
Investigating the Compromised Endpoint
Scenario: One of the employees at Lockman Group contacted the IT department, frustrated that all his files had been renamed with an unfamiliar file extension. The IT team quickly identified the issue as a potential ransomware attack and escalated the case to the Incident Response team for further investigation.
As the incident responder, your task is to analyze the compromised host using Redline, a powerful memory analysis tool. Let’s dive into the investigation!
Question 1: What is the compromised employee’s full name?
To begin, load the saved memory analysis located in the Desktop/analysis folder. In Redline, click on Open Previous Analysis under the Analyze Data section.
To answer Question 1, navigate to System Information in Redline. Here, you’ll find the currently logged-on user:
Question 2: What is the operating system of the compromised host?
From the same System Information section, you can identify the operating system of the compromised host.
Question 3: What is the name of the malicious executable that the user opened?
Navigate to File Download History in Redline. Here, you’ll find the malicious file that the user downloaded:
Question 4: What is the full URL that the user visited to download the malicious binary? (include the binary as well)
From the same File Download History section, you can see the full URL used to download the malicious file.
Question 5: What is the MD5 hash of the binary?
To find the MD5 hash of the malicious binary, navigate to the user’s Downloads folder in Redline. In the File System section, go to Users > John Coleman > Downloads. Search for the executable file (WinRAR2021.exe) in the search bar:
Once you locate the file, double-click it to view its details. The MD5 hash will be displayed in the file information:
Question 6: What is the size of the binary in kilobytes?
From the same file details window, you can see the size of the binary in kilobytes.
Question 7: What is the extension to which the user’s files got renamed?
The hint suggests checking the user’s Desktop for a readme file. Navigate to File System > Users > John Coleman > Desktop and look for recently modified files. You’ll notice password.txt... was modified:
Question 8: What is the number of files that got renamed and changed to that extension?
Use the Timeline feature in Redline to count the number of files with the .t48s39la extension. Enable the Modified and Changed filters and search for the extension:
Question 9: What is the full path to the wallpaper that got changed by an attacker, including the image name?
The hint suggests looking for .bmp files in the Timeline. Search for .bmp and enable the Modified and Changed filters:
Question 10: The attacker left a note for the user on the Desktop; provide the name of the note with the extension.
On the user’s Desktop, you’ll find a file named t48s39la-readme.txt:
Question 11: The attacker created a folder “Links for United States” under C:\Users\John Coleman\Favorites\ and left a file there. Provide the name of the file.
Navigate to File System > Users > John Coleman > Favorites > Links for United States. You’ll find a file with a Spanish term in its name:
Question 12: There is a hidden file that was created on the user’s Desktop that has 0 bytes. Provide the name of the hidden file.
Search for .lock files on the Desktop. You’ll find a hidden file with 0 bytes:
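The checks behind Questions 8, 10 and 12 (counting renamed files, spotting the ransom note, finding an empty hidden lock file) can be automated over a flat file listing instead of clicking through the Timeline. The script below is an added example, not part of the original walkthrough or of Redline: it infers the encryption extension from double-extension names (such as password.txt.t48s39la), then reports the indicators. The listing, the readme naming pattern and the lock-file name are constructed assumptions.

```python
"""Triage a file listing for ransomware indicators (added example).

Input: records of (path, size_in_bytes, is_hidden), e.g. exported from
Redline's File System view. The sample listing is constructed.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample records; "encrypted.lock" is a placeholder name, not
# the answer to Question 12.
SAMPLE_LISTING = [
    (r"C:\Users\John Coleman\Desktop\password.txt.t48s39la", 1024, False),
    (r"C:\Users\John Coleman\Documents\budget.xlsx.t48s39la", 40960, False),
    (r"C:\Users\John Coleman\Pictures\photo.jpg.t48s39la", 204800, False),
    (r"C:\Users\John Coleman\Desktop\t48s39la-readme.txt", 2048, False),
    (r"C:\Users\John Coleman\Desktop\encrypted.lock", 0, True),
    (r"C:\Users\John Coleman\Desktop\notes.txt", 300, False),
    (r"C:\Windows\System32\kernel32.dll", 700000, False),
]


def infer_ransom_extension(listing):
    """Most common final suffix among double-extension names, or None.

    Encrypted files keep their original extension and gain a new one, so
    'report.docx.t48s39la' votes for '.t48s39la'; 'notes.txt' does not vote.
    """
    votes = Counter()
    for path, _size, _hidden in listing:
        suffixes = PureWindowsPath(path).suffixes
        if len(suffixes) >= 2:
            votes[suffixes[-1].lower()] += 1
    return votes.most_common(1)[0][0] if votes else None


def triage(listing):
    """Count renamed files and flag the note and empty hidden lock files."""
    ext = infer_ransom_extension(listing)
    # Assumption: the note is named "<ext>-readme.txt", as in this walkthrough.
    note_name = f"{ext.lstrip('.')}-readme.txt" if ext else None
    renamed = [p for p, _, _ in listing if ext and p.lower().endswith(ext)]
    notes = [p for p, _, _ in listing
             if note_name and PureWindowsPath(p).name.lower() == note_name]
    locks = [p for p, size, hidden in listing
             if hidden and size == 0 and p.lower().endswith(".lock")]
    return {"extension": ext, "renamed_count": len(renamed),
            "ransom_notes": notes, "hidden_lock_files": locks}


if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```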
Question 13: The user downloaded a decryptor hoping to decrypt all the files, but he failed. Provide the MD5 hash of the decryptor file.
On the user’s Desktop, locate the file named d.e.c.r.yp.to.r.exe. Double-click it to view its details, including the MD5 hash:
Question 14: What is the full URL from which the decryptor was downloaded?
In Redline, navigate to Browser URL History and search for decr. You’ll find the URL used to download the decryptor:
Question 15: What are some three names associated with the malware which infected this host? (enter the names in alphabetical order)
Perform external research using the MD5 hash from Question 5. A quick search reveals that the malware is associated with the REvil ransomware family:
This concludes the walkthrough for the REvil Corp incident response challenge. Happy hunting!
© EveSunMaple | CC BY-SA 4.0