New Hire Old Artifacts

TryHackMe Challenge Walkthrough

Challenge Overview

You are a SOC Analyst for an MSSP (Managed Security Service Provider) company called TryNotHackMe.

A newly acquired customer (Widget LLC) was recently onboarded with the managed Splunk service. The sensor is live, and all the endpoint events are now visible on TryNotHackMe’s end. Widget LLC has some concerns with the endpoints in the Finance Dept, especially an endpoint for a recently hired Financial Analyst. The concern is that there was a period (December 2021) when the endpoint security product was turned off, but an official investigation was never conducted. 

Your manager has tasked you to sift through the events of Widget LLC’s Splunk instance to see if there is anything that the customer needs to be alerted on. 

Happy Hunting!

Threat Analysis Summary

Analyst Summary Report

Incident Title

Unauthorized Use of Credential-Dumping and Evasion Tools on Finance Workstation

Category

Threat Hunting, Endpoint Compromise, Windows Defender Tampering

Detection Source

Sysmon logs via Splunk

Impact

Multiple credential dumping tools executed, outbound connections to malicious IP, registry tampering to weaken defenses

Investigation Workflow

1. Identified a suspicious binary (11111.exe) linked to a web browser password viewer.
2. Found it was created by **NirSoft** and executed from the Temp folder.
3. Discovered a second binary (IonicLarge.exe) with PalitExplorer.exe as its original filename.
4. Traced outbound connections from this binary to a malicious IP.
5. Confirmed it modified a Windows Defender registry policy.
6. Observed two other binaries being forcefully terminated and deleted.
7. Tracked a series of PowerShell commands altering Defender’s threat response settings.
8. Located a new malicious binary (EasyCalc.exe) in the Roaming AppData folder.
9. Identified 3 suspicious DLLs loaded by the ransomware-like payload.

Recommendations


  • Audit application execution policies

    Block execution from user-writable directories like AppData\Local\Temp and AppData\Roaming.

  • Harden Microsoft Defender settings

    Prevent unauthorized registry changes and enforce tamper protection for Defender.

  • Implement PowerShell logging and alerts

    Enable module and script block logging; alert on use of Set-MpPreference, WMIC, and taskkill.

  • Monitor for NirSoft and similar dual-use tools

    Flag execution of known credential-dumping binaries (e.g., 11111.exe, mimikatz.exe variants).

  • Review network traffic for rare destinations

    Investigate outbound traffic to rare or uncategorized IPs like 2.56.59.42.

  • Perform periodic threat hunts

    Include DLL loading from non-standard directories and unauthorized use of scheduled tasks or registry changes.


Tools Used

  • Splunk – log search and filtering
  • CyberChef – defanging malicious IP
  • VirusTotal – (optional, could be used to check hash reputation)

Key Evidence

  • C:\Users\FINANC~1\AppData\Local\Temp\11111.exe identified as a NirSoft password viewer
  • IonicLarge.exe making outbound connections to 2[.]56[.]59[.]42
  • Registry change: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
  • Deleted binaries: WvmIOrcfsuILdX6SNwIRmGOJ.exe, phcIAmLJMAIMSa9j9MpgJo1m.exe
  • PowerShell command altering Defender behavior with ThreatIDDefaultAction_Ids
  • Additional payload: C:\Users\Finance01\AppData\Roaming\EasyCalc\EasyCalc.exe
  • DLLs loaded by EasyCalc: ffmpeg.dll, nw.dll, nw_elf.dll

Attack Chain Overview

Initial Access

User or attacker executed malicious binaries from AppData\Local\Temp

Execution

Multiple binaries executed (11111.exe, IonicLarge.exe, EasyCalc.exe)

Persistence

Binary dropped in AppData\Roaming\EasyCalc to survive reboots

Privilege Escalation

Not observed

Defense Evasion

Modified Windows Defender registry keys and threat responses via PowerShell

Discovery

Not observed

Credential Access

Web browser credential dumper (NirSoft) and registry key manipulation

Exfiltration

Not observed

Command & Control

Outbound connections to known-malicious IP

Impact

Defender was suppressed, suspicious payloads and DLLs deployed

MITRE ATT&CK Mapping

| Phase | ID | Technique | Description |
| --- | --- | --- | --- |
| Initial Access | T1059.001 | PowerShell | Executed Defender tampering and commands via encoded PS script |
| Execution | T1105 | Ingress Tool Transfer | Binaries downloaded into Temp and Roaming folders |
| Defense Evasion | T1562.001 | Disable or Modify System Protection | Modified Defender settings via registry and commands |
| Defense Evasion | T1218.005 | Signed Binary Proxy Execution: WMIC | WMIC used via PS to set ThreatID actions |
| Credential Access | T1555.003 | Credentials from Web Browsers | NirSoft password viewer (11111.exe) |
| C2 | T1071.001 | Application Layer Protocol: Web | Outbound connection to 2[.]56[.]59[.]42 |

Reference: [MITRE ATT&CK Navigator](https://attack.mitre.org/)

Q & A

Q1 A Web Browser Password Viewer executed on the infected machine. What is the name of the binary? Enter the full path.

To kick things off, I looked at Sysmon Event ID 1 for process creation events. This helps surface suspicious binaries that ran on the system.

I ran a simple Splunk query to list unique process images:

Splunk Query:

index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"  EventCode=1
| table Image 
| dedup Image

Among the results, one entry stood out: 11111.exe

Viewing the full event revealed it was associated with a **web browser password recovery tool** — a red flag, especially on a corporate endpoint.

Answer

C:\Users\FINANC~1\AppData\Local\Temp\11111.exe

Q2 What is listed as the company name?

I opened the same process event from Q1 in Splunk and reviewed the metadata fields that are typically embedded in executables. The **CompanyName** field revealed the binary’s origin.

Not surprisingly, the tool came from **NirSoft**, a well-known provider of password recovery utilities — useful for red teamers, but a clear threat in this case.

Answer

NirSoft

Q3 Another suspicious binary running from the same folder was executed on the workstation. What was the name of the binary? What is listed as its original filename? (format: file.xyz,file.xyz)

Since the previous suspicious binary was in the Temp folder, I pivoted by filtering for other .exe files executed from the same path.

Note: FINANC~1 is the Windows 8.3 short-name form of the FINANCE01 profile folder, so both spellings refer to the same path.

Using the Image and OriginalFileName fields, I found another executable of interest:
– Binary name: IonicLarge.exe
– Original filename: PalitExplorer.exe

The naming is clearly designed to look non-threatening, but combined with its origin and behavior, it’s suspicious.

Answer

IonicLarge.exe,PalitExplorer.exe

Q4 The binary from the previous question made two outbound connections to a malicious IP address. What was the IP address? Enter the answer in a defang format.

Since we already knew IonicLarge.exe was suspicious, I searched for any events associated with it and focused on the DestinationIp field to find network activity.

Splunk Query:

Image=C:\\Users\\Finance01\\AppData\\Local\\Temp\\IonicLarge.exe
| table DestinationIp
| dedup DestinationIp

One of the IPs appeared more than once and clearly wasn’t a known-good destination. Since the question mentions _two_ outbound connections, seeing it twice confirmed the behaviour.

After running it through CyberChef to defang, the malicious IP was:

Answer

2[.]56[.]59[.]42

Q5 The same binary made some change to a registry key. What was the key path?

Registry modifications are logged in Sysmon using Event IDs 12, 13, and 14. These can indicate persistence mechanisms or tampering with security settings.

Since we were already tracking IonicLarge.exe, I checked its related registry activity and focused on the TargetObject field.

The modified key turned out to be a familiar one — often abused to disable Microsoft Defender:

Answer

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
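The two pivots above (Q4: destinations contacted by IonicLarge.exe, Q5: registry keys it wrote) can be expressed as one per-image triage step outside Splunk. The following is an added example and not code from the write-up or the challenge; the Sysmon events are constructed in the block (the destination IP, image path and Defender policy key come from the write-up, the value name `DisableAntiSpyware` and the svchost decoys are assumed). The helper defangs each external IP the way CyberChef did and flags any write under the Defender policy key.

```python
import ipaddress
from collections import Counter

# Constructed Sysmon events for illustration (not from the challenge's Splunk data).
# EventCode 3 = network connection, EventCode 13 = registry value set.
# Sysmon logs the value name as part of TargetObject; the value name used here
# (DisableAntiSpyware) is a constructed example, not something the write-up shows.
IONIC = r"C:\Users\Finance01\AppData\Local\Temp\IonicLarge.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

SAMPLE_EVENTS = [
    {"EventCode": 3, "Image": IONIC, "DestinationIp": "2.56.59.42", "DestinationPort": 443},
    {"EventCode": 3, "Image": IONIC, "DestinationIp": "2.56.59.42", "DestinationPort": 80},
    {"EventCode": 3, "Image": SVCHOST, "DestinationIp": "10.0.0.5", "DestinationPort": 53},
    {"EventCode": 13, "Image": IONIC,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"EventCode": 13, "Image": SVCHOST,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Start"},
]

# The key path the write-up identifies as commonly abused to weaken Defender.
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
# Registry Event IDs named in the write-up: 12 create/delete, 13 value set, 14 rename.
REGISTRY_EVENT_IDS = {12, 13, 14}


def defang_ip(ip: str) -> str:
    """Replace dots with [.] so the indicator cannot be clicked or resolved by accident."""
    return ip.replace(".", "[.]")


def pivot_on_image(events, image):
    """Summarise one process image: external destinations (defanged, with connection
    counts) and registry objects it wrote, flagging writes under the Defender policy key."""
    image_lc = image.lower()
    destinations = Counter()
    registry = []
    for ev in events:
        if ev.get("Image", "").lower() != image_lc:
            continue
        if ev["EventCode"] == 3:
            ip = ev["DestinationIp"]
            # Internal (RFC 1918 / loopback) destinations are left out of the report.
            if not ipaddress.ip_address(ip).is_private:
                destinations[defang_ip(ip)] += 1
        elif ev["EventCode"] in REGISTRY_EVENT_IDS:
            registry.append(ev["TargetObject"])
    tampering = any(k.lower().startswith(DEFENDER_POLICY_KEY.lower()) for k in registry)
    return {
        "destinations": dict(destinations),
        "registry_objects": registry,
        "defender_policy_tampering": tampering,
    }


if __name__ == "__main__":
    print(pivot_on_image(SAMPLE_EVENTS, IONIC))
```

Run against the constructed events, the IonicLarge.exe pivot reports `{'2[.]56[.]59[.]42': 2}` as its only external destination and sets `defender_policy_tampering` to `True`; the same call for svchost.exe reports nothing, which is the point of the private-address filter.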

Q6 Some processes were killed and the associated binaries were deleted. What were the names of the two binaries? (**format: file.xyz,file.xyz**)

The challenge hint says to look at taskkill /im.

To track this activity, I looked at PowerShell command lines containing taskkill /im, which often indicates manual process termination.

Then I pivoted into Sysmon Event ID 1 and filtered for any PowerShell commands that referenced file deletion or process killing.

Splunk Query:

index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 
| table CommandLine
| dedup CommandLine

The attacker used taskkill to terminate two processes and immediately followed it with a command to delete the associated files:
– WvmIOrcfsuILdX6SNwIRmGOJ.exe
– phcIAmLJMAIMSa9j9MpgJo1m.exe

Answer

WvmIOrcfsuILdX6SNwIRmGOJ.exe,phcIAmLJMAIMSa9j9MpgJo1m.exe
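A single taskkill or del is routine admin activity; what makes this finding worth alerting on is the pair, a kill immediately followed by deletion of the same binary. The block below is an added example, not code from the write-up, that pairs the two over Sysmon Event ID 1 command lines. The two binary names come from the write-up; the `cmd.exe /c` syntax, the Temp paths, the timestamps and the decoy entries are constructed, and the 60-second pairing window is an assumed threshold.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 command lines (not the challenge's actual data).
# Only the two binary names are taken from the write-up.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-12-06 14:02:10",
     "CommandLine": 'cmd.exe /c taskkill /im WvmIOrcfsuILdX6SNwIRmGOJ.exe /f'},
    {"UtcTime": "2021-12-06 14:02:11",
     "CommandLine": r'cmd.exe /c del /f /q C:\Users\Finance01\AppData\Local\Temp\WvmIOrcfsuILdX6SNwIRmGOJ.exe'},
    {"UtcTime": "2021-12-06 14:02:12",
     "CommandLine": 'cmd.exe /c taskkill /f /im "phcIAmLJMAIMSa9j9MpgJo1m.exe"'},
    {"UtcTime": "2021-12-06 14:02:13",
     "CommandLine": r'cmd.exe /c del C:\Users\Finance01\AppData\Local\Temp\phcIAmLJMAIMSa9j9MpgJo1m.exe'},
    # Decoys: a kill with no matching delete, and a delete with no matching kill.
    {"UtcTime": "2021-12-06 14:05:00", "CommandLine": 'taskkill /im notepad.exe'},
    {"UtcTime": "2021-12-06 14:06:00",
     "CommandLine": r'cmd.exe /c del C:\Users\Finance01\Downloads\report.tmp'},
]

# taskkill [...] /im <image>   (quotes optional, /f may come before or after)
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+\"?([^\s\"]+)", re.I)
# del|erase [/switches] <path>
DEL_RE = re.compile(r"\b(?:del|erase)\b(?:\s+/\w+)*\s+\"?([^\s\"]+)", re.I)
WINDOW = timedelta(seconds=60)  # assumed: how soon after the kill the delete must follow


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def kill_then_delete(events, window=WINDOW):
    """Return the image names (original case, in taskkill order) that were terminated
    with taskkill and then deleted within `window`. Unpaired kills/deletes are ignored."""
    ordered = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    kills, deletes = [], []          # (time, name_as_logged, name_lowercased)
    for ev in ordered:
        cmd, t = ev["CommandLine"], parse_time(ev["UtcTime"])
        m = TASKKILL_RE.search(cmd)
        if m:
            kills.append((t, m.group(1), m.group(1).lower()))
            continue
        m = DEL_RE.search(cmd)
        if m:
            base = ntpath.basename(m.group(1))
            deletes.append((t, base, base.lower()))
    paired = []
    for kt, name, name_lc in kills:
        if any(kt <= dt <= kt + window and d_lc == name_lc for dt, _, d_lc in deletes):
            paired.append(name)
    return paired


def answer_format(events) -> str:
    """Q6 answer format: file.xyz,file.xyz"""
    return ",".join(kill_then_delete(events))


if __name__ == "__main__":
    print(answer_format(SAMPLE_EVENTS))
```

The decoys show the value of pairing: notepad.exe was killed but never deleted, and report.tmp was deleted but never killed, so neither is reported.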

Q7 The attacker ran several commands within a PowerShell session to change the behaviour of Windows Defender. What was the last command executed in the series of similar commands?

To investigate Defender tampering, I filtered PowerShell-related events in Sysmon and focused on CommandLine values for Defender-related keywords and WMIC calls.

Splunk Query:

index=* 
sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" 
powershell
| table _time CommandLine
| dedup CommandLine

The attacker repeatedly set custom ThreatIDDefaultAction entries using PowerShell and WMIC. The last command in that sequence was:
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

This effectively tells Defender how to handle a specific threat ID — in this case, likely setting it to ignore or allow.

Answer

powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True

Q8 Based on the previous answer, what were the four IDs set by the attacker? Enter the answer in order of execution. (format: 1st,2nd,3rd,4th)

Looking back at the PowerShell commands from the previous search, I extracted the **ThreatIDDefaultAction_Ids** values in the order they were executed.

These IDs represent threat signatures Defender was instructed to allow or ignore — effectively neutering its detection capabilities.

From top to bottom in the timeline:
1. 2147737007
2. 2147737010
3. 2147735503
4. 2147737394

Answer

2147737007,2147737010,2147735503,2147737394
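Q7 and Q8 both come down to pulling `ThreatIDDefaultAction_Ids` / `ThreatIDDefaultAction_Actions` pairs out of the MSFT_MpPreference command lines in time order. The following is an added example, not code from the write-up, that does this over constructed Sysmon Event ID 1 events: the four threat IDs and the final command line are those given above, while the timestamps, the action value on the first three commands (assumed to be 6 like the last one) and the decoy command are constructed. The action-code names are taken from Microsoft's Set-MpPreference documentation for `ThreatIDDefaultAction_Actions`.

```python
import re

# Action codes for ThreatIDDefaultAction_Actions as documented for the
# Set-MpPreference cmdlet / MSFT_MpPreference class.
ACTION_NAMES = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow",
                8: "UserDefined", 9: "NoAction", 10: "Block"}


def _cmd(threat_id: int, action: int) -> str:
    """Build a command line in the same shape as the one quoted in the write-up."""
    return (r"powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference "
            f"call Add ThreatIDDefaultAction_Ids={threat_id} "
            f"ThreatIDDefaultAction_Actions={action} Force=True")


# Constructed Sysmon Event ID 1 events. Listed deliberately out of time order so
# that the extraction has to sort; the decoy never touches MSFT_MpPreference.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-12-06 14:10:01", "CommandLine": _cmd(2147737007, 6)},
    {"UtcTime": "2021-12-06 14:10:09", "CommandLine": _cmd(2147735503, 6)},
    {"UtcTime": "2021-12-06 14:10:30", "CommandLine": "powershell Get-Process"},  # decoy
    {"UtcTime": "2021-12-06 14:10:05", "CommandLine": _cmd(2147737010, 6)},
    {"UtcTime": "2021-12-06 14:10:14", "CommandLine": _cmd(2147737394, 6)},
]

IDS_RE = re.compile(r"ThreatIDDefaultAction_Ids=(\d+)", re.I)
ACT_RE = re.compile(r"ThreatIDDefaultAction_Actions=(\d+)", re.I)


def _by_time(events):
    # UtcTime is a fixed-width "YYYY-MM-DD HH:MM:SS" string, so string order is time order.
    return sorted(events, key=lambda e: e["UtcTime"])


def extract_threat_actions(events):
    """Return [(time, threat_id, action_code, action_name)] for every command that
    writes a ThreatIDDefaultAction entry through MSFT_MpPreference, in execution order."""
    hits = []
    for ev in _by_time(events):
        cmd = ev["CommandLine"]
        if "msft_mppreference" not in cmd.lower():
            continue
        m_id, m_act = IDS_RE.search(cmd), ACT_RE.search(cmd)
        if not (m_id and m_act):
            continue
        code = int(m_act.group(1))
        hits.append((ev["UtcTime"], int(m_id.group(1)), code, ACTION_NAMES.get(code, "Unknown")))
    return hits


def ids_in_order(events) -> str:
    """Q8 answer format: comma-separated threat IDs in order of execution."""
    return ",".join(str(h[1]) for h in extract_threat_actions(events))


def allowed_threat_ids(events):
    """Threat IDs set to Allow (6): detections Defender will now ignore on this host."""
    return [h[1] for h in extract_threat_actions(events) if h[2] == 6]


def last_tampering_command(events):
    """Q7: the CommandLine of the final MSFT_MpPreference change, or None."""
    matched = [ev for ev in _by_time(events) if "msft_mppreference" in ev["CommandLine"].lower()]
    return matched[-1]["CommandLine"] if matched else None


if __name__ == "__main__":
    print(ids_in_order(SAMPLE_EVENTS))
    print(last_tampering_command(SAMPLE_EVENTS))
```

Keying the filter on `MSFT_MpPreference` rather than on `powershell` keeps the same logic useful when the WMIC call is made from cmd.exe or a scheduled task instead of a PowerShell session.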

Q9 Another malicious binary was executed on the infected workstation from another AppData location. What was the full path to the binary?

We already checked suspicious binaries in AppData\Local\Temp, so next I searched for executables launched from anywhere inside the broader AppData structure, focusing on Sysmon Event ID 1.

Splunk Query:

index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\\Users\\FINANCE01\\AppData\\*.exe"
| table Image
| dedup Image

One unfamiliar binary stood out.
This location and filename combination is a common tactic for persistence or hiding in plain sight.

Answer

C:\Users\Finance01\AppData\Roaming\EasyCalc\EasyCalc.exe

Q10 What were the DLLs that were loaded from the binary from the previous question? Enter the answers in alphabetical order. (format: file1.dll,file2.dll,file3.dll)

To determine which libraries the binary loaded, I filtered for Sysmon Event ID 7, which logs DLL loads, and scoped it to the EasyCalc binary.

The results showed the following suspicious DLLs, likely used to support or disguise malicious behavior:

– ffmpeg.dll
– nw.dll
– nw_elf.dll

Sorted alphabetically as requested:

Answer

ffmpeg.dll,nw.dll,nw_elf.dll
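Q9 and Q10 together make a reusable hunt: find executables launched from anywhere under a user's AppData tree, then list the DLLs each of them loaded from outside the Windows system directories. The block below is an added example, not code from the write-up. The EasyCalc.exe path, the 11111.exe path and the three DLL names come from the write-up; the DLL directory, the duplicate load, the notepad and iexplore decoys, and the choice of System32/SysWOW64/WinSxS as "system" prefixes are assumptions.

```python
import ntpath
import re

# Constructed Sysmon events (not the challenge's data). EventCode 1 = process
# creation, EventCode 7 = image (DLL) loaded.
EASYCALC = r"C:\Users\Finance01\AppData\Roaming\EasyCalc\EasyCalc.exe"
EASYCALC_DIR = r"C:\Users\Finance01\AppData\Roaming\EasyCalc"   # assumed DLL location
NOTEPAD = r"C:\Windows\System32\notepad.exe"

SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": NOTEPAD},
    {"EventCode": 1, "Image": r"C:\Users\FINANC~1\AppData\Local\Temp\11111.exe"},
    {"EventCode": 1, "Image": EASYCALC},
    {"EventCode": 1, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventCode": 7, "Image": EASYCALC, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventCode": 7, "Image": EASYCALC, "ImageLoaded": EASYCALC_DIR + r"\nw_elf.dll"},
    {"EventCode": 7, "Image": EASYCALC, "ImageLoaded": EASYCALC_DIR + r"\ffmpeg.dll"},
    {"EventCode": 7, "Image": EASYCALC, "ImageLoaded": EASYCALC_DIR + r"\nw.dll"},
    {"EventCode": 7, "Image": EASYCALC, "ImageLoaded": EASYCALC_DIR + r"\nw.dll"},  # repeat load
    {"EventCode": 7, "Image": NOTEPAD, "ImageLoaded": r"C:\Windows\System32\user32.dll"},
]

# Any .exe under a profile's AppData tree; matches both the 8.3 form (FINANC~1)
# and the long form (Finance01) of the user folder.
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\.*\.exe$", re.I)
# Directories holding OS-owned DLLs; loads from anywhere else deserve a look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def hunt_appdata_executables(events):
    """Unique process images launched from anywhere under AppData (the Q9 hunt),
    in first-seen order."""
    seen = []
    for ev in events:
        img = ev["Image"]
        if ev["EventCode"] == 1 and APPDATA_RE.match(img) and img not in seen:
            seen.append(img)
    return seen


def non_system_dlls(events, image):
    """Alphabetically sorted, de-duplicated names of DLLs that `image` loaded from
    outside the Windows system directories (the Q10 hunt)."""
    names = set()
    for ev in events:
        if ev["EventCode"] != 7 or ev["Image"].lower() != image.lower():
            continue
        loaded = ev["ImageLoaded"]
        if loaded.lower().startswith(SYSTEM_DIRS):
            continue
        names.add(ntpath.basename(loaded))
    return sorted(names, key=str.lower)


def appdata_sideload_report(events):
    """Combine both hunts: {appdata_exe: [non-system DLLs it loaded]}."""
    return {img: non_system_dlls(events, img) for img in hunt_appdata_executables(events)}


if __name__ == "__main__":
    for img, dlls in appdata_sideload_report(SAMPLE_EVENTS).items():
        print(img, "->", ",".join(dlls) or "(no non-system DLLs)")
```

On the constructed events the report lists both AppData executables; only EasyCalc.exe has non-system DLLs (`ffmpeg.dll,nw.dll,nw_elf.dll`, already in the alphabetical order the question asks for), while kernel32.dll is filtered out as a normal System32 load.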

Conclusion

Turns out letting random executables party in Temp and Roaming folders isn’t great for endpoint hygiene.

Who knew?

Between killing processes, disabling Defender like it’s a feature, and casually sideloading DLLs with something called EasyCalc.exe (which, spoiler: does not help with math), this attacker went full “make yourself at home.”

We might not know exactly what they stole, but it’s safe to say Finance won’t be trusting EasyCalc again anytime soon.