Evil Twin

Challenge:

One of the junior analysts thinks that there is a duplicate process - an “evil twin” - masquerading as a legitimate process. What is the name of the malicious process? Submit the flag as flag{process_name.ext}

Use the file from Captured Memories.
Max Attempts: 5

Solution:

Using Volatility3 with the PsTree plugin, I generated a process tree listing:

vol.py -f mem.raw windows.pstree.PsTree

I spent quite a bit of time analyzing each process while paying extra attention to what the parent process was for each process. Eventually, I found an interesting set of explorer.exe processes running. This was one of the sets and looks like the expected process tree during legitimate use:

PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime
564	500	winlogon.exe	0x87868f2e1080	5	-	1	False	2020-06-26 15:07:45.000000 	N/A
* 2184	564	userinit.exe	0x87868f2e1080	0	-	1	False	2020-06-26 15:08:57.000000 	2020-06-26 15:09:12.000000 
** 2316	2184	explorer.exe	0x87868f2e1080	93	-	1	False	2020-06-26 15:08:57.000000 	N/A
*** 6096	2316	explorer.exe	0x87868f2e1080	0

However, the second set of explorer.exe processes was launched by cmd.exe, which had been launched by SearchIndexer.

PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime
528	424	wininit.exe	0x87868f2e1080	1	-	0	False	2020-06-26 15:07:45.000000 	N/A
* 648	528	services.exe	0x87868f2e1080	6	-	0	False	2020-06-26 15:07:46.000000 	N/A
** 4448	648	SearchIndexer.	0x87868f2e1080	23	-	0	False	2020-06-26 15:09:31.000000 	N/A
*** 3944	4448	cmd.exe	0x87868f2e1080	0	-	0	False	2020-06-26 15:37:19.000000 	2020-06-26 15:44:33.000000 
**** 5448	3944	explorer.exe	0x87868f2e1080	1	-	0	True	2020-06-26 15:43:14.000000 	N/A
*** 4424	4448	cmd.exe	0x87868f2e1080	1	-	0	False	2020-06-26 15:46:51.000000 	N/A
**** 3100	4424	explorer.exe	0x87868f2e1080	5	-	0	True	2020-06-26 15:48:21.000000 	N/A
***** 4640	3100	cmd.exe	0x87868f2e1080	1	-	0	True	2020-06-26 15:48:21.000000 	N/A

This certainly meets the “evil twin” challenge criteria, making the completed flag flag{explorer.exe}.
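As an added example (not part of the original writeup), the Python below parses PsTree's tab-separated output and flags the same anomalies the writeup spotted by hand: an explorer.exe whose parent is not userinit.exe or another explorer.exe, or which runs in session 0 or under WoW64. The sample rows are constructed from the trees above and the expected-parent table is an assumption, not Volatility's own data.

```python
# Constructed sample modelled on the windows.pstree.PsTree rows quoted above
# (not a real dump): tab-separated columns, tree depth encoded as leading '*'.
SAMPLE = """PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime
564\t500\twinlogon.exe\t0x87868f2e1080\t5\t-\t1\tFalse\t2020-06-26 15:07:45.000000\tN/A
* 2184\t564\tuserinit.exe\t0x87868f2e1080\t0\t-\t1\tFalse\t2020-06-26 15:08:57.000000\t2020-06-26 15:09:12.000000
** 2316\t2184\texplorer.exe\t0x87868f2e1080\t93\t-\t1\tFalse\t2020-06-26 15:08:57.000000\tN/A
** 4448\t648\tSearchIndexer.\t0x87868f2e1080\t23\t-\t0\tFalse\t2020-06-26 15:09:31.000000\tN/A
*** 3944\t4448\tcmd.exe\t0x87868f2e1080\t0\t-\t0\tFalse\t2020-06-26 15:37:19.000000\t2020-06-26 15:44:33.000000
**** 5448\t3944\texplorer.exe\t0x87868f2e1080\t1\t-\t0\tTrue\t2020-06-26 15:43:14.000000\tN/A
"""

# Assumed fixed lineage for a couple of logon-chain processes, taken from the
# legitimate tree in the writeup (winlogon -> userinit -> explorer).
EXPECTED_PARENT = {
    "explorer.exe": {"userinit.exe", "explorer.exe"},
    "userinit.exe": {"winlogon.exe"},
}

def parse_pstree(text):
    """Return {pid: {ppid, name, session, wow64}} from PsTree text output."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split("\t")
        if len(fields) < 8:
            continue
        pid = int(fields[0].lstrip("* "))       # drop the '*' depth markers
        procs[pid] = {"ppid": int(fields[1]), "name": fields[2],
                      "session": int(fields[6]), "wow64": fields[7] == "True"}
    return procs

def find_evil_twins(procs):
    """Flag processes whose parent, session or bitness breaks expectations."""
    findings = []
    for pid, p in procs.items():
        expected = EXPECTED_PARENT.get(p["name"])
        if expected is None:
            continue
        parent = procs.get(p["ppid"], {}).get("name", "<unknown>")
        reasons = []
        if parent not in expected:
            reasons.append(f"parent {parent}, expected one of {sorted(expected)}")
        if p["name"] == "explorer.exe" and (p["session"] == 0 or p["wow64"]):
            reasons.append("session 0 or WoW64: not a normal user desktop shell")
        if reasons:
            findings.append((pid, p["name"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for pid, name, why in find_evil_twins(parse_pstree(SAMPLE)):
        print(f"PID {pid} {name}: {why}")
```

Feed it the real `windows.pstree.PsTree` output (redirected to a file) and every explorer.exe outside the winlogon/userinit chain is listed with the reason it was flagged.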
