This means that the NO-AV.exe process was stopped, so it could not have initiated the ransomware infection. On the other hand, the DearCry.exe process on cpt-ws002 was allowed to create, which is typically how ransomware begins its infection process. Therefore, the ransomware likely originated from cpt-ws002, DearCry.exe. So, the correct answer is E. cpt-ws002, DearCry.exe.
I'm going to make an assumption about the chart and say that the "Threat type" category means the "possible threat it could produce", not the action that happened, because there is a specific category called "Action". So 2142734 was not halted; that was the type of threat it was potentially classified as. It was allowed to execute and halt a process. I'm also assuming the attackers/comptia is not going to be too inventive in their naming conventions and assume that the "AV" in "NO-AV.exe" stands for "no antivirus" and that that process shut down the antivirus protection on that system. My only question is, is comptia being super picky about the wording of "originate"? I think that the antivirus was shut down to allow event 2142773 to execute and actually deploy the malware. I'm going with C and hoping comptia isn't being too literal in determining which executable was the one to deploy and hoping they mean initiate.