Investigating Windows 2.0 — TryHackMe

Investigating Windows 2.0

This is a walkthrough for TryHackMe’s room named “Investigating Windows 2.0”. The room can be found here:

https://tryhackme.com/room/investigatingwindows2

Brief Introduction of Tools used

YARA

YARA is the pattern-matching Swiss Army knife for malware researchers. It identifies files based on both binary and textual patterns, such as hexadecimal byte sequences and strings contained within a file.

LOKI

LOKI is a free, open-source IOC (Indicator of Compromise) scanner.

Now on to the questions.

What registry key contains the same command that is executed within a scheduled task?

Open Task Scheduler via Run (CTRL+R) and type taskschd.msc. You will notice an entry called GameOver. This task runs an executable named mim.exe. Now open Autoruns from C:\Users\Administrator\Desktop\Tools\SysinternalSuite. Here you will notice a registry entry associated with this mim.exe.

[Screenshot: Autoruns]
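A way to answer the same question from a PowerShell prompt, as an added example that is not part of the original walkthrough: it flattens every scheduled-task action and every Run/RunOnce autostart value and reports the pairs whose commands match. It assumes the registry entry Autoruns shows lives under one of the four Run/RunOnce keys listed; Autoruns covers many more locations, so extend the list if it pointed elsewhere.

```powershell
# Added example (not from the room): correlate scheduled-task actions with
# Run/RunOnce autostart values so a command present in both places stands out.

# Every action of every scheduled task, flattened to "task -> command line".
$taskCmds = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {   # skip COM-handler actions, which have no Execute
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Command = ("$($action.Execute) $($action.Arguments)").Trim()
            }
        }
    }
}

# Assumption: the autostart entry is a Run/RunOnce value. Add other keys
# (Winlogon, Services, ...) here if Autoruns pointed at a different location.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSChildName/... bookkeeping properties; skip them.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') {
            [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = [string]$p.Value }
        }
    }
}

# Report registry values whose command contains, or is contained in, a task action.
foreach ($r in $runEntries) {
    foreach ($t in $taskCmds) {
        if ($r.Command -and $t.Command -and
            ($r.Command -like "*$($t.Command)*" -or $t.Command -like "*$($r.Command)*")) {
            [pscustomobject]@{
                RegistryKey = $r.Key
                ValueName   = $r.ValueName
                Task        = $t.Task
                Command     = $r.Command
            }
        }
    }
}
```

Run it from an elevated prompt so the HKLM tasks and keys are readable; each row printed names the registry key, the value and the scheduled task that share a command.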

What analysis tool will immediately close if/when you attempt to launch it?

From the SysinternalSuite folder, if we open procexp64.exe, it closes immediately.

[Screenshot: procexp64.exe]

What is the full WQL Query associated with this script?

Run loki.exe from the C:\Users\Administrator\Desktop\Tools\loki_0.33.0\loki folder; you will see the WQL query:

SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'procexp64.exe'

[Screenshot: loki.exe]

What is the script language?

vbscript

What is the name of the other script?

From the above output: LaunchBeaconingBackdoor

Also from C:\TMP\WMIBackdoor.ps1:

[Screenshot: WMIBackdoor.ps1]

What is the name of the software company visible within the script?

From C:\TMP\WMIBackdoor.ps1: Motobit Software

[Screenshot: WMIBackdoor.ps1]

What 2 websites are associated with this software company? (answer, answer)

http://www.motobit.com
http://Motobit.cz

Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?

Searching for these gives this script: WMIBackdoor.ps1

[Screenshot: WMIBackdoor.ps1]

What is the location of this file within the local machine?

WMIBackdoor.ps1 is located in C:\TMP on the local machine.

Which 2 processes open and close very quickly every few minutes? (answer, answer)

If you observe carefully, two windows pop up every few minutes:

mim.exe, powershell.exe

This can also be confirmed via the Task Scheduler:

[Screenshot: Task Scheduler]

What is the parent process for these 2 processes?

svchost.exe

When mim.exe runs, click anywhere inside its command prompt window. This keeps the process from exiting, so we can see its process ID via Task Manager. Now use the following command to find the parent process ID and name for mim.exe, replacing Process ID with the PID noted from Task Manager:

wmic process get processid,parentprocessid,executablepath | find "Process ID"

[Screenshot: Parent Process ID]

What is the first operation for the first of the 2 processes?

We can use Process Monitor (ProcMon64.exe), available in C:\Users\Administrator\Desktop\Tools\SysinternalSuite, to monitor what mim.exe is doing. Adding a filter on the Process Name shows that the first operation is “Process Start”.

[Screenshot: Process Monitor]

Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed? (answer, answer, answer, answer)

From the last snapshot: Parent PID, Command line, Current directory, Environment

Inspect the disk operations, what is the name of the unusual process?

Locate and open Process Hacker 2 from the C:\Users\Administrator\Desktop\Tools folder. Look under the Disk tab and notice an unusual process named “No process”.

[Screenshot: Process Hacker]

Run Loki. Inspect the output. What is the name of the module after `Init`?

For this we need to run Loki while writing its output to a log file.

[Screenshot: loki with logfile]

loki.exe -l log.txt

Then from log.txt we can see that the name of the module after Init is “WMIScan”.

[Screenshot: logfile]

Regarding the 2nd warning, what is the name of the eventFilter?

Run loki.exe from the C:\Users\Administrator\Desktop\Tools\loki_0.33.0\loki folder. Notice the two WARNING entries. The name of the event filter is “ProcessStartTrigger”.

[Screenshot: Loki.exe]

For the 4th warning, what is the class name?

The class name for the 4th warning is “__FilterToConsumerBinding”.

[Screenshot: Loki.exe]
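The ProcessStartTrigger filter, the VBScript consumer and the __FilterToConsumerBinding that Loki warns about are the three pieces of a permanent WMI event subscription. The following PowerShell, an added example that is not part of the original walkthrough, enumerates those subscriptions on a host and joins each binding to its filter (the WQL query) and its consumer (the script or command that runs when the query fires); the helper name Get-RefName is my own.

```powershell
# Added example (not from the room): list permanent WMI event subscriptions in
# root\subscription and pair each binding with its filter query and consumer payload.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class: returns all consumer types
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# A binding's Filter/Consumer properties are object references. Depending on the
# cmdlet that produced them they surface as a CimInstance or as a path string such
# as  __EventFilter.Name="ProcessStartTrigger"  so this helper handles both forms.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -split '"')[1] }
    return $ref.Name
}

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }

    # ActiveScriptEventConsumer carries ScriptText (e.g. VBScript, as in this room);
    # CommandLineEventConsumer carries CommandLineTemplate. Show whichever is set.
    $payload = if ($c.ScriptText) { $c.ScriptText } else { $c.CommandLineTemplate }

    [pscustomobject]@{
        Filter       = $fName
        Query        = $f.Query
        Consumer     = $cName
        ConsumerType = $c.CimClass.CimClassName
        Payload      = $payload
    }
}
```

A stock Windows install normally shows only the built-in SCM Event Log Filter/Consumer pair here; a filter whose query watches Win32_ProcessStartTrace and feeds a script consumer, as on this machine, is the pattern to look for.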

What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?

These FIRST_BYTES are from the binary “nbtscan.exe”.

[Screenshot: Loki.exe]

According to the results, what is the description listed for reason 1?

From the snapshot of the last question we can see the description (DESC) as “Known Bad / Dual use classics”.

Which binary alert is marked as APT Cloaked?

From the output of loki.exe, the binary marked as APT cloaked is “p.exe”. This is actually PsExec.exe.

[Screenshot: Loki.exe]

What are the matches? (str1, str2)

From the above snapshot, the matches are: psexesvc.exe, Sysinternals PsExec

Which binary alert is associated with somethingwindows.dmp found in C:\TMP?

From the output of loki.exe, the binary alert associated with somethingwindows.dmp is for the file “schtasks-backdoor.ps1”.

[Screenshot: Loki.exe]

Which binary is encrypted that is similar to a Trojan?

From the output of loki.exe, the binary “xCmd.exe” is encrypted, which is similar to a Trojan.

[Screenshot: Loki.exe]

There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?

From the output of loki.exe, the binary masquerading as the Windows core process svchost.exe is C:\Users\Public\svchost.exe.

[Screenshot: Loki.exe]

What is the full path location for the legitimate version?

The legitimate version of svchost.exe is located in C:\Windows\System32.

[Screenshot: svchost]

What is the description listed for reason 1?

As the svchost.exe from the above trace is running from a non-standard location, the REASON_1 is “Stuff running where it normally shouldn’t”.

There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?

From the output of loki.exe, the file name is “en-US.js”, which is in the same folder, C:\Users\Public.

[Screenshot: Loki.exe]

What is the name of the Yara Rule MATCH?

From the last answer, the Yara Rule MATCH is “CACTUSTORCH”.

Which binary didn’t show in the Loki results?

We didn’t see “mim.exe” in the Loki results, even though it runs periodically via the Task Scheduler.

Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn’t hit on? (answer, answer, answer)

So we need to complete the following yar rule in the test.yar file in the Tools folder:

[Screenshot: YARA rule]

From the YARA room we know that we can use strings to search for specific text or hexadecimal patterns in files or programs. So here we need to figure out these strings from “mim.exe”, which is available in the C:\TMP directory. We can use strings64.exe, which is already available in C:\Users\Administrator\Desktop\Tools\SysinternalSuite, and filter its output with findstr and a regex, since we already know the lengths of the strings required by the YARA rule.

strings64.exe C:\TMP\mim.exe | findstr "^.....1$"
strings64.exe C:\TMP\mim.exe | findstr "^....x.$"
strings64.exe C:\TMP\mim.exe | findstr "^v........7$"

[Screenshot: findstr]

That’s it. Thanks for reading.


Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

0xsanz
