Capture The Flag

Tryhackme - Dunkle Materie Writeup

L0WK3Y
· 5 min read
Send by email

Intro

This blog is a brief writeup of the TryHackMe room Dunkle Materie and how to solve each question. This room revolves around using the tool ProcDot to investigate a ransomware attack. Let's begin!

Scenario

The firewall alerted the Security Operations Center that one of the machines at the Sales department, which stores all the customers' data, contacted the malicious domains over the network. When the Security Analysts looked closely, the data sent to the domains contained suspicious base64-encoded strings. The Analysts involved the Incident Response team in pulling the Process Monitor and network traffic data to determine if the host is infected. But once they got on the machine, they knew it was a ransomware attack by looking at the wallpaper and reading the ransomware note. Can you find more evidence of compromise on the host and what ransomware was involved in the attack?

Questions

Q1. Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)

The first question can be found after uploading the Logfile.CSV and traffic.pcap files from the Analysis Files to ProcDot and selecting the Launcher button to select a process from the list. After doing so a list of processes that were active while procmon was monitoring while be shown. After looking through the list I was able tell these two PIDs (8644,7128) were spawned from the malicious executable exploreer.exe. It's safe to assume it was given this name so that it could be easily overlooked and would be confused for the actual explorer.exe.


Q2. Provide the full path where the ransomware initially got executed?(Include the full path in your answer)

Once ProcDot graphs all active processes and network activity, after looking through the data we can see the file path where exloreer.exe was initially executed. c:\users\sales\appdata\local\temp\exploreer.exe.


Q3. This ransomware transfers the information about the compromised system and the encryption results to two domains over HTTP POST. What are the two C2 domains? (no space in the answer)

Q4. What are the IPs of the malicious domains? (no space in the answer)

To answer this question you will need to head over to the second instance of the malicious process 7128 after scrolling through the captured data, you'll find a segment where exploreer.exe is sending and receiving a stream of TCP traffic from cisco[.]com, mojobiden[.]com IP: 146.112.61.108 and, paymenthacks[.]com IP: 206.188.197.206. Based on the flow of the traffic exploreer.exe seems to be sending and receiving data from mojobiden[.]com it's safe to assume that this is how the threat actor sends commands to the malware and receives data from the victims system. Paymenthacks[.]com must be where all the data that was collected from the victims system is being sent to based on the flow of the traffic, there is only outgoing traffic being sent to that domain. img


Q5. Provide the user-agent used to transfer the encrypted data to the C2 channel.

If you right click on the mojobiden server and click Follow TCP Stream you can scroll down until you come across information in red text, here you will find the User-Agent information which is Firefox/89.0.
img


Q6. Provide the cloud security service that blocked the malicious domain.

Going back to the network traffic from question 3&4 there was data being sent to and from a Cisco server with the address 23.204.14.115. If you right click on the Cisco Server bubble you will find Cisco Umbrella being mentioned in the data. You can read more about Cisco Umbrella here. img


Q7. Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.

Q8. Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim's machine.

If you follow the thread 4892 created by 7128 you will see that there is a value set in the register path HKCU\Control Panel\Desktop\Wallpaper the value is c:\programdata\ ley9kpi9r.bmp.


Q9. The ransomware mounted a drive and assigned it the letter. Provide the registry key path to the mounted drive, including the drive letter.

You can find the answer to this question by following the thread 4892 and you will see the registry path for the mounted device. HKLM\SYSTEM\MountedDevices\DosDevices\Z:.


Q10. Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack. (external research required)

For this question you can look up the C2 servers on threat intel sites like VirusTotal and AlienVault. On VirusTotal enter the C2 address in the VirusTotal search bar and head to the community tab. This concludes the Dunkle Materie room and I hope you enjoyed this room as much as I did. Happy Hacking!

img