Here is the writeup for the room Investigating Windows 2.0.
This room is the continuation of Investigating Windows.
Open the task scheduler:
From Regedit, search for the task (e.g. LogonPasswords). You'll end up there:
To get a good overview of the running machine, the SysInternals tools are the way to go. However, the famous Process Explorer refuses to start:
For this one, start Loki, the IOC scanner. It can take a while to run, but it is super useful. It detected some suspicious/malicious files and gives us the culprit playing with procexp64 through WQL queries:
SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'procexp64.exe'
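A query like the one above only does damage when it is bound to a consumer, so the thing to check on a host is the permanent WMI event subscriptions. The following is an added example (not from the writeup or the room) that lists every filter/consumer binding in root/subscription and flags filters whose WQL watches process starts; it assumes an elevated PowerShell session with the CIM cmdlets available.

```powershell
# Added example: enumerate permanent WMI event subscriptions and flag any
# __EventFilter whose WQL watches process creation (Win32_ProcessStartTrace or
# __InstanceCreationEvent), the pattern used to catch procexp64.exe starting.
function Get-WmiEventSubscription {
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    # __EventConsumer is the base class, so this covers CommandLine and ActiveScript consumers
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Get-CimInstance resolves the Filter/Consumer references to objects, so match on Name
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1

        # CommandLineEventConsumer carries a command line, ActiveScriptEventConsumer a script body
        $action = $c.CimClass.CimClassName
        if ($c.CommandLineTemplate) { $action = $c.CommandLineTemplate }
        elseif ($c.ScriptText)      { $action = $c.ScriptText }

        [pscustomobject]@{
            Filter              = $f.Name
            Query               = $f.Query
            Consumer            = $c.Name
            Action              = $action
            WatchesProcessStart = [bool]($f.Query -match 'Win32_ProcessStartTrace|__InstanceCreationEvent')
        }
    }
}

Get-WmiEventSubscription | Format-List
```

Bindings with WatchesProcessStart set to True and an Action that kills or tampers with a process are the ones to remove (delete the binding first, then the filter and consumer), and the same three classes are what a baseline of a clean machine should be compared against.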
Open the file
We'll have to read/understand the script to find this one. Loki also found it:
We can read it within the script comments:
We can also read the two URLs within the script comments:
Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?
By looking at the window titles:
We can start the SysInternals Process Monitor, procmon64.exe. Then we can add a filter on "Process Name" is mim.exe so we capture the process creation. In the properties of that event, we have the parent PID, which is 916. In Task Manager, we can get the name for PID 916, which is:
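Reading the parent PID out of a Procmon event and then looking it up in Task Manager works, but it is easy to be fooled by PID reuse. The following added example (not from the writeup) walks the parent chain of a named process straight from Win32_Process and marks a parent whose creation time is later than the child's as stale; $ProcessName is a parameter of this example and it assumes the process is still running.

```powershell
# Added example: resolve the parent chain of a process from live WMI data.
# Win32_Process exposes ProcessId, ParentProcessId, Name, CommandLine and CreationDate.
function Get-ParentChain {
    param([string]$ProcessName = 'mim.exe')

    # Snapshot every process once so all lookups come from the same moment
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($child in ($procs | Where-Object { $_.Name -eq $ProcessName })) {
        $current = $child
        $depth = 0
        while ($current -and $depth -lt 20) {
            $parent = $byPid[[int]$current.ParentProcessId]
            # PIDs are reused: a "parent" created after its child is a stale PID, not the real parent
            $stale = [bool]($parent -and $parent.CreationDate -gt $current.CreationDate)
            $parentName = '<exited>'
            if ($parent) { $parentName = $parent.Name }

            [pscustomobject]@{
                Depth       = $depth
                ProcessId   = $current.ProcessId
                Name        = $current.Name
                ParentPid   = $current.ParentProcessId
                ParentName  = $parentName
                StaleParent = $stale
                CommandLine = $current.CommandLine
            }
            if ($stale) { break }
            $current = $parent
            $depth++
        }
    }
}

Get-ParentChain -ProcessName 'mim.exe' | Format-Table -AutoSize
```

The first row is the process itself with its parent PID (916 in the room) and the resolved parent name; subsequent rows continue up the chain until a parent has exited or a stale PID is detected, which is exactly the case Task Manager will not warn you about.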
Again in Process Monitor, we can capture the first operation made, which is:
Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed?
Go back to the event properties:
Parent PID, Command line, Current directory, Environment
The hint tells us to use Process Hacker.
From 'loki-output.txt' MODULE section:
From 'loki-output.txt' NAME section:
From 'loki-output.txt' CLASS section:
From 'loki-output.txt' FIRST_BYTES section:
From 'loki-output.txt' DESC section:
Known Bad / Dual use classics
From 'loki-output.txt' FILE section:
From 'loki-output.txt' MATCHES section:
psexesvc.exe, Sysinternals PsExec
From 'loki-output.txt' FILE/INFO:
Loki found an XOR-encrypted binary ("Derusbi trojan") under
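Most of the answers in this part come from picking one field (MODULE, NAME, CLASS, FIRST_BYTES, DESC, FILE, MATCHES) out of a long Loki line, which is tedious by hand. The following added example (not from the writeup and not Loki's own code) turns "KEY: value" alert lines into objects so they can be filtered; the three log lines are constructed for this example and are not the room's real loki-output.txt.

```powershell
# Added example: parse Loki-style "[LEVEL] KEY: value KEY: value ..." lines into objects.
# Sample lines are constructed for this example; field names follow the writeup.
$sampleLog = @'
[ALERT] MODULE: FileScan FILE: C:\TMP\evil.exe CLASS: Hacktool DESC: Known Bad / Dual use classics MATCHES: Str1: psexesvc
[WARNING] MODULE: ProcessScan NAME: svchost.exe PID: 916 DESC: Stuff running where it normally shouldn't
[NOTICE] MODULE: FileScan FILE: C:\TMP\mk.exe FIRST_BYTES: 4d5a9000 DESC: Suspicious strings
'@

function ConvertFrom-LokiLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -notmatch '^\[(?<level>[A-Z]+)\]\s*(?<rest>.*)$') { return }
        $obj = [ordered]@{ Level = $Matches.level }
        # Split right before each upper-case key followed by ": "; a drive letter such as
        # "C:\" is not followed by whitespace, so it is not treated as a key.
        $parts = [regex]::Split($Matches.rest, '\s+(?=[A-Z_0-9]+:\s)')
        foreach ($part in $parts) {
            $kv = $part -split ':\s+', 2
            if ($kv.Count -eq 2) { $obj[$kv[0]] = $kv[1].Trim() }
        }
        [pscustomobject]$obj
    }
}

$alerts = $sampleLog -split "`r?`n" | ConvertFrom-LokiLine

# Examples of the questions above, answered by filtering instead of reading
$alerts | Where-Object { $_.CLASS -eq 'Hacktool' }        | Format-List
$alerts | Where-Object { $_.MODULE -eq 'ProcessScan' }    | Select-Object NAME, PID, DESC
```

On the real file, replace $sampleLog with `Get-Content 'loki-output.txt'` and pipe into ConvertFrom-LokiLine; lines that do not start with a bracketed level (Loki's progress output) are skipped.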
There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?
Remember PID 916 under the name svchost? Loki raised an alert for a svchost located at:
Svchost is a system process that can host one or many Windows services. It is located at
and on the THM machine:
Look at the corresponding DESC section:
Stuff running where it normally shouldn't
There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?
Next to the malicious
Loki raised a warning for that file, with the rule:
Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn't hit on?
We'll have to complete the strings (regular expressions) of the provided yara rule. We can help ourselves with strings64.exe from the SysInternals suite to test our regexps through:
strings64.exe \tmp\mim.exe | findstr "??.?x?"
strings64.exe \tmp\mim.exe | findstr "...exe"
strings64.exe \tmp\mim.exe | findstr "mk.exe"
mk.ps1, mk.exe, v2.0.50727
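Running strings64.exe once per guess works, but it only shows whether a string is present, not whether it is stored as plain ASCII or as UTF-16 (which decides whether the rule needs the `wide` modifier). The following added example (not from the writeup, and not a SysInternals tool) extracts both ASCII and UTF-16LE strings from a file and reports, for each candidate, whether it was found and in which encoding; the file path and candidate list are parameters of this example, and the path used in the call is the one the writeup uses.

```powershell
# Added example: a strings64-style extractor that tests candidate rule strings in both
# ASCII and UTF-16LE, so each hit can be written as "ascii" or "wide" in the yara rule.
function Test-RuleStrings {
    param(
        [string]$Path,
        [string[]]$Candidates = @('mk.ps1', 'mk.exe', 'v2.0.50727'),
        [int]$MinLength = 4
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Decode as ASCII: printable bytes stay as-is, NUL stays NUL, everything else becomes '?'
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)

    # Runs of printable characters (ASCII strings)
    $asciiRuns = [regex]::Matches($text, "[\x20-\x7e]{$MinLength,}") | ForEach-Object { $_.Value }
    # Runs of printable-char + NUL pairs (UTF-16LE strings), with the NULs stripped
    $wideRuns  = [regex]::Matches($text, "(?:[\x20-\x7e]\x00){$MinLength,}") |
                 ForEach-Object { $_.Value -replace "`0", '' }

    foreach ($c in $Candidates) {
        $pattern   = [regex]::Escape($c)           # treat '.' in "v2.0.50727" literally
        $asciiHits = @($asciiRuns | Where-Object { $_ -match $pattern })
        $wideHits  = @($wideRuns  | Where-Object { $_ -match $pattern })
        $modifiers = @()
        if ($asciiHits.Count -gt 0) { $modifiers += 'ascii' }
        if ($wideHits.Count  -gt 0) { $modifiers += 'wide' }

        [pscustomobject]@{
            Candidate  = $c
            Found      = ($modifiers.Count -gt 0)
            Modifiers  = ($modifiers -join ' ')
            Example    = if ($asciiHits.Count -gt 0) { $asciiHits[0] } elseif ($wideHits.Count -gt 0) { $wideHits[0] } else { '' }
        }
    }
}

Test-RuleStrings -Path '\tmp\mim.exe' | Format-Table -AutoSize
```

A candidate reported with Modifiers "ascii" goes into the rule as `$s = "mk.ps1" ascii`, one reported with "wide" as `$s = "mk.exe" wide`, and "ascii wide" covers both; a candidate with Found False would never fire and should not be used.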
Alright, you're done!
This room was fun, I hope there's a 3.0 at some point! Congrats to heavenraiza, the creator of that one.