TryHackMe - New Hire Old Artifacts - Notes
Octavious W.
Incident Response | Digital Forensics | Vulnerability Analysis | Security+ | CHFI | CEH | Cisco Certified CyberOps Associate | GFACT | GSEC (2025) | GCIH (2025)
Scenario Notes:
- Widget LLC has some concerns with the endpoints in the Finance Dept.
- Especially an endpoint for a recently hired Financial Analyst.
- The concern is that there was a period (December 2021) when the endpoint security product was turned off, but an official investigation was never conducted.
- Your manager has tasked you to sift through the events of Widget LLC's Splunk instance to see if there is anything that the customer needs to be alerted on.
Questions:
Question 1:
A Web Browser Password Viewer executed on the infected machine. What is the name of the binary? Enter the full path.
Answer:
C:\Users\FINANC~1\AppData\Local\Temp\11111.exe
Explanation:
Start with a wildcard search (*) to see every event in the index.
Narrow the results by filtering on the user we know was compromised (someone in FINANCE, per the scenario notes); this takes the count from roughly 27k down to 4k events.
Click the Description field and select the Web Browser Password Viewer value.
Click the Image field to list the executables; the full path shown there is the answer.
Question 2:
What is listed as the company name?
Answer:
Nirsoft
Explanation:
Click the Show all 31 lines link on the first event and scroll down to the Company field.
Question 3:
Another suspicious binary running from the same folder was executed on the workstation. What was the name of the binary? What is listed as its original filename? (format: file.xyz,file.xyz)
Answer:
IonicLarge.exe, PalitExplorer.exe
Explanation:
Broaden the search back out to all events related to the Finance machine.
Click the Image field to see the executables.
There is another odd-looking executable in the same Temp folder: IonicLarge.exe.
Click the IonicLarge.exe value, then click the OriginalFileName field and select PalitExplorer.exe.
The first event confirms that the OriginalFileName of IonicLarge.exe is PalitExplorer.exe. A mismatch between the on-disk name and the PE's OriginalFileName is itself a useful indicator of a renamed or repackaged binary.
Question 4:
The binary from the previous question made two outbound connections to a malicious IP address. What was the IP address? Enter the answer in a defang format.
Answer:
2[.]56[.]59[.]42
Explanation:
Modify the search to return only events for IonicLarge.exe.
Click the DestinationIP field; one IP appears with 2 connections (Sysmon EventCode 3, network connection).
Defang the IP address in CyberChef, or simply replace each dot with [.].
Question 5:
The same binary made some change to a registry key. What was the key path?
Answer:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
Explanation:
Search for the name of the executable together with the word registry.
Check the EventCode field.
Look up what those Sysmon event IDs mean: 12 is a registry key created or deleted, 13 is a registry value set, and 14 is a key or value renamed.
Select EventCode 13.
Looking through the logs we can see a pattern of value sets under the Windows Defender policy key. Note that TargetObject holds the full path including the value name, so the key path asked for is its parent, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
Question 6:
Some processes were killed and the associated binaries were deleted. What were the names of the two binaries? (format: file.xyz,file.xyz)
Answer:
phcIAmLJMAIMSa9j9MpgJo1m.exe, WvmIOrcfsuILdX6SNwIRmGOJ.exe
Explanation:
Create a table of all CommandLine values in the Sysmon logs.
Remove the duplicate values.
Going through the results, we find two command lines that taskkill a process and then delete (del/erase) its binary from disk.
Question 7:
The attacker ran several commands within a PowerShell session to change the behaviour of Windows Defender. What was the last command executed in the series of similar commands?
Answer:
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
Explanation:
Look for all events related to PowerShell and Windows Defender.
List all the CommandLine field values with duplicates removed.
Go to the last event and look at the last PowerShell command that was run.
Question 8:
Based on the previous answer, what were the four IDs set by the attacker? Enter the answer in order of execution. (format: 1st,2nd,3rd,4th)
Answer:
2147735503, 2147737010, 2147737007, 2147737394
Explanation:
Read the ThreatIDDefaultAction_Ids value out of each of the four WMIC MSFT_MpPreference commands, in timestamp order; the last one matches the previous answer.
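As an added example (not part of the original notes or the TryHackMe room), the following Python reproduces the Q6 to Q8 steps as code: deduplicate command lines in execution order, pick out the ones that taskkill a process and then delete its binary in the same command, and pull the ThreatIDDefaultAction_Ids values from the WMIC MSFT_MpPreference commands in timestamp order. The sample command lines, timestamps and file paths are constructed; only the WMIC command shape, the four threat IDs and the two binary names come from the answers above.

```python
import re
from typing import List, Optional, Tuple

# Template of the Defender-tampering command reported in Q7 (ID filled in per event).
WMIC = ("powershell WMIC /NAMESPACE:\\\\root\\Microsoft\\Windows\\Defender PATH MSFT_MpPreference "
        "call Add ThreatIDDefaultAction_Ids={} ThreatIDDefaultAction_Actions=6 Force=True")
TEMP = "C:\\Users\\Finance01\\AppData\\Local\\Temp\\"   # assumed drop folder

# Constructed (UtcTime, CommandLine) pairs, listed out of order and with one
# repeat, the way raw search results come back. Timestamps and paths are
# invented; the threat IDs and the two binary names come from the notes.
EVENTS: List[Tuple[str, str]] = [
    ("2021-12-01 10:00:05", "cmd.exe /c whoami"),
    ("2021-12-01 10:01:10", WMIC.format(2147735503)),
    ("2021-12-01 10:01:14", WMIC.format(2147737007)),   # indexed before the 10:01:12 event
    ("2021-12-01 10:01:12", WMIC.format(2147737010)),
    ("2021-12-01 10:01:16", WMIC.format(2147737394)),
    ("2021-12-01 10:01:16", WMIC.format(2147737394)),   # duplicate of the line above
    ("2021-12-01 10:05:00", "cmd.exe /c taskkill /f /im phcIAmLJMAIMSa9j9MpgJo1m.exe & del "
                            + TEMP + "phcIAmLJMAIMSa9j9MpgJo1m.exe & exit"),
    ("2021-12-01 10:05:02", "cmd.exe /c taskkill /f /im WvmIOrcfsuILdX6SNwIRmGOJ.exe & erase "
                            + TEMP + "WvmIOrcfsuILdX6SNwIRmGOJ.exe & exit"),
    ("2021-12-01 10:05:10", "cmd.exe /c taskkill /f /im notepad.exe"),   # kill without delete: not reported
]

KILL_RE = re.compile(r"taskkill\b[^&]*?/im\s+(?P<name>[^\s&]+)", re.IGNORECASE)
DELETE_RE = re.compile(r"\b(?:del|erase)\b\s+(?P<path>[^\s&]+)", re.IGNORECASE)
THREAT_ID_RE = re.compile(r"ThreatIDDefaultAction_Ids=(?P<id>\d+)")


def unique_commandlines(events: List[Tuple[str, str]]) -> List[str]:
    """Every distinct CommandLine in UtcTime order, first occurrence kept (the 'dedup' step)."""
    seen, out = set(), []
    for _, cmd in sorted(events, key=lambda e: e[0]):
        if cmd not in seen:
            seen.add(cmd)
            out.append(cmd)
    return out


def kill_and_delete_targets(events: List[Tuple[str, str]]) -> List[str]:
    """Q6: binaries that one command line both taskkill'd and then deleted/erased."""
    found: List[str] = []
    for cmd in unique_commandlines(events):
        kill = KILL_RE.search(cmd)
        if not kill:
            continue
        name = kill.group("name")
        for dele in DELETE_RE.finditer(cmd):
            # Compare only the file name of the deleted path with the killed image name.
            if dele.group("path").rsplit("\\", 1)[-1].lower() == name.lower() and name not in found:
                found.append(name)
    return found


def defender_threat_id_commands(events: List[Tuple[str, str]]) -> List[str]:
    """Q7: the WMIC MSFT_MpPreference commands that set a threat ID, in execution order."""
    return [cmd for cmd in unique_commandlines(events)
            if "MSFT_MpPreference" in cmd and THREAT_ID_RE.search(cmd)]


def defender_threat_ids(events: List[Tuple[str, str]]) -> List[str]:
    """Q8: the ThreatIDDefaultAction_Ids values in the order they were set."""
    return [THREAT_ID_RE.search(cmd).group("id") for cmd in defender_threat_id_commands(events)]


def last_defender_command(events: List[Tuple[str, str]]) -> Optional[str]:
    cmds = defender_threat_id_commands(events)
    return cmds[-1] if cmds else None


if __name__ == "__main__":
    print("Q6:", kill_and_delete_targets(EVENTS))
    print("Q7:", last_defender_command(EVENTS))
    print("Q8:", defender_threat_ids(EVENTS))
```

The sort on UtcTime matters: Splunk returns events newest first by default, so reading IDs straight off the screen gives them in reverse order of execution. The delete check deliberately requires the deleted file name to match the killed image name, so a lone taskkill (the notepad.exe line) is not reported.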
Question 9:
Another malicious binary was executed on the infected workstation from another AppData location. What was the full path to the binary?
Answer:
C:\Users\Finance01\AppData\Roaming\EasyCalc\EasyCalc.exe
Explanation:
Look for all Sysmon events on the target finance machine whose path is under AppData but outside the AppData\Local folder already examined (use an extra \ to escape the \ in the path).
List Image, CommandLine, Company, and Description in a table with duplicates removed.
EasyCalc.exe stands out: it has no Description, its Company is not Microsoft Corporation, and it runs from AppData\Roaming rather than a Program Files location.
Question 10:
What were the DLLs that were loaded from the binary from the previous question? Enter the answers in alphabetical order. (format: file1.dll,file2.dll,file3.dll)
Answer:
ffmpeg.dll, nw.dll, nw_elf.dll
Explanation:
Display a table of the OriginalFileName and Description of every event related to the malicious EasyCalc.exe binary, removing duplicates on OriginalFileName.
Three libraries loaded by the suspicious binary are visible (Sysmon EventCode 7, image loaded).
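As an added example (not from the original notes or the room), the following Python applies the Q4, Q5 and Q10 pivots to a handful of constructed Sysmon-style events: count network connections (EventCode 3) per destination for a given image and defang the IPs, recover the registry key path from EventCode 13 TargetObject values, and list the DLLs loaded (EventCode 7) by a binary. Ports, the registry value names and the svchost/kernel32 noise events are invented; the image paths, IP address, key path and DLL names are those reported above. The DLL function also restricts results to DLLs loaded from the binary's own folder, an assumption added here to separate bundled libraries from ordinary system DLL loads.

```python
from collections import Counter
from typing import Dict, List, Optional

IONIC = "C:\\Users\\FINANC~1\\AppData\\Local\\Temp\\IonicLarge.exe"
EASYCALC_DIR = "C:\\Users\\Finance01\\AppData\\Roaming\\EasyCalc"
EASYCALC = EASYCALC_DIR + "\\EasyCalc.exe"

# Constructed Sysmon-style events, reduced to the fields Splunk extracts.
# Ports, value names and the svchost/kernel32 noise are invented; image paths,
# the IP, the Defender policy key and the three DLL names come from the notes.
EVENTS: List[Dict[str, str]] = [
    {"EventCode": "1", "Image": IONIC, "OriginalFileName": "PalitExplorer.exe"},
    {"EventCode": "3", "Image": IONIC, "DestinationIP": "2.56.59.42", "DestinationPort": "443"},
    {"EventCode": "3", "Image": IONIC, "DestinationIP": "2.56.59.42", "DestinationPort": "80"},
    {"EventCode": "3", "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIP": "10.0.0.5", "DestinationPort": "53"},
    {"EventCode": "13", "Image": IONIC,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
    {"EventCode": "13", "Image": IONIC,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiVirus"},
    # EventCode 12 is key create/delete, not a value set, so the Q5 pivot ignores it.
    {"EventCode": "12", "Image": IONIC,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"},
    {"EventCode": "7", "Image": EASYCALC, "ImageLoaded": EASYCALC_DIR + "\\nw.dll", "OriginalFileName": "nw.dll"},
    {"EventCode": "7", "Image": EASYCALC, "ImageLoaded": EASYCALC_DIR + "\\ffmpeg.dll", "OriginalFileName": "ffmpeg.dll"},
    {"EventCode": "7", "Image": EASYCALC, "ImageLoaded": EASYCALC_DIR + "\\nw_elf.dll", "OriginalFileName": "nw_elf.dll"},
    {"EventCode": "7", "Image": EASYCALC, "ImageLoaded": EASYCALC_DIR + "\\nw.dll", "OriginalFileName": "nw.dll"},  # repeat load
    {"EventCode": "7", "Image": EASYCALC, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "OriginalFileName": "kernel32.dll"},  # system DLL, not from the binary's folder
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def events_for_image(events: List[Dict[str, str]], image_name: str,
                     event_code: Optional[int] = None) -> List[Dict[str, str]]:
    """Events whose Image file name matches image_name (case-insensitive), optionally one EventCode."""
    return [e for e in events
            if _basename(e.get("Image", "")).lower() == image_name.lower()
            and (event_code is None or e.get("EventCode") == str(event_code))]


def defang(ip: str) -> str:
    return ip.replace(".", "[.]")


def outbound_connections(events: List[Dict[str, str]], image_name: str) -> Dict[str, int]:
    """Q4: number of network-connection events (EventCode 3) per destination IP, defanged."""
    return dict(Counter(defang(e["DestinationIP"]) for e in events_for_image(events, image_name, 3)))


def registry_keys_set(events: List[Dict[str, str]], image_name: str) -> List[str]:
    """Q5: key paths touched by value-set events (EventCode 13). TargetObject carries the
    full path including the value name, so the key is its parent."""
    return sorted({_dirname(e["TargetObject"]) for e in events_for_image(events, image_name, 13)})


def dlls_loaded_from_own_dir(events: List[Dict[str, str]], image_name: str) -> List[str]:
    """Q10: DLLs (EventCode 7) loaded from the binary's own folder, deduplicated and sorted."""
    names = set()
    for e in events_for_image(events, image_name, 7):
        if _dirname(e["ImageLoaded"]).lower() == _dirname(e["Image"]).lower():
            names.add(e["OriginalFileName"])
    return sorted(names)


if __name__ == "__main__":
    print("Q4:", outbound_connections(EVENTS, "IonicLarge.exe"))
    print("Q5:", registry_keys_set(EVENTS, "IonicLarge.exe"))
    print("Q10:", dlls_loaded_from_own_dir(EVENTS, "EasyCalc.exe"))
```

Matching on the Image file name rather than the full path is deliberate: the same binary shows up under both the 8.3 short path (FINANC~1) and the long user-profile path in real telemetry, and a full-path filter would silently drop half the events.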