TryHackMe | REvil Corp Walkthrough
You are involved in an incident response engagement and need to analyze an infected host using Redline.
Link: https://tryhackme.com/room/revilcorp
Upload the analysis file in Redline
What is the compromised employee’s full name?
John Coleman
What is the operating system of the compromised host?
Windows 7 Home Premium 7601 Service Pack 1
What is the name of the malicious executable that the user opened?
WinRAR2021.exe
What is the full URL that the user visited to download the malicious binary? (include the binary as well)
http://192.168.75.129:4748/Documents/WinRAR2021.exe
What is the MD5 hash of the binary?
890a58f200dfff23165df9e1b088e58f
What is the size of the binary in kilobytes?
164
What is the extension to which the user’s files got renamed?
.t48s39la
What is the number of files that got renamed and changed to that extension?
48
What is the full path to the wallpaper that got changed by an attacker, including the image name?
C:\Users\John Coleman\AppData\Local\Temp\hk8.bmp
The attacker left a note for the user on the Desktop; provide the name of the note with the extension.
t48s39la-readme.txt
The attacker created a folder “Links for United States” under C:\Users\John Coleman\Favorites\ and left a file there. Provide the name of the file.
GobiernoUSA.gov.url.t48s39la
There is a hidden file that was created on the user’s Desktop that has 0 bytes. Provide the name of the hidden file.
d60dff40.lock
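The questions above all come down to reading the same file-system artifacts out of the Redline file listing: a cluster of user files carrying one unfamiliar extension, a note named after that extension, and a hidden zero-byte lock file. The following Python script is an added example, not part of the original walkthrough or the room's material; it runs the same triage over a constructed listing (invented paths, names and the extension ".q1z7x" are placeholders, not values from the infected host) so the pattern can be checked automatically.

```python
import ntpath
from collections import Counter

# Constructed sample of a Redline-style file listing: (path, size_in_bytes, hidden).
# Every path, name and the ".q1z7x" extension is invented for this example.
SAMPLE_LISTING = [
    (r"C:\Users\jdoe\Documents\budget.xlsx.q1z7x", 20480, False),
    (r"C:\Users\jdoe\Documents\report.docx.q1z7x", 51200, False),
    (r"C:\Users\jdoe\Pictures\holiday.jpg.q1z7x", 204800, False),
    (r"C:\Users\jdoe\Favorites\Links\example.url.q1z7x", 120, False),
    (r"C:\Users\jdoe\Desktop\q1z7x-readme.txt", 1536, False),
    (r"C:\Users\jdoe\Desktop\1a2b3c4d.lock", 0, True),
    (r"C:\Users\jdoe\Desktop\notes.txt", 300, False),
    (r"C:\Users\jdoe\Downloads\installer.exe", 167936, False),
    (r"C:\Windows\System32\kernel32.dll", 1114112, False),
]

# Extensions we expect to see on a normal workstation; anything else is suspect.
KNOWN_EXTENSIONS = {".txt", ".exe", ".dll", ".docx", ".xlsx", ".jpg",
                    ".url", ".lock", ".bmp"}


def ransom_extension(listing):
    """Return the most frequent unknown extension, the likely ransomware suffix."""
    counts = Counter()
    for path, _size, _hidden in listing:
        ext = ntpath.splitext(path)[1].lower()
        if ext and ext not in KNOWN_EXTENSIONS:
            counts[ext] += 1
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def renamed_files(listing, ext):
    """All files that were renamed to carry the ransomware extension."""
    return [p for p, _, _ in listing if p.lower().endswith(ext)]


def ransom_notes(listing, ext):
    """Notes follow the '<extension>-readme.txt' naming seen in the walkthrough."""
    stem = ext.lstrip(".")
    return [p for p, _, _ in listing
            if ntpath.basename(p).lower() == f"{stem}-readme.txt"]


def hidden_zero_byte_files(listing):
    """Hidden, empty files are a common marker left by the encryptor."""
    return [p for p, size, hidden in listing if hidden and size == 0]


def triage(listing):
    """Summarise the ransomware artifacts in one dictionary."""
    ext = ransom_extension(listing)
    return {
        "extension": ext,
        "renamed_count": len(renamed_files(listing, ext)) if ext else 0,
        "notes": ransom_notes(listing, ext) if ext else [],
        "lock_files": hidden_zero_byte_files(listing),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On a real case the listing would be exported from Redline rather than typed in; the extension detection is deliberately simple (most common unknown suffix) and would need a larger allow-list on a host with many unusual file types.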
The user downloaded a decryptor hoping to decrypt all the files, but he failed. Provide the MD5 hash of the decryptor file.
f617af8c0d276682fdf528bb3e72560b
In the ransomware note, the attacker provided a URL that is accessible through the normal browser in order to decrypt one of the encrypted files for free. The user attempted to visit it. Provide the full URL path.
http://decryptor.top/644E7C8EFA02FBB7
What are three names associated with the malware that infected this host? (enter the names in alphabetical order)
REvil,Sodin,Sodinokibi
That’s it! See you in the next Room :)