Another Redline room, with a more in-depth investigation than the previous one. It was great to get some more practice with Redline; I'm coming to appreciate this tool and I'm looking forward to using it in a real-life investigation in the future.
Scenario
One of the employees at Lockman Group called the IT department: the user was frustrated and said that all of his files had been renamed with a weird file extension that he had never seen before. After looking at the user's workstation, the IT technician already knew what was going on and transferred the case to the Incident Response team for further investigation.
You are the incident responder.
Investigation
- What is the compromised employee’s full name?
- What is the operating system of the compromised host?
Both of these questions can be answered from the "System Information" section:
John Coleman was the only user on this machine, but if there had been multiple user accounts, one could confirm whose files were encrypted by looking at each user's files:
- What is the name of the malicious executable that the user opened?
After looking at the user's files (as in the screenshot above), I noted the time when the encrypted files were created/modified.
Then, using the Timeline feature, I looked around that time to see what actions this user performed and found that he had opened a WinRAR executable he had just downloaded (from a very suspicious URL):
- What is the full URL that the user visited to download the malicious binary? (include the binary as well)
This information can be found either in the Timeline section (I've marked the event in the screenshot above as well) or directly in the "File Download History" section that Redline conveniently provides in the left panel. That section contains the answer:
- What is the MD5 hash of the binary?
- What is the size of the binary in kilobytes?
These details are available in the File System section: locate the file itself and scroll horizontally through its details to find the MD5 column (not shown in the screenshot) and the Size column (the question asks for kilobytes, so convert if the value is shown in bytes):
- What is the extension to which the user’s files got renamed?
This information appears in several of the previous screenshots; it's just a matter of looking at the user's files.
- What is the number of files that got renamed and changed to that extension?
This can be found using the Keyword Search in the Timeline section, with only the modified and changed file events flagged:
- What is the full path to the wallpaper that got changed by an attacker, including the image name?
This one was a bit harder to find: the registry didn't have the key/value I used to find the wallpaper path in a previous investigation (normally the Wallpaper value under HKCU\Control Panel\Desktop). So I searched the modified/changed files for some common image extensions using the keyword search (as for the previous answer), and a ".bmp" hit pointed me to the right answer.
- The attacker left a note for the user on the Desktop; provide the name of the note with the extension.
- There is a hidden file that was created on the user's Desktop that has 0 bytes. Provide the name of the hidden file.
The answer is similar to many previous ones: I just needed to look in the user's Desktop folder (these particular files can be seen in the second screenshot I posted above).
- The attacker created a folder “Links for United States” under C:\Users\John Coleman\Favorites\ and left a file there. Provide the name of the file.
- The user downloaded a decryptor hoping to decrypt all the files, but he failed. Provide the MD5 hash of the decryptor file.
- In the ransomware note, the attacker provided a URL that is accessible through the normal browser in order to decrypt one of the encrypted files for free. The user attempted to visit it. Provide the full URL path.
I forgot to take a screenshot of this answer, but it wasn't hard to find. Redline has a section called Browser URL History; looking at the entries after the time the user opened the readme file (opened local files also appear in that history, as entries starting with file:///), there was a suspicious URL starting with http://, and that was the URL needed.
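The four checks above (counting files renamed to the ransom extension, finding image files touched during the encryption window, listing hidden 0-byte files on the Desktop, and pulling the web URL visited after the note was opened) are all filters over timestamped events, so they are easy to script once the Timeline and Browser URL History views are exported to CSV. The following is an added example, not code from the room or from Redline; the column names (Timestamp, Action, Path, Size, Hidden, URL), the ".locked" extension and every path, host name and timestamp in the two embedded CSV samples are constructed placeholders, not data from this investigation.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a file-system timeline export. Column names,
# the ".locked" extension, paths and timestamps are all assumptions.
SAMPLE_TIMELINE = r"""Timestamp,Action,Path,Size,Hidden
2021-03-05T14:01:10,Created,C:\Users\John Coleman\Downloads\winrar-setup.exe,3100000,false
2021-03-05T14:03:22,Created,C:\Users\John Coleman\Desktop\report.docx.locked,48211,false
2021-03-05T14:03:22,Changed,C:\Users\John Coleman\Desktop\report.docx.locked,48211,false
2021-03-05T14:03:25,Modified,C:\Users\John Coleman\Documents\budget.xlsx.locked,91002,false
2021-03-05T14:03:27,Modified,C:\Users\John Coleman\Pictures\holiday.jpg.locked,2201003,false
2021-03-05T14:03:40,Modified,C:\Users\John Coleman\AppData\Local\Temp\note.bmp,1440054,false
2021-03-05T14:03:41,Created,C:\Users\John Coleman\Desktop\ransom_note.txt,2103,false
2021-03-05T14:03:41,Created,C:\Users\John Coleman\Desktop\marker.tmp,0,true
2021-03-05T16:30:00,Modified,C:\Users\John Coleman\Pictures\cat.png,50000,false
"""

# Constructed sample of a browser URL history export (same caveats).
SAMPLE_URL_HISTORY = r"""Timestamp,URL
2021-03-05T14:00:30,https://www.bing.com/search?q=winrar
2021-03-05T14:05:02,file:///C:/Users/John%20Coleman/Desktop/ransom_note.txt
2021-03-05T14:07:15,http://decryptor.example/free-test
"""

RANSOM_EXT = ".locked"                        # placeholder, not the room's real extension
IMAGE_EXTS = (".bmp", ".jpg", ".jpeg", ".png")
DESKTOP = r"C:\Users\John Coleman\Desktop"
RENAME_ACTIONS = ("Modified", "Changed")      # mirrors "flag only modified and changed"


def load_rows(text):
    """Parse a CSV export; timestamps become datetimes, Size/Hidden get typed if present."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Timestamp"] = datetime.fromisoformat(row["Timestamp"])
        if "Size" in row:
            row["Size"] = int(row["Size"])
        if "Hidden" in row:
            row["Hidden"] = row["Hidden"].strip().lower() == "true"
        rows.append(row)
    return rows


def renamed_files(events, ext=RANSOM_EXT):
    """Unique paths carrying the ransom extension among Modified/Changed events."""
    return sorted({e["Path"] for e in events
                   if e["Action"] in RENAME_ACTIONS
                   and e["Path"].lower().endswith(ext)})


def encryption_window(events, ext=RANSOM_EXT):
    """Earliest and latest rename event: the window the ransomware was active."""
    stamps = [e["Timestamp"] for e in events
              if e["Action"] in RENAME_ACTIONS and e["Path"].lower().endswith(ext)]
    return min(stamps), max(stamps)


def images_changed_near(events, ext=RANSOM_EXT, pad=timedelta(minutes=5)):
    """Image files created/changed around the encryption window (wallpaper candidates).
    Files already renamed to the ransom extension no longer end in an image extension,
    so they drop out automatically."""
    start, end = encryption_window(events, ext)
    return sorted(e["Path"] for e in events
                  if e["Path"].lower().endswith(IMAGE_EXTS)
                  and start - pad <= e["Timestamp"] <= end + pad)


def hidden_empty_files(events, folder=DESKTOP):
    """Hidden, 0-byte files directly under the given folder."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return sorted({e["Path"] for e in events
                   if e["Hidden"] and e["Size"] == 0
                   and e["Path"].lower().startswith(prefix)})


def urls_after_note(history, note_name):
    """Web URLs visited after the ransom note was first opened in the browser,
    where the note shows up as a file:/// entry in the URL history."""
    opened = [h["Timestamp"] for h in history
              if h["URL"].lower().startswith("file:///")
              and h["URL"].lower().endswith(note_name.lower())]
    if not opened:
        return []
    first_open = min(opened)
    return [h["URL"] for h in history
            if h["Timestamp"] > first_open
            and h["URL"].lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    ev = load_rows(SAMPLE_TIMELINE)
    print(len(renamed_files(ev)), "files renamed to", RANSOM_EXT)
    print("encryption window:", *encryption_window(ev))
    print("image files touched in that window:", images_changed_near(ev))
    print("hidden 0-byte files on the Desktop:", hidden_empty_files(ev))
    print("URLs visited after opening the note:",
          urls_after_note(load_rows(SAMPLE_URL_HISTORY), "ransom_note.txt"))
```

The rename count deliberately ignores Created-only events, matching the "modified and changed" filter used in the Timeline keyword search; widen `RENAME_ACTIONS` if the export you work from records encrypted files only as Created. The time padding around the encryption window is a judgement call: too narrow misses a wallpaper dropped a minute before the files were touched, too wide pulls in unrelated browser cache images.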
- What are three names associated with the malware that infected this host? (Enter the names in alphabetical order.)
The answer can be found by looking online at resources like VirusTotal (searching for the infected .exe file's hash) and the MITRE ATT&CK website:
So the answer was REvil, Sodin and Sodinokibi.