Investigating Windows 2.0 - TryHackMe

hextrace

Here is the writeup for the room Investigating Windows 2.0.

This room is the continuation of Investigating Windows.

What registry key contains the same command that is executed within a scheduled task?

Open the Task Scheduler and look at the command the scheduled task executes.

In Regedit, search for part of the task's command (e.g. sekurlsa or LogonPasswords). You'll end up here:

\HKCU\Environment\UserInitMprLogonScript
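The same comparison can be scripted instead of searched by hand in Regedit. This is an added example, not part of the original writeup: it reads UserInitMprLogonScript from every loaded user hive and reports scheduled tasks whose action contains the same command. The substring matching is an assumption about how closely the two commands agree.

```powershell
# Added example: compare per-user logon scripts with scheduled task actions.
# Run elevated so that other users' loaded hives and all tasks are readable.

# 1. Collect UserInitMprLogonScript from each loaded hive under HKEY_USERS.
$logonScripts = foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $envKey = "Registry::$($hive.Name)\Environment"
    $value  = (Get-ItemProperty -Path $envKey -Name UserInitMprLogonScript `
                                -ErrorAction SilentlyContinue).UserInitMprLogonScript
    if ($value) {
        [pscustomobject]@{ Hive = $hive.PSChildName; Command = $value.Trim() }
    }
}

# 2. Flatten scheduled tasks into "task path -> full command line".
$taskCommands = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {   # only exec actions carry Execute/Arguments
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Command = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            }
        }
    }
}

# 3. Report logon scripts that also appear as (or inside) a task command.
#    Quoting can differ between the two places, so test containment both ways.
$ci = [StringComparison]::OrdinalIgnoreCase
foreach ($ls in $logonScripts) {
    $same = $taskCommands | Where-Object {
        $_.Command.IndexOf($ls.Command, $ci) -ge 0 -or
        $ls.Command.IndexOf($_.Command, $ci) -ge 0
    }
    [pscustomobject]@{
        Hive          = $ls.Hive
        LogonScript   = $ls.Command
        MatchingTasks = ($same.Task -join '; ')
    }
}
```

Any UserInitMprLogonScript value deserves review on its own, whether or not a task matches it.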

What analysis tool will immediately close if/when you attempt to launch it?

To get a good overview of the running machine, the SysInternals tools are the way to go. However, the famous Process Explorer refuses to start:

procexp64.exe

What is the full WQL Query associated with this script?

For this one, start Loki, the IOC scanner. It can take a while to run, but it is super useful. It detected some suspicious/malicious files and gives us the culprit that plays with procexp64 through WQL queries.

Query is:

SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'procexp64.exe'

What is the script language?

Open the file \TMP\WMIBackdoor.ps1:

vbscript

What is the name of the other script?

We'll have to read/understand the script to find this one. Loki also found it:

LaunchBeaconingBackdoor

What is the name of the software company visible within the script?

We can read it in the script's comments:

Motobit Software

What 2 websites are associated with this software company?

We can also read the two URLs in the script comments:

  • http://www.motobit.com
  • http://Motobit.cz

Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?

WMIBackdoor.ps1

What is the location of this file within the local machine?

C:\TMP

Which 2 processes open and close very quickly every few minutes?

By looking at the window titles:

  1. mim.exe
  2. powershell.exe

What is the parent process for these 2 processes?

We can start the SysInternals Process Monitor, procmon64.exe. Then we can add a filter on "Process Name" for mim.exe so that we capture the process creation. In the properties of that event, we have the parent PID, which is 916. In Task Manager, we can get the name for PID 916, which is:

svchost.exe

What is the first operation for the first of the 2 processes?

Again in Process Monitor, we can capture the first operation made, which is:

Process Start

Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed?

Go back to the event properties:

  • Parent PID
  • Command line
  • Current directory
  • Environment

or

Parent PID, Command line, Current directory, Environment

Inspect the disk operations, what is the name of the unusual process?

The hint tells us to use Process Hacker.

No Process

Run Loki. Inspect the output. What is the name of the module after Init?

From 'loki-output.txt' MODULE section:

WMIScan

Regarding the 2nd warning, what is the name of the eventFilter?

From 'loki-output.txt' NAME section:

ProcessStartTrigger

For the 4th warning, what is the class name?

From 'loki-output.txt' CLASS section:

__FilterToConsumerBinding
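The Win32_ProcessStartTrace query, the ProcessStartTrigger filter and the __FilterToConsumerBinding class that Loki reports are the pieces of one permanent WMI event subscription. As an added example, not part of the original writeup, this PowerShell lists every binding with its filter query and consumer payload so the finding can be confirmed without Loki. It assumes the subscription lives in root\subscription and that the consumer is a CommandLineEventConsumer or an ActiveScriptEventConsumer.

```powershell
# Added example: map each WMI filter-to-consumer binding to its query and payload.
# Run from an elevated PowerShell prompt on the host under investigation.
$ns = 'root\subscription'   # assumed namespace of the subscription

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)  # includes subclasses
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$report = foreach ($b in $bindings) {
    # Filter and Consumer are references; their key property is Name.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1

    [pscustomobject]@{
        Filter        = $b.Filter.Name
        Query         = $f.Query                  # e.g. the WQL text Loki printed
        QueryLanguage = $f.QueryLanguage
        Consumer      = $b.Consumer.Name
        ConsumerClass = $c.CimSystemProperties.ClassName
        CommandLine   = $c.CommandLineTemplate    # CommandLineEventConsumer only
        ScriptEngine  = $c.ScriptingEngine        # ActiveScriptEventConsumer only
        ScriptText    = $c.ScriptText             # ActiveScriptEventConsumer only
    }
}

$report | Format-List

# Filters that exist without a binding are leftovers worth reviewing as well.
$boundFilters = $bindings | ForEach-Object { $_.Filter.Name }
$filters |
    Where-Object { $boundFilters -notcontains $_.Name } |
    Select-Object Name, Query
```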

What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?

From 'loki-output.txt' FIRST_BYTES section:

nbtscan.exe

According to the results, what is the description listed for reason 1?

From 'loki-output.txt' DESC section:

Known Bad / Dual use classics

Which binary alert is marked as APT Cloaked?

From 'loki-output.txt' FILE section

C:\TMP\p.exe

or

p.exe

What are the matches?

From 'loki-output.txt' MATCHES section

  • psexesvc.exe
  • Sysinternals PsExec

or

psexesvc.exe, Sysinternals PsExec

Which binary alert is associated with somethingwindows.dmp found in C:\TMP?

From 'loki-output.txt' FILE/INFO:

C:\TMP\schtasks-backdoor.ps1

or simply

schtasks-backdoor.ps1

Which binary is encrypted that is similar to a trojan?

Loki found an XOR-encrypted binary ("Derusbi trojan") at C:\TMP\xCmd.exe:

xCmd.exe

There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?

Remember pid 916 under name svchost? Loki raised an alert for a svchost located at:

C:\Users\Public\svchost.exe

What is the full path location for the legitimate version?

Svchost is a system process that can host one or many Windows services. It is located at

  • %SystemRoot%\System32\Svchost.exe
  • %SystemRoot%\SysWOW64\Svchost.exe

and on the THM machine:

C:\Windows\System32
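The path comparison above, together with the earlier observation that mim.exe and powershell.exe are children of a svchost.exe, can be checked in one pass. This is an added example, not part of the original writeup: it flags every svchost.exe whose image is outside the two legitimate folders and lists the processes it has spawned.

```powershell
# Added example: find svchost.exe instances running from an unexpected path
# and show their child processes. Run elevated to read all image paths.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

$procs = @(Get-CimInstance -ClassName Win32_Process)

$suspicious = foreach ($p in $procs | Where-Object { $_.Name -eq 'svchost.exe' }) {
    if (-not $p.ExecutablePath) {
        # Empty path means the caller could not query the process image.
        Write-Warning "PID $($p.ProcessId): image path not readable, rerun elevated"
        continue
    }

    # -notcontains compares case-insensitively, which suits Windows paths.
    if ($expected -notcontains $p.ExecutablePath) {
        $children = $procs | Where-Object { $_.ParentProcessId -eq $p.ProcessId }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Started     = $p.CreationDate
            Children    = ($children | ForEach-Object {
                               "{0} ({1})" -f $_.Name, $_.ProcessId
                           }) -join ', '
        }
    }
}

$suspicious | Format-List
```

Short-lived children such as the ones in this room only show up if they are alive when the snapshot is taken, so Process Monitor remains the better tool for catching them.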

What is the description listed for reason 1?

Look at the corresponding DESC section:

Stuff running where it normally shouldn't

There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?

Next to the malicious svchost.exe, there is a strange JavaScript file:

en-US.js

What is the name of the Yara Rule MATCH?

Loki raised a warning for that file, with the rule:

CACTUSTORCH

It looks like a JavaScript shellcode injector.

Which binary didn't show in the Loki results?

mim.exe

Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn't hit on?

We'll have to complete the strings (regular expressions) of the provided YARA rule. We can help ourselves with strings64.exe from the SysInternals suite to test our regexps through findstr:

strings64.exe \tmp\mim.exe | findstr "??.?x?"
strings64.exe \tmp\mim.exe | findstr "...exe"
strings64.exe \tmp\mim.exe | findstr "mk.exe"

Finally,

mk.ps1, mk.exe, v2.0.50727

Alright, you're done!

This room was fun, I hope there's a 3.0 at some point! Congrats to heavenraiza, the creator of that one.