TryHackMe: REvil Corp
Overview: This is a medium-difficulty challenge hosted by TryHackMe. The challenge involves using Redline to investigate a compromised machine. The machine was reported to have exhibited ransomware-like behavior.
Scenario: One of the employees at Lockman Group gave the IT department a call; the user was frustrated and mentioned that all of his files had been renamed to a weird file extension that he had never seen before. After looking at the user’s workstation, the IT guy already knew what was going on and transferred the case to the Incident Response team for further investigation.
Q1
What is the compromised employee’s full name?
After Redline loads the memory analysis file, we’ll take a look at the System Information page.
From there we can see the logged-in user was John Coleman.
Of course, we could also find the user under the Users screen.
Answer: John Coleman
Q2
What is the operating system of the compromised host?
We can refer back to the System Information we found previously.
Answer: Windows 7 Home Premium 7601 Service Pack 1
Q3
What is the name of the malicious executable that the user opened?
We’ll start by checking for any downloads that occurred.
We can see two downloads in the memory dump, one for WinRAR and another for the TOR browser.
The WinRAR download came from an IP address, which is rather abnormal and should be investigated further.
Answer: WinRAR2021.exe
Q4
What is the full URL that the user visited to download the malicious binary? (include the binary as well)
We noted the suspicious IP in Q3.
Answer: http://192.168.75.129:4748/Documents/WinRAR2021.exe
Q5
What is the MD5 hash of the binary?
We can use the File System screen within Redline to get the hash. To make the hash easier to view, toggle Show Details at the bottom of the screen.
Note: Along with the WinRAR executable, there are other suspicious entries in the file system. Some of the entries have an unusual file extension as noted in the scenario.
Answer: 890a58f200dfff23165df9e1b088e58f
Q6
What is the size of the binary in kilobytes?
We can find this information in the details pane that we opened in the previous step.
Answer: 164
Q7
What is the extension to which the user’s files got renamed?
We also took note of the odd extension in Q5.
Answer: .t48s39la
Q8
What is the number of files that got renamed and changed to that extension?
Although Event Logs seem like the logical first place to look for this information, they don’t appear to be relevant to this question, so let’s try the Timeline.
This information looks like it might be what we’re looking for. We can see the file download is logged here, as well as registry modifications and process creation.
So let’s try to filter out all the events we don’t need, such as registry changes and processes.
With the only filters set to Modified and Changed, we can search for the suspicious file extension, returning 48 matches.
Note: Although 48 is the correct answer, the entries seem to be duplicated. If you only toggle one of the filters (Changed / Modified) there are 24 results. The filenames and timestamps match on the duplicated files, suggesting there are only 24 files changed. You can see an example of the duplicated entries in the screenshot above.
Answer: 48
Q9
What is the full path to the wallpaper that got changed by an attacker, including the image name?
Windows saves wallpapers as bitmap files (.bmp) so perhaps we can use the timeline to track down the wallpaper. Searching for events with .bmp returns over 300 results.
Checking the timestamps, we can see the time for the first result for a .bmp file was only 26 seconds after the file extensions were changed. With that, it is safe to say we’ve got the path of the wallpaper.
Answer: C:\Users\John Coleman\AppData\Local\Temp\hk8.bmp
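The two timeline steps above (Q8: filter to Modified/Changed and count the renamed files, noting the duplicated rows; Q9: find the first .bmp event shortly after the renames) can be reproduced outside the Redline GUI. The following is an added example, not part of the original walkthrough or of Redline itself. It parses a constructed timeline in a simplified `timestamp|event kind|path` layout (Redline's real export columns differ; the sample rows and timestamps are invented for illustration), reports both the raw row count and the deduplicated file count, and then looks for the first .bmp event inside a time window after the last rename.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts kind path")

# Constructed sample in a simplified 'timestamp|event kind|path' layout.
# It is not a real Redline export; it only mimics the mix of registry, process
# and file events seen in the timeline, including the paired Modified/Changed
# rows that inflate the raw count. Timestamps are invented.
SAMPLE_TIMELINE = """\
2021-06-10 19:34:50|Registry Modified|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
2021-06-10 19:35:01|Process Created|C:\\Users\\John Coleman\\Downloads\\WinRAR2021.exe
2021-06-10 19:35:02|Modified|C:\\Users\\John Coleman\\Documents\\report.docx.t48s39la
2021-06-10 19:35:02|Changed|C:\\Users\\John Coleman\\Documents\\report.docx.t48s39la
2021-06-10 19:35:02|Modified|C:\\Users\\John Coleman\\Documents\\budget.xlsx.t48s39la
2021-06-10 19:35:02|Changed|C:\\Users\\John Coleman\\Documents\\budget.xlsx.t48s39la
2021-06-10 19:35:03|Modified|C:\\Users\\John Coleman\\Pictures\\holiday.jpg.t48s39la
2021-06-10 19:35:03|Changed|C:\\Users\\John Coleman\\Pictures\\holiday.jpg.t48s39la
2021-06-10 19:35:29|Modified|C:\\Users\\John Coleman\\AppData\\Local\\Temp\\hk8.bmp
2021-06-10 19:40:00|Accessed|C:\\Windows\\Web\\Wallpaper\\Windows\\img0.bmp
"""

FILE_KINDS = {"Modified", "Changed"}  # the two filters left enabled in Q8


def parse_timeline(text):
    """Turn the pipe-separated rows into Event tuples with real datetimes."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, path = line.split("|", 2)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, path))
    return events


def file_events_with_suffix(events, suffix):
    """Same filter as the Redline view: file events only, path ending in suffix."""
    suffix = suffix.lower()
    return [e for e in events if e.kind in FILE_KINDS and e.path.lower().endswith(suffix)]


def extension_hits(events, ext):
    """Return (raw_rows, unique_files) for the ransomware extension.
    raw_rows counts every matching row (what the Redline search reports);
    unique_files collapses rows sharing path and timestamp, i.e. the
    Modified/Changed pairs, giving the number of files actually renamed."""
    hits = file_events_with_suffix(events, ext)
    return len(hits), len({(e.path, e.ts) for e in hits})


def wallpaper_candidate(events, ext, window_seconds=60):
    """First .bmp file event within window_seconds after the last rename.
    Returns (path, seconds_after_last_rename), or None if nothing falls in the window."""
    renames = file_events_with_suffix(events, ext)
    if not renames:
        return None
    last_rename = max(e.ts for e in renames)
    deadline = last_rename + timedelta(seconds=window_seconds)
    bmps = [e for e in file_events_with_suffix(events, ".bmp") if last_rename <= e.ts <= deadline]
    if not bmps:
        return None
    first = min(bmps, key=lambda e: e.ts)
    return first.path, int((first.ts - last_rename).total_seconds())


if __name__ == "__main__":
    evts = parse_timeline(SAMPLE_TIMELINE)
    raw, unique = extension_hits(evts, ".t48s39la")
    print(f"rows matching extension: {raw}, distinct files: {unique}")
    print("wallpaper candidate:", wallpaper_candidate(evts, ".t48s39la"))
```

On the constructed sample the raw count is 6 while only 3 distinct files were renamed, the same 2:1 ratio seen in Q8 (48 rows, 24 files); dedup on (path, timestamp) is the check worth doing before quoting a file count in a report. The window search surfaces the Temp .bmp written 26 seconds after the last rename and ignores the later wallpaper access, which is both outside the window and not a Modified/Changed event.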
Q10
The attacker left a note for the user on the Desktop; provide the name of the note with the extension.
We can examine the files on the user’s Desktop by navigating to the File System pane and limiting our selection to the Desktop directory.
There is a file whose name includes the suspicious extension, created at the exact time the other files had their extensions changed.
Answer: t48s39la-readme.txt
Q11
The attacker created a folder “Links for United States” under C:\Users\John Coleman\Favorites\ and left a file there. Provide the name of the file.
We’ll adjust our selected directory to only include the Favorites folder.
There are a few files in the directory with no clear indicator of which one is the answer. The hint on TryHackMe says the filename includes a Spanish term. With that clue, we can use Google to confirm our suspicion.
Answer: GobiernoUSA.gov.url.t48s39la
Q12
There is a hidden file that was created on the user’s Desktop that has 0 bytes. Provide the name of the hidden file.
We’ll adjust the File System directory selection to only display the Desktop and filter for files with a size of 0 bytes.
There is only one result, and we can confirm that it is a hidden file by checking the attributes in the details pane.
Answer: d60dff40.lock
Q13
The user downloaded a decryptor hoping to decrypt all the files, but he failed. Provide the MD5 hash of the decryptor file.
One of the files on the desktop had an odd name that spelled out decryptor, so let’s grab its hash.
Answer: f617af8c0d276682fdf528bb3e72560b
Q14
In the ransomware note, the attacker provided a URL that is accessible through the normal browser in order to decrypt one of the encrypted files for free. The user attempted to visit it. Provide the full URL path.
We’ll use the Browser URL History for this task. We’ll start by sorting the events by time so that the newest events are at the top of the list. Since there is a lot of activity with Bing.com, we’ll filter this out by clicking the filter icon under the URL column header.
Answer: http://decryptor.top/644E7C8EFA02FBB7
Q15
What are some three names associated with the malware which infected this host? (enter the names in alphabetical order)
We’ve gathered multiple IOCs throughout the investigation: a hash of the decryptor, a hash of the executable, a URL, the file extension, and several file names. We’ll run the executable’s hash through VirusTotal.
Note: Because there was a match, VirusTotal switched the query to the SHA256 hash.
We see users have tagged the malware as sodinokibi and revil, so after searching these terms we can see they are indeed different names for the same ransomware. A little more searching reveals the third name.
Of course, the challenge name was a dead giveaway, too.
Answer: REvil,Sodin,Sodinokibi
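Once the IOCs from Q3 through Q14 are collected, the natural next step for a responder is to sweep other hosts' file listings and browser history for them. The following is an added example, not code from the original walkthrough or from TryHackMe: it bundles the hashes, URLs, file names and extension reported above into one IOC table and runs constructed file and URL records through simple matchers. The sample records, and every hash other than the two reported on this page, are placeholders invented for the example.

```python
import hashlib
from urllib.parse import urlsplit

# IOCs exactly as reported in this walkthrough (hashes are MD5, as Redline displayed them).
IOCS = {
    "md5": {
        "890a58f200dfff23165df9e1b088e58f": "WinRAR2021.exe (ransomware binary)",
        "f617af8c0d276682fdf528bb3e72560b": "downloaded decryptor",
    },
    "url": {
        "http://192.168.75.129:4748/Documents/WinRAR2021.exe": "malware download URL",
        "http://decryptor.top/644E7C8EFA02FBB7": "ransom-note decryptor URL",
    },
    "filename": {
        "t48s39la-readme.txt": "ransom note",
        "d60dff40.lock": "zero-byte lock file",
    },
    "extension": {".t48s39la": "encrypted-file extension"},
}
# Hosts derived from the URL IOCs, so a different path on the same server still flags.
IOC_HOSTS = {urlsplit(u).netloc: d for u, d in IOCS["url"].items()}


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, used only to compare against the reported hashes."""
    return hashlib.md5(data).hexdigest()


def match_file(path, md5=None):
    """Return (ioc_type, description) hits for one file entry; empty list if clean."""
    hits = []
    if md5 and md5.lower() in IOCS["md5"]:
        hits.append(("md5", IOCS["md5"][md5.lower()]))
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in IOCS["filename"]:
        hits.append(("filename", IOCS["filename"][basename]))
    for ext, desc in IOCS["extension"].items():
        if basename.endswith(ext):
            hits.append(("extension", desc))
    return hits


def match_url(url):
    """Exact URL match first; otherwise flag any visit to an IOC host."""
    if url in IOCS["url"]:
        return [("url", IOCS["url"][url])]
    host = urlsplit(url).netloc
    if host in IOC_HOSTS:
        return [("host", "same host as " + IOC_HOSTS[host])]
    return []


def scan(file_entries, urls):
    """Run every record through the matchers; return {record: hits} for flagged records only."""
    flagged = {}
    for entry in file_entries:
        hits = match_file(entry["path"], entry.get("md5"))
        if hits:
            flagged[entry["path"]] = hits
    for url in urls:
        hits = match_url(url)
        if hits:
            flagged[url] = hits
    return flagged


# Constructed records standing in for a file listing and a browser history export.
SAMPLE_FILES = [
    {"path": r"C:\Users\John Coleman\Downloads\WinRAR2021.exe", "md5": "890a58f200dfff23165df9e1b088e58f"},
    {"path": r"C:\Users\John Coleman\Desktop\t48s39la-readme.txt", "md5": "0" * 32},  # placeholder hash
    {"path": r"C:\Users\John Coleman\Desktop\d60dff40.lock", "md5": md5_hex(b"")},  # 0-byte file
    {"path": r"C:\Users\John Coleman\Favorites\Links for United States\GobiernoUSA.gov.url.t48s39la", "md5": "1" * 32},
    {"path": r"C:\Windows\System32\notepad.exe", "md5": "2" * 32},  # placeholder hash, clean file
]
SAMPLE_URLS = [
    "https://www.bing.com/search?q=winrar+download",
    "http://192.168.75.129:4748/Documents/WinRAR2021.exe",
    "http://192.168.75.129:4748/",
    "http://decryptor.top/644E7C8EFA02FBB7",
]

if __name__ == "__main__":
    for record, hits in scan(SAMPLE_FILES, SAMPLE_URLS).items():
        print(record, "->", hits)
```

The matchers are deliberately layered: a hash match is the strongest signal, a file name or extension match catches files whose hash differs (the ransom note and renamed files), and the host match catches a second download from the same staging server even when the path changes. MD5 is used only because that is the hash Redline reported; the same table works with SHA-256 once VirusTotal or another source supplies it.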
Conclusion: This was an interesting challenge. Redline made it rather easy to filter down the various fields to find relevant information. We were able to gather key IOCs quickly and in various forms, including hashes and URLs.