https://blueteamlabs.online/home/challenge/1


Introduction

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!

We're provided with one .vmem file. REMnux (the distro I use for my malware analysis) has two versions of Volatility installed - version 3 (vol3) and version 2 (vol.py). The versions are quite different, and from my understanding version 2 is still the most common, so I will be using that. Plus, the instructions for this challenge say to use version 3.

You can see all the differences here: https://volatility3.readthedocs.io/en/latest/vol2to3.html

Questions

Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

Do as we're told and we're provided with a big table:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/17c97bcd-aacc-4acf-8e94-18d02f899fd4/Untitled.png

Looking through the different process names, there are a couple of strange ones:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/a4eaa0a0-e940-4e25-ae1d-e14cc975c562/Untitled.png

@WanaDecryptor

What is the parent process ID for the suspicious process?

From the table headings in the first image, we can see both @WanaDecryptor processes have a PPID (parent PID) of 2732.

2732
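Eyeballing the psscan table works for one dump, but the same two steps (spot names that don't belong on a stock Windows box, then pivot to the parent PID) are easy to script. The following is an added example, not code from the original write-up or from Volatility: it parses the text that `vol.py ... psscan` prints, flags process names outside a short baseline, and walks the PPID chain. The sample psscan output is constructed to mimic the plugin's column layout; every offset, PID and timestamp in it is invented, and PLACEHOLDER.exe stands in for whatever parent the investigation turns up. Only the PPID 2732 and the @WanaDecryptor@ image name echo the findings above.

```python
"""Parse Volatility 2 psscan output, flag unexpected process names, and pivot
to the parent process.

Added example, not part of the original write-up. SAMPLE_PSSCAN is constructed
(invented offsets, PIDs and timestamps); PLACEHOLDER.exe is a stand-in name.
"""
import re

# Constructed sample in the layout of `vol.py -f ... --profile=Win7SP1x86 psscan`.
SAMPLE_PSSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e0e0030 System                4      0 0x00185000 2017-05-12 21:22:03 UTC+0000
0x000000003e7a1d40 smss.exe            244      4 0x1e1c0020 2017-05-12 21:22:03 UTC+0000
0x000000003f0b2030 csrss.exe           324    316 0x1e1c0040 2017-05-12 21:22:05 UTC+0000
0x000000003f1c4500 wininit.exe         364    316 0x1e1c0060 2017-05-12 21:22:05 UTC+0000
0x000000003f2d5a20 services.exe        460    364 0x1e1c0080 2017-05-12 21:22:06 UTC+0000
0x000000003f3e6b10 lsass.exe           468    364 0x1e1c00a0 2017-05-12 21:22:06 UTC+0000
0x000000003f4f7c00 svchost.exe         620    460 0x1e1c00c0 2017-05-12 21:22:07 UTC+0000
0x000000003f608d30 explorer.exe       1572   1548 0x1e1c00e0 2017-05-12 21:23:10 UTC+0000
0x000000003f719e40 PLACEHOLDER.exe    2732   1572 0x1e1c0100 2017-05-12 21:25:40 UTC+0000
0x000000003f82af50 @WanaDecryptor@    2936   2732 0x1e1c0120 2017-05-12 21:25:42 UTC+0000
0x000000003f93b060 @WanaDecryptor@    3004   2732 0x1e1c0140 2017-05-12 21:25:43 UTC+0000 2017-05-12 21:26:00 UTC+0000
"""

# One psscan data row. The name group is non-greedy so a name containing a
# space still ends where the numeric PID column begins; the exit time is optional.
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}"
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-fA-F]+)\s*(?P<created>" + TS + r")?\s*(?P<exited>" + TS + r")?\s*$"
)

# Constructed, deliberately short baseline of names expected on a stock Windows 7
# host. It exists to make unfamiliar names stand out, not to be a complete allow-list.
KNOWN_WIN7 = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "taskhost.exe", "dwm.exe", "conhost.exe",
}


def parse_psscan(text):
    """Return one dict per data row; banner, header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        procs.append({
            "offset": int(m.group("offset"), 16),
            "name": m.group("name"),
            "pid": int(m.group("pid")),
            "ppid": int(m.group("ppid")),
            "pdb": int(m.group("pdb"), 16),
            "created": m.group("created"),
            "exited": m.group("exited"),  # None when the process was still running
        })
    return procs


def find_suspicious(procs, baseline=KNOWN_WIN7):
    """Processes whose image name is not in the baseline (case-insensitive)."""
    return [p for p in procs if p["name"].lower() not in baseline]


def by_pid(procs):
    """Index processes by PID. psscan can surface a stale, exited entry whose PID
    was later reused; the live (not exited) entry wins when both are present."""
    index = {}
    for p in procs:
        if p["pid"] not in index or (index[p["pid"]]["exited"] and not p["exited"]):
            index[p["pid"]] = p
    return index


def ancestry(procs, pid):
    """Walk PPID links from `pid` towards the root. Stops when the parent is not
    in the scan (typical for a parent that exited, e.g. userinit.exe above explorer)."""
    index = by_pid(procs)
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain


def parents_of(procs, name):
    """Map PPID -> number of processes called `name` under it. Two entries under
    the same PPID is exactly the pattern the write-up points at."""
    counts = {}
    for p in procs:
        if p["name"] == name:
            counts[p["ppid"]] = counts.get(p["ppid"], 0) + 1
    return counts


if __name__ == "__main__":
    procs = parse_psscan(SAMPLE_PSSCAN)
    for p in find_suspicious(procs):
        chain = " <- ".join(f"{a['name']}({a['pid']})" for a in ancestry(procs, p["pid"]))
        print(f"suspicious: {p['name']:<16} pid={p['pid']:<5} ppid={p['ppid']:<5} {chain}")
    print("parents of @WanaDecryptor@:", parents_of(procs, "@WanaDecryptor@"))
```

Pipe real output in with `vol.py -f infected.vmem --profile=Win7SP1x86 psscan | python3 this_script.py` after swapping `SAMPLE_PSSCAN` for `sys.stdin.read()`. The baseline check is a triage aid, not proof: a malicious binary named `svchost.exe` passes it, which is why the parent chain (who spawned it, and from where) matters as much as the name.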

What is the initial malicious executable that created this process?