TryHackMe: Retracted Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Retracted room on TryHackMe. This is the final room in the Endpoint Security module, and it is meant to test our newly gained knowledge. Let’s investigate the case of the missing ransomware.

[Image: Retracted Banner]

Room URL:
https://tryhackme.com/room/retracted

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.


Task 1: Introduction to Retracted

A Mother’s Plea

“Thanks for coming. I know you are busy with your new job, but I did not know who else to turn to.”

“So I downloaded and ran an installer for an antivirus program I needed. After a while, I noticed I could no longer open any of my files. And then I saw that my wallpaper was different and contained a terrifying message telling me to pay if I wanted to get my files back. I panicked and got out of the room to call you. But when I came back, everything was back to normal.”

“Except for one message telling me to check my Bitcoin wallet. But I don’t even know what a Bitcoin is!”

“Can you help me check if my computer is now fine?”

Connecting to the Machine

Start the virtual machine in split-screen view by clicking on the green “Start Machine” button on the upper right section of this task. If the VM is not visible, use the blue “Show Split View” button at the top-right of the page. Alternatively, you can connect to the VM using the credentials below via “Remote Desktop”.

Username: sophie
Password: fluffy1960
IP: MACHINE_IP

“Oh, the password doesn’t work? Wait, I have it written somewhere. Uhmm… Try this:”

Username: sophie
Password: fluffy19601234!
IP: MACHINE_IP

Questions

I’ll handle it, Mom.

Answer: No answer needed


Task 2: The Message

“So, as soon as you finish logging in to the computer, you’ll see a file on the desktop addressed to me.”

“I have no idea why that message is there and what it means. Maybe you do?”

Questions

What is the full path of the text file containing the “message”?

Alright, let’s have some fun! I have a feeling this one is going to be a hell of a ride!

Make sure you have started the machine, and let’s start looking for the text file.
You are met by Sophie’s Desktop with a bunch of files.

[Screenshot: Desktop]

There is a file called SOPHIE. Ransom notes are usually placed somewhere the user will find them straight away, and the Desktop is exactly that.

The path to this file is C:\Users\Sophie\Desktop. Since the file is a TXT file, the complete path is C:\Users\Sophie\Desktop\SOPHIE.txt.

Answer: C:\Users\Sophie\Desktop\SOPHIE.txt

What program was used to create the text file?

Alright, we need to do some digging. This is a Windows machine, so the obvious place to look is the Event Viewer. Start it up.

I first tried looking for Sysmon Events with ID 11 (File created), but I could not find anything with the following query:

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" `
  -FilterXPath "*[System[(EventID=11)] and EventData[Data[@Name='TargetFilename']='C:\Users\Sophie\Desktop\SOPHIE.txt']]"

Tough luck. We have more luck looking at the events with an event ID of 1 (process creation).

Sysmon logs are stored in the Windows Event Log, specifically in the Microsoft-Windows-Sysmon/Operational event log channel. If you filter on Event ID 1 and search for SOPHIE.txt, you get the following result:

[Screenshot: Text file creation found]

Go into the details and you will see the following CommandLine property:

CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Sophie\Desktop\SOPHIE.txt

We can conclude that the file was created with Notepad.exe.

IMPORTANT!
Note that there is another copy of the same event on the day I took on this room. I think this is when the VM started up and prepared everything for me. So we should probably focus on the events from the 8th of January.

Anyway, the answer is Notepad.exe.

Answer: Notepad.exe

What is the time of execution of the process that created the text file? Timezone UTC (Format YYYY-MM-DD hh:mm:ss)

See the above screenshot.

Answer: 2024-01-08 14:25:30.749
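Clicking through Event Viewer works, but the same two questions (which process created the note, and when, in UTC) can be answered in one go from PowerShell. The script below is an added example and is not part of the original walkthrough or the room; it assumes Sysmon is logging to the Microsoft-Windows-Sysmon/Operational channel and that the note lives at C:\Users\Sophie\Desktop\SOPHIE.txt, as found above.

```powershell
# Added example (not from the walkthrough): find Sysmon process-creation events (Event ID 1)
# whose command line references the ransom note, and report the timestamp in UTC.
# Assumption: the note file name is SOPHIE.txt, as found on Sophie's Desktop.

$noteName = 'SOPHIE.txt'

# Sysmon ID 1 = ProcessCreate. Filter on the event ID server-side, then inspect the
# EventData fields client-side, which is simpler than an XPath contains() expression.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1
} -ErrorAction Stop

$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    # Turn the <Data Name="..."> elements into a hashtable for easy lookup.
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['CommandLine'] -like "*$noteName*") {
        [pscustomobject]@{
            # Sysmon records its own UTC timestamp with millisecond precision.
            SysmonUtcTime = $data['UtcTime']
            # Event Viewer shows TimeCreated in local time; convert it for the answer format.
            TimeCreatedUtc = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
            Image          = $data['Image']
            ParentImage    = $data['ParentImage']
            User           = $data['User']
            CommandLine    = $data['CommandLine']
        }
    }
}

# Oldest first, so the original 8 January event is listed before any later copy
# generated when the VM was prepared.
$hits | Sort-Object SysmonUtcTime | Format-Table -AutoSize -Wrap
```

Sorting by Sysmon's UtcTime field is what separates the real event from the duplicate the author mentions under IMPORTANT: the two entries have the same Image and CommandLine, so only the timestamp tells them apart.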


Task 3: Something Wrong

“I swear something went wrong with my computer when I ran the installer. Suddenly, my files could not be opened, and the wallpaper changed, telling me to pay.”

“Wait, are you telling me that the file I downloaded is a virus? But I downloaded it from Google!”

Questions

What is the filename of this “installer”? (Including the file extension)

In the intro of the room it said the following:

“So I downloaded and ran an installer for an antivirus program I needed. After a while, I noticed I could no longer open any of my files. 

So we should be looking for an executable being run, probably one that sounds like an antivirus installer. We should again be looking for Event ID 1, as this event is logged every time a new process is created on the system. If Sophie ran an installer that is malware, it generates an Event ID 1 entry when it starts, just like any other process.

We know this happened before the file was created on the Desktop, since the ransom note can only be created after the malware ran. So let’s look through the events before the timestamp we found earlier.

Three events before the earlier timestamp, we see a suspicious executable being run:

[Screenshot: Decryptor]

This one is suspicious, and the name fits the context of a ransomware attack: files are encrypted by malware, and a decryptor is used to restore access to them.

This does sound like something the “hacker” was running, so we need to go back to before they got access. Let’s scroll down more.

I spent more time scrolling, but there are a LOT of events, so I needed to think outside of the box. But WAIT A MINUTE! Sophie did mention downloading from Google.

Open up the Browser and look at the History (Ctrl + H) and you will see that Sophie searched on “antivirus installer”.

Better yet, look at the Recent Downloads (Ctrl + J):

She downloaded a file called antivirus.exe, and we also see the decryptor file we saw earlier in the Events. Anyway, the answer must be antivirus.exe.

Answer: antivirus.exe

What is the download location of this installer?

Press “Show in Folder”, and you will end up in the folder where the file was saved.

C:\Users\Sophie\download

Answer: C:\Users\Sophie\download

The installer encrypts files and then adds a file extension to the end of the file name. What is this file extension?

For completeness, the installer gets run at the following timestamp:

[Screenshot: Running antivirus.exe]

I chose to search on “antivirus.exe” in the Sysmon event log. Roughly 10 minutes before the SOPHIE.txt file got created, we find an event with event ID 11 (File created), where an Excel file is being created with the file extension .dmp.

[Screenshot: File created (dmp)]

.dmp is the extension normally associated with memory dump files.

Answer: .dmp

The installer reached out to an IP. What is this IP?

Keep searching on antivirus.exe and one second after the previous event we see a TCP connection being established to a suspicious IP:

[Screenshot: Destination IP]

Answer: 10.10.8.111
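The last three questions all come down to the same thing: everything Sysmon recorded for one process image. Rather than searching the Event Viewer three times, the following script (an added example, not part of the original walkthrough or the room) builds a small timeline of process creation (ID 1), network connections (ID 3) and file creations (ID 11) attributed to the installer, and then counts the extensions of the files it wrote. It assumes the binary is named antivirus.exe, as seen in the browser downloads, and that the Sysmon configuration logs those three event types.

```powershell
# Added example (not from the walkthrough): one timeline of everything Sysmon recorded for
# the suspicious installer. Assumption: the image name is antivirus.exe (from the downloads
# list) and Sysmon logs ProcessCreate (1), NetworkConnect (3) and FileCreate (11).

$suspect = 'antivirus.exe'

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1, 3, 11
} -ErrorAction Stop

$timeline = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Image is the full path of the process that performed the action; match on file name only.
    if ($data['Image'] -notlike "*\$suspect") { continue }

    $detail = switch ($e.Id) {
        1  { "ProcessCreate: $($data['CommandLine'])" }
        3  { "NetworkConnect: $($data['Protocol']) -> $($data['DestinationIp']):$($data['DestinationPort'])" }
        11 { "FileCreate: $($data['TargetFilename'])" }
    }

    [pscustomobject]@{
        UtcTime = $data['UtcTime']   # Sysmon's own UTC timestamp, millisecond precision
        Id      = $e.Id
        Detail  = $detail
    }
}

$timeline = $timeline | Sort-Object UtcTime
$timeline | Format-Table -AutoSize -Wrap

# Which extension did the installer append? Tally the extensions of every file it created.
# A ransomware process typically shows one extension dominating this list.
$timeline |
    Where-Object Id -eq 11 |
    ForEach-Object { [System.IO.Path]::GetExtension(($_.Detail -replace '^FileCreate: ', '')) } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Reading the sorted timeline top to bottom gives the execution time, the first encrypted file and the outbound connection in order, which is the same sequence the walkthrough pieces together screenshot by screenshot.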


Task 4: Back to Normal

“So what happened to the virus? It does seem to be gone since all my files are back.”

Questions

The threat actor logged in via RDP right after the “installer” was downloaded. What is the source IP?

Interesting scenario. What happened and why is everything normal?

Search for RDP and you will find the following RDP event:

[Screenshot: Searching for RDP]

Here we can see that the connection was made from source IP 10.11.27.46.

Answer: xp1$
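RDP logons are easiest to pull from the Security log rather than by free-text search. The script below is an added example, not part of the original walkthrough or the room; it assumes logon auditing is enabled on the VM so that Event ID 4624 is recorded, and it narrows the search to 8 January 2024, the day of the incident.

```powershell
# Added example (not from the walkthrough): list remote interactive (RDP) logons from the
# Security log with their source IP. Assumptions: logon success auditing is enabled
# (Event ID 4624 present) and the incident happened on 2024-01-08.

$day = Get-Date '2024-01-08'

$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $day
    EndTime   = $day.AddDays(1)
} -ErrorAction Stop

$rdp = foreach ($e in $logons) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # LogonType 10 = RemoteInteractive (RDP). Network logons (type 3) and unlocks (type 7)
    # also appear around an RDP session, so keep only type 10 to get the session itself.
    if ($data['LogonType'] -ne '10') { continue }

    [pscustomobject]@{
        TimeUtc    = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
        Account    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIp   = $data['IpAddress']
        SourceHost = $data['WorkstationName']
        LogonId    = $data['TargetLogonId']
    }
}

$rdp | Sort-Object TimeUtc | Format-Table -AutoSize
```

The TargetLogonId column is worth keeping: it is the same Logon ID that appears in later 4634 logoff events, which is how you would bound the intruder's session in Task 5 without scrolling.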

This other person downloaded a file and ran it. When was this file run? Timezone UTC (Format YYYY-MM-DD hh:mm:ss)

Well, I did find the decryptor.exe file earlier! Search for it and you should be able to find this event where the file gets run:

[Screenshot: Decryptor.exe]

Answer: 2024-01-08 14:24:19.573


Task 5: Doesn’t Make Sense

“So you’re telling me that someone accessed my computer and changed my files but later undid the changes?”

“That doesn’t make any sense. Why infect my machine and clean it afterwards?”

“Can you help me make sense of this?”

Arrange the following events in sequential order from 1 to 7, based on the timeline in which they occurred.

Questions

Alright, the story seems pretty clear so far. Let’s order the events.

After seeing the ransomware note, Sophie ran out and reached out to you for help.

Sophie saw the saved note and called for our help.

Answer: 3

Sophie downloaded the malware and ran it.

This is where it all started. Sophie downloaded the malware, thinking that it was an Antivirus installer.

Answer: 1

After all the files are restored, the intruder left the desktop telling Sophie to check her Bitcoin.

After all the files were restored, the intruder left a message telling Sophie to check her Bitcoin and disconnected. Perhaps the intruder donated money?

Answer: 6

The intruder realized he infected a charity organization. He then downloaded a decryptor and decrypted all the files.

The intruder showed remorse and downloaded a decryptor to decrypt all files.

Answer: 5

The downloaded malware encrypted the files on the computer and showed a ransomware note.

After the malware was run, it started encrypting all files and showed a note on the Desktop.

Answer: 2

While Sophie was away, an intruder logged into Sophie’s machine via RDP and started looking around.

Sophie went away from the computer while waiting for help and the intruder logged in on the PC to start looking around.

Answer: 4

Sophie and I arrive on the scene to investigate. At this point, the intruder was gone.

This is where our work started.

Answer: 7


Task 6: Conclusion

“Adelle from Finance just called me. She says that someone just donated a huge amount of bitcoin to our charity’s account!”

“Could this be our intruder? His malware accidentally infected our systems, found the mistake, and retracted all the changes?”

“Maybe he had a change of heart?”

Questions

Yeah, possibly.

Answer: No answer needed.


Congratulations on completing Retracted!!!

[Image: Congratulations on completing Retracted]

Congratulations on completing the Retracted room! While the previous challenge focused on Wazuh, I like that this room focused on more hands-on practice with Event Viewer and some clear thinking.

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

[Link: Buy me a coffee]

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg