Investigating Windows 2.0 — TryHackMe

This is a walkthrough for TryHackMe's room "Investigating Windows 2.0". The room can be found here:
Brief introduction of the tools used
YARA is the pattern-matching Swiss Army knife for malware researchers; it identifies files by binary and textual patterns, such as hex byte sequences and strings contained in a file.
Loki is a free, open-source IOC (Indicator of Compromise) scanner.
Now on to the questions.
What registry key contains the same command that is executed within a scheduled task?
Open Task Scheduler via the Run dialog (Win+R) by typing taskschd.msc. You will notice a task called GameOver; it runs an executable named mim.exe. Now open Autoruns from C:\Users\Administrator\Desktop\Tools\SysinternalSuite. There you will notice a registry entry that runs the same mim.exe command.
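The same correlation can be scripted instead of eyeballing Task Scheduler and Autoruns. The following is an added example, not code from the room or the walkthrough: it lists every scheduled-task action, lists every Run/RunOnce autostart value, and prints the pairs that execute the same command. The set of registry keys, the helper names and the list of generic interpreters are my assumptions; run it from an elevated PowerShell prompt on the investigated host.

```powershell
# Added example (not part of the TryHackMe room): correlate scheduled-task actions with
# the Run/RunOnce autostart registry values and print the commands that appear in both.
# Run from an elevated PowerShell prompt on the host being investigated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds to every result that are not registry values.
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# Interpreters that would match almost everything if compared by file name alone (assumed list).
$genericHosts = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe'

function Get-NormalizedCommand([string]$Command) {
    # Strip quotes, collapse whitespace and lower-case, so "C:\TMP\mim.exe" and C:\tmp\mim.exe compare equal.
    return ((($Command -replace '"', '') -replace '\s+', ' ').Trim()).ToLowerInvariant()
}

function Get-CommandExeName([string]$Command) {
    # First token of the normalised command reduced to the bare file name (e.g. mim.exe).
    $first = ((Get-NormalizedCommand $Command) -split ' ')[0]
    return [System.IO.Path]::GetFileName($first)
}

# One object per autostart registry value.
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $psProps) { continue }
        [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = [string]$prop.Value }
    }
}

# One object per scheduled-task action (a task may carry several actions).
$taskEntries = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = if ($action.Arguments) { "$($action.Execute) $($action.Arguments)" } else { $action.Execute }
        [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
    }
}

foreach ($t in $taskEntries) {
    $tNorm = Get-NormalizedCommand $t.Command
    $tExe  = Get-CommandExeName $t.Command
    foreach ($r in $runEntries) {
        # Exact match on the whole command line, or a match on the binary name alone
        # (skipped for cmd/powershell/etc., where the interesting part is the argument).
        $sameCommand = (Get-NormalizedCommand $r.Command) -eq $tNorm
        $sameBinary  = ($tExe -notin $genericHosts) -and ((Get-CommandExeName $r.Command) -eq $tExe)
        if ($sameCommand -or $sameBinary) {
            "[+] Task {0} and registry value {1}\{2} both run: {3}" -f $t.Task, $r.Key, $r.Name, $t.Command
        }
    }
}
```

The binary-name comparison is deliberately loose: a Run value of C:\TMP\mim.exe and a task action that also launches mim.exe with different arguments still count as the same persistence mechanism being installed twice, which is the pattern this question is about.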

What analysis tool will immediately close if/when you attempt to launch it?
From the SysinternalSuite folder, if we open procexp64.exe (Process Explorer), it closes immediately.

What is the full WQL Query associated with this script?
Run loki.exe from the C:\Users\Administrator\Desktop\Tools\loki_0.33.0\loki folder; its output includes the WQL query of the WMI event filter:
SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'procexp64.exe'

What is the script language?
vbscript
What is the name of the other script?
From the Loki output above: LaunchBeaconingBackdoor. The same name also appears in C:\TMP\WMIBackdoor.ps1.

What is the name of the software company visible within the script?
From C:\TMP\WMIBackdoor.ps1: Motobit Software

What 2 websites are associated with this software company? (answer, answer)
http://www.motobit.com
http://Motobit.cz
Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?
Searching for the script name together with one of these websites turns up this attack script: WMIBackdoor.ps1

What is the location of this file within the local machine?
WMIBackdoor.ps1 is located in C:\TMP on the local machine.
Which 2 processes open and close very quickly every few minutes? (answer, answer)
If you observe carefully, two windows pop up every few minutes: mim.exe and powershell.exe. This can also be confirmed via the Task Scheduler:

What is the parent process for these 2 processes?
svchost.exe
When mim.exe runs, click anywhere inside its console window: with QuickEdit mode on, this pauses console output, so the process blocks instead of exiting and its process ID can be read from Task Manager. Then use the following commands to find the parent process ID and name for mim.exe (the first prints mim.exe's ParentProcessId, which you substitute into the second):
wmic process where "name='mim.exe'" get processid,parentprocessid,executablepath
wmic process where "processid=<ParentProcessId from the previous output>" get name,executablepath
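Clicking into the console works, but it only catches one instance. The following is an added example, not code from the room or the walkthrough: it subscribes to the same Win32_ProcessStartTrace class the attacker's filter uses, this time as a defender's event subscription, and for every mim.exe or powershell.exe start it prints the parent chain up to the root. The function name, the source identifier and the 8-level depth cap are my assumptions; it needs an elevated prompt because Win32_ProcessStartTrace requires administrator rights, and it handles the case where the short-lived child has already exited by starting the chain at the parent PID the event provides.

```powershell
# Added example (not part of the TryHackMe room): watch for mim.exe and powershell.exe
# starting and print their parent chain. Uses the same Win32_ProcessStartTrace class the
# attacker's WMI filter uses, but here as a defender's event subscription.
# Requires an elevated prompt (Win32_ProcessStartTrace needs administrator rights).

function Get-ParentChain {
    param([int]$ProcessId, [int]$MaxDepth = 8)   # MaxDepth is an assumed sanity limit
    $chain = @()
    $seen  = @{}
    $cur   = $ProcessId
    while ($cur -and -not $seen.ContainsKey($cur) -and $chain.Count -lt $MaxDepth) {
        $seen[$cur] = $true
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $cur"
        if (-not $p) {
            # Already exited (short-lived process) or PID reused: record what we know and stop.
            $chain += [pscustomobject]@{ ProcessId = $cur; Name = '<exited>'; Path = $null; CommandLine = $null }
            break
        }
        $chain += [pscustomobject]@{
            ProcessId = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath; CommandLine = $p.CommandLine
        }
        $cur = $p.ParentProcessId
    }
    return $chain
}

$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'mim.exe' OR ProcessName = 'powershell.exe'"
Register-CimIndicationEvent -Query $query -SourceIdentifier 'ProcTrace'
Write-Host "Watching for process starts; press Ctrl+C to stop."
try {
    while ($true) {
        $ev = Wait-Event -SourceIdentifier 'ProcTrace' -Timeout 5
        if (-not $ev) { continue }                       # timeout, keep waiting
        Remove-Event -EventIdentifier $ev.EventIdentifier
        $e = $ev.SourceEventArgs.NewEvent                # Win32_ProcessStartTrace instance
        Write-Host ("`n[+] {0} PID {1} started (parent PID {2})" -f $e.ProcessName, $e.ProcessID, $e.ParentProcessID)
        # The child may be gone within milliseconds, so walk the chain from the parent PID
        # the event already gave us (for the scheduled tasks in this room: svchost.exe -> services.exe -> wininit.exe).
        Get-ParentChain -ProcessId $e.ParentProcessID | Format-Table ProcessId, Name, Path, CommandLine -AutoSize
    }
}
finally {
    Unregister-Event -SourceIdentifier 'ProcTrace'
}
```

Because the event carries ParentProcessID, the answer no longer depends on the child staying alive; the only caveat is PID reuse, which is why the chain is printed immediately rather than stored for later lookup.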

What is the first operation for the first of the 2 processes?
We can use Process Monitor (ProcMon64.exe), available in C:\Users\Administrator\Desktop\Tools\SysinternalSuite, to monitor what mim.exe is doing. Add a filter on Process Name and the first operation shown is "Process Start".

Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed? (answer, answer, answer, answer)
From the last snapshot: Parent PID, Command line, Current directory, Environment
Inspect the disk operations, what is the name of the unusual process?
Locate and open Process Hacker 2 from the C:\Users\Administrator\Desktop\Tools folder. Look under the Disk tab and notice an unusual process named "No process".

Run Loki. Inspect the output. What is the name of the module after `Init`?
For this we run Loki while writing its output to a log file:

loki.exe -l log.txt
Then in log.txt we can see that the module after Init is "WMIScan".

Regarding the 2nd warning, what is the name of the eventFilter?
Run loki.exe from the C:\Users\Administrator\Desktop\Tools\loki_0.33.0\loki folder and notice the two WARNING entries. The name of the event filter is "ProcessStartTrigger".

For the 4th warning, what is the class name?
The class name for the 4th warning is “__FilterToConsumerBinding”
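Loki reports the filter, the consumer and the binding as separate warnings; it helps to see them joined. The following is an added example, not code from the room or the walkthrough: it enumerates root\subscription, joins every __FilterToConsumerBinding to its __EventFilter and __EventConsumer, and flags the combination found here (a WQL filter on Win32_ProcessStartTrace bound to a script consumer). The helper name, the list of "suspicious" event classes and the removal commands at the end are my assumptions; run it elevated.

```powershell
# Added example (not part of the TryHackMe room): enumerate permanent WMI event subscriptions
# in root\subscription and join each __FilterToConsumerBinding to its __EventFilter and
# __EventConsumer, flagging the combination Loki warns about here: a WQL filter on
# Win32_ProcessStartTrace bound to a consumer that executes code. Run from an elevated prompt.

$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class: returns every consumer type
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

function Get-RefName($ref) {
    # Reference properties come back as a CimInstance (Get-CimInstance) or as a path
    # string such as __EventFilter.Name="ProcessStartTrigger" (Get-WmiObject); handle both.
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $ref }
    }
    return [string]$ref.Name
}

# Event classes that commonly drive malicious triggers (assumed list, not exhaustive).
$suspiciousClasses = 'Win32_ProcessStartTrace', '__InstanceCreationEvent', '__InstanceModificationEvent', '__InstanceDeletionEvent'

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

    $flags = @()
    if ($f -and ($suspiciousClasses | Where-Object { $f.Query -match $_ })) { $flags += 'filter watches process/instance events' }
    if ($c -and ($c.CimClass.CimClassName -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer')) { $flags += 'consumer executes code' }

    "=== Binding: $fName -> $cName" + $(if ($flags) { '  [!] ' + ($flags -join '; ') } else { '' })
    if ($f) { "  Filter query : $($f.Query)" }
    if ($c) {
        "  Consumer type: $($c.CimClass.CimClassName)"
        switch ($c.CimClass.CimClassName) {
            'ActiveScriptEventConsumer' {
                "  Engine       : $($c.ScriptingEngine)"     # e.g. VBScript, as in this room
                $text = if ($c.ScriptText) { $c.ScriptText } else { "(file) $($c.ScriptFileName)" }
                '  Script       : ' + $text.Substring(0, [Math]::Min(200, $text.Length))
            }
            'CommandLineEventConsumer' { "  Command      : $($c.CommandLineTemplate)" }
        }
    }
}

# Removal, only after the finding is confirmed and the script text has been preserved as evidence.
# Delete the binding first, then the filter and the consumer, e.g. for the filter named in this room:
# $bindings  | Where-Object { (Get-RefName $_.Filter) -eq 'ProcessStartTrigger' } | Remove-CimInstance
# $filters   | Where-Object { $_.Name -eq 'ProcessStartTrigger' } | Remove-CimInstance
# $consumers | Where-Object { $_.Name -eq '<consumer name from the output>' } | Remove-CimInstance
```

Querying the __EventConsumer base class rather than ActiveScriptEventConsumer directly is what makes the join complete: an attacker can switch to a CommandLineEventConsumer without changing the filter or the binding, and the report would still show it.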

What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?
These FIRST_BYTES belong to the binary "nbtscan.exe".

According to the results, what is the description listed for reason 1?
From the snapshot in the previous question, the description (DESC) is "Known Bad / Dual use classics".
Which binary alert is marked as APT Cloaked?
From the output of loki.exe, the binary marked as APT Cloaked is "p.exe", which is actually PsExec.exe.

What are the matches? (str1, str2)
From the above snapshot the matches are: psexesvc.exe, Sysinternals PsExec
Which binary alert is associated with somethingwindows.dmp found in C:\TMP?
From the output of loki.exe, the binary alert associated with somethingwindows.dmp is for the file "schtasks-backdoor.ps1".

Which binary is encrypted that is similar to a Trojan?
From the output of loki.exe, the binary "xCmd.exe" is flagged as encrypted, similar to a Trojan.

There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?
From the output of loki.exe, the binary masquerading as the Windows core process svchost.exe is C:\Users\Public\svchost.exe.

What is the full path location for the legitimate version?
The legitimate version of svchost.exe lives in C:\Windows\System32 (C:\Windows\System32\svchost.exe).

What is the description listed for reason 1?
As the svchost.exe from the trace above is running from a non-standard location, REASON_1 is "Stuff running where it normally shouldn't".
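Loki catches this copy by its path, and the same check is easy to run live. The following is an added example, not code from the room or the walkthrough: for every running process that carries the name of a core Windows binary it checks the image directory, the Authenticode signature and the parent process, so a C:\Users\Public\svchost.exe is flagged three ways. The lists of core names and expected parents are my assumptions based on normal Windows process relationships (svchost.exe is started by services.exe, lsass.exe and services.exe by wininit.exe); run it elevated so protected processes expose their image path.

```powershell
# Added example (not part of the TryHackMe room): find running processes that use the name
# of a core Windows binary but run from outside the Windows directory, and check the image's
# Authenticode signature and the parent process. The name and parent lists are assumptions
# based on normal Windows process relationships. Run from an elevated prompt.

$coreNames = 'svchost.exe', 'services.exe', 'lsass.exe', 'csrss.exe', 'wininit.exe', 'winlogon.exe', 'smss.exe', 'explorer.exe'
$expectedParent = @{
    'svchost.exe'  = 'services.exe'
    'lsass.exe'    = 'wininit.exe'
    'services.exe' = 'wininit.exe'
    'csrss.exe'    = 'smss.exe'     # smss.exe usually exits, so the parent often resolves to nothing
    'wininit.exe'  = 'smss.exe'
    'winlogon.exe' = 'smss.exe'
}
$legitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot")

$all  = Get-CimInstance Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

foreach ($p in ($all | Where-Object { $_.Name -in $coreNames })) {
    $path = $p.ExecutablePath
    if (-not $path) {
        # Protected processes hide their path from non-elevated callers; do not judge without it.
        "[?] $($p.Name) PID $($p.ProcessId): no image path visible (run elevated)"
        continue
    }
    $findings = @()

    # 1. Location: the real svchost.exe lives in System32 (or SysWOW64), never under C:\Users.
    $dir = Split-Path $path -Parent
    if ($dir -notin $legitDirs) { $findings += "runs from $dir" }

    # 2. Signature: OS binaries are Microsoft-signed (catalog signatures are honoured on PowerShell 5.1+;
    #    on older hosts a genuine System32 file may show NotSigned, so treat this as supporting evidence).
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "signature $($sig.Status)"
    }

    # 3. Parent: svchost.exe launched by anything other than services.exe is worth a look.
    $parent = $byId[[int]$p.ParentProcessId]
    $want   = $expectedParent[$p.Name]
    if ($want -and $parent -and $parent.Name -ne $want) { $findings += "parent is $($parent.Name) (expected $want)" }

    if ($findings) { "[!] $path PID $($p.ProcessId): " + ($findings -join '; ') }
    else           { "[ok] $path PID $($p.ProcessId)" }
}
```

The three checks are independent on purpose: an attacker can fix one (copy a signed binary to a new path, or inject into a real svchost.exe under the right parent) far more easily than all three at once.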
There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?
From the output of loki.exe, the file is "en-US.js", which is also in the same folder, C:\Users\Public.

What is the name of the Yara Rule MATCH?
From the last answer Yara Rule MATCH is “CACTUSTORCH”
Which binary didn’t show in the Loki results?
We didn't see "mim.exe" in the Loki results, although it runs periodically via the Task Scheduler.
Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn’t hit on? (answer, answer, answer)
So we need to complete the following rule in the test.yar file in the Tools folder:

From the YARA room we know that a rule's strings section can search for specific text or hexadecimal patterns in files. So here we need to recover these strings from mim.exe, which is in the C:\TMP directory. We can use strings64.exe, already available in C:\Users\Administrator\Desktop\Tools\SysinternalSuite, and filter its output with findstr regular expressions, since the rule template already tells us the length of each string and the characters that are filled in (^ and $ anchor the whole line, and . matches any single character):
strings64.exe C:\TMP\mim.exe | findstr "^.....1$"
strings64.exe C:\TMP\mim.exe | findstr "^....x.$"
strings64.exe C:\TMP\mim.exe | findstr "^v........7$"
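The same extraction can be done without strings64 and findstr, and the result can be turned straight into the rule. The following is an added example, not code from the room or the walkthrough: a minimal strings extractor (ASCII and UTF-16LE, like strings64), the three findstr patterns above as .NET regexes, and a generator that writes the matching strings into a YARA rule. The function names, the rule name and the demo byte buffer are my assumptions; the demo buffer is a constructed sample, not the contents of mim.exe, and is only used when C:\TMP\mim.exe is not present.

```powershell
# Added example (not part of the TryHackMe room): a minimal strings extractor in PowerShell,
# the three findstr patterns from the walkthrough as .NET regexes, and a generator that puts
# the matched strings into a YARA rule. Point $file at the real mim.exe on the room VM;
# the fallback byte buffer below is a constructed sample for running this offline.

function Get-PrintableStrings {
    param([byte[]]$Bytes, [int]$MinLength = 3)   # 3 is strings64's default minimum length
    $out = New-Object System.Collections.Generic.List[object]

    # ASCII runs: consecutive bytes in 0x20..0x7E.
    $start = -1
    for ($i = 0; $i -le $Bytes.Length; $i++) {
        $ok = ($i -lt $Bytes.Length) -and ($Bytes[$i] -ge 0x20) -and ($Bytes[$i] -le 0x7E)
        if ($ok) { if ($start -lt 0) { $start = $i }; continue }
        if ($start -ge 0 -and ($i - $start) -ge $MinLength) {
            $out.Add([pscustomobject]@{ Offset = $start; Encoding = 'ascii'; Value = [Text.Encoding]::ASCII.GetString($Bytes, $start, $i - $start) })
        }
        $start = -1
    }

    # UTF-16LE runs: printable byte followed by 0x00, at any alignment (strings64 reports these as Unicode).
    $i = 0
    while ($i + 1 -lt $Bytes.Length) {
        if ($Bytes[$i] -ge 0x20 -and $Bytes[$i] -le 0x7E -and $Bytes[$i + 1] -eq 0) {
            $j = $i
            while ($j + 1 -lt $Bytes.Length -and $Bytes[$j] -ge 0x20 -and $Bytes[$j] -le 0x7E -and $Bytes[$j + 1] -eq 0) { $j += 2 }
            if ((($j - $i) / 2) -ge $MinLength) {
                $out.Add([pscustomobject]@{ Offset = $i; Encoding = 'wide'; Value = [Text.Encoding]::Unicode.GetString($Bytes, $i, $j - $i) })
            }
            $i = $j
        } else { $i++ }
    }
    return $out
}

function ConvertTo-YaraString([string]$s) {
    # YARA text strings use C-style escapes for backslash and double quote.
    return $s.Replace('\', '\\').Replace('"', '\"')
}

function New-YaraRule {
    param([string]$Name, [string[]]$Strings)
    $lines = @("rule $Name", '{', '    strings:')
    for ($n = 0; $n -lt $Strings.Count; $n++) {
        $lines += '        $s{0} = "{1}" ascii wide' -f ($n + 1), (ConvertTo-YaraString $Strings[$n])
    }
    $lines += '    condition:'
    $lines += '        uint16(0) == 0x5A4D and all of them'   # "MZ" header plus every string present
    $lines += '}'
    return ($lines -join "`n")
}

# The findstr patterns from the walkthrough as .NET regexes (findstr's "." also means any one character).
$patterns = '^.{5}1$', '^.{4}x.$', '^v.{8}7$'

$file = 'C:\TMP\mim.exe'
if (Test-Path $file) {
    $bytes = [IO.File]::ReadAllBytes($file)
} else {
    # Constructed demo buffer (NOT mim.exe): an MZ header, non-printable filler, and three
    # made-up strings that fit the three patterns, one of them stored as UTF-16LE.
    $bytes = [byte[]]@(
        [Text.Encoding]::ASCII.GetBytes('MZ') + [byte[]](0..7) +
        [Text.Encoding]::ASCII.GetBytes('v2.0.1') + [byte[]](0, 0) +
        [Text.Encoding]::Unicode.GetBytes('hex0xf') + [byte[]](0, 0) +
        [Text.Encoding]::ASCII.GetBytes('v0.1.2-r07') + [byte[]]@(0)
    )
}

$strings = Get-PrintableStrings -Bytes $bytes
$hits = $strings | Where-Object { $v = $_.Value; [bool]($patterns | Where-Object { $v -match $_ }) }
$hits | Format-Table Offset, Encoding, Value -AutoSize
New-YaraRule -Name 'mim_exe_strings' -Strings ($hits.Value | Select-Object -Unique)
```

On the room VM the printed rule body is what goes into test.yar; the "ascii wide" modifier matters because strings64 reports both encodings and the rule should hit whichever one the binary actually stores, and the uint16(0) check keeps the rule from firing on a text file that merely quotes the same strings.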

That’s it. Thanks for reading.