OverView
You are involved in an incident response engagement and need to analyze an infected host using Redline.
| Follow @anir0y | |
| REvil Corp |  |
| REvil Corp [FREE ROOM] | REvil Corp |
Task 01: Investigating the Compromised Endpoint
Scenario: One of the employees at Lockman Group gave an IT department the call; the user is frustrated and mentioned that all of his files are renamed to a weird file extension that he has never seen before. After looking at the user’s workstation, the IT guy already knew what was going on and transferred the case to the Incident Response team for further investigation.
You are the incident responder. Let’s see if you can solve this challenge using the infamous Redline tool. Happy Hunting, my friend!
To start your investigation, open the Mandiant Analysis file in the Analysis File folder on the Desktop.
Answer the questions below
| Task | Question | Ans |
|---|---|---|
| 1 | What is the compromised employee’s full name? | employee name |
| 2 | What is the operating system of the compromised host? | windows host |
| 3 | What is the name of the malicious executable that the user opened? | malware |
| 4 | What is the full URL that the user visited to download the malicious binary? (include the binary as well) | File download Url |
| 5 | What is the MD5 hash of the binary? | hash |
| 6 | What is the size of the binary in kilobytes? | binary size |
| 7 | What is the extension to which the user’s files got renamed? | renamed files |
| 8 | What is the number of files that got renamed and changed to that extension? | number of files renamed |
| 9 | What is the full path to the wallpaper that got changed by an attacker, including the image name? | hacker wallpaper |
| 10 | The attacker left a note for the user on the Desktop; provide the name of the note with the extension. | hacker notes |
| 11 | The attacker created a folder “Links for United States” under C:\Users\John Coleman\Favorites\ and left a file there. Provide the name of the file. | hacker links |
| 12 | There is a hidden file that was created on the user’s Desktop that has 0 bytes. Provide the name of the hidden file. | size zero |
| 13 | The user downloaded a decryptor hoping to decrypt all the files, but he failed. Provide the MD5 hash of the decryptor file. | decrypt.exe |
| 14 | In the ransomware note, the attacker provided a URL that is accessible through the normal browser in order to decrypt one of the encrypted files for free. The user attempted to visit it. Provide the full URL path. | history |
| 15 | What are some three names associated with the malware which infected this host? (enter the names in alphabetical order) | OTX |
compromised employee
What is the operating system of the compromised host?
find the info on system informaiton page
malicious executable
- user might have been downloaded
malicious executableusing web/email. let’s check download history to find the ans.
full URL
ref to task 3 we can copy and paste the URL
MD5 hash of the binary
- click on
timeline - search for the
malicious [executable](#malicious-executable) - click on
result - search for
next - eventually you’ll see hash either on
right side of resultor you can click onshow detailfor better copy/paste!
size of binary
files got renamed
- click on
file system - select folders form
user - you’ll notice a not common extention name for few files.
- that’s the answer!
What is the number of files that got renamed and changed to that extension?
- goto
timeline - in
timeline configcheck onlychanged&modified - search for the
ext - you have the ans!!
full path to the wallpaper that got changed by an attacker
- goto
timeline - search for
.bmpext - you have the ans!!!
attacker left a note for the user on the Desktop
- goto
file system - select
user's desktop - you’ll see the notes with
.txtext
Links for United States
- goto
file system - select
user's favorites - you’ll see a file under
United Statesfolder
hidden file that was created on the user’s Desktop
- goto
file system - select
user's desktop - you’ll see the file with
0 bytes
decryptor hoping to decrypt
- goto
file system - select
user's desktop - find the
decryptor.exe - click on
show detailsor you can see the hash of that file inright pane
Free Decyptor
- Click on
URL history - search for
decrypt; quick findings - paste the
full URLas answer
three names associated with the malware
ref to OTX
