DumpMe (Memory Image Forensics)

Scenario

One of the SOC analysts took a memory dump from a machine infected with Meterpreter malware. As a digital forensicator, your job is to analyze the dump, extract the available indicators of compromise (IOCs), and answer the provided questions.

Given File

Triage-Memory.mem

Tool

Volatility

Challenge Questions

  • What is the SHA1 hash of triage.mem (memory dump)?
  • What volatility profile is the most appropriate for this machine?
  • What was the process ID of notepad.exe?
  • Name the child process of wscript.exe.
  • What was the IP address of the machine at the time the RAM dump was created?
  • Based on the answer regarding the infected PID, can you determine the IP of the attacker?
  • How many processes are associated with VCRUNTIME140.dll?
  • After dumping the infected process, what is its md5 hash?
  • What is the LM hash of Bob's account?
  • What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
  • What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
  • There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
  • An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
  • What was written in notepad.exe at the time when the memory dump was captured?
  • What is the short name of the file at file record 59045?
  • This box was exploited and is running meterpreter. What was the infected PID?