Sysmon - Retracted

Sysmon Log Investigation

By Ren Sie

This is a write-up of the Retracted challenge room on TryHackMe.

A Mother's Plea

"Thanks for coming. I know you are busy with your new job, but I did not know who else to turn to."
"So I downloaded and ran an installer for an antivirus program I needed. After a while, I noticed I could no longer open any of my files. And then I saw that my wallpaper was different and contained a terrifying message telling me to pay if I wanted to get my files back. I panicked and got out of the room to call you. But when I came back, everything was back to normal."
"Except for one message telling me to check my Bitcoin wallet. But I don't even know what a Bitcoin is!"
"Can you help me check if my computer is now fine?"

The Message

"As soon as you log in to the computer, you'll see a file on the desktop that's meant for me."
"I don't know why that message is there or what it means. Do you have any idea?"

What is the full path of the text file containing the "message"?

Right-click SOPHIE.txt on the desktop and select "Properties." The Location field gives the directory; appending the file name (SOPHIE.txt) to it gives the full path.

What program was used to create the text file?

To identify the program that created the file, we need the Sysmon log. The file's properties show a creation timestamp of 2024-01-08 14:25:16, so we focus on processes created between 2024-01-08 14:24:00 and 2024-01-08 14:26:00. Note that Explorer's Properties dialog and the Event Viewer date column are both shown in the machine's local time zone, while the UtcTime field inside each Sysmon event is UTC; if the machine is not set to UTC, widen the window accordingly and read the answer from UtcTime.

Open Event Viewer and navigate to Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational. Filter the log on Event ID 1 (Process Create). The entry at 14:25:30 shows Notepad.exe being started; its CommandLine field is what ties the process to SOPHIE.txt, so Notepad.exe is the program that created the file.

What is the time of execution of the process that created the text file? Timezone UTC

The time of execution is the UtcTime of that same Event ID 1 entry, shown in the previous screenshot.

Something Wrong

"I think something went wrong with my computer when I ran the installer. Now, I can't open my files, and my wallpaper changed to a message asking for payment."
"Are you saying the file I downloaded is a virus? But I got it from Google!"

What is the filename of this "installer"? (Including the file extension)

Sophie says she downloaded and ran the installer, so it should appear as a process started from her Downloads folder. I kept the Event ID 1 (Process Create) filter and looked for entries between 2024-01-08 14:00 and 15:00 whose Image path sits under Downloads. The executable turns out to be antivirus.exe, the same binary that later shows up making a network connection.

What is the download location of this installer?

The download location is the directory part of the Image field in the same Event ID 1 entry, also visible in the previous screenshot.

The installer encrypts files and then adds a file extension to the end of the file name. What is this file extension?

Without the Event ID 1 filter, the log shows 18 Event ID 11 (FileCreate) entries written by the installer process. Every TargetFilename in them ends in .dmp, which is the extension the installer appends to the files it encrypts.

The installer reached out to an IP. What is this IP?

The question notes that the installer contacted an IP address. Filtering on Event ID 3 (Network connection) shows an outbound connection whose Image is antivirus.exe; the DestinationIp field of that entry is the answer.

Back to Normal

"So what happened to the virus? It looks like it's gone because all my files are back."

The threat actor logged in via RDP right after the “installer” was downloaded. What is the source IP?

RDP uses TCP port 3389, so the login should appear as an inbound Event ID 3 (Network connection) entry with DestinationPort 3389 and Initiated set to false, shortly after the installer ran at 2024-01-08 14:15:00. The SourceIp field of that entry is the threat actor's address.

This other person downloaded a file and ran it. When was this file run? Timezone UTC

After reviewing the logs that follow the attacker's RDP access to SOPHIE's machine, I found an Event ID 1 (Process Create) entry for another downloaded file, decryptor.exe. Its UtcTime is the execution time the question asks for.

Doesn't Make Sense

"So you're saying someone accessed my computer, messed with my files, and then reversed the changes?"
"That doesn’t make sense. Why would they infect my computer and then fix it?"
"Can you help me understand what’s going on?"

Arrange the following events in order from 1 to 7, based on the occurrence timeline.

The numbers below are assigned from the UtcTime of the corresponding Sysmon events; the two events without a timestamp are placed from Sophie's account.

3.) Sophie ran out and reached out to you for help.
According to A Mother's Plea, "I panicked and got out of the room to call you. But when I came back, everything was back to normal."

1.) Sophie downloaded the malware and ran it.
2024-01-08 14:15:00.688

6.) A note was created on the desktop telling Sophie to check her Bitcoin.
2024-01-08 14:25:30.749

5.) The intruder downloaded a decryptor and decrypted all the files.
2024-01-08 14:24:18.804

2.) The malware encrypted the files on the computer and showed a ransomware note.
2024-01-08 14:15:00.885

4.) Someone else logged into Sophie's machine via RDP and started looking around.
2024-01-08 14:19:20.300

7.) We arrive on the scene to investigate.
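The Event Viewer steps used throughout this write-up, from the process-creation filter through the FileCreate tally and the RDP check to the timeline, as a single PowerShell script. This is an added example, not code from the original post or from the TryHackMe room. It assumes the default Sysmon channel name, that the installer was run from the current user's Downloads folder, and the time windows quoted above; adjust the windows on a machine whose clock is not set to UTC.

```powershell
# Added example, not code from the original write-up or from TryHackMe: the same
# Event Viewer steps as Get-WinEvent queries, run on the investigated machine.
# Assumed: the default Sysmon channel name, the installer living in the user's
# Downloads folder, and the time windows used in the write-up.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Flatten the EventData block of one Sysmon record into a single object, so the
# named fields (UtcTime, Image, TargetFilename, DestinationIp, ...) become properties.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $h = [ordered]@{ EventId = $Event.Id; RecordId = $Event.RecordId }
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

# Pull one Sysmon event ID, optionally bounded by a time window. StartTime and
# EndTime in a FilterHashtable are interpreted in the machine's local time zone;
# the UtcTime field inside EventData is UTC, so answer "Timezone UTC" questions
# from UtcTime, not from the Event Viewer date column.
function Get-SysmonEvent {
    param([int]$Id, [datetime]$Start, [datetime]$End)
    $filter = @{ LogName = $SysmonLog; Id = $Id }
    if ($PSBoundParameters.ContainsKey('Start')) { $filter.StartTime = $Start }
    if ($PSBoundParameters.ContainsKey('End'))   { $filter.EndTime   = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ConvertFrom-SysmonEvent
}

# Which program created SOPHIE.txt: process creations around the file's
# creation timestamp (the CommandLine field is what ties a process to the file).
Get-SysmonEvent -Id 1 -Start '2024-01-08 14:24:00' -End '2024-01-08 14:26:00' |
    Select-Object UtcTime, Image, CommandLine, ParentImage | Format-Table -AutoSize

# Installer name and download location: anything executed from the Downloads
# folder (assumed path) during the hour Sophie ran it.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$installer = @(Get-SysmonEvent -Id 1 -Start '2024-01-08 14:00:00' -End '2024-01-08 15:00:00' |
    Where-Object { $_.Image -like "$downloads\*" })
$installer | Select-Object UtcTime, Image, User | Format-Table -AutoSize
if (-not $installer) { throw "No process started from $downloads in that window" }
$installerImage = $installer[0].Image

# Extension appended to encrypted files: every FileCreate (ID 11) written by the
# installer process, tallied by extension.
Get-SysmonEvent -Id 11 | Where-Object { $_.Image -eq $installerImage } |
    Group-Object { [IO.Path]::GetExtension($_.TargetFilename) } |
    Select-Object Count, Name | Format-Table -AutoSize

# IP contacted by the installer (outbound, Initiated=true) and the source IP of
# the inbound RDP session (local port 3389, Initiated=false).
$net = @(Get-SysmonEvent -Id 3)
$net | Where-Object { $_.Image -eq $installerImage -and $_.Initiated -eq 'true' } |
    Select-Object UtcTime, DestinationIp, DestinationPort | Format-Table -AutoSize
$net | Where-Object { $_.DestinationPort -eq '3389' -and $_.Initiated -eq 'false' } |
    Select-Object UtcTime, SourceIp, SourcePort, Image | Format-Table -AutoSize

# Timeline for the 1..7 question (and the decryptor.exe execution time): merge
# process starts, network connections and file writes from the window, ordered by UtcTime.
$timeline = foreach ($id in 1, 3, 11) {
    Get-SysmonEvent -Id $id -Start '2024-01-08 14:00:00' -End '2024-01-08 15:00:00'
}
$timeline | Sort-Object UtcTime |
    Select-Object UtcTime, EventId, Image, TargetFilename, DestinationIp, SourceIp |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the investigated machine, since reading the Sysmon Operational channel requires administrator rights by default. Matching on the installer's full Image path rather than on the bare file name avoids picking up an unrelated binary that happens to share the name.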

Conclusion

"Adelle from Finance just called me. She says that someone just donated a huge amount of bitcoin to our charity's account!"
"Could this be our intruder? His malware accidentally infected our systems, found the mistake, and retracted all the changes?"
"Maybe he had a change of heart?"
