BlackEnergy
Link lab : https://cyberdefenders.org/blueteam-ctf-challenges/blackenergy/
Last updated
Q1 Which volatility profile would be best for this machine?
Answer : WinXPSP2x86
Q2 How many processes were running when the image was acquired?
Answer : 19
Q3 What is the process ID of cmd.exe?
Answer : 1960
Q4 What is the name of the most suspicious process?
This process also appears in the previous screenshot of the process list; a process named "rootkit" is suspicious on its face.
Answer : rootkit.exe
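As an added example (not part of this writeup), a small Python parser for the text layout that the Volatility 2 `pslist` plugin prints, run over a constructed sample rather than the challenge image; it answers the kind of questions asked in Q2 to Q4: how many listed processes had no exit time, which PID belongs to a given name, and which parent chain a process hangs from. The sample offsets, PIDs and timestamps are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout of Volatility 2 `pslist`
# (made-up values, NOT the real output of the BlackEnergy image).
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     55      250 ------      0
0x8221e020 smss.exe                544      4      3       21 ------      0 2020-01-01 00:00:00 UTC+0000
0x821a3020 svchost.exe             840    672     10      120      0      0 2020-01-01 00:00:03 UTC+0000
0x8219f3c8 rootkit.exe            1144    840      1       12      0      0 2020-01-01 00:05:00 UTC+0000
0x82118da0 cmd.exe                1972   1144      1       32      0      0 2020-01-01 00:05:02 UTC+0000
0x8211c020 notepad.exe            1500   1144      0        0      0      0 2020-01-01 00:04:00 UTC+0000   2020-01-01 00:04:30 UTC+0000
"""

@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    start: Optional[str]
    exit: Optional[str]   # None means the process was alive at acquisition

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
# Offset, Name, PID, PPID, Thds, Hnds, Sess, Wow64, then optional Start/Exit.
ROW = re.compile(
    r"^0x[0-9a-f]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\d+\s+\S+\s+\d+"
    rf"(?:\s+(?P<start>{TIMESTAMP}))?(?:\s+(?P<exit>{TIMESTAMP}))?\s*$"
)

def parse_pslist(text: str) -> List[Proc]:
    """Turn pslist output into Proc records; header/separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), int(m["ppid"]), m["start"], m["exit"]))
    return procs

def running(procs: List[Proc]) -> List[Proc]:
    """Processes still running when the image was taken: no Exit timestamp (Q2)."""
    return [p for p in procs if p.exit is None]

def pids_by_name(procs: List[Proc], name: str) -> List[int]:
    """All PIDs carrying a given image name, e.g. cmd.exe (Q3)."""
    return [p.pid for p in procs if p.name.lower() == name.lower()]

def parent_chain(procs: List[Proc], pid: int) -> List[str]:
    """Walk PPIDs upward to see what launched a process (stops at unknown parents)."""
    by_pid = {p.pid: p for p in procs}
    chain: List[int] = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return [by_pid[p].name for p in chain]
```

On a real image, feed it the saved output of `vol.py -f <image> --profile=WinXPSP2x86 pslist` and check the parent chain of any unexpected process against what the rest of the list says.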
Q5 Which process shows the highest likelihood of code injection?
This process also appears in the previous screenshot of the process list.
Answer : svchost.exe
Q6 There is an odd file referenced in the recent process. Provide the full path of that file?
Answer : C:\WINDOWS\system32\drivers\str.sys
Q7 What is the name of the injected dll file loaded from the recent process?
Answer : msxml3r.dll
Q8 What is the base address of the injected dll?
Answer : 0x980000