TryHackMe – Volatility Walk-Through

This will only cover Task 10 – Practical Investigations

Question 1: What is the build version of the host machine in Case 001?

In the above screenshot look at NTBuildLab.

Answer: 2600.xpsp.080413-2111

Question 2: At what time was the memory file acquired in Case 001?

Also, in the previous screenshot look at SystemTime.

Answer: 2012-07-22 02:45:08

Question 3: What process can be considered suspicious in Case 001?

Look at the last line of the process listing, PID 1640.

Answer: reader_sl.exe

Question 4: What is the parent process of the suspicious process in Case 001?

See previous screenshot. It is the executable just above reader_sl.exe

Answer: explorer.exe

Question 5: What is the PID of the suspicious process in Case 001?

Also in the last screenshot, look under the PID column.

Answer: 1640

Question 6: What is the parent process PID in Case 001?

Again, same screenshot, look at the PID for explorer.exe

Answer: 1484

Question 7: What user-agent was employed by the adversary in Case 001?

We are going to use memmap to figure this out:

./ -f /Scenarios/Investigations/Investigation-1.vmem -o /tmp windows.memmap --pid 1640 --dump

This will write pid.1640.dmp to /tmp.

Now we run strings on the dump to dig deeper.

Answer: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US

Question 8: Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)

Strings to the rescue again…

strings /tmp/pid.1640.dmp | grep "chase"

Answer: Y
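The strings-and-grep triage from Questions 7 and 8 as a small script. This is an added example, not part of the original walkthrough. It also scans for UTF-16LE text, which plain `strings` skips. The sample bytes, the host name `secure.examplebank.test` and the function names are constructed for illustration.

```python
import re

def extract_strings(data: bytes, min_len: int = 6, wide: bool = True):
    """Return printable runs stored as ASCII and, if wide, as UTF-16LE.

    Plain `strings` only reports the ASCII form; GNU strings needs `-e l`
    for the UTF-16LE form that Windows processes use heavily.
    """
    found = [m.group().decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    if wide:
        found += [m.group().decode("utf-16-le")
                  for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found

def find_user_agents(strings):
    """Distinct substrings that look like a browser User-Agent value."""
    hits = (re.search(r"Mozilla/\d\.\d.*", s) for s in strings)
    return sorted({m.group() for m in hits if m})

def find_hosts(strings, keyword):
    """Distinct host-like tokens containing keyword (case-insensitive)."""
    host = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)
    return sorted({h.lower() for s in strings for h in host.findall(s)
                   if keyword.lower() in h.lower()})

# Constructed sample standing in for /tmp/pid.1640.dmp (not real case data).
SAMPLE_DUMP = (
    b"\x00\x01\xff"
    + b"User-Agent: Mozilla/5.0 (ExampleOS; constructed)\r\n"
    + b"\x90\x90\x00"
    + "https://secure.examplebank.test/login".encode("utf-16-le")
    + b"\x00\x00\xfe"
)

if __name__ == "__main__":
    import sys
    # Pass a dump path as the first argument, or run on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    strings = extract_strings(data)
    print(find_user_agents(strings))
    print(find_hosts(strings, "examplebank"))
```

With `wide=False` the host in the sample is missed, which is the same blind spot an ASCII-only `strings | grep` pass has on a Windows process dump.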

Question 9: What suspicious process is running at PID 740 in Case 002?

Okay, case 2.

./ -f /Scenarios/Investigations/Investigation-2.raw windows.pstree

Look at PID 740

Answer: @WanaDecryptor@

Question 10: What is the full path of the suspicious binary in PID 740 in Case 002?

Time to break out dlllist and our friend grep

./ -f /Scenarios/Investigations/Investigation-2.raw windows.dlllist | grep 740

The directory is in the second line.

Answer: C:\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe

Question 11: What is the parent process of PID 740 in Case 002?

See screenshot above with PIDs listed. You can see that the executable before PID 740 is…

Answer: tasksche.exe

Question 12: What is the suspicious parent process PID connected to the decryptor in Case 002?

This is in the same screenshot. Basically this is asking what the PID for tasksche.exe is…

Answer: 1940

Question 13: From our current information, what malware is present on the system in Case 002?

This is kinda self-explanatory, so let’s take a wild guess..

Answer: WannaCry

Question 14: What DLL is loaded by the decryptor used for socket creation in Case 002?

PID 740 has a lot of DLLs listed. We could try each one in the answer box, but the question did say socket. The WS prefix stands for WinSock, as in the Winsock DLLs.

Answer: WS2_32.dll

Question 15: What mutex can be found that is a known indicator of the malware in question in Case 002?

We are going to use handles on this one and look for PID 1940

./ -f /Scenarios/Investigations/Investigation-2.raw windows.handles | grep 1940

I could have searched for this one, but it popped out of the screen when looking for mutex…

Answer: MsWinZonesCacheCounterMutexA

Question 16: What plugin could be used to identify all files loaded from the malware working directory in Case 002?

Again, we look at the reference and find filescan

Answer: windows.filescan