REvil
Scenario
Lab Link: revil
You are a Threat Hunter working for a cybersecurity consulting firm. One of your clients has been recently affected by a ransomware attack that caused the encryption of multiple of their employees' machines. The affected users have reported encountering a ransom note on their desktop and a changed desktop background. You are tasked with using Splunk SIEM containing Sysmon event logs of one of the encrypted machines to extract as much information as possible.
Reconnaissance
| eventcount summarize=false index=*
| dedup index
| fields index
Output:
cim_modactions
history
main
revil
summary
To get all the sources:
index=* | stats values(source)
Output:
winlog.ndjson
Let's list all hosts:
index=*
| stats count by host
Output:
Windows
Let's get all the event codes:
index=* host="windows"
| stats count by event.code
| sort event.code
Output:
event.code count
1 282
3 18
5 1
6 3
7 34
8 1
10 2
11 745
12 22
13 40
17 1
22 3
26 1
This lab investigates a ransomware incident using Sysmon logs ingested into Splunk. Data originates from an ELK-style Beats pipeline that forwards Windows event data in NDJSON format, which Splunk indexes and normalizes for hunting, correlation, and event analysis.
So the queries are trash in Splunk, so it's better to solve this with ELK, but I'll go with Splunk acting as an ELK xd
Starting
Q1
To begin your investigation, can you identify the filename of the note that the ransomware left behind?
Answer Format: **********-******.***
It's a ransom note, so the ransomware created a file, and file creation is Sysmon event code 11.
So we can filter on event code 11 and the TargetFilename field, on the host windows, to list every file that was created.
Note: in this index every Sysmon field is prefixed with winlog.event_data. (e.g. winlog.event_data.TargetFilename).
query:
index=* event.code=11
| search winlog.event_data.TargetFilename="*.txt"
| table winlog.event_data.TargetFilename
Output:
C:\Users\Default\Saved Games\5uizv5660t-readme.txt
C:\Users\Default\Pictures\5uizv5660t-readme.txt
C:\Users\Default\Music\5uizv5660t-readme.txt
C:\Users\Default\Links\5uizv5660t-readme.txt
C:\Users\Default\Favorites\5uizv5660t-readme.txt
C:\Users\Default\Downloads\5uizv5660t-readme.txt
C:\Users\Default\Documents\5uizv5660t-readme.txt
C:\Users\Default\Desktop\5uizv5660t-readme.txt
C:\Users\Administrator\Downloads\5uizv5660t-readme.txt
C:\Users\Administrator\Desktop\5uizv5660t-readme.txt
C:\Users\Public\5uizv5660t-readme.txt
C:\Users\Default\5uizv5660t-readme.txt
C:\Users\Public\Videos\5uizv5660t-readme.txt
C:\Users\Public\Pictures\5uizv5660t-readme.txt
C:\Users\Public\Music\5uizv5660t-readme.txt
C:\Users\Public\Libraries\5uizv5660t-readme.txt
C:\Users\Public\Downloads\5uizv5660t-readme.txt
C:\Users\Public\Documents\5uizv5660t-readme.txt
C:\Users\Public\Desktop\5uizv5660t-readme.txt
C:\Users\Public\AccountPictures\5uizv5660t-readme.txt
C:\Users\Default\Videos\5uizv5660t-readme.txt
The ransomware dropped the note into every user directory.
Answer:
5uizv5660t-readme.txt
Q2
After identifying the ransom note, the next step is to pinpoint the source. What's the process ID of the ransomware that's likely involved
Answer Format: ****
We have the note's filename, so now we need the image (executable) and the PID of the process that created it:
index=* event.code=11
| search winlog.event_data.TargetFilename="*5uizv5660t-readme.txt"
| table winlog.event_data.ProcessId, winlog.event_data.Image, winlog.event_data.TargetFilename
| dedup winlog.event_data.ProcessId
dedup removes duplicate values (here it leaves one row per ProcessId):
5348
C:\Users\Administrator\Downloads\facebook assistant.exe
C:\Users\Default\Saved Games\5uizv5660t-readme.txt
We got the executable (Image) that created the note, and the PID of that process.
Answer:
5348
Q3
Having determined the ransomware's process ID, the next logical step is to locate its origin. Where can we find the ransomware's executable file?
Answer Format: *:\*****\*************\*********\******** *********.***
We already have it from Q2:
Answer:
C:\Users\Administrator\Downloads\facebook assistant.exe
Q4
Now that you've pinpointed the ransomware's executable location, let's dig deeper. It's a common tactic for ransomware to disrupt system recovery methods. Can you identify the command that was used for this purpose?
Answer Format: ***-********* *****_********** | *******-****** {*_.******();}
To find the anti-recovery command executed by the ransomware process (PID 5348):
index=* event.code=1 winlog.event_data.ProcessId=5348
| table _time, winlog.event_data.Image, winlog.event_data.CommandLine
2023-09-07 16:09:50.836
C:\Users\Administrator\Downloads\facebook assistant.exe "C:\Users\Administrator\Downloads\facebook assistant.exe"
---
2023-09-07 16:09:24.171
C:\Windows\System32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
We haven't hit the right event yet. Ransomware disabling system recovery usually shows up as Event Code 4104 (PowerShell logging) or as Event Code 1 (process creation) for child processes of the ransomware PID.
So we pivot to event code 1, this time filtering on ParentProcessId:
index=* event.code=1 winlog.event_data.ParentProcessId=5348
| table winlog.event_data.Image, winlog.event_data.CommandLine
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
We got it. Now let's decode it; any website will do for that, I used emn178.github.io:
RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
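As an added example (not from the lab or the original writeup), here is a small Python helper that does the same decoding offline: it pulls the -e payload out of a Sysmon CommandLine, decodes the base64/UTF-16LE text, and flags whether the decoded script touches shadow copies. The flag-spelling regex and the indicator list are my own assumptions; the sample command line is the one captured above.

```python
import base64
import re

# Sysmon Event ID 1 CommandLine as captured in the lab (copied from the page).
SAMPLE_COMMANDLINE = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
    "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABl"
    "AHQAZQAoACkAOwB9AA=="
)

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and also -ec.
_FLAG_NAMES = ["encodedcommand"[:i] for i in range(1, 15)] + ["ec"]
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:" + "|".join(sorted(_FLAG_NAMES, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)"
)


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand payload: base64 over UTF-16LE text.
    Restores '=' padding lost to truncation or copy/paste and drops a BOM if present."""
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-16-le").lstrip("\ufeff")


def extract_encoded_command(command_line: str):
    """Return the decoded script from a Sysmon CommandLine, or None if no -e flag is present."""
    match = _ENC_FLAG.search(command_line)
    return decode_encoded_command(match.group(1)) if match else None


# Recovery-inhibition indicators (ATT&CK T1490) worth flagging in a decoded script.
_RECOVERY_INHIBIT = [
    re.compile(r"(?i)win32_shadowcopy"),  # WMI shadow copy deletion, as seen in this lab
    re.compile(r"(?i)vssadmin(?:\.exe)?\s+delete\s+shadows"),
    re.compile(r"(?i)wmic(?:\.exe)?\s+shadowcopy\s+delete"),
]


def inhibits_recovery(script: str) -> bool:
    """True when the decoded script matches a known recovery-inhibition pattern."""
    return any(p.search(script) for p in _RECOVERY_INHIBIT)


if __name__ == "__main__":
    decoded = extract_encoded_command(SAMPLE_COMMANDLINE)
    print(decoded)
    print("recovery inhibition:", inhibits_recovery(decoded or ""))
```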
Q5
As we trace the ransomware's steps, a deeper verification is needed. Can you provide the sha256 hash of the ransomware's executable to cross-check with known malicious signatures?
Answer Format: ****************************************************************
We have the image, so we can get its hashes with:
index=* event.code=1
| search winlog.event_data.Image="*facebook assistant.exe"
| table winlog.event_data.Image, winlog.event_data.Hashes
Answer:
C:\Users\Administrator\Downloads\facebook assistant.exe
SHA1=E5D8D5EECF7957996485CBC1CDBEAD9221672A1A,MD5=4D84641B65D8BB6C3EF03BF59434242D,SHA256=B8D7FB4488C0556385498271AB9FFFDF0EB38BB2A330265D9852E3A6288092AA,IMPHASH=C686E5B9F7A178EB79F1CF16460B6A18
Q6
One crucial piece remains: identifying the attacker's communication channel. Can you leverage threat intelligence and known Indicators of Compromise (IoCs) to pinpoint the ransomware author's onion domain?
Answer Format: ********************************************************.*****
We have the SHA256 hash, so we can look it up on ANY.RUN.
Navigate to the report.
The onion domain is listed under the DNS requests.
Answer:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/