Hacktober 2020 CTF - Captured Memories

Oct 26, 2020


Challenge Description

We found some unusual activity coming from an employee's Windows 10 workstation at De Monne Financial. Our IT guy saved the memory dump to the file provided below. What was the PID of the program used to capture the memory dump? Submit the flag as flag{PID}.
Download url : https://tinyurl.com/y9r3wnhh
Max Attempts : 10


Solution

After downloading the memory dump file, we start inspecting it directly with Volatility. The first step is to identify the image:

m3dsec@cloudshell:~/ctf/foren$ volatility -f mem.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_17134, Win10x64_14393, Win10x64_10586, Win10x64_16299, Win2016x64_14393, Win10x64_15063 (Instantiated with Win10x64_15063)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/m3dsec/ctf/foren/mem.raw)
                      PAE type : No PAE
                           DTB : 0x1aa000L
                          KDBG : 0xf8001e43d520L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff8001d4e2000L
                KPCR for CPU 1 : 0xffffd40032268000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-06-26 15:51:36 UTC+0000
     Image local date and time : 2020-06-26 08:51:36 -0700

It was a Windows 10 x64 memory dump, and we can use this profile in our further analysis. Since we are searching for the program used to capture the memory dump, we list the processes in the image (the output below is from pslist; psscan would additionally carve terminated and unlinked process objects):

m3dsec@cloudshell:~/ctf/foren$ volatility -f mem.raw --profile=Win10x64_17134 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffff87868e88d440 System                    4      0    111        0 ------      0 2020-06-26 15:07:32 UTC+0000
0xffff87868e975040 Registry                 88      4      3        0 ------      0 2020-06-26 15:07:23 UTC+0000
0xffff878690147040 smss.exe                348      4      2        0 ------      0 2020-06-26 15:07:32 UTC+0000
0xffff878690722080 csrss.exe               436    424     10        0      0      0 2020-06-26 15:07:43 UTC+0000
0xffff878690472280 csrss.exe               508    500     12        0      1      0 2020-06-26 15:07:45 UTC+0000
0xffff878690495080 wininit.exe             528    424      1        0      0      0 2020-06-26 15:07:45 UTC+0000
0xffff87869049c580 winlogon.exe            564    500      5        0      1      0 2020-06-26 15:07:45 UTC+0000
0xffff8786904cd080 services.exe            648    528      6        0      0      0 2020-06-26 15:07:46 UTC+0000
0xffff8786904fb080 lsass.exe               664    528      9        0      0      0 2020-06-26 15:07:47 UTC+0000
0xffff8786904cc580 svchost.exe             764    648     31        0      0      0 2020-06-26 15:07:50 UTC+0000
0xffff8786904d1580 fontdrvhost.ex          792    528      5        0      0      0 2020-06-26 15:07:50 UTC+0000
0xffff878690ac5580 fontdrvhost.ex          800    564      5        0      1      0 2020-06-26 15:07:50 UTC+0000
0xffff878690b71580 svchost.exe             884    648     25        0      0      0 2020-06-26 15:07:53 UTC+0000
0xffff878690c07080 dwm.exe                 968    564     13        0      1      0 2020-06-26 15:07:55 UTC+0000
0xffff878690c2d580 svchost.exe              60    648     64        0      0      0 2020-06-26 15:07:56 UTC+0000
0xffff878690bbd580 svchost.exe             384    648     14        0      0      0 2020-06-26 15:07:56 UTC+0000
0xffff878690c8d580 svchost.exe            1052    648     18        0      0      0 2020-06-26 15:07:58 UTC+0000
0xffff878690cae580 svchost.exe            1092    648     24        0      0      0 2020-06-26 15:07:58 UTC+0000
0xffff878690ccc040 MemCompression         1168      4     50        0 ------      0 2020-06-26 15:07:58 UTC+0000
0xffff8786903bf580 svchost.exe            1248    648      8        0      0      0 2020-06-26 15:07:59 UTC+0000
0xffff878690d12580 svchost.exe            1284    648     21        0      0      0 2020-06-26 15:07:59 UTC+0000
0xffff878690dc3580 svchost.exe            1312    648      5        0      0      0 2020-06-26 15:07:59 UTC+0000
0xffff878690dc7580 svchost.exe            1320    648      8        0      0      0 2020-06-26 15:07:59 UTC+0000
0xffff878690e87580 spoolsv.exe            1408    648     10        0      0      0 2020-06-26 15:08:00 UTC+0000
0xffff878690e93580 svchost.exe            1416    648     25        0      0      0 2020-06-26 15:08:00 UTC+0000
0xffff878690fbe580 svchost.exe            1860    648     13        0      0      0 2020-06-26 15:08:04 UTC+0000
0xffff878690fcd580 MsMpEng.exe            1884    648     10        0      0      0 2020-06-26 15:08:04 UTC+0000
0xffff878690fdd400 SecurityHealth         1900    648     12        0      0      0 2020-06-26 15:08:04 UTC+0000
0xffff878691216580 svchost.exe            1268    648     13        0      0      0 2020-06-26 15:08:14 UTC+0000
0xffff878690a07580 svchost.exe            2144    648      2        0      0      0 2020-06-26 15:08:16 UTC+0000
0xffff8786909b0580 sihost.exe             2672     60     15        0      1      0 2020-06-26 15:08:51 UTC+0000
0xffff8786909c9580 svchost.exe            2712    648     22        0      1      0 2020-06-26 15:08:52 UTC+0000
0xffff8786909e1580 taskhostw.exe          2764     60     10        0      1      0 2020-06-26 15:08:52 UTC+0000
0xffff8786913c2080 ctfmon.exe             2956    384      9        0      1      0 2020-06-26 15:08:55 UTC+0000
0xffff87869141c2c0 userinit.exe           2184    564      0 --------      1      0 2020-06-26 15:08:57 UTC+0000   2020-06-26 15:09:12 UTC+0000
0xffff8786913f9580 explorer.exe           2316   2184     93        0      1      0 2020-06-26 15:08:57 UTC+0000
0xffff87868fd7a580 chrmstp.exe            3256   2316      0 --------      1      0 2020-06-26 15:09:13 UTC+0000   2020-06-26 15:09:13 UTC+0000
0xffff87868fd65580 dllhost.exe            3520    764      7        0      1      0 2020-06-26 15:09:16 UTC+0000
0xffff8786900eb080 ShellExperienc         3708    764     24        0      1      0 2020-06-26 15:09:18 UTC+0000
0xffff8786901a0080 SearchUI.exe           4052    764     50        0      1      0 2020-06-26 15:09:23 UTC+0000
0xffff878690969580 RuntimeBroker.         4064    764      6        0      1      0 2020-06-26 15:09:23 UTC+0000
0xffff87868ee50580 RuntimeBroker.         2528    764     11        0      1      0 2020-06-26 15:09:29 UTC+0000
0xffff87868ece5580 ApplicationFra         4104    764     11        0      1      0 2020-06-26 15:09:30 UTC+0000
0xffff87868ede8580 SearchIndexer.         4448    648     23        0      0      0 2020-06-26 15:09:31 UTC+0000
0xffff87868ef10580 RuntimeBroker.         4504    764      8        0      1      0 2020-06-26 15:09:31 UTC+0000
0xffff87868efaf080 MicrosoftEdge.         4660    764      0 --------      1      0 2020-06-26 15:09:32 UTC+0000   2020-06-26 15:11:12 UTC+0000
0xffff87868f008080 RuntimeBroker.         3936    764      0 --------      1      0 2020-06-26 15:09:37 UTC+0000   2020-06-26 15:11:42 UTC+0000
0xffff87868edc2580 RuntimeBroker.         5680    764      6        0      1      0 2020-06-26 15:09:46 UTC+0000
0xffff87868f150580 MSASCuiL.exe           5928   2316      3        0      1      0 2020-06-26 15:09:52 UTC+0000
0xffff8786909e5080 OneDrive.exe           6032   2316     20        0      1      1 2020-06-26 15:09:53 UTC+0000
0xffff87868f1d5580 cmd.exe                6072   2316      0 --------      1      0 2020-06-26 15:09:54 UTC+0000   2020-06-26 15:09:56 UTC+0000
0xffff87868f1d2080 cmd.exe                6080   2316      0 --------      1      0 2020-06-26 15:09:54 UTC+0000   2020-06-26 15:09:55 UTC+0000
0xffff87868f1cc580 explorer.exe           6096   2316      0 --------      1      0 2020-06-26 15:09:54 UTC+0000   2020-06-26 15:10:01 UTC+0000
0xffff8786909da580 RuntimeBroker.         3436    764      3        0      1      0 2020-06-26 15:10:04 UTC+0000
0xffff8786916b2580 dllhost.exe            6432    764      7        0      1      0 2020-06-26 15:10:15 UTC+0000
0xffff878691061580 GoogleCrashHan         4332   2776      5        0      0      1 2020-06-26 15:10:38 UTC+0000
0xffff8786910be080 GoogleCrashHan         5936   2776      3        0      0      0 2020-06-26 15:10:38 UTC+0000
0xffff87868f821080 SgrmBroker.exe         6756    648      2        0      0      0 2020-06-26 15:10:41 UTC+0000
0xffff87868ed21080 WmiPrvSE.exe           3304    764      9        0      0      0 2020-06-26 15:12:07 UTC+0000
0xffff87869150c580 sedsvc.exe             3040    648      5        0      0      0 2020-06-26 15:17:18 UTC+0000
0xffff87868fb57580 cmd.exe                3180   2316      0 --------      1      0 2020-06-26 15:19:51 UTC+0000   2020-06-26 15:31:26 UTC+0000
0xffff87868f9a6580 Microsoft.Phot         4724    764     14        0      1      0 2020-06-26 15:20:49 UTC+0000
0xffff87868ede9080 SkypeApp.exe           5896    764     23        0      1      0 2020-06-26 15:21:02 UTC+0000
0xffff87868f826080 HxOutlook.exe          7160    764      0 --------      1      0 2020-06-26 15:31:23 UTC+0000   2020-06-26 15:31:54 UTC+0000
0xffff878691080580 HxTsr.exe              5172    764     14        0      1      0 2020-06-26 15:31:30 UTC+0000
0xffff878690466080 chrome.exe             6628   2316      0 --------      1      0 2020-06-26 15:31:56 UTC+0000   2020-06-26 15:33:21 UTC+0000
0xffff878691056580 HxOutlook.exe          4688    764     24        0      1      0 2020-06-26 15:32:47 UTC+0000
0xffff87868f10a080 backgroundTask         1276    764      0 --------      1      0 2020-06-26 15:32:50 UTC+0000   2020-06-26 15:33:51 UTC+0000
0xffff87868f3804c0 svchost.exe            4804    648      9        0      0      0 2020-06-26 15:33:05 UTC+0000
0xffff87868f399080 chrome.exe             5872   2316     32        0      1      0 2020-06-26 15:34:25 UTC+0000
0xffff87868fb1f080 chrome.exe             7088   5872      9        0      1      0 2020-06-26 15:34:25 UTC+0000
0xffff878691535580 chrome.exe             4940   5872     10        0      1      0 2020-06-26 15:34:25 UTC+0000
0xffff8786914bb580 chrome.exe             5736   5872     13        0      1      0 2020-06-26 15:34:25 UTC+0000
0xffff8786916713c0 chrome.exe             7108   5872     13        0      1      0 2020-06-26 15:34:35 UTC+0000
0xffff87868ec71080 av-20200624193         6880   2316      0 --------      1      1 2020-06-26 15:36:10 UTC+0000   2020-06-26 15:36:41 UTC+0000
0xffff878691456080 cmd.exe                3944   4448      0 --------      0      0 2020-06-26 15:37:19 UTC+0000   2020-06-26 15:44:33 UTC+0000
0xffff87868fd63580 conhost.exe            5432   3944      4        0      0      0 2020-06-26 15:37:19 UTC+0000
0xffff87868f29d380 SkypeBackgroun          376    764      4        0      1      0 2020-06-26 15:38:06 UTC+0000
0xffff878691762080 explorer.exe           5448   3944      1        0      0      1 2020-06-26 15:43:14 UTC+0000
0xffff87868fa02580 wuauclt.exe            5288     60      7        0      0      0 2020-06-26 15:43:18 UTC+0000
0xffff8786914d2580 TrustedInstall         2572    648      5        0      0      0 2020-06-26 15:43:20 UTC+0000
0xffff878691219080 TiWorker.exe           2796    764      4        0      0      0 2020-06-26 15:43:20 UTC+0000
0xffff87868ec27080 cmd.exe                6844   4448      0 --------      0      0 2020-06-26 15:44:35 UTC+0000   2020-06-26 15:46:20 UTC+0000
0xffff878691457580 cmd.exe                4424   4448      1        0      0      0 2020-06-26 15:46:51 UTC+0000
0xffff87868f998080 conhost.exe            6372   4424      3        0      0      0 2020-06-26 15:46:51 UTC+0000
0xffff87869038d580 taskhostw.exe           656     60      8        0      1      0 2020-06-26 15:48:06 UTC+0000
0xffff87868f773080 explorer.exe           3100   4424      5        0      0      1 2020-06-26 15:48:21 UTC+0000
0xffff87868f77b340 cmd.exe                4640   3100      1        0      0      1 2020-06-26 15:48:21 UTC+0000
0xffff87868fb16340 smartscreen.ex         1048    764     15        0      1      0 2020-06-26 15:48:37 UTC+0000
0xffff87868f81d080 cmd.exe                 784   2316      1        0      1      0 2020-06-26 15:48:50 UTC+0000
0xffff878691422080 conhost.exe            3480    784      5        0      1      0 2020-06-26 15:48:50 UTC+0000
0xffff87868ed40580 svchost.exe            4976    648      3        0      0      0 2020-06-26 15:48:59 UTC+0000
0xffff878690744380 SearchProtocol         4396   4448      0 --------      0      0 2020-06-26 15:50:01 UTC+0000   2020-06-26 15:51:50 UTC+0000
0xffff87868f082580 SearchFilterHo         4432   4448      4        0      0      0 2020-06-26 15:50:01 UTC+0000
0xffff8786913b7580 chrome.exe             3432   5872     13        0      1      0 2020-06-26 15:51:01 UTC+0000
0xffff87868faef580 chrome.exe             5876   5872     13        0      1      0 2020-06-26 15:51:03 UTC+0000
0xffff87868f26c580 chrome.exe             3140   5872     16        0      1      0 2020-06-26 15:51:03 UTC+0000
0xffff87869030e080 chrome.exe             4828   5872     11        0      1      0 2020-06-26 15:51:04 UTC+0000
0xffff87868f047080 chrome.exe             6044   5872      6        0      1      0 2020-06-26 15:51:05 UTC+0000
0xffff87868ebef080 chrome.exe             2512   5872     21        0      1      0 2020-06-26 15:51:06 UTC+0000
0xffff87868f2e1080 winpmem_v3.3.r         3348    784      5        0      1      1 2020-06-26 15:51:36 UTC+0000

WinPmem is a memory acquisition tool (pslist truncates the image name to 14 characters, hence winpmem_v3.3.r). Its PID was 3348, and its start time, 2020-06-26 15:51:36, is exactly the image date and time reported by imageinfo, which is what we expect from the process that was capturing the dump. Our flag is flag{3348}.
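The same reasoning can be automated: parse the pslist table, pick out the process whose start timestamp equals the image timestamp from imageinfo, cross-check its (truncated) name against common acquisition tools, and walk its parent chain to see who launched it. The script below is an added example written for this writeup, not part of the original post or of Volatility; the sample rows are copied from the pslist output above (only the rows on the tool's parent chain), and the list of tool-name prefixes is an illustrative assumption, not an exhaustive catalogue.

```python
import re

# Constructed sample: rows copied from the pslist output above, restricted to
# the processes on winpmem's parent chain so the example stays short.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffff87868e88d440 System                    4      0    111        0 ------      0 2020-06-26 15:07:32 UTC+0000
0xffff87869049c580 winlogon.exe            564    500      5        0      1      0 2020-06-26 15:07:45 UTC+0000
0xffff87869141c2c0 userinit.exe           2184    564      0 --------      1      0 2020-06-26 15:08:57 UTC+0000   2020-06-26 15:09:12 UTC+0000
0xffff8786913f9580 explorer.exe           2316   2184     93        0      1      0 2020-06-26 15:08:57 UTC+0000
0xffff87868f81d080 cmd.exe                 784   2316      1        0      1      0 2020-06-26 15:48:50 UTC+0000
0xffff878691422080 conhost.exe            3480    784      5        0      1      0 2020-06-26 15:48:50 UTC+0000
0xffff87868f2e1080 winpmem_v3.3.r         3348    784      5        0      1      1 2020-06-26 15:51:36 UTC+0000
"""

# "Image date and time" as reported by imageinfo above.
IMAGE_TIME = "2020-06-26 15:51:36"

# Assumed, illustrative list: lower-cased prefixes of image names of common
# memory acquisition tools. pslist truncates names to 14 characters, so we
# match on prefix rather than on the full executable name.
ACQUISITION_TOOL_PREFIXES = ("winpmem", "dumpit", "magnetramcaptu", "ramcapture")

# One Volatility 2 pslist row; Hnds/Sess may be dashes, Exit is optional.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
    r"(?:\s+(?P<exit>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000)?\s*$"
)


def parse_pslist(text):
    """Return {pid: {name, ppid, start, exit}} from pslist's text output."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header and separator lines
        d = m.groupdict()
        procs[int(d["pid"])] = {
            "name": d["name"],
            "ppid": int(d["ppid"]),
            "start": d["start"],
            "exit": d["exit"],  # None for processes still running at capture
        }
    return procs


def started_at_capture(procs, image_time):
    """PIDs whose start timestamp equals the image timestamp."""
    return sorted(pid for pid, p in procs.items() if p["start"] == image_time)


def find_acquisition_tool(procs, image_time):
    """Prefer PIDs that match both the timing and the name heuristic; fall
    back to the union so a renamed tool or a clock skew still surfaces."""
    by_time = set(started_at_capture(procs, image_time))
    by_name = {pid for pid, p in procs.items()
               if p["name"].lower().startswith(ACQUISITION_TOOL_PREFIXES)}
    return sorted(by_time & by_name) or sorted(by_time | by_name)


def ancestry(procs, pid):
    """Walk PPIDs upward: [(pid, name), ...] until the parent is unknown."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["name"]))
        pid = procs[pid]["ppid"]
    return chain


def flag_for(procs, image_time):
    """Format the challenge answer when exactly one candidate remains."""
    candidates = find_acquisition_tool(procs, image_time)
    if len(candidates) != 1:
        raise ValueError("ambiguous candidates: %r" % candidates)
    return "flag{%d}" % candidates[0]


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for pid in find_acquisition_tool(procs, IMAGE_TIME):
        print(pid, " <- ".join("%s(%d)" % (n, p) for p, n in ancestry(procs, pid)))
    print(flag_for(procs, IMAGE_TIME))
```

On the full dump the ancestry printed is winpmem_v3.3.r(3348) <- cmd.exe(784) <- explorer.exe(2316) <- userinit.exe(2184) <- winlogon.exe(564): the tool was started from an interactive command prompt in the logged-on user's session, which is consistent with an administrator capturing the dump by hand.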



