Hello guys, This is writeup for the room of tryhackme Dunkle Materie from the TryHackMe platform. This room is a medium room that lets users investigate the ransomware attack using an application called ProcDOT.
The firewall alerted the Security Operations Center that one of the machines at the Sales department, which stores all the customers' data, contacted the malicious domains over the network. When the Security Analysts looked closely, the data sent to the domains contained suspicious base64-encoded strings. The Analysts involved the Incident Response team in pulling the Process Monitor and network traffic data to determine if the host is infected. But once they got on the machine, they knew it was a ransomware attack by looking at the wallpaper and reading the ransomware note.
I place the logfile into the procmon as in the figure below.
It doesn't seem to work, so I added the traffic file to Windump.
1) Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)
Ans- 8644, 7128
2) Provide the full path where the ransomware initially got executed? (Include the full path in your answer)
We can see that the red box is the full path where the malware is initially executed, which is the second question.
(The path is redacted for the learning purposes of each user.)
Ans- c:\users\sales\appdata\local\temp\exploreer.exe
3) This ransomware transfers the information about the compromised system and the encryption results to two domains over HTTP POST. What are the two C2 domains? (no space in the answer)
On the second exploreer.exe, I also found one.
Ans- mojobiden.com,paymenthacks.com
4) What are the IPs of the malicious domains? (no space in the answer)
Ans- 146.112.61.108,206.188.197.206
5) Provide the user-agent used to transfer the encrypted data to the C2 channel.
For this question, it wanted us to identify the user-agent used to transfer the encrypted data to the C2 channel.
So, by right-clicking the site we found previously, we click on “Follow TCP Stream”.
Ans- Firefox/89.0
6) Provide the cloud security service that blocked the malicious domain.
Now, we require to identify the cloud security service that blocked the malicious domain.
So, at the same window, scroll down a bit more. And we can see the server name.
Ans- Cisco Umbrella
7) Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.
Ans- ley9kpi9r.bmp
8) Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim's machine.
Ans- 4892
9) The ransomware mounted a drive and assigned it the letter. Provide the registry key path to the mounted drive, including the drive letter.
For this part, we need to find the registry key path to the mounted drive, with the drive letter. So, I started with exploreer.exe. I look into each process in detail but failed to find the path.
This really cost me so much time. As I was looking into the registry process and back to exploreer.exe, without realizing that I did not turn off the “no path” option. I wasted like an hour until I realize it. So, after in a rabbit hole for an hour, I manage to find the path.
Ans- HKLM\SYSTEM\MountedDevices\DosDevices\Z:
10) Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack. (external research required)
This also takes me a lot of time to research. I do not have an idea on what keyword should I use to search for it.
I tried to search on “ransomware targeting mount drive” and other doesn't help at all. But suddenly I think about the site “hacker” used before. So, I try to use one of the websites and look at it on Google. And BAM! I got it!
Ans- Blackmatter Ransomware
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal