https://blueteamlabs.online/home/challenge/1
The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!
We're provided with one .vmem file. REMnux (the distro I use for my malware analysis) has two versions of Volatility installed - version 3 (vol3) and version 2 (vol.py). The versions are quite different, and from my understanding version 2 is still the most common, so I will be using that. Plus, the instructions for this challenge say to use version 3.
You can see all the differences here: https://volatility3.readthedocs.io/en/latest/vol2to3.html
Doing as we're told, we're provided with a big table:
Looking through the different process names, there are a couple of strange ones:
@WanaDecryptor
From the table headings in the first image, we can see both @WanaDecryptor processes have a PPID (parent PID) of 2732.
2732
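As an added example (not part of the original write-up), here is a small Python helper that does by hand what the screenshots above show: it parses vol.py pslist output, picks out the suspicious process names, reports the PPID they share, and walks the parent chain upward. The pslist rows in the block are constructed; only the PPID 2732 comes from the write-up, while the parent name sample_parent.exe and every PID, offset and timestamp are placeholders I made up.

```python
import re
from collections import defaultdict

# Constructed sample of vol.py pslist output. Layout matches Volatility 2's
# pslist columns; the PPID 2732 is from the write-up, everything else
# (sample_parent.exe, all other PIDs, offsets, timestamps) is a placeholder.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x82140e10 smss.exe                540      4      3       19 ------      0 2017-05-12 21:20:27 UTC+0000
0x8204d020 csrss.exe               604    540     10      385      0      0 2017-05-12 21:20:29 UTC+0000
0x82052da0 explorer.exe           1580   1496     18      436      0      0 2017-05-12 21:21:00 UTC+0000
0x81f0c5e8 sample_parent.exe      2732   1580      5      120      0      0 2017-05-12 21:22:14 UTC+0000
0x81ef3ab0 @WanaDecryptor@        2940   2732      2       70      0      0 2017-05-12 21:22:16 UTC+0000
0x81ecb6d8 @WanaDecryptor@        3044   2732      2       68      0      0 2017-05-12 21:22:20 UTC+0000
"""

# One pslist data row: virtual offset, image name, PID, PPID, then the rest.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S.*?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<rest>.*)$"
)


def parse_pslist(text):
    """Parse vol.py pslist output into dicts with offset, name, pid and ppid.
    Header, separator and blank lines do not match ROW_RE and are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        procs.append({
            "offset": m.group("offset"),
            "name": m.group("name"),
            "pid": int(m.group("pid")),
            "ppid": int(m.group("ppid")),
        })
    return procs


def by_pid(procs):
    """Index processes by PID for parent lookups."""
    return {p["pid"]: p for p in procs}


def children_of(procs):
    """Map each PPID to the list of processes it spawned."""
    kids = defaultdict(list)
    for p in procs:
        kids[p["ppid"]].append(p)
    return kids


def find_by_name(procs, needle):
    """Case-insensitive substring match on the image name, e.g. 'wanadecryptor'."""
    needle = needle.lower()
    return [p for p in procs if needle in p["name"].lower()]


def shared_parents(procs, needle):
    """Sorted, de-duplicated PPIDs of every process whose name matches needle."""
    return sorted({p["ppid"] for p in find_by_name(procs, needle)})


def parent_name(procs, pid):
    """Image name for a PID, or None when pslist has no row for it
    (the parent may already have exited or be unlinked from the list)."""
    p = by_pid(procs).get(pid)
    return p["name"] if p else None


def ancestry(procs, pid):
    """Walk PPID links upward and return the chain of names, starting at pid.
    Stops when the next parent is missing from pslist, so the caller can see
    exactly where the chain breaks instead of getting an exception."""
    index = by_pid(procs)
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid]["name"])
        pid = index[pid]["ppid"]
    return chain


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for p in find_by_name(procs, "wanadecryptor"):
        print(f"{p['name']:<18} pid={p['pid']} ppid={p['ppid']} "
              f"parent={parent_name(procs, p['ppid'])}")
    print("shared PPIDs:", shared_parents(procs, "wanadecryptor"))
    print("ancestry:", " <- ".join(ancestry(procs, 2940)))
    for kid in children_of(procs)[2732]:
        print("child of 2732:", kid["name"], kid["pid"])
```

Pipe real output in with `vol.py -f <dump>.vmem --profile=<profile> pslist > pslist.txt` and feed the file's text to parse_pslist. Note that pslist only walks the active process list, so a parent that has already exited shows up only as a PPID with no row of its own; ancestry() returns the partial chain in that case, and psscan (which carves process structures from memory rather than following the linked list) is the usual next step for recovering the missing parent.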