TryHackMe — Redline Endpoint Investigation Challenge Walkthrough
Endpoint Investigation with the FireEye Redline Security Tool
Introduction:
Hello! Thanks for joining me on this walkthrough. This week I am going through the Redline room on TryHackMe. FireEye Redline (not the info stealer malware) is an endpoint security memory analysis tool with file structure browsing capabilities, similar to Volatility (see my previous TryHackMe write-up), but with a nice GUI for navigation!
As always, this write-up will serve as both a learning journal for me and a TryHackMe challenge walkthrough with some added context for anyone who stumbles on this post. To keep this focused, this walkthrough is only going to cover Task 7: Endpoint Investigation. In the spirit of learning, I will not be revealing the flags in this walkthrough, but this is a FREE room, so anyone can learn about Redline, perform the investigation along with me and find the answers on their own. Thanks for reading — hope it helps!
Challenge Link: https://tryhackme.com/room/btredlinejoxr3d
Task 7: Endpoint Investigation
Challenge Scenario:
A Senior Accountant, Charles, is complaining that he cannot access the spreadsheets and other files he has been working on. He also mentioned that his wallpaper got changed with the saying that his files got encrypted. This is not good news!
Are you ready to perform the memory analysis of the compromised host? You have all the data you need to do some investigation on the victim’s machine. Let’s go hunting!
Question 1: Can you identify the product name of the machine?
Okay, let’s see if we can help Charles. Fortunately, the analysis session has already been created for this challenge, so we simply need to open the investigation (.mans) file in Redline.
Once it (finally) opens, we have quite a few options to explore in our Analysis Data menu. Let’s start with a high-level view of the victim machine to better understand the environment at the time of the data collection. The System Information tab has some great information about the Machine, OS, and User.
If we read through the information, I think we can find the answer to Question 1…
Question 2: Can you find the name of the note left on the Desktop for the “Charles”?
Okay, now that we have a better idea of the environment we are analyzing, we need to look for a “note” left for Charles. Since Charles complained that there was a message that his files were encrypted, we’re probably looking for a ransom note?
There are a couple of ways I think we can find it. Let’s try the path of least resistance first. We can simply try navigating to Charles’ Desktop through the File System tab and seeing what we find:
Okay, this seems promising! We have a .txt file which is a standard plaintext document typically created by Notepad in a Windows environment. Let’s approach this another way and confirm that we have the correct file.
Navigate to Processes on the Analysis Data panel and look for Notepad. We could use the filter, but in this case it’s pretty easy to spot in the process list.
Let’s double click the NOTEPAD.EXE process and see what additional information we can get.
Okay, there we go! I think we found the answer we are looking for. It looks like some process spawned Notepad.exe to generate the note and drop it on Charles’ desktop.
Question 3: Find the Windows Defender service; what is the name of its service DLL?
Alright, moving right along. We need to locate a DLL for the Windows Defender service, so let’s go check out the Windows Services section of the analysis panel.
We have a couple of ways of locating this. We can filter all fields for Windows Defender, or we can filter the Service DLL column specifically.
This time around, let’s use the Service DLL column and filter for Windows Defender. This should get us the information we need.
Let’s submit the answer and confirm:
Question 4: The user manually downloaded a zip file from the web. Can you find the filename?
Moving along, let’s see if we can determine the source of the ransomware infection. Let’s start with something obvious, like supposing that the user downloaded a file.
We can approach this in a similar way to Question 2. We will start by manually evaluating the artifacts in Charles’ download folder and then use the File Download History tab in the Analysis Data pane to confirm.
Let’s use the File System tab and select the Downloads folder for Charles. If we quickly scan the folder, we mostly see some forensic tools like FTK Imager, Wireshark, and Redline itself, along with some incomplete downloads (the unconfirmed downloads) and Microsoft update files. There is one file that looks a little strange though…
Now, let’s utilize the File Download History tab. We can search by the file extension .zip to search for the file we found during our manual review of the Downloads folder.
Look at the first result. There is a manual download entry with an intriguing URL — Malware Bazaar. It appears Charles may have downloaded a malware sample.
According to the Malware Bazaar website:
MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
Very interesting, but for the purposes of this challenge, the file name column confirms our finding from the Downloads folder — we can go ahead and submit Question 4.
Side Note: Before we move on to the next question, let’s try to add some context by checking out the timeline to get a better idea of the series of events leading up to the download of the malware sample. I had previously combed through the timeline and tagged relevant events (the orange tag) to get a focused view of the incident.
While this isn’t relevant for this challenge, this would be very interesting in a real world scenario. It’s possible that this sample was simply downloaded to create this challenge scenario but in the real world, we can’t rule out an insider threat since we have evidence of a Google search for a piece of malware under the user’s profile.
Question 5: Provide the filename of the malicious executable that got dropped on the user’s Desktop.
Let’s navigate back to Charles’ Desktop through the file system tree view where we found the ransom note. On the Desktop, we see two executable (.exe) files. One appears to be the Microsoft Office setup and the other seems a bit more suspicious…
In Question 6 we will do a bit more analysis on this executable but for now, let’s submit our answer:
Question 6: Provide the MD5 hash for the dropped malicious executable.
Now for the easy part! Simply double-click the file within the tree view to drill down into the Full Detailed Information for the file. Once the window loads, we will have some additional information about the file including a section for file hashes.
We can go ahead and submit the answer but keep that MD5 hash handy, as we will use it for some further IOC investigation in the next question.
Question 7: What is the name of the ransomware?
Okay, to fully determine the impact and remediate the incident, we need to identify exactly what malware we are investigating. Let’s start by taking the file hash of the malicious executable that we found in Question 6 and checking it against VirusTotal & Hybrid Analysis to see if we get any hits that can help us:
Fortunately, we have a lot of detections for this particular executable. If we look through the labels and the Details tab on these two services, we see a frequent name which identifies this malware family. I have a suspicion that this is the correct name for the ransomware, but we can do a bit of Google reconnaissance to see if we can find any technical reports to provide further intelligence and confirm our findings.
Once we do that, we have enough information to answer Question 7 and conclude this investigation!
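The hash-and-pivot step from Questions 6 and 7, as an added example that is not part of the original walkthrough: it hashes a file the way Redline's Full Detailed Information view does, compares the digests against a known-bad list, and builds the same VirusTotal (SHA-256) and Hybrid Analysis (MD5) lookup URLs that appear in the references below. The sample bytes and the known-bad entry for them are constructed here; the two real hashes in the list are the ones from this post's reference links.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the dropped executable; not a real binary.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a dropped executable\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_BYTES).hexdigest()

# Known-bad hashes: the MD5 and SHA-256 from this post's reference links, plus
# the constructed sample's MD5 (upper-cased on purpose to show case handling).
KNOWN_BAD = {
    "Fe1bc60a95b2c2d77cd5d232296a7fa4",
    "b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d",
    SAMPLE_MD5.upper(),
}


def hash_file(path, chunk_size=1 << 20):
    """Return MD5, SHA-1 and SHA-256 hex digests, streaming so large files are fine."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def match_iocs(digests, known_bad):
    """Names of the digest algorithms whose value appears in known_bad (case-insensitive)."""
    bad = {h.lower() for h in known_bad}
    return sorted(name for name, value in digests.items() if value.lower() in bad)


def lookup_urls(digests):
    """Pivot URLs in the same form as the references: VT keys on SHA-256, HA search takes MD5."""
    return {
        "virustotal": f"https://www.virustotal.com/gui/file/{digests['sha256']}",
        "hybrid_analysis": f"https://www.hybrid-analysis.com/search?query={digests['md5']}",
    }


def triage(path, known_bad=KNOWN_BAD):
    digests = hash_file(path)
    return {"hashes": digests, "matches": match_iocs(digests, known_bad), "pivot": lookup_urls(digests)}


def demo():
    """Write the constructed sample to a temp file and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspicious.exe")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        return triage(path)
```

Point `triage()` at a file exported from the image to get the digests to paste into VirusTotal or Hybrid Analysis; a non-empty `matches` list means one of the digests is already on your IOC list.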
Conclusion:
I think we now have enough information to start the eradication and recovery phase for Charles! Great job!
Thank you to TryHackMe for hosting another awesome challenge and building out such a huge catalog of free rooms for the community. This room, while brief, was a thorough introduction to the Redline tool and gives you just enough hands-on time to understand its value in the DFIR process compared with Volatility for memory analysis. It never hurts to have some experience with a new tool to keep in your kit, after all!
Thank you so much for reading along and learning with me! I hope that you had as much fun as I did and learned something new, too. Stay curious!
Tools & References:
Redline: https://fireeye.market/apps/211364
TryHackMe: https://tryhackme.com/room/btredlinejoxr3d
Malware Bazaar: https://bazaar.abuse.ch/
Hybrid Analysis: https://www.hybrid-analysis.com/search?query=Fe1bc60a95b2c2d77cd5d232296a7fa4
VirusTotal: https://www.virustotal.com/gui/file/b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d