13Cubed Windows memory forensics
Richard at 13Cubed recently released another memory forensics challenge, this time involving a compromised Windows host. Watch the video below for a summary of the incident.
Per the warning on the YouTube video:
⚠️ CAUTION ⚠️ This memory sample contains a simulated ransomware for educational purposes. Although safeguards have been implemented to prevent any harm, they are not foolproof. Please treat this sample as if it contains active malware. Ensure all necessary precautions are taken to mitigate potential risks.
WALK-THROUGH BELOW
This page is just a placeholder for the moment; it should be completed by mid-July.
Files
You can download the sample here: https://cdn.13cubed.com/downloads/windows_challenge.zip
Scenario
Bob recently accepted a position at a new company. After hearing alarming scenarios about a ransomware attack, he decided to back up all his data to the cloud. Unfortunately, something went wrong during the process. We only have an image and a series of indicators. This scenario simulates a ransomware scenario using a custom binary.
Analysis Environment
For this challenge, we're going to use MemProcFS on a Windows machine.
We know that the sample is from a Windows machine, so we don't need to build our own kernel profiles from scratch as we do with Linux samples. We do, however, need internet connectivity to pull symbol tables from Microsoft's hosts (unless you have an air-gapped symbol repository set up).
Mount your memory image
From a command prompt, run the following:
The drive should appear as a mounted network drive, like below:

I personally like using WSL2 in combination with Explorer and other forensic tools, so I want to mount the network share inside the WSL terminal. To do that, run the following:
Challenge Questions
Question 1: What is the hostname of this device?
MemProcFS provides a summary of common values in M:\sys, including the computer name, boot time, etc.
Validate this yourself by looking at the value stored in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName
Answer: RM-205B
Question 2: What is the username of the primary user on this device?
Review M:\sys\users\users.txt.
His name is Robert Paulson.
Validate this by reviewing the following registry path for user profiles:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There is only a single user here, which matches the entry above.
Answer: Robert Paulson
Question 3: What is the IP address assigned to this device?
Review the current netstat output in the following location:
Review the following registry location for last known IP addresses:
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
This is parsed and presented here:
M:\registry\HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
Each entry is keyed by an interface GUID, so navigate into each folder and verify the interface name, IP address, etc.
Question 4: What was the full URL, including the file name, that the malicious program was downloaded from?
We saw connections above (from PID 8240, specifically) to a remote IP on port 8080. The associated process is msedge.exe (Microsoft Edge), so let's see if we can retrieve the user's browsing history.
One thing I like to do while I'm manually navigating files/folders is run some basic strings/grep commands in the background. The above IP address looks suspicious (given the circumstances/scenario), so run:
One of the first hits is actually a Defender alert caught by the FindEvil module in MemProcFS:
Answer: hxxp://167.172.227[.]148:8080/backup.exe
Question 5: According to this execution artifact that would not be found on servers, the first execution occurred within 10 seconds of what time?
There's a clear hint in the question here. Prefetch is not enabled by default on Windows Server operating systems, but it is enabled on workstation versions. Read about Prefetch files here and here.
If the executable had never been executed on this system before, a Prefetch file would not exist. We can review the Master File Table (MFT), which has been parsed for us automatically (created time first, modified time second).
We can also look at forensic\timeline\timeline_all.txt to see what was happening around that time.
Answer: 2025-03-07 19:41:08 UTC
Question 6: According to the malicious program's log file, how many files were encrypted?
Looking at events around the same timeframe, we can see the following entry in timeline_all.txt:
If we try to open the file at M:\forensic\ntfs\1\Users\Robert Paulson\Desktop\encryption_log.txt, it appears empty, but its contents can be viewed here:
M:\forensic\files\ROOT\Users\Robert Paulson\Desktop\ffffe00925170830-encryption_log.txt
Count the lines (minus the final line).
Answer: 9 files
Question 7: What is the NTFS creation time for backup.exe?
Based on the MFT records we found in Q5:
Answer: 2025-03-07 19:40:36 UTC
Question 8: What is the full path and name of the public key created by the malicious file?
We have the time marker from above (2025-03-07 19:41:08 UTC) for when the encryption log was created.
Looking at surrounding activity, we see the following:
Reviewing tmp98p1q14j:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS
KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb
nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o
dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS
7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+
KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu
xwIDAQAB
-----END PUBLIC KEY-----
Question 9: What is the first line of key material from the TA's private key?
So now we have the public key and the path. How do we find the private key?
We know what a public key looks like, and we know the format of a private key, including a header that contains '-----BEGIN RSA PRIVATE KEY-----'.
Result:
But how can we be sure this matches the public key we found above? Save the above contents to a key file, priv1.key.
Save the public key to another file, pub.pem.
Prove they match by generating a message, encrypting it with the public key, then decrypting it with the private key.
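The round trip above proves the pairing; a quicker check is to compare the RSA modulus embedded in both PEM files, which is what the following added example does (it is not part of the original walk-through). It parses the DER inside the public key shown under Q8 with a minimal TLV walker; the PKCS#1 private key it compares against is a constructed toy key that deliberately does not match, because the TA's private key is not reproduced on this page.

```python
import base64
import re
# Public key recovered from tmp98p1q14j (as shown on this page).
PAGE_PUB = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS
KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb
nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o
dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS
7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+
KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu
xwIDAQAB
-----END PUBLIC KEY-----"""
# Constructed toy PKCS#1 private key (n=3233, e=17, d=2753) that does NOT
# belong to PAGE_PUB; the TA's real private key is not reproduced here.
TOY_PRIV = ("-----BEGIN RSA PRIVATE KEY-----\n" + base64.b64encode(
    bytes.fromhex("300e 020100 02020ca1 020111 02020ac1")).decode() + "\n-----END RSA PRIVATE KEY-----")

def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END armour lines and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, e.g. 82 01 22
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(seq: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = der_read(seq, pos)
        yield tag, val

def rsa_modulus(pem: str) -> int:
    """Return n from a 'PUBLIC KEY' (SubjectPublicKeyInfo) or 'RSA PRIVATE KEY' (PKCS#1) PEM."""
    tag, top, _ = der_read(pem_to_der(pem), 0)
    assert tag == 0x30, "expected a top-level SEQUENCE"
    if "RSA PRIVATE KEY" in pem:             # PKCS#1: SEQUENCE { version, n, e, d, ... }
        ints = [v for t, v in der_children(top) if t == 0x02]
        return int.from_bytes(ints[1], "big")
    _alg, bits = [v for _, v in der_children(top)]    # AlgorithmIdentifier, BIT STRING
    _, rsa_pub, _ = der_read(bits[1:], 0)   # skip the BIT STRING's unused-bits octet
    n, _e = [v for _, v in der_children(rsa_pub)]     # RSAPublicKey: SEQUENCE { n, e }
    return int.from_bytes(n, "big")

def keys_match(pub_pem: str, priv_pem: str) -> bool:   # same n in both files = same key pair
    return rsa_modulus(pub_pem) == rsa_modulus(priv_pem)
```

The same comparison can be done with openssl's -modulus output on priv1.key and pub.pem; this version only needs the standard library.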
Question 10: What is the last web search performed by the user?
We know the user was using Edge, so their History database should be in the usual spot:
AppData\Local\Microsoft\Edge\User Data\Default\History
Looks like it's corrupt. Some quick mucking around with .dump and .recover didn't yield any results, so it was time to just use a simple hex editor. I opened ffffe00923455400-History in HxD and reviewed the most recent URL hits (most recent at the top, oldest at the bottom).

Answer: free backup utility for windows 11
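Carving URLs out of a database that SQLite refuses to open is what the hex-editor review above does by eye. The following is an added example, not part of the original post: it scans raw bytes for URLs, records their offsets, and URL-decodes the q= parameter of search-engine hits. The input blob is constructed here, not the challenge's History file, and the newest-first ordering is the observation made on this page, so it is a parameter rather than a rule.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a damaged History file: SQLite header, binary
# noise and three URL fragments. Not taken from the challenge image.
SAMPLE = (b"SQLite format 3\x00\x10\x00\x01\x01\x00\x40\x20\x20"
          b"\x00\x0dhttps://www.bing.com/search?q=free+backup+utility+for+windows+11&form=QBLH\x00\x00"
          b"\x07\x1bhttps://www.bing.com/search?q=ransomware+protection+tips\x00\x80\xff"
          b"http://example.invalid:8080/backup.exe\x00")

URL_RE = re.compile(rb"https?://[!-~]{4,}")   # printable, non-space run after a scheme
SEARCH_PARAMS = {"www.bing.com": "q", "www.google.com": "q", "duckduckgo.com": "q"}

def carve_urls(blob: bytes):
    """Return (offset, url) pairs in file order so each hit can be located in a hex editor."""
    hits = []
    for m in URL_RE.finditer(blob):
        url = m.group().rstrip(b".,;'\")")      # trailing punctuation is rarely part of the URL
        hits.append((m.start(), url.decode("ascii")))
    return hits

def search_terms(blob: bytes):
    """Decode the query parameter of every carved search-engine URL, in file order."""
    terms = []
    for _, url in carve_urls(blob):
        parts = urlsplit(url)
        param = SEARCH_PARAMS.get(parts.hostname or "")
        if param:
            values = parse_qs(parts.query).get(param)
            if values:
                terms.append(values[0])
    return terms

def last_search(blob: bytes, newest_first: bool = True):
    """Pick the most recent search. The hex-editor review on this page found the newest
    hit at the top of the file; flip newest_first if the file you carve is ordered the other way."""
    terms = search_terms(blob)
    if not terms:
        return None
    return terms[0] if newest_first else terms[-1]
```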
Bonus Question: What folder does the "Backup Software" landing page tell users to exclude?
In the same folder, navigate to Default\Cache\Cache_Data; we're looking for cached page hits relating to backup software.

Answer: C:/