The SOC detected malware on a host, but antivirus already quarantined it... can you still make sense of what it does?
The task description mentioned that the file had been quarantined, so I assumed this was most likely done by Windows Defender. First, I found a script to restore the file from quarantine. Once restored, it turned out to be a .NET executable.
I then decompiled the program with dotPeek. In the main method I found two hex-encoded byte arrays and a decoding routine that XORs them together (a one-time-pad style operation). I copied the code and had ChatGPT convert it into Python. Running the converted script revealed the flag.
import codecs

def load(hex_string):
    # Parse a hex string into a bytearray, two hex digits per byte
    # (mirrors the loading routine found in the decompiled .NET code).
    length = len(hex_string)
    num_array = bytearray(length // 2)
    for start_index in range(0, length, 2):
        num_array[start_index // 2] = int(hex_string[start_index:start_index + 2], 16)
    return num_array

def otp(data1, data2):
    # XOR the two buffers byte by byte; the second array acts as the key.
    return bytearray(a ^ b for a, b in zip(data1, data2))

# The two encoded values recovered from the decompiled binary
data1 = load("15b279d8c0fdbd7d4a8eea255876a0fd189f4fafd4f4124dafae47cb20a447308e3f77995d3c")
data2 = load("73de18bfbb99db4f7cbed3156d40959e7aac7d96b29071759c9b70fb18947000be5d41ab6c41")

result = otp(data1, data2)
print(codecs.decode(result, 'utf-8'))