TryHackMe | Volatility Room Walkthrough

You can access the Volatility room here.

Task 10: Practical Investigations

Picture 1: Context for Q1 and Q2

Question 1 – What is the build version of the host machine in Case 001?

Answer: 2600.xpsp.080413-2111

Question 2 – At what time was the memory file acquired in Case 001?

Answer: 2012-07-22 02:45:08

Picture 2: Context for Q3

Question 3 –
What process can be considered suspicious in Case 001?
Note: Certain special characters may not be visible on the provided VM. When doing a copy-and-paste, it will still copy all characters.

Answer: reader_sl.exe

Picture 3: Context for Q4, Q5 & Q6

Question 4 – What is the parent process of the suspicious process in Case 001?

Answer: explorer.exe

Question 5 – What is the PID of the suspicious process in Case 001?

Answer: 1640

Question 6 – What is the parent process PID in Case 001?

Answer: 1484

Picture 4: Context for Q7

Question 7 – What user-agent was employed by the adversary in Case 001?

Answer: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

Question 8 – Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)

Answer: Y

Picture 5: Context for Q9

Question 9 – What suspicious process is running at PID 740 in Case 002?

Answer: @WannaDecryptor@

Picture 6: Context for Q10

Question 10 – What is the full path of the suspicious binary in PID 740 in Case 002?

Answer: C:\Intel\ivecuqmanpnirkt615\@[email protected]

Picture 7: Context for Q11 & Q12

Question 11 – What is the parent process of PID 740 in Case 002?

Answer: tasksche.exe

Question 12 – What is the suspicious parent process PID connected to the decryptor in Case 002?

Answer: 1940

Question 13 – From our current information, what malware is present on the system in Case 002?

Answer: WannaCry

Question 14 – What DLL is loaded by the decryptor used for socket creation in Case 002?

Answer: ws2_32.dll

Picture 8: Context for Q15

Question 15 – What mutex can be found that is a known indicator of the malware in question in Case 002?

Answer: **************************** (THE ANSWER IS IN ABOVE IMAGE)

Question 16 – What plugin could be used to identify all files loaded from the malware working directory in Case 002?

Answer: windows.[********] (FIND YOURSELF FOR THIS ONE LOL :P)