TryHackMe | Dunkle Materie Walkthrough
Dunkle Materie Writeup
Investigate the ransomware attack using ProcDot
Link- https://tryhackme.com/room/dunklematerieptxc9
Once you have connected to the machine, launch Procdoct which is present in the Taskbar with a Red Dot symbol.
Load the files from "Analysis Files" folder present in the Desktop into Procdot. Click the ... button. The most suspicious process in the list appears to be exploreer.exe (PID 7128). We will double click on that and then click Refresh button.
The chart loads and we are now ready for investigating...
Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)
Click the ... button. The 2 PIDs that appear to be malicious are 8644 and 7128
Provide the full path where the ransomware initially got executed? (Include the full path in your answer)
Open the "LogFile.csv" file in notepad and search for exploreer.exe. You will find the full path as "c:\users\sales\appdata\local\temp\exploreer.exe"
From the chart it is clearly visible that it connects to mojobiden(.)com and paymenthacks(.)com
What are the IPs of the malicious domains? (no space in the answer)
The IPs are present in the chart 146(.)112(.)61(.)108,206(.)188(.)197(.)206
Provide the user-agent used to transfer the encrypted data to the C2 channel.
Open the file "traffic" in Wireshark and search for "http". Find the url mojobiden(.)com. Right click and "Follow TCP stream". User agent is visible "Firefox/89.0"
Provide the cloud security service that blocked the malicious domain.
This is also present from previous results "Cisco Umbrella"
Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.
Search for ".bmp" in the file "LogFile.csv" using notepad and you will find the bmp file "ley9kpi9r.bmp"
Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim's machine.
Go back to the chart and you will find that PID 4892 changed background wallpaper.
The ransomware mounted a drive and assigned it the letter. Provide the registry key path to the mounted drive, including the drive letter.
From the chart you will find mounteddevices. HKLM\SYSTEM\MountedDevices\DosDevices\Z:
Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack. (external research required)
A simple google search for the IPs and Domains found will let you know that this is "Blackmatter Ransomware"
That's it . See you in the next room :)
Comments
Post a Comment