-->

  • TryHackMe Dunkle Materie

     

     

    TryHackMe Dunkle Materie

     


    Hello guys, This is writeup for the room of tryhackme Dunkle Materie from the TryHackMe platform. This room is a medium room that lets users investigate the ransomware attack using an application called ProcDOT.

     

     

    TryHackMe Dunkle Materie

     

     

     

    The firewall alerted the Security Operations Center that one of the machines at the Sales department, which stores all the customers' data, contacted the malicious domains over the network. When the Security Analysts looked closely, the data sent to the domains contained suspicious base64-encoded strings. The Analysts involved the Incident Response team in pulling the Process Monitor and network traffic data to determine if the host is infected. But once they got on the machine, they knew it was a ransomware attack by looking at the wallpaper and reading the ransomware note.



    TryHackMe Dunkle Materie



    I place the logfile into the procmon as in the figure below.



    TryHackMe Dunkle Materie



    It doesn't seem to work, so I added the traffic file to Windump.


     

     

    TryHackMe Dunkle Materie

     

     

     

    1) Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)

     

     

    TryHackMe Dunkle Materie

     

     

    Ans- 8644, 7128

     




    2) Provide the full path where the ransomware initially got executed? (Include the full path in your answer)

     

     

    TryHackMe Dunkle Materie

     

     

    We can see that the red box is the full path where the malware is initially executed, which is the second question.

    (The path is redacted for the learning purposes of each user.)

     


     

    TryHackMe Dunkle Materie

     

     

     

     

    Ans- c:\users\sales\appdata\local\temp\exploreer.exe




     

    3) This ransomware transfers the information about the compromised system and the encryption results to two domains over HTTP POST. What are the two C2 domains? (no space in the answer)

     

     

    TryHackMe Dunkle Materie


     

     

    TryHackMe Dunkle Materie

     

     

     

    TryHackMe Dunkle Materie

     

     

     
     
     
     
     
     
    After reading the third question, I looked into the first exploreer.exe found. I found a suspicious site that might be used by the “hackers”.
     
     

    On the second exploreer.exe, I also found one.



    TryHackMe Dunkle Materie

     


     

    Ans- mojobiden.com,paymenthacks.com



    4) What are the IPs of the malicious domains? (no space in the answer)
     

    Ans- 146.112.61.108,206.188.197.206





    5) Provide the user-agent used to transfer the encrypted data to the C2 channel.

     

    For this question, it wanted us to identify the user-agent used to transfer the encrypted data to the C2 channel.

    So, by right-clicking the site we found previously, we click on “Follow TCP Stream”.

     

     

    TryHackMe Dunkle Materie

     

     

    Ans- Firefox/89.0










    6) Provide the cloud security service that blocked the malicious domain.

     

     

    TryHackMe Dunkle Materie

     

    Now, we require to identify the cloud security service that blocked the malicious domain.

    So, at the same window, scroll down a bit more. And we can see the server name.

     

    Ans- Cisco Umbrella







    7) Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.

     

    TryHackMe Dunkle Materie

     

     

    Ans- ley9kpi9r.bmp







    8) Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim's machine.

     

     

     

    TryHackMe Dunkle Materie


     

    Ans- 4892







    9) The ransomware mounted a drive and assigned it the letter. Provide the registry key path to the mounted drive, including the drive letter.

     

    For this part, we need to find the registry key path to the mounted drive, with the drive letter. So, I started with exploreer.exe. I look into each process in detail but failed to find the path.

    This really cost me so much time. As I was looking into the registry process and back to exploreer.exe, without realizing that I did not turn off the “no path” option. I wasted like an hour until I realize it. So, after in a rabbit hole for an hour, I manage to find the path.

     

     

    TryHackMe Dunkle Materie

     

     

    Ans- HKLM\SYSTEM\MountedDevices\DosDevices\Z:




    10) Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack. (external research required)

     

    This also takes me a lot of time to research. I do not have an idea on what keyword should I use to search for it.

    I tried to search on “ransomware targeting mount drive” and other doesn't help at all. But suddenly I think about the site “hacker” used before. So, I try to use one of the websites and look at it on Google. And BAM! I got it!

     

    Ans- Blackmatter Ransomware





    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


  • 0 comments:

    Post a Comment

    For Any Tech Updates, Hacking News, Internet, Computer, Technology and related to IT Field Articles Follow Our Blog.