
Malware Analysis: Suspicious

Difficulty

  • intermediate

Average duration

1 hr

Technologies

  • windows

  • cybersecurity

  • blue-team

  • reverse-engineering

  • malware-analysis

Malware Analysis: Suspicious

In this lab, you will take on the role of a cybersecurity analyst tasked with examining a suspicious .exe file. Your job is to decompile the file, identify malicious behavior, and sanitize the binary. Only if the fix is successful will you obtain the validation flag.

In this lab you will learn:

  • Static analysis of .NET executables
  • Identification of simple malicious patterns
  • Removal of sabotage or persistence logic
  • Restoration of legitimate flows in modified binaries

🌱 How to start this lab

👉 This challenge is solved inside a preconfigured Windows virtual machine.

  1. Download the virtual machine from this link: https://storage.googleapis.com/cybersecurity-machines/metadata-investigation-lab.ova

  2. Import the machine into VirtualBox.

  3. Log in as the user student:4geeks-lab (username:password). The machine comes preinstalled with tools such as:

    • dnSpyEx (decompiler and binary editor)
    • .NET SDK
    • Notepad, PowerShell, and File Explorer

📄 Instructions

The executable appears to have been designed to perform a malicious action before letting its normal execution complete. There is an opportunity, however: if you correctly identify and remove this unauthorized activity, the program will behave legitimately and display a technical result that lets you validate the challenge. The executable is on the desktop, named Suspicious.exe.

Your tasks:

  1. Open the executable in dnSpyEx and analyze the Main() method.

  2. Identify the section of code that performs a malicious action. This could be unauthorized writing, analysis evasion, or environment manipulation.

  3. Remove that malicious logic.

  4. Satisfy the protected execution conditions. The executable contains an environment validation that depends on the presence of a file.

  5. Recompile the corrected executable as Suspicious_FIXED.exe.

  6. Run the fixed binary. If everything was corrected successfully, the program will print a diagnostic result containing the flag.

This lab is not about searching for a hidden flag. It is about restoring a system that was tampered with. Only if you precisely remove the malicious logic will the program reveal the validation message.
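To make the pattern described above concrete, here is a constructed C# illustration (not the lab's Suspicious.exe, and not code from 4Geeks) of what a tampered entry point can look like in dnSpyEx next to the restored one an analyst would recompile. The marker path, the file written by the injected code and the diagnostic input are all assumed values.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Constructed illustration only: NOT the lab's Suspicious.exe. It shows the
// shape of a tampered Main() as dnSpyEx might display it and its restored form.
static class Program
{
    // Hypothetical marker file the environment validation looks for.
    const string MarkerPath = @"C:\ProgramData\lab\env.ok";

    // Legitimate flow: the "technical result" the binary exists to print.
    static string Diagnostic(string input)
    {
        using var sha = SHA256.Create();
        byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(input));
        return BitConverter.ToString(digest).Replace("-", "");
    }

    // Tampered version, kept only for comparison and never called: an injected
    // action runs first, then a file-based gate decides if the real work runs.
    static int TamperedMain()
    {
        // Injected: an unauthorized write unrelated to the program's purpose.
        File.WriteAllText(Path.Combine(Path.GetTempPath(), "dropped.txt"), "x");
        // Environment validation (task 4): the legitimate flow is gated on a file.
        if (!File.Exists(MarkerPath))
        {
            Console.WriteLine("Unsupported environment.");
            return 1;
        }
        Console.WriteLine("Diagnostic: " + Diagnostic("suspicious-lab"));
        return 0;
    }

    // Restored version (tasks 3 and 5): the injected write is removed; the gate
    // stays intact and is satisfied by placing the marker file it expects.
    static int Main()
    {
        if (!File.Exists(MarkerPath))
        {
            Console.WriteLine("Unsupported environment: create " + MarkerPath);
            return 1;
        }
        Console.WriteLine("Diagnostic: " + Diagnostic("suspicious-lab"));
        return 0;
    }
}
```

Comparing the two methods line by line is the same exercise you perform in dnSpyEx: everything in TamperedMain that is absent from Main is the logic to strip, while the validation is kept and passed by creating the expected file rather than by deleting the check.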

Are you ready to think like a real reverse engineering analyst?

Good luck, Analyst!

