Medhat Fathy

Sysinternals cyberdefenders

Category: Digital Forensics, FTK, Windows, Disk


Last updated 1 year ago

Scenario:

A user thought they were downloading the SysInternals tool suite and attempted to open it, but the tools did not launch and became inaccessible. Since then, the user has observed that their system has gradually slowed down and become less responsive.

Q1 What was the malicious executable file name that the user downloaded?

Let's go to the C:\Users\Public\Downloads folder, which stores files downloaded by any user account on the computer.

Ans : Sysinternals.exe

Q2 When was the last time the malicious executable file was modified?

First we use AppCompatCacheParser, a tool that parses AppCompatCache (ShimCache) entries from the SYSTEM registry hive.

The SYSTEM hive is a binary file that contains configuration information and settings for the Windows operating system.

To use AppCompatCacheParser to parse the SYSTEM hive, follow these steps (the download link is at the end of this page):

  1. Copy the SYSTEM hive file from the target computer to your forensic workstation. On the target computer it is located in the %SystemRoot%\System32\Config folder.

  2. Open a command prompt or PowerShell window on your forensic workstation.

  3. Run the following command to parse the SYSTEM hive file:

    AppCompatCacheParser.exe -f .\SYSTEM --csv <DestinationPath> --csvf <Output.csv>

Then open the CSV file we generated and filter on Sysinternals.exe.

Q3 What is the SHA1 hash value of the malware?

We can use AmcacheParser.exe to parse Amcache.hve, which contains information about programs and files on a Windows system. It is located in the %SystemRoot%\AppCompat\Programs directory.

To use AmcacheParser.exe to parse the Amcache.hve file, follow these steps:

  1. Download AmcacheParser.exe.

  2. Copy the Amcache.hve file from the target computer to your forensic workstation. On the target computer it is located in the %SystemRoot%\AppCompat\Programs directory.

  3. Open a command prompt or PowerShell window on your forensic workstation.

  4. Run the following command to parse the Amcache.hve file (like AppCompatCacheParser, it takes an output directory with --csv and an optional file name with --csvf):

    AmcacheParser.exe -f Amcache.hve --csv <DestinationPath> --csvf <Output.csv>

We can see the CSV files the parser generated.

Let's investigate the Amcache_UnassociatedFileEntries.csv file.

Ans : fa1002b02fc5551e075ec44bb4ff9cc1*******
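As an added example (not part of this writeup), here is the Q2 and Q3 lookup done over the two parsers' CSV output in Python instead of by hand in a spreadsheet. The column headers are assumed to match the real AppCompatCacheParser and AmcacheParser output; the rows, timestamps and SHA1 values are constructed and are not the challenge's answers.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample of AppCompatCacheParser CSV output. Column names are assumed
# to match the tool's real headers; the rows and timestamps are made up.
SHIMCACHE_CSV = r"""ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Windows\System32\notepad.exe,2021-03-02 10:11:12,Yes,False,SYSTEM
1,1,C:\Users\Public\Downloads\Sysinternals.exe,2022-01-31 09:08:07,Yes,False,SYSTEM
1,2,C:\Windows\System32\calc.exe,2021-03-02 10:11:13,No,False,SYSTEM
"""

# Constructed sample of Amcache_UnassociatedFileEntries.csv (subset of columns,
# assumed headers, made-up SHA1 values; the real hash is not reproduced here).
AMCACHE_CSV = r"""FileKeyLastWriteTimestamp,SHA1,FullPath,Name,FileExtension
2022-01-31 09:08:10,0123456789abcdef0123456789abcdef01234567,C:\Users\Public\Downloads\Sysinternals.exe,Sysinternals.exe,.exe
2021-03-02 10:11:20,89abcdef0123456789abcdef0123456789abcdef,C:\Windows\vmtoolsIO.exe,vmtoolsIO.exe,.exe
"""


def _rows_for(csv_text, path_column, file_name):
    """Yield CSV rows whose path column ends with file_name (case-insensitive)."""
    wanted = file_name.lower()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if PureWindowsPath(row[path_column]).name.lower() == wanted:
            yield row


def shimcache_last_modified(csv_text, file_name):
    """Q2: every last-modified timestamp ShimCache recorded for the file name."""
    return [r["LastModifiedTimeUTC"] for r in _rows_for(csv_text, "Path", file_name)]


def amcache_sha1(csv_text, file_name):
    """Q3: distinct SHA1 values Amcache recorded for the file name, lower-cased."""
    return sorted({r["SHA1"].lower() for r in _rows_for(csv_text, "FullPath", file_name)})


if __name__ == "__main__":
    # On a real case, read the parsers' CSV files from disk instead of the samples,
    # e.g. open(r"C:\cases\shimcache.csv", newline="").read()
    print(shimcache_last_modified(SHIMCACHE_CSV, "sysinternals.exe"))
    print(amcache_sha1(AMCACHE_CSV, "Sysinternals.exe"))
```

Matching on the file name rather than the full path catches the same binary if it was also run from a second location.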

Q4 What is the malware's family?

By going to VirusTotal and submitting the hash from the last question.

Ans : re***

Q5 What is the first mapped domain's Fully Qualified Domain Name (FQDN)?

We can check ConsoleHost_history.txt, a file present by default on Windows operating systems that contains a history of commands entered in the Windows Command Prompt or PowerShell console.

It is located in Users\IEUser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine.

Q6 The mapped domain is linked to an IP address. What is that IP address?

You can find it in the previous screenshot.

Q7 What is the name of the executable dropped by the first-stage executable?

From the Behavior tab in VirusTotal.

You can also check the strings of Sysinternals.exe.

Ans : vmtoolsIO.exe

Q8 What is the name of the service installed by 2nd stage executable?

Ans : VMwareIOHelperService

Q9 What is the extension of files deleted by the 2nd stage executable?

We can check the system logs to see if there are any entries related to the deletion of files. This may give you some information about the deleted files and their extensions.

These are stored in C:\Windows\System32\winevt\Logs.

You can search the Sysmon events and filter on Event ID 26 (FileDeleteDetected), or look at the Prefetch directory, to see what was removed at that time.

You can find it yourself >>
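As an added example (not part of this writeup), this Python snippet does the Event ID 26 filtering described above over Sysmon events exported as XML, counting the extensions of deleted files per deleting process. The events are constructed sample data in the shape Get-WinEvent's .ToXml() produces; the file names, extensions and counts are made up and are not the challenge's answer.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, image, target):
    """Constructed minimal Sysmon event in the shape .ToXml() exports (sample data)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetFilename">{target}</Data></EventData></Event>')


# Constructed sample: file names and extensions are made up, not the challenge answer.
SAMPLE_EVENTS = [
    _event(26, r"C:\Windows\vmtoolsIO.exe", r"C:\Users\IEUser\Documents\notes.txt"),
    _event(26, r"C:\Windows\vmtoolsIO.exe", r"C:\Users\IEUser\Documents\budget.txt"),
    _event(26, r"C:\Windows\vmtoolsIO.exe", r"C:\Users\IEUser\Documents\app.log"),
    _event(26, r"C:\Windows\explorer.exe", r"C:\Users\IEUser\AppData\Local\Temp\x.tmp"),
    _event(1, r"C:\Windows\System32\cmd.exe", "-"),  # not a deletion event, must be ignored
]


def _data(root, name):
    """Return the text of <Data Name="..."> inside EventData, or None if absent."""
    node = root.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return None if node is None else node.text


def deleted_extensions(events_xml, image_name=None):
    """Count file extensions reported deleted in Sysmon Event ID 26 (FileDeleteDetected),
    optionally restricted to deletions performed by one process image name."""
    counts = Counter()
    for xml_text in events_xml:
        root = ET.fromstring(xml_text)
        if root.find("e:System/e:EventID", NS).text != "26":
            continue
        image = PureWindowsPath(_data(root, "Image") or "").name.lower()
        if image_name and image != image_name.lower():
            continue
        ext = PureWindowsPath(_data(root, "TargetFilename") or "").suffix.lower()
        counts[ext or "(no extension)"] += 1
    return counts


if __name__ == "__main__":
    # For the real log, export the events first, e.g. in PowerShell:
    # Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -FilterXPath '*[System[EventID=26]]' | ForEach-Object { $_.ToXml() }
    print(deleted_extensions(SAMPLE_EVENTS, image_name="vmtoolsIO.exe"))
```

Restricting to the second-stage image (vmtoolsIO.exe from the command history above) separates its deletions from routine cleanup by other processes.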

I know each Q has more ways to get the answer, but I chose the easiest one.

Thanks for your timeeeeeee 🥰

Download the latest version of AppCompatCacheParser from the GitHub repository: https://github.com/EricZimmerman/AppCompatCacheParser/

Text captured from the screenshots above, in page order:

Sysinternals.exe

2022-11-15 21:18:51

C:\Windows\System32\cmd.exe /C c:\Windows\vmtoolsIO.exe -install && net start VMwareIOHelperService && sc config VMwareIOHelperService start= auto