We are provided with a Windows 7 memory dump. Let us begin our initial level of analysis.

Let’s start with the running processes.

Initial Analysis

$ volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 pslist

pslist output

As we can see, WinRAR.exe is running, which implies that the user might have opened a RAR archive. So let's check for a RAR file in the whole memory dump.

$ volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 filescan | grep rar

Rar

As we can see, there is a RAR archive present in memory. So let's dump it and have a look at it.

dumpfiles

We have dumped the RAR. Let us try extracting it and check the contents inside.

extract rar

As we can see, it is asking for a password. And the description says that you'll get the stage 2 flag only when you have the stage 1 flag. So let us find the first flag.

Flag 1

As we saw in the pslist output, we can't find any suspicious process running. So let's check the Internet Explorer history. For this we will use the iehistory plugin.

$ volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 iehistory

iehistory

We can see a .bmp file being accessed. The file name seems suspicious: it is a base64 string. So let's decode it.

After decoding it we got the flag: flag{!!w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3!!}

Flag 2

So let's use the flag we got as the password for the RAR archive.

Unrar using stage 1 password

Hoorah! We got it extracted.

Flag

That’s how you finish this MemLabs, Lab – 5.

If you like my solution, please do share it. I'm available on Twitter: @NihithNihi