
Using sysinternals

https://www.youtube.com/watch?v=A_TPZxuTzBU


sigcheck -s -e -u *


If Autoruns does not detect the malware, check Process Monitor: the malware may put itself in the RunOnce key.

To detect this kind of malware, capture both startup and shutdown, then compare the two captures. Look at what the malware does at startup and what it does at shutdown.
To clean it, reboot the machine before it shuts down (so the malware never gets to re-add its RunOnce entry).
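The comparison described above, as an added example that is not part of the original note: a small Python script that reads two Process Monitor CSV exports (one taken at startup, one at shutdown), keeps only registry write operations that touch autostart locations (Run, RunOnce, UserInitMprLogonScript, Services), and reports which of those changes appear only in the shutdown capture. The two CSV texts are constructed sample data in Procmon's export column layout, not real captures; the process name "updater.exe" and the paths in them are made up for illustration.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Registry locations that let code run again at boot or logon.
# Matched case-insensitively as substrings of the event path.
AUTOSTART_MARKERS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
    "userinitmprlogonscript",
    "\\currentcontrolset\\services\\",
)
# Procmon operations that modify (rather than read) the registry.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}

Event = Tuple[str, str, str]  # (process name, operation, path)

# Constructed sample exports (assumption: same columns as Procmon "Save as CSV").
STARTUP_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
9:01:02.1,explorer.exe,1234,RegQueryValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive,SUCCESS,Type: REG_SZ
9:01:02.2,svchost.exe,800,RegOpenKey,HKLM\\SYSTEM\\CurrentControlSet\\Services\\Schedule,SUCCESS,Desired Access: Read
9:01:03.0,explorer.exe,1234,RegDeleteValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\updater,SUCCESS,
"""

SHUTDOWN_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
17:30:09.9,explorer.exe,1234,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop,SUCCESS,Type: REG_SZ
17:30:10.4,updater.exe,4321,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\updater,SUCCESS,"Type: REG_SZ, Length: 40, Data: C:\\Users\\Public\\updater.exe"
17:30:10.5,updater.exe,4321,WriteFile,C:\\Users\\Public\\updater.exe,SUCCESS,Offset: 0
"""


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def autostart_changes(rows: List[Dict[str, str]]) -> Set[Event]:
    """Return the registry write events that touch an autostart location."""
    found: Set[Event] = set()
    for row in rows:
        path = row["Path"]
        if row["Operation"] in WRITE_OPS and any(m in path.lower() for m in AUTOSTART_MARKERS):
            found.add((row["Process Name"], row["Operation"], path))
    return found


def compare_captures(startup: List[Dict[str, str]],
                     shutdown: List[Dict[str, str]]) -> Dict[str, Set[Event]]:
    """Split autostart changes into startup-only, shutdown-only, and shared sets.

    A value that is deleted at startup and re-created at shutdown is the
    pattern Autoruns misses while the machine is running."""
    s, d = autostart_changes(startup), autostart_changes(shutdown)
    return {"startup_only": s - d, "shutdown_only": d - s, "both": s & d}


def report(result: Dict[str, Set[Event]]) -> List[str]:
    """Render the comparison as one line per event, sorted for stable output."""
    lines = []
    for label in ("shutdown_only", "startup_only", "both"):
        for proc, op, path in sorted(result[label]):
            lines.append(f"[{label}] {proc} {op} {path}")
    return lines


if __name__ == "__main__":
    outcome = compare_captures(parse_procmon_csv(STARTUP_CSV), parse_procmon_csv(SHUTDOWN_CSV))
    print("\n".join(report(outcome)))
```

On a real system the same functions work on the files Procmon writes with "Save as CSV" for a boot-logging session and a shutdown session; the only assumption is the column layout shown in the sample data. The interesting output is the shutdown-only set: an entry that is absent (or deleted) at startup but written back at shutdown is exactly the behaviour the text describes.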

If the malware blocks your tools:
If the screen is blocked, press Win+Ctrl+D to open a new desktop.

Overview
https://medium.com/@jcm3/sysinternals-tryhackme-walkthrough-4f1e99374c75

Malware in service

https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/

https://darkdefender.medium.com/can-you-check-if-my-computers-been-hacked-f18e8f971aed

https://sec.vnpt.vn/2022/06/windows-forensic-malware-persistence/

Lab

Sysmon
https://medium.com/@huseyin.eksi/important-sysmon-events-to-follow-a59464081dd0
How to get started with Microsoft Sysinternals' Sysmon advanced event logging
https://www.youtube.com/watch?v=B7Lf-IWVa5I

Regshot: take a snapshot of your registry and then compare it
https://github.com/winsiderss/systeminformer
https://github.com/marcosd4h/memhunter
https://github.com/marcosd4h/sysmonx
https://drive.google.com/drive/folders/1F4toqiJoc0OerAqmaKWMBLp2zHGI1Toz
Finding Malware with Sysinternals Process Explorer:
https://www.youtube.com/watch?v=y2bNLCWHFNs
Tool:
pr0c3xp64.exe: https://www.pconlife.com/download/otherfile/449839/2f37765933e6cdb8fa1bbba97f23c3ce/
Press Ctrl+D to show the loaded DLLs

Everything: https://everything.softonic.vn/
Autoruns: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
LastActivityView: https://taimienphi.vn/download-lastactivityview-9700/taive
https://www.bleepingcomputer.com/download/getservices/
https://www.pconlife.com/viewfileinfo/checkinjectx64-exe/
PEiD can be used to identify whether a file is packed
https://medium.com/ce-malware-analysis/practical-malware-analysis-lab-solutions-static-analysis-4f892cbae9d
PC Hunter
https://juggernaut-sec.com/scheduled-tasks/
accesschk: enumerate the permissions on the folder and file of interest
Accesschk, we could start by searching if we have write permissions on any files or folders in C:
Lab 1


Lab 2 DLL injection

Lab 3 scheduled tasks

Lab 4 command in scheduled tasks

Jump to the entry and check its command

Lab 5

UserInitMprLogonScript is a registry key used to specify scripts or programs that are executed when a user logs on to the system.
If you have run mimikatz a lot, you will recognise the phrase "sekurlsa:logonpasswd".
Lab 10
In the tmp folder

After it runs, the contents change

Similar article:
https://medium.com/ce-malware-analysis/battery-powered-trojan-part-1-3788e03f106f

Malware analysis

  1. Upload the file to VirusTotal and view the reports.
  2. Examine the PE Header
  3. Scan the file for any strings
  4. Is there any indication that the file is malicious?

https://medium.com/ce-malware-analysis/battery-powered-trojan-part-1-3788e03f106f
https://medium.com/ce-malware-analysis/battery-powered-trojan-part-2-f256d4fe60a
PE Studio categorizes and classifies libraries, imports, exports, and strings. Here it tells us what the imported functions do and whether or not they are likely malicious.
https://medium.com/ce-malware-analysis/battery-powered-trojan-part-3-abda2cb83256
IDA walkthrough, and using msf to connect to the trojan.

Use Procmon to observe a specific process.
https://medium.com/ce-malware-analysis/lab-3-basic-dynamic-analysis-46303171da9a
ApateDNS: check DNS requests.
INetSim log: get a log of every action the sample performs

App monitor

Detect Hackers & Malware on your Computer (literally for free)
https://www.youtube.com/watch?v=R3fFzYXKn3c&t=242s
Clean ANY malware or virus off ANY Windows computer with one FREE and SIMPLE program
https://www.youtube.com/watch?v=9hWwY8Lo4ag
How to Remove ANY Virus from Windows in ONE STEP
https://www.youtube.com/watch?v=Rf1Y5o9FogA