TryHackMe: REvil Corp

Sean Dixon
Jun 14, 2023

Overview: This is a medium-difficulty challenge hosted by TryHackMe. The challenge involves using Redline to investigate a compromised machine. The machine was reported to have exhibited ransomware-like behavior.

Scenario: One of the employees at Lockman Group gave an IT department the call; the user is frustrated and mentioned that all of his files are renamed to a weird file extension that he has never seen before. After looking at the user’s workstation, the IT guy already knew what was going on and transferred the case to the Incident Response team for further investigation.

Q1

What is the compromised employee’s full name?

After Redline loads the memory analysis file, we’ll take a look at the System Information page.

System Information

From there we can see the logged-in user was John Coleman.

Of course, we could also find the user under the Users screen.

Users list

Answer: John Coleman

Q2

What is the operating system of the compromised host?

We can refer back to the System Information we found previously.

Answer: Windows 7 Home Premium 7601 Service Pack 1

Q3

What is the name of the malicious executable that the user opened?

We’ll start by checking for any downloads that occurred.

File Download History

We can see two downloads in the memory dump, one for WinRAR and another for the TOR browser.

The WinRAR download came from an IP address, which is rather abnormal and should be investigated further.

Answer: WinRAR2021.exe

Q4

What is the full URL that the user visited to download the malicious binary? (include the binary as well)

We noted the suspicious IP in Q3.

Answer: http://192.168.75.129:4748/Documents/WinRAR2021.exe
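The check applied by eye in Q3 and Q4 (a download served from a bare IP address) can be run over a whole download history. This is an added example, not part of the original write-up; the function names and the second sample URL are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".dll")
DEFAULT_PORTS = {"http": 80, "https": 443}


def triage_download(url):
    """Return the reasons a download URL deserves a closer look."""
    parts = urlsplit(url)
    reasons = []
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        ip = None  # host is a DNS name, not an address literal
    if ip is not None:
        reasons.append("host is an IP literal, not a domain name")
        if ip.is_private:
            reasons.append("address is in a private or reserved range")
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        reasons.append(f"non-default port {parts.port}")
    if parts.scheme == "http" and parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable fetched over plain HTTP")
    return reasons


def suspicious_downloads(urls):
    """Map each URL with at least one finding to its list of reasons."""
    return {u: r for u in urls if (r := triage_download(u))}


# The first URL is the one from this write-up; the second is constructed for contrast.
SAMPLE_HISTORY = [
    "http://192.168.75.129:4748/Documents/WinRAR2021.exe",
    "https://downloads.example.org/browser/installer.exe",
]

if __name__ == "__main__":
    for url, reasons in suspicious_downloads(SAMPLE_HISTORY).items():
        print(url)
        for reason in reasons:
            print("  -", reason)
```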

Q5

What is the MD5 hash of the binary?

We can use the File System screen within Redline to get the hash. To make the hash easier to view, toggle Show Details at the bottom of the screen.

Show Details button
MD5 hash in the Show Details pane

Note: Along with the WinRAR executable, there are other suspicious entries in the file system. Some of the entries have an unusual file extension as noted in the scenario.

Answer: 890a58f200dfff23165df9e1b088e58f

Q6

What is the size of the binary in kilobytes?

We can find this information in the details pane that we opened in the previous step.

Answer: 164

Q7

What is the extension to which the user’s files got renamed?

We also took note of the odd extension in Q5.

Suspicious file extensions

Answer: .t48s39la

Q8

What is the number of files that got renamed and changed to that extension?

Although Event Logs seems like a logical first place to start looking for this information, it doesn’t appear to be relevant to this question. So let’s try the Timeline.

Timeline

This information looks like it might be what we’re looking for. We can see the file download is logged here, as well as registry modifications and process creation.

So let’s try to filter out all the events we don’t need, such as registry changes and processes.

files with names changed

With the only filters set to Modified and Changed, we can search for the suspicious file extension, returning 48 matches.

Note: Although 48 is the correct answer, the entries seem to be duplicated. If you only toggle one of the filters (Changed / Modified) there are 24 results. The filenames and timestamps match on the duplicated files, suggesting there are only 24 files changed. You can see an example of the duplicated entries in the screenshot above.

Answer: 48

Q9

What is the full path to the wallpaper that got changed by an attacker, including the image name?

Windows saves wallpapers as bitmap files (.bmp) so perhaps we can use the timeline to track down the wallpaper. Searching for events with .bmp returns over 300 results.

Checking the timestamps, we can see the time for the first result for a .bmp file was only 26 seconds after the file extensions were changed. With that, it is safe to say we’ve got the path of the wallpaper.

.bmp file listed in the timeline

Answer: C:\Users\John Coleman\AppData\Local\Temp\hk8.bmp
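The timeline work in Q8 and Q9 (counting renamed files, collapsing the duplicated Modified/Changed entries, and measuring the gap to the first .bmp event) can be scripted once the events are in tabular form. This is an added example, not part of the original write-up; the CSV column names, the timestamps and most of the paths are constructed, and a real export will need its own column mapping.

```python
import csv
import io
from datetime import datetime

EXT = ".t48s39la"  # extension taken from the write-up

# Constructed rows: column names, timestamps and most paths are sample values.
SAMPLE_CSV = r"""timestamp,event,path
2000-01-01 10:00:00,Created,C:\Users\John Coleman\Downloads\WinRAR2021.exe
2000-01-01 10:05:00,Modified,C:\Users\John Coleman\Documents\a.docx.t48s39la
2000-01-01 10:05:00,Changed,C:\Users\John Coleman\Documents\a.docx.t48s39la
2000-01-01 10:05:01,Modified,C:\Users\John Coleman\Pictures\b.jpg.t48s39la
2000-01-01 10:05:01,Changed,C:\Users\John Coleman\Pictures\b.jpg.t48s39la
2000-01-01 10:05:27,Created,C:\Users\John Coleman\AppData\Local\Temp\hk8.bmp
2000-01-01 11:00:00,Modified,C:\Windows\Web\Wallpaper\other.bmp
"""


def load(text):
    """Parse the CSV text and convert timestamps to datetime objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def renamed(rows, ext=EXT):
    """Modified/Changed events on files carrying the ransomware extension."""
    return [r for r in rows
            if r["event"] in ("Modified", "Changed")
            and r["path"].lower().endswith(ext)]


def unique_files(hits):
    """Collapse Modified+Changed pairs that share the same path and timestamp."""
    return {(r["path"].lower(), r["timestamp"]) for r in hits}


def first_after(rows, hits, suffix):
    """Earliest event on a file ending in suffix at or after the last rename."""
    last = max(r["timestamp"] for r in hits)
    later = [r for r in rows
             if r["timestamp"] >= last and r["path"].lower().endswith(suffix)]
    if not later:
        return None
    hit = min(later, key=lambda r: r["timestamp"])
    return hit["path"], (hit["timestamp"] - last).total_seconds()
```

On the constructed sample, `renamed` returns four events, `unique_files` reduces them to two files, and `first_after(rows, hits, ".bmp")` returns the `hk8.bmp` path with a 26-second gap.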

Q10

The attacker left a note for the user on the Desktop; provide the name of the note with the extension.

We can examine the files on the user’s Desktop by navigating to the File System pane and limiting our selection to the Desktop directory.

There is a file with a name that includes the suspicious extension and is created at the exact time that other files had their extensions changed.

Desktop files and timestamps

Answer: t48s39la-readme.txt

Q11

The attacker created a folder “Links for United States” under C:\Users\John Coleman\Favorites\ and left a file there. Provide the name of the file.

We’ll adjust our selected directory to only include the Favorites folder.

Files within the “Links for United States” directory

There are a few files in the directory with no clear indicator of which one is the answer. The hint on TryHackMe says the filename includes a Spanish term. With that clue, we can use Google to confirm our suspicion.

Answer: GobiernoUSA.gov.url.t48s39la

Q12

There is a hidden file that was created on the user’s Desktop that has 0 bytes. Provide the name of the hidden file.

We’ll adjust the File System directory selection to only display the Desktop and filter for files with a size of 0 bytes.

Files with a size of 0 bytes in the Desktop directory

There is only one result, and we can confirm that it is a hidden file by checking the attributes in the details pane.

Answer: d60dff40.lock

Q13

The user downloaded a decryptor hoping to decrypt all the files, but he failed. Provide the MD5 hash of the decryptor file.

One of the files on the desktop had an odd name that spelled out decryptor, so let’s grab its hash.

Desktop files and details pane for the decryptor

Answer: f617af8c0d276682fdf528bb3e72560b

Q14

In the ransomware note, the attacker provided a URL that is accessible through the normal browser in order to decrypt one of the encrypted files for free. The user attempted to visit it. Provide the full URL path.

We’ll use the Browser URL History for this task. We’ll start by sorting the events by time so that the newest events are at the top of the list. Since there is a lot of activity with Bing.com, we’ll filter this out by clicking the filter icon under the URL column header.

Browser URL History, sorted by time and filtered to remove URLs containing bing.com

Answer: http://decryptor.top/644E7C8EFA02FBB7

Q15

What are some three names associated with the malware which infected this host? (enter the names in alphabetical order)

We’ve gathered multiple IOCs throughout the investigation. Among them, we have a hash of the decryptor, a hash of the executable, a URL, a file extension, and file names. We’ll run the executable’s hash through VirusTotal.

Community page for the VirusTotal result

Note: Because there was a match, VirusTotal switched the query to the SHA256 hash.

We see users have tagged the malware as sodinokibi and revil, so after searching these terms we can see they are indeed different names for the same ransomware. A little more searching reveals the third name.

Of course, the challenge name was a dead giveaway, too.

Answer: REvil,Sodin,Sodinokibi

Conclusion: This was an interesting challenge. Redline made it rather easy to filter down the various fields to find relevant information. We were able to gather key IOCs quickly and in various forms, including hashes and URLs.
