Sysinternals
- Log in, then start vmplayer and load /virtual/Windows10.vmwarevm
- Choose "I moved it" if it asks
- Log in as student; ask arnold! for the password (SnowWhite)
- Navigate to the sysinternals directory
- Launch procexp
- There is something funny going on this system; see if you can find it.
- See if all of the running binaries are signed; take a look at a few of them.
- Examine the Path for svchost.exe, look at some of the strings in the binary, find out if it is signed, and submit it to VirusTotal.
- "Process->Check VirusTotal.com" submits a running image to VirusTotal.
- "Options->VirusTotal" checks all running images. This submits hashes only; if an image shows as 'Unknown', you will need to submit it explicitly.
- If you find any questionable tasks, search for them online to determine what they do, and look at the process to determine where the executable lives. Let the class know, then kill it.
- Restart the VM to see if the process comes back.
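The checks above (image path, signature, hash for VirusTotal, and a system-process name running from the wrong place) can also be done from PowerShell so the result can be kept for the write-up. The script below is an added example for this lab, not part of the handout or of Sysinternals; it assumes an elevated shell on the Windows 10 VM and uses only built-in cmdlets (Get-Process, Get-AuthenticodeSignature, Get-FileHash).

```powershell
# Added example (not part of the lab handout): triage running processes the way
# the procexp steps above do, but from PowerShell so the result can be saved.
# Assumptions: run from an elevated shell on the Windows 10 VM; the image path
# of protected system processes may be unreadable and is then reported as empty.

# Image names that should only ever run from the Windows directory.
$systemNames = @('svchost.exe','lsass.exe','csrss.exe','winlogon.exe',
                 'services.exe','explorer.exe','smss.exe','wininit.exe')
$windowsDir  = $env:SystemRoot            # normally C:\Windows
$profileDir  = $env:USERPROFILE           # e.g. C:\Users\student

$report = foreach ($p in Get-Process) {
    $path  = $p.Path                      # $null for PID 4 (System) and protected processes
    $flags = @()

    if (-not $path) {
        # The real 'System' is PID 4 and has no image on disk. Anything else
        # calling itself 'System' is the decoy this lab is about.
        if ($p.ProcessName -eq 'System' -and $p.Id -ne 4) { $flags += 'fake-System' }
    } else {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash   # look this up on VirusTotal

        if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
        if ($path.StartsWith($profileDir, 'OrdinalIgnoreCase')) { $flags += 'runs-from-profile' }
        $exe = [IO.Path]::GetFileName($path)
        if ($systemNames -contains $exe -and
            -not $path.StartsWith($windowsDir, 'OrdinalIgnoreCase')) { $flags += 'system-name-wrong-path' }
        # A process named 'System' that has a path on disk is never the kernel process.
        if ($p.ProcessName -eq 'System') { $flags += 'fake-System' }
    }

    [pscustomobject]@{
        PID    = $p.Id
        Name   = $p.ProcessName
        Path   = $path
        Signer = if ($path) { $sig.SignerCertificate.Subject } else { $null }
        SHA256 = if ($path) { $hash } else { $null }
        Flags  = ($flags -join ',')
    }
}

# Show the flagged processes first, then keep the full list for the write-up.
$report | Where-Object Flags | Format-Table PID, Name, Path, Flags -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\process-triage.csv" -NoTypeInformation
```

The SHA256 column is what "Options->VirusTotal" submits; a hash that comes back 'Unknown' is the case where you have to upload the file itself. Get-AuthenticodeSignature should honour catalog signatures on Windows 10, but if a Microsoft binary under C:\Windows is reported as NotSigned, confirm it with sigcheck from the sysinternals directory before treating it as a finding.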
- Hmmm, it is getting started somewhere. See if you can find out where it starts: go to Sysinternals->autoruns.
- See if you can figure out how this got started.
- Run procmon, filtered by the Image Path, to see it running. Kill it using procexp.
- Prevent this from running on autostart.
- Are there other questionable autostarts? Start with the compromised account and look in sysinternals->autoruns
- Hmmm...?
- Wash, Rinse, Repeat: Identify questionable processes, remove them, restart, see if they come back.
- 'System' seems to start from a questionable location (a .bat file in Pictures). Notice that you don't see it running using either procmon or Task Manager.
- Rename procexp (for example, to zzexp), restart the machine and start zzexp.
- Now you see 'System' running. Pull up the process, submit it to VirusTotal, look at the strings in the executable, and try to kill the one running out of the student directory.
- Each of the processes watches and runs the other. Kill the process tree, or pause both and then kill them.
- Use autoruns to see if you can find all of the places that this process is started from. There is more than one spot!
- Remove and restart.
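Autoruns covers far more locations than the ones this lab needs, but the persistence here lives in the usual places: Run keys, Startup folders, scheduled tasks and services. The script below is an added example, not part of the handout or of Sysinternals, that walks those four locations and flags entries pointing at a user profile, a script such as a .bat file, or an unsigned or missing target. It assumes an elevated shell on the Windows 10 VM and that you are logged in as the compromised student account so that its hive is read as HKCU.

```powershell
# Added example (not part of the lab handout): enumerate the common autostart
# locations that autoruns reads and flag the suspicious entries. Assumes an
# elevated shell on the Windows 10 VM, logged in as the account being examined.

$profileDir = $env:USERPROFILE
$entries = New-Object System.Collections.Generic.List[object]

function Add-Entry($Source, $Name, $Command) {
    if (-not $Command) { return }
    # Pull the executable or script path out of a command line, quoted or not.
    $target = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $target = [Environment]::ExpandEnvironmentVariables($target)
    # Startup-folder entries are usually .lnk shortcuts: resolve them to the real target.
    if ($target -like '*.lnk' -and (Test-Path -LiteralPath $target)) {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($target).TargetPath
    }
    $flags = @()
    if ($target -like "$profileDir*")             { $flags += 'user-profile' }
    if ($target -match '\.(bat|cmd|vbs|js|ps1)$')  { $flags += 'script' }
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        $status = (Get-AuthenticodeSignature -FilePath $target).Status
        if ($status -ne 'Valid') { $flags += "sig:$status" }
    } else {
        $flags += 'target-missing'
    }
    $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Target = $target; Flags = ($flags -join ',') })
}

# 1. Run / RunOnce keys for the machine and the current user (autoruns 'Logon' tab).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PSPath/PSParentPath/... properties the provider adds.
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' })) {
        Add-Entry $key $name $props.$name
    }
}

# 2. Startup folders, per-user and all-users.
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry $dir $_.Name $_.FullName }
}

# 3. Scheduled tasks (autoruns 'Scheduled Tasks' tab); only Exec actions have a command.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Entry "Task:$($task.TaskPath)" $task.TaskName "$($a.Execute) $($a.Arguments)" }
    }
}

# 4. Services whose binary lives outside the Windows directory (autoruns 'Services' tab).
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
    ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }

$entries | Where-Object Flags | Format-Table Source, Name, Target, Flags -Wrap
```

Run it once before removing anything and once after the restart: an entry that reappears in a location you did not clean is the "more than one spot" the lab refers to. Anything flagged 'user-profile' together with 'script' is the shape of the .bat file in Pictures; entries whose target is 'target-missing' are worth recording too, since a file that has been deleted but is still referenced tells you where the persistence used to be.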
- If we wanted to explore what this malware was actually doing, we would have examined it further while it was running.