Sysinternals

Lab link: https://cyberdefenders.org/blueteam-ctf-challenges/sysinternals/

Q1 What was the malicious executable file name that the user downloaded?

Answer : Sysinternals.exe

Q2 When was the last time the malicious executable file was modified? 12-hour format

Convert the modification timestamp to 12-hour format.

Answer : 11/15/2022 09:18:51 PM

Q3 What is the SHA1 hash value of the malware?

Answer :

fa1002b02fc5551e075ec44bb4ff9cc13d563dcf

Q4 What is the malware's family?

The result may differ depending on the day, since new detections for this malware keep being added.

Answer : rozena

Q5 What is the first mapped domain's Fully Qualified Domain Name (FQDN)?

Answer : www.malware430.com

Q6 The mapped domain is linked to an IP address. What is that IP address?

The previous screenshot also shows the IP address that is needed here.

Answer :

192.168.15.10

Q7 What is the name of the executable dropped by the first-stage executable?

This may not be the right file to analyze; look for other samples.

Found another sample on Hybrid Analysis:

To find the executable dropped by the first-stage executable, note that it creates another process when run, so look under the "Spawn new Process" tag.

Moving to that process:

Answer : vmtoolsIO.exe

Q8 What is the name of the service installed by 2nd stage executable?

The Hybrid Analysis result also lists the service.

Answer : VMwareIOHelperService

Q9 What is the extension of files deleted by the 2nd stage executable?

Prefetch files are great artifacts for forensic investigators trying to analyze which applications have been run on a system -> https://www.magnetforensics.com/blog/forensic-analysis-of-prefetch-files-in-windows/

Answer : pf
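As an added example (not part of this writeup or of the challenge), a small parser for the fixed header of an uncompressed Windows prefetch (.pf) file, to show what evidence an investigator loses when the second stage deletes these files. The run-count offsets per format version are assumed from public format documentation, and the sample blob is constructed inline rather than taken from a real system.

```python
import struct

PF_SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"  # Windows 10+ stores .pf files LZXPRESS-Huffman compressed

# Offset of the 32-bit run counter by prefetch format version
# (assumption based on public format docs; verify against your own samples)
RUN_COUNT_OFFSET = {17: 0x90, 23: 0x98, 26: 0x98, 30: 0xD0}


def parse_prefetch_header(data: bytes) -> dict:
    """Return version, executable name, prefetch hash and run count
    from the fixed header of an uncompressed .pf file."""
    if data[:4] == MAM_SIGNATURE:
        raise ValueError("MAM-compressed prefetch: decompress before parsing")
    if len(data) < 84 or data[4:8] != PF_SIGNATURE:
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version, = struct.unpack_from("<I", data, 0)
    file_size, = struct.unpack_from("<I", data, 12)
    # Executable name: 60 bytes of UTF-16LE, NUL terminated
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 76)
    offset = RUN_COUNT_OFFSET.get(version)
    run_count = None
    if offset is not None and len(data) >= offset + 4:
        run_count, = struct.unpack_from("<I", data, offset)
    return {"version": version, "file_size": file_size, "exe_name": exe_name,
            "prefetch_hash": pf_hash, "run_count": run_count}


def build_sample_prefetch(exe_name: str, version: int, run_count: int) -> bytes:
    """Constructed sample: a minimal uncompressed prefetch blob, not a real file."""
    offset = RUN_COUNT_OFFSET[version]
    buf = bytearray(offset + 4)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe_name.encode("utf-16-le")[:58]
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)  # constructed hash value
    struct.pack_into("<I", buf, offset, run_count)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_prefetch("SYSINTERNALS.EXE", 30, 3)
    print(parse_prefetch_header(sample))
```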
