BlackEnergy

Lab link: https://cyberdefenders.org/blueteam-ctf-challenges/blackenergy/

Q1 Which volatility profile would be best for this machine?

Answer: WinXPSP2x86

Q2 How many processes were running when the image was acquired?

Processes with a value in the Exit column have already terminated, so they are not counted as running; only rows with an empty Exit column count.

Answer: 19

Q3 What is the process ID of cmd.exe?

Answer: 1960
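As an added example (not part of the original writeup), the Exit-column rule used for Q2 and the PID lookup used for Q3, applied to a constructed `pslist` listing rather than to the challenge image:

```python
import re
from typing import Dict, List

# Constructed sample in the layout of Volatility 2 "pslist" output (WinXP profile).
# Offsets, PIDs and timestamps are made up for illustration; they are not the challenge's data.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     53      240 ------      0
0x8213e020 smss.exe                368      4      3       19 ------      0 2015-03-21 20:34:44 UTC+0000
0x81ed9a70 svchost.exe            1012    616     16      224      0      0 2015-03-21 20:34:47 UTC+0000
0x81e5c3b8 rootkit.exe             964   1484      1       20      0      0 2015-03-21 20:39:52 UTC+0000
0x81e41a20 cmd.exe                1960    964      1       30      0      0 2015-03-21 20:40:01 UTC+0000
0x81d9c7e0 notepad.exe            1712   1484      0 --------      0      0 2015-03-21 20:38:10 UTC+0000   2015-03-21 20:38:30 UTC+0000
"""

# Volatility prints timestamps as "YYYY-MM-DD HH:MM:SS UTC+0000"; a row with two of them
# carries an Exit time, i.e. the EPROCESS is still linked in the list but the process has terminated.
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

def parse_pslist(text: str) -> List[Dict]:
    """Parse pslist rows (lines beginning with the 0x offset) into dicts with name, pid, ppid, start, exit."""
    procs = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # skip header and separator rows
        fields = line.split()  # whitespace-separated columns; process names contain no spaces
        stamps = TIMESTAMP.findall(line)
        procs.append({
            "name": fields[1], "pid": int(fields[2]), "ppid": int(fields[3]),
            "start": stamps[0] if stamps else None,       # System has no Start time
            "exit": stamps[1] if len(stamps) == 2 else None,
        })
    return procs

def running(procs: List[Dict]) -> List[Dict]:
    """Processes with an empty Exit column are the ones still running at acquisition time."""
    return [p for p in procs if p["exit"] is None]

def pids_of(procs: List[Dict], name: str) -> List[int]:
    return [p["pid"] for p in procs if p["name"].lower() == name.lower()]

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("running:", len(running(procs)), "cmd.exe:", pids_of(procs, "cmd.exe"))
```

On the constructed sample this reports 5 running processes (notepad.exe has exited) and PID 1960 for cmd.exe; the same functions run unchanged over a saved `pslist` output file.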

Q4 What is the name of the most suspicious process?

This process also appears in the previous screenshot; the name rootkit is itself suspicious.

Answer: rootkit.exe

Q5 Which process shows the highest likelihood of code injection?

This process also appears in the previous screenshot.

Answer: svchost.exe

Q6 There is an odd file referenced in the recent process. Provide the full path of that file.

Dump the handles of this process and filter on the File object type.

Answer: C:\WINDOWS\system32\drivers\str.sys

Q7 What is the name of the injected dll file loaded from the recent process?

Answer: msxml3r.dll

Q8 What is the base address of the injected dll?

Answer: 0x980000
