13Cubed Windows memory forensics

Richard at 13Cubed recently released another memory forensics challenge; this time involving a compromised Windows host. Watch the video below for a summary of the incident.

Per the warning on the YouTube video;

⚠️ CAUTION ⚠️ This memory sample contains a simulated ransomware for educational purposes. Although safeguards have been implemented to prevent any harm, they are not foolproof. Please treat this sample as if it contains active malware. Ensure all necessary precautions are taken to mitigate potential risks.

WALK-THROUGH BELOW

This page is just a placeholder for the moment, it should be completed by mid-July.

Files

You can download the sample here; https://cdn.13cubed.com/downloads/windows_challenge.zip

Scenario

Bob recently accepted a position at a new company. After hearing alarming scenarios about a ransomware attack, he decided to backup all his data to the cloud. Unfortunately, something went wrong during the process. We only have an image and a series of indicators. This scenario simulates a ransomware scenario using a custom binary.

Analysis Environment

For this challenge, we're going to use MemProcFS on a Windows machine.

We know that the sample is from a Windows machine, and we don't need to build our own kernel profiles from scratch like we do with Linux samples. We do, however, need internet connectivity to pull symbol tables from Microsoft's hosts (unless you have an airgapped repo setup).

Mount your memory image

From a command prompt, run the following;

C:\Tools\memprocfs\5.15>MemProcFS.exe -device D:\13Cubed\windows_challenge\memory.dmp -forensic 1

The drive should appear as a mounted network drive, like below;

I personally like using WSL2 in combination with Explorer and other forensic tools, so I want to mount the network share inside the WSL terminal. To do that, run the following

$ sudo mkdir /mnt/m
$ sudo mount -t drvfs M: /mnt/m
$ ls /mnt/m
conf  forensic  memory.dmp  memory.pmem  misc  name  pid  py  registry  sys  vm

Challenge Questions

Question 1: What is the hostname of this device?

MemProcFS provides a summary of common values in M:\sys, including computername, boot time, etc.

$ cat /mnt/m/sys/computername.txt
RM-205B

Validate this yourself by looking at the value stored in the following registry key;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName

Answer: RM-205B

Question 2: What is the username of the primary user on this device?

Review M:\sys\users\users.txt

$ cat /mnt/m/sys/users/users.txt
   # Username                         SID
-----------------------------------------
0000 Robert Paulson                   S-1-5-21-2126657629-3337008557-1579520640-1001

His name is Robert Paulson..

Validate this by reviewing the following registry path for users;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Only a single user here which matches with the above entry.

Answer: Robert Paulson

Question 3: What is the IP address assigned to this device?

Review the current netstat output in the following location;

$ cat /mnt/m/sys/net/netstat.txt
[snip]
001c   8240 TCPv4  CLOSED       10.0.2.152:49907              204.79.197.203:443           msedge.exe
001d   8240 TCPv4  ESTABLISHED  10.0.2.152:50021              23.39.228.14:443             msedge.exe
001e   8240 TCPv4  CLOSED       10.0.2.152:50041              204.79.197.239:443           msedge.exe
001f   8240 TCPv4  CLOSED       10.0.2.152:50045              13.107.246.41:443            msedge.exe
0020   8240 TCPv4  ESTABLISHED  10.0.2.152:50066              52.228.161.161:443           msedge.exe
0021   8240 TCPv4  CLOSED       10.0.2.152:50070              167.172.227.148:8080         msedge.exe
0022   8240 TCPv4  CLOSED       10.0.2.152:50071              167.172.227.148:8080         msedge.exe
0023   8240 TCPv4  ESTABLISHED  10.0.2.152:50073              204.79.197.239:443           msedge.exe
0024   8240 TCPv4  ESTABLISHED  10.0.2.152:50076              204.79.197.239:443           msedge.exe
0025   8976 TCPv6  LISTENING    [::]:7680                     ***                          svchost.exe

Review the following registry location for last known IP addresses;

HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces

This is parsed and presented here;

M:\registry\HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces

Each entry has a GUID, so navigate to each folder and verify interface name, IP, etc.

$ cat /mnt/m/registry/HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/\{119c075f-3343-4c1b-8a7b-b68c7869c5ba\}/DhcpIPAddress.txt
ffff8485822be000:00b44cf8
REG_SZ
10.0.2.152

Question 4: What was the full URL, including the file name, that the malicious program was downloaded from?

We saw connections above (PID 8240, specifically) connecting to a remote IP on port 8080. The associated process is msedge.exe (Microsoft Edge) so let's see if we can retrieve the user's browsing history.

One thing I like to do while I'm manually navigating files/folders, is run some basic strings/grep commands in the background. The above IP address looks suspicious (given the circumstances/scenario), so run;

$ cd /mnt/m/forensic
$ grep -iR '167.172.227.148' .

One of the first hits is actually a Defender alert caught by the FindEvil module in MemProcFS;

./findevil/findevil.txt:0002      0 ---            AV_DETECT       0000000000000000 AV:[Windows Defender] EVENT:[2025-03-07T19:37:27.387Z DETECTIONEVENT MPSOURCE_IOAV Trojan:Win32/Wacatac.B!ml file:C:\Users\Robert Paulson\Downloads\backup.exe;webfile:C:\Users\Robert Paulson\Downloads\backup.exe|http://167.172.227.148:8080/backup.exe|pid:1452,ProcessStart:133858498434468576;]

Answer: hxxp://167.172.227[.]148:8080/backup.exe

Question 5: According to this execution artifact that would not be found on servers, the first execution occurred within 10 seconds of what time?

There's a clear hint in the question here. Prefetch is not enabled by default on Windows server operating systems, however it's enabled on workstation versions. Read about Prefetch files here and here

If the executable had never been executed on this system before, then a Prefetch file would not exist. We can review the Master File Table (MFT) which has been parsed for us automatically (created time first, modified time second)

$ cat ntfs/ntfs_files.txt | grep -i backup.exe
  447f    77d06400    7199     343 2025-03-07 19:40:36 UTC : 2025-03-07 19:41:04 UTC       b49ae6 A    \1\Users\Robert Paulson\Downloads\backup.exe
  4480    77d06400    7199     343 2025-03-07 19:40:36 UTC : 2025-03-07 19:41:04 UTC            7 ARS  \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
  4bb5    5efbc400    721d   1a33b 2025-03-07 19:41:08 UTC : 2025-03-07 19:41:09 UTC            0 A    \1\Windows\Prefetch\BACKUP.EXE-AB6C9DDF.pf

We can also look at forensic\timeline\timeline_all.txt to see what was happening around that time

	Line    224: 2025-03-07 19:41:11 UTC  REG    MOD         0         0                0 \Root\InventoryApplicationFile\backup.exe|87931ab5a15fc7f5
	Line    259: 2025-03-07 19:41:09 UTC  NTFS   MOD         0         0         5efbc400 \1\Windows\Prefetch\BACKUP.EXE-AB6C9DDF.pf
	Line    270: 2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         5efbc400 \1\Windows\Prefetch\BACKUP.EXE-AB6C9DDF.pf
	Line   1488: 2025-03-07 19:41:04 UTC  NTFS   RD          0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
	Line   1489: 2025-03-07 19:41:04 UTC  NTFS   RD          0         7         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
	Line   1490: 2025-03-07 19:41:04 UTC  NTFS   MOD         0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
	Line   1491: 2025-03-07 19:41:04 UTC  NTFS   MOD         0         7         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
	Line   1940: 2025-03-07 19:40:36 UTC  NTFS   CRE         0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
	Line   1941: 2025-03-07 19:40:36 UTC  NTFS   CRE         0         7         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen

Answer: 2025-03-07 19:41:08 UTC

Question 6: According to the malicious program's log file, how many files were encrypted?

Looking at events around the same timeframe, we can see the following entry in timeline_all.txt

2025-03-07 19:41:09 UTC  NTFS   RD          0         0         5efbc000 \1\Users\Robert Paulson\Desktop\encryption_log.txt

If we try and open the file here M:\forensic\ntfs\1\Users\Robert Paulson\Desktop\encryption_log.txt we can see it's empty, but we can view its contents here;

M:\forensic\files\ROOT\Users\Robert Paulson\Desktop\ffffe00925170830-encryption_log.txt

Count the lines (minus the final line)

Answer: 9 files

Question 7: What is the NTFS creation time for backup.exe?

Based on our MFT records we found in Q5;

	Line   1940: 2025-03-07 19:40:36 UTC  NTFS   CRE         0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
	Line   1941: 2025-03-07 19:40:36 UTC  NTFS   CRE         0         7         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen

Answer: 2025-03-07 19:40:36 UTC

Question 8: What is the full path and name of the public key created by the malicious file?

We have the time marker from above (2025-03-07 19:41:08 UTC) when the encryption log was created.

Looking at surrounding activity, we see the following activity;

2025-03-07 19:41:08 UTC  Net    CRE         0         0 ffffe00922cb69f0 TCPv4  CLOSED       10.0.2.152:50079              167.172.227.148:80          
2025-03-07 19:41:08 UTC  NTFS   CRE         0       451         5efbc800 \1\Users\Robert Paulson\AppData\Local\Temp\tmp98p1q14j
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         5efbc000 \1\Users\Robert Paulson\Desktop\encryption_log.txt

Reviewing tmp98p1q14j;

-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS 7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+ KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu xwIDAQAB -----END PUBLIC KEY-----

Question 9: What is the first line of key material from the TA's private key?

So now we have the public key and the path. How do we find the private key?

We know what a public key looks like, and we know the format of a private key, including a header which contains '-----BEGIN RSA PRIVATE KEY------'

$ grep 'BEGIN RSA PRIVATE KEY' memory.dmp -A 50 -B1 -a

Result;

But how can we be sure this matches the public key we found above? Save the above contents to a key file, 'priv1.key'

$ openssl rsa -in priv1.key -check
RSA key ok
writing RSA key

Save the public key to another file, pub.pem

$ file priv1.key
priv1.key: PEM RSA private key
$ file pub.pem
pub.pem: ASCII text
$ cat pub.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS
KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb
nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o
dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS
7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+
KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu
xwIDAQAB
-----END PUBLIC KEY-----

Prove they match by generating a message, signing it with the public key, then decrypting it with the private key.

$ cat message.txt
13Cubed
$ openssl dgst -sha256 -sign priv1.key -out signature.bin message.txt
$ openssl dgst -sha256 -verify pub.pem -signature signature.bin message.txt
Verified OK

Question 10: What is the last web search performed by the user?

We know the user was using Edge, so their History database should be in the usual spot;

AppData\local\Microsoft\Edge\User Data\Default\History

Looks like it's corrupt. Some quick mucking around with .dump and .recover didn't yield any results, so time to just use a simple hex editor. I opened ffffe00923455400-History in HxD and reviewed the most recent URL hits. (Most recent at the top, oldest at the bottom).

Answer: free backup utility for windows 11

Bonus Question: What folder does the "Backup Software" landing page tell users to exclude?

In the same folder, navigate to Default/Cache/Cache_Data - we're looking for page hits relating to backup software.

$ grep -ai 'Backup' *
ffffe00923431690-data_2:    <title>Backup Pro - Secure Your Files</title>
ffffe00923431690-data_2:        <h1>Backup Pro - Secure Your Files</h1>
ffffe00923431690-data_2:        <p>Protect your important files with **military-grade encryption** and **seamless backup solutions**.</p>
ffffe00923431690-data_2:            <li>✅ <strong>Seamless Backup & Restore</strong> - Encrypt and decrypt with ease.</li>
ffffe00923431690-data_2:        <a class="download" href="backup.exe" download>Download Backup Pro</a>
ffffe00923431690-data_2:            <p>© 2025 Backup Pro. All Rights Reserved.</p>
ffffe0092343fdd0-data_1:�Ȉ���(H��

$ strings ffffe00923431690-data_2

Answer: C:/

Previous13Cubed Linux memory forensics NextCompromised Windows Server 2022 (simulation)

Last updated 10 months ago