Sysinternals Lab
CyberDefenders Endpoint Forensics Lab

Scenario
A user thought they were downloading the SysInternals tool suite and attempted to open it, but the tools did not launch and became inaccessible. Since then, the user has observed that their system has gradually slowed down and become less responsive.
Question 1
What was the malicious executable file name that the user downloaded?
Answer 1
Navigating through the file system in FTK Imager, I was able to find the download mentioned in the scenario: SysInternals.exe, sitting under C:\Users\Public\Downloads (the same path the Amcache record in Answer 3 later confirms).

Question 2
When was the last time the malicious executable file was modified?
Answer 2
FTK Imager shows the file's modified timestamp in 12-hour clock format, but the answer has to be given in 24-hour clock format, so convert it before submitting.

Question 3
What is the SHA1 hash value of the malware?
Answer 3
Right-clicking the malware in FTK Imager and exporting its file hash list is a clean, safe way to obtain a SHA1 value without copying the sample out of the image, and that hash can then be looked up on VirusTotal. That was not an option here, so I turned to the Amcache hive (C:\Windows\AppCompat\Programs\Amcache.hve), which records executables seen on the system along with their SHA1. Running Eric Zimmerman's AmcacheParser against the hve file converts it to CSV, which gave me the following entry (timestamp, SHA1, IsOsComponent, full path, name):
2022-11-15 21:19:01,fa1002b02fc5551e075ec44bb4ff9cc13d563dcf,False,c:\users\public\downloads\sysinternals.exe,SysInternals.exe
Question 4
Based on the Alibaba vendor, what is the malware’s family?
Answer 4
Now I can take the SHA1 hash to VirusTotal:

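As an added example (not part of the lab writeup, and not code from AmcacheParser), the following Python cross-checks the Amcache lookup from Answer 3 before the hash goes to VirusTotal in Answer 4: it reads a constructed CSV in the column layout quoted above, pulls the SHA1 for the downloaded path, and computes a SHA1 the way Amcache does so that an Amcache value and a file exported from FTK Imager can be reconciled. The rows other than the sysinternals.exe line, the 31,457,280-byte hashing limit, and the helper names are my assumptions.

```python
import csv
import hashlib
import io

# Assumption (stated in the lead-in): Amcache hashes only the first
# 31,457,280 bytes of a file, so a large binary's Amcache SHA1 will not
# equal the full-file hash that FTK Imager or sha1sum reports.
AMCACHE_HASH_LIMIT = 31_457_280

# Constructed sample in the column layout quoted in the writeup. The
# sysinternals.exe row carries the lab's hash and path; the other two rows
# are invented filler so the filter has something to skip.
SAMPLE_CSV = (
    "FileKeyLastWriteTimestamp,SHA1,IsOsComponent,FullPath,Name\n"
    "2022-11-15 20:02:10,1111111111111111111111111111111111111111,True,"
    "c:\\windows\\system32\\notepad.exe,notepad.exe\n"
    "2022-11-15 21:19:01,fa1002b02fc5551e075ec44bb4ff9cc13d563dcf,False,"
    "c:\\users\\public\\downloads\\sysinternals.exe,SysInternals.exe\n"
    "2022-11-15 21:20:44,2222222222222222222222222222222222222222,False,"
    "c:\\users\\public\\downloads\\readme.txt,readme.txt\n"
)


def normalize_sha1(value):
    """Accept both the parser's 40-hex SHA1 and the raw registry form.

    The raw Amcache value is prefixed with '0000' (44 hex chars);
    AmcacheParser strips it, but an analyst copying from the hive may not.
    """
    value = value.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value


def parse_amcache_csv(text):
    """Parse AmcacheParser file-entry CSV text into a list of row dicts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["SHA1"] = normalize_sha1(row["SHA1"])
    return rows


def find_entries(rows, path_fragment):
    """Case-insensitive substring match on FullPath (Amcache lower-cases it)."""
    needle = path_fragment.lower()
    return [r for r in rows if needle in r["FullPath"].lower()]


def amcache_sha1(data, limit=AMCACHE_HASH_LIMIT):
    """SHA1 computed the Amcache way: over at most `limit` leading bytes."""
    return hashlib.sha1(data[:limit]).hexdigest()


def matches_amcache(entry, data, limit=AMCACHE_HASH_LIMIT):
    """True if the bytes of an exported file agree with the Amcache record."""
    return amcache_sha1(data, limit) == normalize_sha1(entry["SHA1"])


if __name__ == "__main__":
    rows = parse_amcache_csv(SAMPLE_CSV)
    for entry in find_entries(rows, r"public\downloads\sysinternals"):
        print(entry["FileKeyLastWriteTimestamp"], entry["SHA1"], entry["FullPath"])
```

Two caveats worth keeping in mind when using this against a real image: the Amcache SHA1 covers only the leading 31,457,280 bytes of a file, so for a large binary it will differ from the full-file hash, and FileKeyLastWriteTimestamp is when the Amcache key was written, not the NTFS modified time that Question 2 asks for.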
Question 5
What is the first mapped domain’s Fully Qualified Domain Name (FQDN)?
Answer 5
Looking under the relations tab reveals the answer:

Question 6
The mapped domain is linked to an IP address. What is that IP address?
Answer 6
There was one place that sprang to mind when thinking about where a domain-to-IP mapping can be stored in the Windows file system: the hosts file.
Navigating to the following path in the image, I was able to obtain the IP address mapped to the domain above:
Windows/System32/drivers/etc/hosts
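To make the hosts-file check repeatable, here is an added Python example (not from the writeup) that parses a constructed hosts file in the Windows layout, resolves a hostname to the address it is pinned to, and lists every entry that is not the loopback localhost mapping, which is the quickest way to spot redirections a dropper has added. The hostnames and addresses in the sample are placeholders, not the lab's values; the abridged Microsoft comment header is there only so the parser is exercised on real-looking noise.

```python
import ipaddress

# Constructed hosts file: an abridged version of the default Windows
# comment block, a normal localhost line, two invented mappings of the kind
# malware adds, and one garbage line. Names and addresses are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1       localhost
198.51.100.23   update.example-cdn.test   cdn.example-cdn.test   # pinned by the dropper
203.0.113.7\tTELEMETRY.EXAMPLE.test
not-an-ip    junk.test
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Handles whole-line and trailing '#' comments, blank lines, tabs and
    several hostnames on one line, and rejects lines whose first field is
    not an IP address so stray text does not turn into a mapping.
    """
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mappings.append((str(ip), name.lower()))
    return mappings


def resolve(mappings, hostname):
    """Return every address the hosts file pins `hostname` to (case-insensitive)."""
    hostname = hostname.lower().rstrip(".")
    return [ip for ip, name in mappings if name == hostname]


def suspicious_entries(mappings):
    """Everything except loopback->localhost, the only mapping a stock Windows hosts file needs."""
    return [
        (ip, name)
        for ip, name in mappings
        if not (ipaddress.ip_address(ip).is_loopback and name == "localhost")
    ]


if __name__ == "__main__":
    mappings = parse_hosts(SAMPLE_HOSTS)
    print("update.example-cdn.test ->", resolve(mappings, "update.example-cdn.test"))
    for ip, name in suspicious_entries(mappings):
        print("non-default hosts entry:", ip, name)
```

On a mounted image, read C:\Windows\System32\drivers\etc\hosts and feed its text to parse_hosts; anything suspicious_entries returns is worth comparing against the domains VirusTotal listed under Relations.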
Question 7
What is the name of the executable dropped by the first-stage executable?
Answer 7
Looking at the Behavior tab of the VirusTotal page, you can see that the malware drops another executable, vmtoolsio.exe.

Question 8
What is the name of the service installed by 2nd-stage executable?
Answer 8
The same command line in the Behavior tab makes it clear that the service started is VMwareIOHelperService:

