13Cubed Windows memory forensics
Richard at 13Cubed recently released another memory forensics challenge; this time involving a compromised Windows host. Watch the video below for a summary of the incident.
Per the warning on the YouTube video;
⚠️ CAUTION ⚠️ This memory sample contains a simulated ransomware for educational purposes. Although safeguards have been implemented to prevent any harm, they are not foolproof. Please treat this sample as if it contains active malware. Ensure all necessary precautions are taken to mitigate potential risks.
WALK-THROUGH BELOW
This page is just a placeholder for the moment, it should be completed by mid-July.
Files
You can download the sample here; https://cdn.13cubed.com/downloads/windows_challenge.zip
Scenario
Bob recently accepted a position at a new company. After hearing alarming scenarios about a ransomware attack, he decided to backup all his data to the cloud. Unfortunately, something went wrong during the process. We only have an image and a series of indicators. This scenario simulates a ransomware scenario using a custom binary.
Analysis Environment
For this challenge, we're going to use MemProcFS on a Windows machine.
We know that the sample is from a Windows machine, and we don't need to build our own kernel profiles from scratch like we do with Linux samples. We do, however, need internet connectivity to pull symbol tables from Microsoft's hosts (unless you have an airgapped repo setup).
Mount your memory image
From a command prompt, run the following;
C:\Tools\memprocfs\5.15>MemProcFS.exe -device D:\13Cubed\windows_challenge\memory.dmp -forensic 1The drive should appear as a mounted network drive, like below;
I personally like using WSL2 in combination with Explorer and other forensic tools, so I want to mount the network share inside the WSL terminal. To do that, run the following
$ sudo mkdir /mnt/m
$ sudo mount -t drvfs M: /mnt/m
$ ls /mnt/m
conf forensic memory.dmp memory.pmem misc name pid py registry sys vmChallenge Questions
Question 1: What is the hostname of this device?
MemProcFS provides a summary of common values in M:\sys, including computername, boot time, etc.
$ cat /mnt/m/sys/computername.txt
RM-205BValidate this yourself by looking at the value stored in the following registry key;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName
Answer: RM-205B
Question 2: What is the username of the primary user on this device?
Review M:\sys\users\users.txt
$ cat /mnt/m/sys/users/users.txt
# Username SID
-----------------------------------------
0000 Robert Paulson S-1-5-21-2126657629-3337008557-1579520640-1001His name is Robert Paulson..
Validate this by reviewing the following registry path for users;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Only a single user here which matches with the above entry.
Answer: Robert Paulson
Question 3: What is the IP address assigned to this device?
Review the current netstat output in the following location;
$ cat /mnt/m/sys/net/netstat.txt
[snip]
001c 8240 TCPv4 CLOSED 10.0.2.152:49907 204.79.197.203:443 msedge.exe
001d 8240 TCPv4 ESTABLISHED 10.0.2.152:50021 23.39.228.14:443 msedge.exe
001e 8240 TCPv4 CLOSED 10.0.2.152:50041 204.79.197.239:443 msedge.exe
001f 8240 TCPv4 CLOSED 10.0.2.152:50045 13.107.246.41:443 msedge.exe
0020 8240 TCPv4 ESTABLISHED 10.0.2.152:50066 52.228.161.161:443 msedge.exe
0021 8240 TCPv4 CLOSED 10.0.2.152:50070 167.172.227.148:8080 msedge.exe
0022 8240 TCPv4 CLOSED 10.0.2.152:50071 167.172.227.148:8080 msedge.exe
0023 8240 TCPv4 ESTABLISHED 10.0.2.152:50073 204.79.197.239:443 msedge.exe
0024 8240 TCPv4 ESTABLISHED 10.0.2.152:50076 204.79.197.239:443 msedge.exe
0025 8976 TCPv6 LISTENING [::]:7680 *** svchost.exeReview the following registry location for last known IP addresses;
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
This is parsed and presented here;
M:\registry\HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
Each entry has a GUID, so navigate to each folder and verify interface name, IP, etc.
$ cat /mnt/m/registry/HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/\{119c075f-3343-4c1b-8a7b-b68c7869c5ba\}/DhcpIPAddress.txt
ffff8485822be000:00b44cf8
REG_SZ
10.0.2.152Question 4: What was the full URL, including the file name, that the malicious program was downloaded from?
We saw connections above (PID 8240, specifically) connecting to a remote IP on port 8080. The associated process is msedge.exe (Microsoft Edge) so let's see if we can retrieve the user's browsing history.
One thing I like to do while I'm manually navigating files/folders, is run some basic strings/grep commands in the background. The above IP address looks suspicious (given the circumstances/scenario), so run;
$ cd /mnt/m/forensic
$ grep -iR '167.172.227.148' .One of the first hits is actually a Defender alert caught by the FindEvil module in MemProcFS;
./findevil/findevil.txt:0002 0 --- AV_DETECT 0000000000000000 AV:[Windows Defender] EVENT:[2025-03-07T19:37:27.387Z DETECTIONEVENT MPSOURCE_IOAV Trojan:Win32/Wacatac.B!ml file:C:\Users\Robert Paulson\Downloads\backup.exe;webfile:C:\Users\Robert Paulson\Downloads\backup.exe|http://167.172.227.148:8080/backup.exe|pid:1452,ProcessStart:133858498434468576;]Answer: hxxp://167.172.227[.]148:8080/backup.exe
Question 5: According to this execution artifact that would not be found on servers, the first execution occurred within 10 seconds of what time?
There's a clear hint in the question here. Prefetch is not enabled by default on Windows server operating systems, however it's enabled on workstation versions. Read about Prefetch files here and here
If the executable had never been executed on this system before, then a Prefetch file would not exist. We can review the Master File Table (MFT) which has been parsed for us automatically (created time first, modified time second)
$ cat ntfs/ntfs_files.txt | grep -i backup.exe
447f 77d06400 7199 343 2025-03-07 19:40:36 UTC : 2025-03-07 19:41:04 UTC b49ae6 A \1\Users\Robert Paulson\Downloads\backup.exe
4480 77d06400 7199 343 2025-03-07 19:40:36 UTC : 2025-03-07 19:41:04 UTC 7 ARS \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
4bb5 5efbc400 721d 1a33b 2025-03-07 19:41:08 UTC : 2025-03-07 19:41:09 UTC 0 A \1\Windows\Prefetch\BACKUP.EXE-AB6C9DDF.pfWe can also look at forensic\timeline\timeline_all.txt to see what was happening around that time
Line 224: 2025-03-07 19:41:11 UTC REG MOD 0 0 0 \Root\InventoryApplicationFile\backup.exe|87931ab5a15fc7f5
Line 259: 2025-03-07 19:41:09 UTC NTFS MOD 0 0 5efbc400 \1\Windows\Prefetch\BACKUP.EXE-AB6C9DDF.pf
Line 270: 2025-03-07 19:41:08 UTC NTFS CRE 0 0 5efbc400 \1\Windows\Prefetch\BACKUP.EXE-AB6C9DDF.pf
Line 1488: 2025-03-07 19:41:04 UTC NTFS RD 0 11836134 77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
Line 1489: 2025-03-07 19:41:04 UTC NTFS RD 0 7 77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
Line 1490: 2025-03-07 19:41:04 UTC NTFS MOD 0 11836134 77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
Line 1491: 2025-03-07 19:41:04 UTC NTFS MOD 0 7 77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
Line 1940: 2025-03-07 19:40:36 UTC NTFS CRE 0 11836134 77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
Line 1941: 2025-03-07 19:40:36 UTC NTFS CRE 0 7 77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreenAnswer: 2025-03-07 19:41:08 UTC
Question 6:
According to the malicious program's log file, how many files were encrypted?
Looking at events around the same timeframe, we can see the following entry in timeline_all.txt
2025-03-07 19:41:09 UTC NTFS RD 0 0 5efbc000 \1\Users\Robert Paulson\Desktop\encryption_log.txtIf we try and open the file here M:\forensic\ntfs\1\Users\Robert Paulson\Desktop\encryption_log.txt we can see it's empty, but we can view its contents here;
M:\forensic\files\ROOT\Users\Robert Paulson\Desktop\ffffe00925170830-encryption_log.txt
Count the lines (minus the final line)
Answer: 9 files
Question 7:
What is the NTFS creation time for backup.exe?
Based on our MFT records we found in Q5;
Line 1940: 2025-03-07 19:40:36 UTC NTFS CRE 0 11836134 77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
Line 1941: 2025-03-07 19:40:36 UTC NTFS CRE 0 7 77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreenAnswer: 2025-03-07 19:40:36 UTC
Question 8:
What is the full path and name of the public key created by the malicious file?
We have the time marker from above (2025-03-07 19:41:08 UTC) when the encryption log was created.
Looking at surrounding activity, we see the following activity;
2025-03-07 19:41:08 UTC Net CRE 0 0 ffffe00922cb69f0 TCPv4 CLOSED 10.0.2.152:50079 167.172.227.148:80
2025-03-07 19:41:08 UTC NTFS CRE 0 451 5efbc800 \1\Users\Robert Paulson\AppData\Local\Temp\tmp98p1q14j
2025-03-07 19:41:08 UTC NTFS CRE 0 0 5efbc000 \1\Users\Robert Paulson\Desktop\encryption_log.txtReviewing tmp98p1q14j;
-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS 7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+ KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu xwIDAQAB -----END PUBLIC KEY-----
Question 9:
What is the first line of key material from the TA's private key?
So now we have the public key and the path. How do we find the private key?
We know what a public key looks like, and we know the format of a private key, including a header which contains '-----BEGIN RSA PRIVATE KEY------'
$ grep 'BEGIN RSA PRIVATE KEY' memory.dmp -A 50 -B1 -aResult;
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAubL25JOIMo4yCstMlYOSKOnBgaH617AMy+BwTT6K3eLOZt9T
iXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdbnkvsEnAS7zprWOx5n75VT39wY926
vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1odt6Egem8gOPddcqSZTUqdqqFDsn1
xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS7WN5jcX6r2IyCui+CEz+Ud2wQkPO
AT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+KC83uQwrllyvn6i8KvTtdmCD4H/2
lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTuxwIDAQABAoIBABUjTf9O294FWaTo
51rNk0Gc+i3rZkZO/+XlMmNYjy4atyv2l+e6gIlLUHy/iKerVatdOFNNJwBRRJLh
PUsOpBsswT6IC1+34qhIor+QRt25v+1eO/eSF6AB1hsxWcJu4hdnzi7dmwLERyIp
+RlxLwb45VR0asSxK3BREsD6gE7pgAh4h0h/kftyLc0sbZ1nimz8571svm2QcsL+
WvFQ/Ps/NSDID8e+BZAP5r5SDa8vTel/qcYOtijJ80RLrYGT5taibPmS2mMJeiyR
mXZyuGpt8koV4D984d0bpB3SgV9VGzPGYit/RpXPWaHLSowAChaUuoid+gOMuXXG
Q8Qn68ECgYEA+iSW94M3gaCcnPkSFFmM7WgIFd/sgVXLjkSONjLZ9Y3amSsV01I6
Y2ggJ6IZq74qdSykIG2885sAfvR6F6+o9lpsjPDTe3/Xy/921UpkYPE1Kv5eesJN
aaQsawx56N8ofvXDcCRi+BA1t2fwq36hTcttPWsdkYLBliy+lxChsc8CgYEAvgwV
oHgJQLcQN07pgCIbKKadcUFGhFoOkfZp0J8ut4xp+pqDqRYgn+TlLgBSe01i5JRn
Jk+K/zocCT8+IbmzCx5TW2EGhZbhgVUjdGPWpD6VIo2mVelvLO6H8UHxOyjFujbd
Q87r0zN0gjQWBJfO3Po6jNl5etrgnzH3/KqLiYkCgYBJgRsDnIFhDAs5bU9Mv4vT
73AAzY436zgnlCmd749wwsBrpeeB83XI5D4ep1mXyAe96uJHzTdq9i9NHxYJg8rI
qYWgXNwoPEbzYRxQTM32Vqri+WBV/ma1FlMfGclxDrJdrGZDu82BS3IddOOZ4VoQ
/CgbljBYI+4y7O8MgQyirQKBgESaxCvbaSutafMtT2lr5nX0P52kvLoGcIAMfgJL
lGe6Dn/iy2h8jmZqELlccGoGc46ka+AOktSzu28zH1C5YoK+/cRc8CfFYb54Z4Ya
jF9aICgLDmKxE+saaISVE2oRu98O8y0JQ2RIjOR7vP8HdiubQQubbhkFblTJiwXw
4tJRAoGBAMIf1Rlrfttqu5qT3bBqf55EXQYSzXMwtU9LHiSJmeR36S3KNvXt7WRd
qrlAEmJb8pXEHbg0dsIIrsUxH8rqydKuiYuCeropqpSrsfrmFhQ3amp0e/dr01cc
HDjUf9RLEKMzE5Wpse6bwJ4Bp8Fd9Wk3out0hZ/jsiyMtdjwe0H5
-----END RSA PRIVATE KEY-----But how can we be sure this matches the public key we found above? Save the above contents to a key file, 'priv1.key'
$ openssl rsa -in priv1.key -check
RSA key ok
writing RSA keySave the public key to another file, pub.pem
$ file priv1.key
priv1.key: PEM RSA private key
$ file pub.pem
pub.pem: ASCII text
$ cat pub.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS
KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb
nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o
dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS
7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+
KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu
xwIDAQAB
-----END PUBLIC KEY-----Prove they match by generating a message, signing it with the public key, then decrypting it with the private key.
$ cat message.txt
13Cubed
$ openssl dgst -sha256 -sign priv1.key -out signature.bin message.txt
$ openssl dgst -sha256 -verify pub.pem -signature signature.bin message.txt
Verified OKQuestion 10:
What is the last web search performed by the user?
We know the user was using Edge, so their History database should be in the usual spot;
AppData\local\Microsoft\Edge\User Data\Default\History
Looks like it's corrupt. Some quick mucking around with .dump and .recover didn't yield any results, so time to just use a simple hex editor. I opened ffffe00923455400-History in HxD and reviewed the most recent URL hits. (Most recent at the top, oldest at the bottom).
Answer: free backup utility for windows 11
Bonus Question:
What folder does the "Backup Software" landing page tell users to exclude?
In the same folder, navigate to Default/Cache/Cache_Data - we're looking for page hits relating to backup software.
$ grep -ai 'Backup' *
ffffe00923431690-data_2: <title>Backup Pro - Secure Your Files</title>
ffffe00923431690-data_2: <h1>Backup Pro - Secure Your Files</h1>
ffffe00923431690-data_2: <p>Protect your important files with **military-grade encryption** and **seamless backup solutions**.</p>
ffffe00923431690-data_2: <li>✅ <strong>Seamless Backup & Restore</strong> - Encrypt and decrypt with ease.</li>
ffffe00923431690-data_2: <a class="download" href="backup.exe" download>Download Backup Pro</a>
ffffe00923431690-data_2: <p>© 2025 Backup Pro. All Rights Reserved.</p>
ffffe0092343fdd0-data_1:�Ȉ���(H��$ strings ffffe00923431690-data_2
Answer: C:/
Last updated
Was this helpful?