Tryhackme Volatility writeup

vol3 is already installed, so the forensics can be done directly on the online machine.
Room link: TryHackMe | Volatility

I won't write up the unimportant parts or the task descriptions; I'll just write the commands used for each step.

Task information:

Case 001 – BOB! THIS ISN’T A HORSE!

Your SOC has informed you that they have gathered a memory dump from a quarantined endpoint thought to have been compromised by a banking trojan masquerading as an Adobe document. Your job is to use your knowledge of threat intelligence and reverse engineering to perform memory forensics on the infected host. 

You have been informed of a suspicious IP in connection to the file that could be helpful. 41.168.5.140

The memory file is located in /Scenarios/Investigations/Investigation-1.vmem 

Case 002 – That Kind of Hurt my Feelings

You have been informed that your corporation has been hit with a chain of ransomware that has been hitting corporations internationally. Your team has already retrieved the decryption key and recovered from the attack. Still, your job is to perform post-incident analysis and identify what actors were at play and what occurred on your systems. You have been provided with a raw memory dump from your team to begin your analysis.

The memory file is located in /Scenarios/Investigations/Investigation-2.raw

Questions and solutions:

What is the build version of the host machine in Case 001?

2600.xpsp.080413-2111

Just run the windows.info plugin against the dump:

python3 vol.py -f /Scenarios/Investigations/Investigation-1.vmem windows.info


At what time was the memory file acquired in Case 001? 

2012-07-22 02:45:08

What process can be considered suspicious in Case 001? 

reader_sl.exe

python3 vol.py -f /Scenarios/Investigations/Investigation-1.vmem windows.pstree

The question asks which process is suspicious; the process tree points at it.


What is the parent process of the suspicious process in Case 001? 

explorer.exe

This asks for the parent process, so the same pstree output is enough (the PPID column and tree indentation give the parent).

What is the PID of the suspicious process in Case 001? 

1640

What is the parent process PID in Case 001?

1484
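The four pstree questions above all reduce to reading the PID/PPID columns and following the parent links. As an added example (not part of the original writeup), this Python helper parses text in the style of vol3 windows.pstree output into a PID map and walks the parent chain for a named process; the sample output below is constructed to mirror the Case 001 values on this page, and the offsets and thread/handle counts are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the tab-separated windows.pstree layout,
# where leading asterisks mark tree depth. PIDs and image names follow
# Case 001 above; offsets, thread and handle counts are invented.
SAMPLE_PSTREE = (
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\n"
    "4\t0\tSystem\t0x823c89c8\t58\t379\tN/A\tFalse\tN/A\tN/A\n"
    "* 368\t4\tsmss.exe\t0x822f1020\t3\t19\tN/A\tFalse\t2012-07-22 02:42:31.000000 \tN/A\n"
    "** 584\t368\tcsrss.exe\t0x822a0598\t9\t326\t0\tFalse\t2012-07-22 02:42:32.000000 \tN/A\n"
    "** 608\t368\twinlogon.exe\t0x82298700\t23\t519\t0\tFalse\t2012-07-22 02:42:32.000000 \tN/A\n"
    "1484\t1464\texplorer.exe\t0x821dea70\t17\t415\t0\tFalse\t2012-07-22 02:42:36.000000 \tN/A\n"
    "* 1640\t1484\treader_sl.exe\t0x81e7bda0\t5\t39\t0\tFalse\t2012-07-22 02:42:36.000000 \tN/A\n"
)

# Leading asterisks (depth), then PID, PPID and image name, tab separated.
LINE_RE = re.compile(r"^\**\s*(\d+)\t(\d+)\t([^\t]+)")


def parse_pstree(text: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (image name, PPID); header and non-process lines are skipped."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, ppid, name = int(m.group(1)), int(m.group(2)), m.group(3).strip()
            procs[pid] = (name, ppid)
    return procs


def find_by_name(procs: Dict[int, Tuple[str, int]], name: str) -> List[int]:
    """All PIDs whose image name matches (case-insensitive); may be several."""
    return sorted(pid for pid, (n, _) in procs.items() if n.lower() == name.lower())


def ancestry(procs: Dict[int, Tuple[str, int]], pid: int) -> List[Tuple[int, str]]:
    """Walk PPID links upward from pid. Stops when the parent is no longer in
    the dump (e.g. explorer.exe's parent userinit has exited) or on a cycle."""
    chain: List[Tuple[int, str]] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        chain.append((pid, name))
        pid = ppid
    return chain


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    for pid in find_by_name(procs, "reader_sl.exe"):
        print(" <- ".join(f"{n} ({p})" for p, n in ancestry(procs, pid)))
```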

Good old strings does the job here: dump the printable strings from the image and grep for the User-Agent header.

strings /Scenarios/Investigations/Investigation-1.vmem | grep -i "user-agent"


What user-agent was employed by the adversary in Case 001?

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N) 

Y

What suspicious process is running at PID 740 in Case 002? 

@WanaDecryptor@

Still pstree, same as before; no screenshot this time.

What is the full path of the suspicious binary in PID 740 in Case 002? 

\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe


What is the parent process of PID 740 in Case 002? 

tasksche.exe

What is the suspicious parent process PID connected to the decryptor in Case 002?

1940

From our current information, what malware is present on the system in Case 002? 

wannacry

What DLL is loaded by the decryptor used for socket creation in Case 002? 

ws2_32.dll

Threat Spotlight: Inside the WannaCry Attack (blackberry.com)

What mutex can be found that is a known indicator of the malware in question in Case 002?

MsWinZonesCacheCounterMutexA

What plugin could be used to identify all files loaded from the malware working directory in Case 002? 

windows.filescan
