
LetsDefend - Challenge - REvil Ransomware - Write-Up

This is a write-up for the LetsDefend Challenge - REvil Ransomware, where we’re tasked with investigating a memory dump of a compromised machine to find evidence of the ransomware attack the system has suffered.

In this challenge we’ll be using a Windows 10 VM with Redline installed, combined with some OSINT digging, so let’s get started.

What is the Operating System which the Redline image is being collected on?

This one is rather straightforward as you might imagine: open up the AnalysisSession1.mans in Redline, select System Information and scroll down to Operating System Information to find the Operating System.

What is the Logged in User while the Redline image is being collected?

Next we’ll check Users to see the user accounts on this host, and we can see that the one user that sticks out is called SecurityNinja. Since we’re asked for the active user, and the rest of the users are Disabled, we know this is the one we’re looking for.

What is the location of the ransomware on the filesystem?

Since we know the user that was logged in during the incident we should start looking for the ransomware file in their Documents directory, and right off the bat the file bad day.exe pops up. The answer to this question is the full file path.

What is the MD5 of the ransomware?

With Redline this one is a breeze, as we just need to double click the file to open up the details pane and check under File Hashes > MD5 to find our answer: 94d087166651c0020a9e6cc2fdacdc0c

With this hash we can also start gearing up for the OSINT portion of this Challenge scenario, so note it down for further use.

Reading the readme

We’re supplied with the 993ixjlb-readme.txt file as part of the room files, and the next few questions can be answered just by reading through the file, but I’ll note the answers down anyway.

What is the extension for the encrypted file on the filesystem?

993ixjlb

What is the onion website for paying the ransom?

hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4FE49B3286F992CB (without the link-breaking hxxp, of course)

What is the secondary website for paying the ransom?

hxxp://decoder.re/4FE49B3286F992CB (you don’t want to break the link here either)

What is the Child Command Line Process being executed after the ransomware being executed?

Closing up the readme we can move on, and at this point it’s time to switch to OSINT to get the rest of the challenge in the bag. Since we know the MD5 we can start digging in VirusTotal or JoeSandbox, and glancing at the following questions I think the latter makes finding the correct answers a bit easier/faster.

We can find a corresponding analysis report at https://www.joesandbox.com/analysis/443860/0/html, and looking there we’ll see the Process Tree, which tells us that the answer to this question is netsh advfirewall firewall set rule group='Network Discovery' new enable=Yes. We just need to swap the double quotes for single quotes, as LetsDefend requests.

What is the Mitre ATT&CK Technique ID of this ransomware impact stage?

Reading further down the report we can find the MITRE ATT&CK matrix, and since we’re being asked about the Impact stage the somewhat obvious answer will be T1486: Data Encrypted for Impact, since we are dealing with a ransomware infection.
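To turn the two findings above, the netsh child command and the T1486 mapping, into something a detection rule can actually check, here is an added Python example that is not part of the original write-up or of the challenge materials: it runs over a constructed set of Sysmon-style process-creation records, flags the MD5 from the write-up and any netsh advfirewall rule change (whatever the quoting), and folds the quotes to the single-quote form LetsDefend expects. The file paths, the netsh hash and the benign third record are assumptions, and the T1562.004 tag (Impair Defenses: Disable or Modify System Firewall) on the firewall change is my own mapping rather than one taken from the JoeSandbox report.

```python
import re

# Constructed sample of Sysmon Event ID 1 style process-creation records, not
# taken from the challenge image. The MD5 of bad day.exe is the hash from the
# write-up; paths, the netsh MD5 and the third record are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\SecurityNinja\Documents\bad day.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\SecurityNinja\Documents\bad day.exe"',
     "Hashes": "MD5=94d087166651c0020a9e6cc2fdacdc0c"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\SecurityNinja\Documents\bad day.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes',
     "Hashes": "MD5=00000000000000000000000000000000"},  # placeholder, not a real hash
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface show interface",  # benign, must not fire
     "Hashes": "MD5=00000000000000000000000000000000"},
]

# Hash IOC taken from the write-up (Redline > File Hashes > MD5).
KNOWN_BAD_MD5 = {"94d087166651c0020a9e6cc2fdacdc0c": "bad day.exe (REvil challenge sample)"}

# Matches netsh advfirewall rule changes whatever the quoting or letter case.
FIREWALL_RULE_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+(set|add)\s+rule\b", re.I)

def normalize_cmdline(cmd: str) -> str:
    """Fold double and curly quotes to single quotes, the form LetsDefend expects."""
    return re.sub(r"[\"\u201c\u201d\u2018\u2019]", "'", cmd)

def md5_of(event: dict) -> str:
    """Pull the MD5 out of a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in event["Hashes"].split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "MD5":
            return value.strip().lower()
    return ""

def detect(events: list) -> list:
    """Return (subject, reason, ATT&CK id) tuples for each suspicious record."""
    findings = []
    for e in events:
        if md5_of(e) in KNOWN_BAD_MD5:
            findings.append((e["Image"], "known ransomware hash", "T1486"))
        if FIREWALL_RULE_RE.search(e["CommandLine"]):
            reason = f"firewall rule modified, parent {e['ParentImage']}"
            findings.append((normalize_cmdline(e["CommandLine"]), reason, "T1562.004"))
    return findings
```

Running detect(SAMPLE_EVENTS) yields two findings: the hash hit on bad day.exe and the firewall change spawned by it, while the plain netsh interface listing is left alone.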

What is the name of the Ransomware?

I’ll leave you to figure this one out :)

Closing thoughts

All in all this one was a fun challenge, and while it was pretty straightforward from the get-go, to me at least it really speaks volumes as to how much I have learned with my time on LetsDefend. Where Redline once was almost painfully messy with its “outdated” UI and OSINT wasn’t exactly my strong suit either, now these two work really nicely in unison, allowing me to figure out complicated tasks such as this one.

This post is licensed under CC BY 4.0 by the author.