The video is a walkthrough of the Retracted room from TryHackMe, which is built around a ransomware case study. The case is unusual in that the victim quickly regained access to her encrypted files, which makes it an interesting scenario to investigate. The video also demonstrates how to use Windows Event Viewer to analyze logs, track events, and piece together a timeline of a ransomware attack. The focus is on using event IDs to trace actions such as process creation, network activity, and remote logins. By placing the events in chronological order, the investigator can understand how the attack unfolded.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

Overview

The scenario revolves around a ransomware attack on a user’s computer, with the files encrypted and then mysteriously decrypted. The user’s son is tasked with uncovering the details of the attack.

Ransomware Investigation

Identifying the Program that Created the Ransomware Note:

  • The investigation starts by accessing Windows Event Viewer to examine Sysmon events, specifically process creation events (event ID 1). Filtering these logs for events containing the ransomware note’s name (e.g., “Sophie”) leads to discovering that Notepad was used to create the note.

Finding the Time of Execution for the Ransomware Note:

  • The next step is to find the exact timestamp of the Notepad process creation by filtering event ID 1 again. By examining logs that reference the ransomware note, the execution timestamp is identified.

Discovering the Installer Name:

  • By looking into the browser history or downloads folder, the name of the installer file responsible for the ransomware infection is found, which in this case was labeled “antivirus”.

Identifying the Download Location of the Installer:

  • The file path of the downloaded installer is obtained by right-clicking the file, selecting Properties, and copying the download location shown there.

File Extension Used by the Ransomware:

  • Returning to the Windows Event Viewer, investigators search for file creation events related to the ransomware installer and identify that the ransomware appends a “.dmp” extension to the encrypted files.

IP Address Contacted by the Installer:

  • By narrowing the search to network connection events (event ID 3), the IP address that the installer reached out to is uncovered.

Attacker’s Source IP via RDP:

  • After the installer download, the attacker logged in via RDP (Remote Desktop Protocol). Filtering RDP-related events in the logs reveals the source IP address of the attacker’s machine.

Finding When the Decryptor Was Run:

  • The attacker later used a decryptor to restore the encrypted files. By filtering logs for decryptor execution, the exact timestamp of when the file was run is determined.

Building a Timeline:

  • The final task involves organizing events in the correct chronological order:
    • The user downloads the ransomware installer.
    • The ransomware encrypts the system files.
    • The user reaches out to her son for help.
    • The attacker logs in via RDP.
    • The attacker decrypts the files and leaves a note.
    • The investigation into the ransomware begins.
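The same filtering and ordering the walkthrough performs by hand in Event Viewer (process creation, event ID 1; network connections, event ID 3; then sorting into a timeline) can be scripted over an XML export of the Sysmon log. The following is an added example, not code from the room or the author; the sample export is constructed to mirror the room's answers, and the extra fields (timestamps, ports, the Initiated flag on the inbound RDP connection) are assumed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the layout of an Event Viewer XML export, deliberately out of
# order; the timestamps, paths and IPs mirror the room's answers, the rest is assumed.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2024-01-08 14:25:30.117</Data>
<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe C:\\Users\\Sophie\\Desktop\\SOPHIE.txt</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2024-01-08 14:23:41.502</Data>
<Data Name="Initiated">false</Data>
<Data Name="SourceIp">10.11.27.46</Data>
<Data Name="DestinationPort">3389</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2024-01-08 14:22:03.844</Data>
<Data Name="Image">C:\\Users\\Sophie\\download\\antivirus.exe</Data>
<Data Name="DestinationIp">10.10.8.111</Data>
<Data Name="DestinationPort">80</Data>
</EventData></Event>
</Events>"""

def parse_sysmon_events(xml_text):
    """Flatten each <Event> into a dict of its EventData fields plus id and time."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        data["id"] = int(ev.find("e:System/e:EventID", NS).text)
        data["time"] = datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(data)
    return events

def describe(ev):
    """One timeline line per event, read the way the walkthrough reads each event ID."""
    if ev["id"] == 1:
        return f"process created: {ev['CommandLine']}"
    if ev["id"] == 3 and ev.get("Initiated") == "false" and ev.get("DestinationPort") == "3389":
        return f"inbound RDP connection from {ev['SourceIp']}"
    if ev["id"] == 3:
        return f"{ev['Image']} connected to {ev['DestinationIp']}:{ev['DestinationPort']}"
    return f"sysmon event id {ev['id']}"

def build_timeline(xml_text, needle=""):
    """Chronological (UTC timestamp, description) pairs; needle acts like Event Viewer's Find."""
    hits = [e for e in parse_sysmon_events(xml_text) if needle.lower() in describe(e).lower()]
    return [(e["time"].strftime("%Y-%m-%d %H:%M:%S"), describe(e)) for e in sorted(hits, key=lambda e: e["time"])]
```

Calling `build_timeline(SAMPLE_XML, "SOPHIE.txt")` reproduces the first investigation step (which process created the note and when), and `build_timeline(SAMPLE_XML)` gives the ordered timeline for the final task.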

Room Answers | TryHackMe Retracted

What is the full path of the text file containing the “message”?
C:\Users\Sophie\Desktop\SOPHIE.txt

What program was used to create the text file?
notepad.exe

What is the time of execution of the process that created the text file? Timezone UTC (Format YYYY-MM-DD hh:mm:ss)
2024-01-08 14:25:30

What is the filename of this “installer”? (Including the file extension)
antivirus.exe

What is the download location of this installer?
C:\Users\Sophie\download

The installer encrypts files and then adds a file extension to the end of the file name. What is this file extension?
.dmp

The installer reached out to an IP. What is this IP?
10.10.8.111

The threat actor logged in via RDP right after the “installer” was downloaded. What is the source IP?
10.11.27.46

This other person downloaded a file and ran it. When was this file run? Timezone UTC (Format YYYY-MM-DD hh:mm:ss)
2024-01-08 14:24:18

Sophie ran out and reached out to you for help.
3

Sophie downloaded the malware and ran it.
1

A note was created on the desktop telling Sophie to check her Bitcoin.
6

The intruder downloaded a decryptor and decrypted all the files.
5

The malware encrypted the files on the computer and showed a ransomware note.
2

Someone else logged into Sophie’s machine via RDP and started looking around.
4

We arrive on the scene to investigate.
7

Video Walkthrough | TryHackMe Retracted

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.