REvil Corp

Room progress ( 0% )

To access material, start machines and answer questions login.

Task 1Investigating the Compromised Endpoint

Scenario: One of the employees at Lockman Group gave an IT department the call; the user is frustrated and mentioned that all of his files are renamed to a weird file extension that he has never seen before. After looking at the user's workstation, the IT guy already knew what was going on and transferred the case to the Incident Response team for further investigation.

You are the incident responder. Let's see if you can solve this challenge using the infamous Redline tool. Happy Hunting, my friend!

To start your investigation, open the Mandiant Analysis file in the Analysis File folder on the Desktop.

Note: Loading the Mandiant Analysis file may take 2-3 minutes.

Deploy the machine attached to this task; it will be visible in the split-screen view once it is ready.

If you don't see a virtual machine load then click the Show Split View button.

If you wish to access the virtual machine via Remmina, use the credentials below.

Machine IP: MACHINE_IP

User: administrator

Password: letmein123!

Accept the Certificate when prompted, and you should be logged into the remote system now.

Note: The virtual machine may take up to 3 minutes to load.

Answer the questions below

What is the compromised employee's full name?

What is the operating system of the compromised host?

What is the name of the malicious executable that the user opened?

What is the full URL that the user visited to download the malicious binary? (include the binary as well)

What is the MD5 hash of the binary?

What is the size of the binary in kilobytes?

What is the extension to which the user's files got renamed?

What is the number of files that got renamed and changed to that extension?

What is the full path to the wallpaper that got changed by an attacker, including the image name?

The attacker left a note for the user on the Desktop; provide the name of the note with the extension.

The attacker created a folder "Links for United States" under C:\Users\John Coleman\Favorites\ and left a file there. Provide the name of the file.

There is a hidden file that was created on the user's Desktop that has 0 bytes. Provide the name of the hidden file.

The user downloaded a decryptor hoping to decrypt all the files, but he failed. Provide the MD5 hash of the decryptor file.

In the ransomware note, the attacker provided a URL that is accessible through the normal browser in order to decrypt one of the encrypted files for free. The user attempted to visit it. Provide the full URL path.

What are some three names associated with the malware which infected this host? (enter the names in alphabetical order)

Created by

tryhackme

Room Type

Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room

4,958

Created

1367 days ago

Ready to learn Cyber Security? Create your free account today!

TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.

Already have an account? Log in