Closed tuttimann closed 1 year ago
Which PowerShell version are you using? It seems that the cmdlet "New-Guid" is not existing.
Get-Command New-Guid
I am using Powershell version 7.3.1 and "New-Guid" seems to be installed (screenshots attached). It also doesn't work with Windows Powershell, however there aren't these error message I attached above.
You need PowerShell 5.1.
Are you using a public memory dump or can you share your memory dump for inspection?
I have Powershell 5.1.19041.2364. Unfortunately it seems to happen with any memory dump I am analyzing. I.e. "2020 CTF - Windows Memory.zip" from Magnet: https://digitalcorpora.s3.amazonaws.com/corpora/scenarios/magnet/2020%20CTF%20-%20Windows%20Memory.zip
MemProcFS-Analyzer v0.8 - Automated Forensic Analysis of Windows Memory Dumps for DFIR (c) 2021-2023 Martin Willing at Lethal-Forensics (https://lethal-forensics.com/)
Analysis date: 2023-01-23 20:18:54 UTC
[Info] Mounting the Physical Memory Dump file as X: ...
[Info] Physical Memory Dump File Size: 5,00 GB
[Info] MemProcFS Forensic Analysis initiated ...
[Info] Processing F:\Memory-Samples\memdump-001.mem [approx. 1-10 min] ...
[Info] Host Name: WIN-9H6J4FBP8F7
[Info] OS: Windows 7 Enterprise (x64), Service Pack 1 (6.1.7601.24384)
[Info] InstallDate: 2020-02-14 02:10:21 UTC
[Info] RegisteredOrganization: --
[Info] RegisteredOwner: Windows User
[Info] Timezone Information: Eastern Standard Time (UTC-04:00)
[Info] Last Written Time: 2020-03-08 07:00:00 UTC
[Info] Last Logged On User: Warren
[Info] Last Boot: 2020-04-20 22:44:50 UTC
[Info] Memory Acquisition Time: 2020-04-20 23:23:26 UTC
[Info] Collecting Evidence Files ...
[Info] Your Operating System is NOT supported by FindEvil.
Note: FindEvil is only available on 64-bit Windows 11, 10 and 8.1.
[Info] 65 Certificates found (65)
[Info] 0 IPv4 addresses found (3)
[Info] 0 IPv6 addresses found (2)
[Alert] TCP on Source Port 3389 detected - May indicates incoming Remote Desktop Protocol (RDP) activity (2)
[Info] Processing 65 Processes ...
[Info] Launching Process Tree (TreeView) ...
[Alert] Unusual Parent-Child Relationship found: csrss.exe (2)
[Alert] Unusual Parent-Child Relationship found: wininit.exe (1)
[Alert] Unusual Parent-Child Relationship found: winlogon.exe (1)
[Info] Checking for Process Path Masquerading ...
[Info] Checking Damerau–Levenshtein Distance of common System Processes ...
[Info] Checking for Processes w/ Unusual User Context ...
[Info] Checking for Processes Spawned From Suspicious Folder Locations ...
[Alert] Process spawned from a suspicious folder location: C:\Users*\Downloads* (1)
[Info] Checking for Suspicious Process Lineage ...
[Info] Checking for Processes with Suspicious Command Line Arguments ...
[Info] Checking for Suspicious Processes without any Command Line Arguments ...
[Info] Processing 419 Services (Running Services: 192) ...
[Alert] Service running from a suspicious folder location: C:\Users*\AppData\Local\Temp* (1)
[Info] Processing Web History Information (Records: 0) ...
[Info] Creating Forensic Timeline ...
[Info] File Size (CSV): 88,74 MB
[Info] Total Lines (CSV): 519.709
[Info] Extracting Prefetch File Information from Forensic Timeline ...
[Info] File Size (CSV): 23,46 KB
[Info] Total Lines (CSV): 187
[Info] Collecting Windows Event Logs (EVTX) ...
[Info] Processing 48 EVTX Files (33,50 MB) ...
[Info] Updating Event Log Maps ...
[Info] 423 Event Log Maps will be initiated by EvtxECmd ...
[Info] File Size (CSV): 1,71 MB
[Info] Updating SIGMA Rulesets ...
[Info] No newer rulesets found
[Info] Processing Windows Event Logs w/ Zircolite ...
[Info] Creating JSON output and ZircoGui package ...
[Info] Executed ruleset - 2.046 rules
[Info] File Size (JSON): 4,00 Bytes
[Info] 0 Detections found
[Info] Parsing Event Record Information from JSON Files ...
[Info] Collecting Registry Hives ...
[Info] 13 Registry Hives (102,11 MB) found
[Info] Analyzing Application Compatibility Cache aka ShimCache ...
[Info] Found 0 cache entries for Windows7x64_Windows2008R2 in ControlSet001 Found 0 cache entries for Windows7x64_Windows2008R2 in ControlSet002
[Info] Analyzing Syscache Hive ...
[Info] Found 48.540 key/value pairs across 1 file
[Info] 3.669 SHA1 hash value(s) of executables found
[Info] Analyzing UserAssist Artifacts ...
[Info] Found 156 key/value pairs across 1 file (S-1-5-21-4288132831-552422005-3632184702-1000)
[Info] Analyzing MUICache Artifacts ...
[Info] Found 3 key/value pairs across 1 file (S-1-5-21-4288132831-552422005-3632184702-1000)
[Info] 1 GUI-based executable(s) found (1)
[Info] Analyzing ShellBags Artifacts ...
[Info] Total ShellBags found: 61
[Info] Extracting Auto-Start Extensibility Points (ASEPs) ...
[Info] Found 221 key/value pairs across 4 files
[Info] SQLite Database: C:\Users\evild3ad\AppData\Local\Temp\vmm.sqlite3
[Info] Collecting SQLite Database ...
[Info] File Size (SQLite3): 454,00 MB
[Info] Collecting pypykatz ...
[Info] Collecting regsecrets ...
[Info] Checking for ClamAV Updates ...
[Info] Updating ClamAV Virus Databases (CVD) ...
[Info] Engine Version: ClamAV 1.0.0 (#26790)
[Info] Custom scan w/ ClamAV is running (X:\name) ...
[Info] Directory Scan Mode enabled [time-consuming task] ...
[Info] Starting ClamAV Daemon ...
[Info] ClamAV Daemon is running ...
[Alert] 15 infected file(s) found (15)
[Info] Analyzing RecentDocs Artifacts ...
[Info] Found 78 key/value pairs across 1 file (S-1-5-21-4288132831-552422005-3632184702-1000)
[Info] Analyzing Trusted Documents Artifacts ...
[Info] Found 0 key/value pairs across 1 file (S-1-5-20)
[Info] Found 0 key/value pairs across 1 file (S-1-5-19)
[Info] Found 1 key/value pair across 1 file (S-1-5-21-4288132831-552422005-3632184702-1000)
[Info] Analyzing Registry Hives w/ RECmd (Kroll Batch) ...
[Info] Found 2.781 key/value pairs across 8 files
[Info] Analyzing Reconstructed Process Modules ...
[Info] 64 Reconstructed Process Modules found (67)
[Alert] Missing Internal Name, Original FileName, File Description, and Company Name detected [Modules] (Count: 7)
[Alert] Missing File Description and/or Company Name detected [Modules] (Count: 7)
[Alert] Missing Internal Name and/or Original FileName detected [Modules] (Count: 7)
[Alert] Mismatch on Original FileName detected [Modules] (Count: 8)
[Info] Preparing Secure Archive Container ...
[Info] Archive Size: 162,44 MB
[Info] Shutting Down (Unmount) ...
FINISHED! Overall analysis duration: 0 h 32 min 30 sec
I used PowerShell ISE. Worked smoothly.
Now it's working, don't know what happened before. Thanks for your help.
Only a few amount of all processes are shown in process tree and there are many error messages shown in the logs.