Black Basta: Email Bomb to Encryption

After anita.garcia reported unusual behavior on her workstation, we noticed a series of failed authentication attempts followed by a successful remote execution. Investigate the network traffic logs to determine which internal host was targeted and fully compromised by the attacker.

Around 2025-05-03T11:05:12Z, an alert was triggered indicating a potential C2 heartbeat. Analyze the firewall traffic to determine which internal workstation was communicating with the external adversary's infrastructure.

A high-severity alert triggered when cmd.exe was spawned by an unexpected parent process. Following this execution, an outbound connection was logged; you need to identify the internal victim host that was compromised during this sequence.

The user anita.garcia reported unusual system behavior while using quickassist.exe. Initial triage suggests an unauthorized data exfiltration attempt or proxy setup occurred shortly after the session began. Investigate the timeline events to find the name of the file that was dropped or referenced during this phase.

After anita.garcia reported unusual behavior on corp-wks-482, we noticed a suspicious process execution involving quickassist.exe at 2025-05-04T05:30:38.653Z. You must identify which internal host is now communicating with a known malicious command-and-control infrastructure.

An alert triggered for suspicious activity involving onedrivestandaloneupdater.exe on workstation corp-wks-482. You need to investigate the network connection events at 2025-05-01T10:15:06.726Z to determine which command-and-control domain the workstation was attempting to reach.

Around 2025-05-01T13:59:55.654Z, an alert was triggered indicating a potential data exfiltration attempt. Investigate the connection logs to determine which internal host was communicating with a high-reputation threat actor IP during this timeframe.

At 2025-05-04T17:05:54.193Z, an unusual execution chain was observed starting from quickassist.exe. You must investigate the process tree to identify the final payload launched through multiple nested child processes before the session was terminated.

An alert triggered on 2025-05-04T23:17:11.610Z involving a suspicious execution of onedrivestandaloneupdater.exe. Analyze the process details on corp-wks-482 to determine if the file signature and hash match the known-good Microsoft binary or if it has been replaced by an attacker.

After anita.garcia reported unusual behavior on her workstation, our network monitoring detected a surge in outbound traffic to an unauthorized external domain. Analyze the network telemetry around 2025-05-02T09:49:55.055Z to identify which internal system has been compromised by the attacker.