search

13Cubed Windows memory forensics

Richard at 13Cubed arrow-up-rightrecently released another memory forensics challenge; this time involving a compromised Windows host. Watch the video below for a summary of the incident.

Per the warning on the YouTube video;

⚠️ CAUTION ⚠️ This memory sample contains a simulated ransomware for educational purposes. Although safeguards have been implemented to prevent any harm, they are not foolproof. Please treat this sample as if it contains active malware. Ensure all necessary precautions are taken to mitigate potential risks.

WALK-THROUGH BELOW

This page is just a placeholder for the moment, it should be completed by mid-July.

hashtag
Files

You can download the sample here; https://cdn.13cubed.com/downloads/windows_challenge.ziparrow-up-right

hashtag
Scenario

Bob recently accepted a position at a new company. After hearing alarming scenarios about a ransomware attack, he decided to backup all his data to the cloud. Unfortunately, something went wrong during the process. We only have an image and a series of indicators. This scenario simulates a ransomware scenario using a custom binary.

hashtag
Analysis Environment

For this challenge, we're going to use MemProcFSarrow-up-right on a Windows machine.

We know that the sample is from a Windows machine, and we don't need to build our own kernel profiles from scratch like we do with Linux samples. We do, however, need internet connectivity to pull symbol tables from Microsoft's hosts (unless you have an airgapped repo setup).

Mount your memory image

From a command prompt, run the following;

The drive should appear as a mounted network drive, like below;

I personally like using WSL2 in combination with Explorer and other forensic tools, so I want to mount the network share inside the WSL terminal. To do that, run the following

hashtag
Challenge Questions

hashtag
Question 1: What is the hostname of this device?

MemProcFS provides a summary of common values in M:\sys, including computername, boot time, etc.

Validate this yourself by looking at the value stored in the following registry key;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName

Answer: RM-205B

hashtag
Question 2: What is the username of the primary user on this device?

Review M:\sys\users\users.txt

His name is Robert Paulson..

Validate this by reviewing the following registry path for users;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Only a single user here which matches with the above entry.

Answer: Robert Paulson

hashtag
Question 3: What is the IP address assigned to this device?

Review the current netstat output in the following location;

Review the following registry location for last known IP addresses;

HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces

This is parsed and presented here;

M:\registry\HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces

Each entry has a GUID, so navigate to each folder and verify interface name, IP, etc.

hashtag
Question 4: What was the full URL, including the file name, that the malicious program was downloaded from?

We saw connections above (PID 8240, specifically) connecting to a remote IP on port 8080. The associated process is msedge.exe (Microsoft Edge) so let's see if we can retrieve the user's browsing history.

One thing I like to do while I'm manually navigating files/folders, is run some basic strings/grep commands in the background. The above IP address looks suspicious (given the circumstances/scenario), so run;

One of the first hits is actually a Defender alert caught by the FindEvil module arrow-up-rightin MemProcFS;

Answer: hxxp://167.172.227[.]148:8080/backup.exe

hashtag
Question 5: According to this execution artifact that would not be found on servers, the first execution occurred within 10 seconds of what time?

There's a clear hint in the question here. Prefetch is not enabled by default on Windows server operating systems, however it's enabled on workstation versions. Read about Prefetch files here arrow-up-rightand herearrow-up-right

If the executable had never been executed on this system before, then a Prefetch file would not exist. We can review the Master File Table (MFT) which has been parsed for us automatically (created time first, modified time second)

We can also look at forensic\timeline\timeline_all.txt to see what was happening around that time

Answer: 2025-03-07 19:41:08 UTC

hashtag
Question 6: According to the malicious program's log file, how many files were encrypted?

Looking at events around the same timeframe, we can see the following entry in timeline_all.txt

If we try and open the file here M:\forensic\ntfs\1\Users\Robert Paulson\Desktop\encryption_log.txt we can see it's empty, but we can view its contents here;

M:\forensic\files\ROOT\Users\Robert Paulson\Desktop\ffffe00925170830-encryption_log.txt

Count the lines (minus the final line)

Answer: 9 files

hashtag
Question 7: What is the NTFS creation time for backup.exe?

Based on our MFT records we found in Q5;

Answer: 2025-03-07 19:40:36 UTC

hashtag
Question 8: What is the full path and name of the public key created by the malicious file?

We have the time marker from above (2025-03-07 19:41:08 UTC) when the encryption log was created.

Looking at surrounding activity, we see the following activity;

Reviewing tmp98p1q14j;

-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS 7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+ KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu xwIDAQAB -----END PUBLIC KEY-----

hashtag
Question 9: What is the first line of key material from the TA's private key?

So now we have the public key and the path. How do we find the private key?

We know what a public key looks like, and we know the format of a private key, including a header which contains '-----BEGIN RSA PRIVATE KEY------'

Result;

But how can we be sure this matches the public key we found above? Save the above contents to a key file, 'priv1.key'

Save the public key to another file, pub.pem

Prove they match by generating a message, signing it with the public key, then decrypting it with the private key.

hashtag
Question 10: What is the last web search performed by the user?

We know the user was using Edge, so their History database should be in the usual spot;

AppData\local\Microsoft\Edge\User Data\Default\History

Looks like it's corrupt. Some quick mucking around with .dump and .recover didn't yield any results, so time to just use a simple hex editor. I opened ffffe00923455400-History in HxD and reviewed the most recent URL hits. (Most recent at the top, oldest at the bottom).

Answer: free backup utility for windows 11

hashtag
Bonus Question: What folder does the "Backup Software" landing page tell users to exclude?

In the same folder, navigate to Default/Cache/Cache_Data - we're looking for page hits relating to backup software.

Answer: C:/

Previous13Cubed Linux memory forensicsNextCompromised Windows Server 2022 (simulation)

Last updated