You are a Digital Forensics and Incident Response (DFIR) analyst tasked with investigating a ransomware attack that has affected a company’s system. The attack has resulted in file encryption, and the attackers are demanding payment for the decryption of the affected files. You have been given a memory dump of the affected system to analyze and provide answers to specific questions related to the attack.
This challenge LockBit on LetsDefend is rated easy and was created by MMOX. For his challenge, you are provided Lockbit.zip which extracts to Lockbit.vmem, a virtualbox memory dump. To solve this challenge, I needed volatility, which is not installed by default on the provided virtual machine as seen below. Using imageinfo, volatility was able to determine this memory dump came from a Win7SP1x64 machine.
Using raw2dmp I was able to convert Lockbit.vmem into windows.raw a windows crash dump for further analysis.
Next I used psscan which provided me the PID of mal.exe, and the answer to the first question of this challenge.
Question 1: Can you determine the date and time that the device was infected with the malware? (UTC, format: YYYY-MM-DD hh:mm:ss)
Answer: 2023-04-13 10:06:45
After installing volatility3, I used procdump to dump the file associated with the PID from the results of psscan. Searching VirusTotal confirmed this to be lockbit (as if the name of the challenge didn’t give it away) and answer the remaining questions.
Question 2: What is the name of the ransomware family responsible for the attack?
Answer: lockbit
Question 3: What file extension is appended to the encrypted files by the ransomware?
Answer: .lockbit
Question 4: What is the TLSH (Trend Micro Locality Sensitive Hash) of the ransomware?
Answer: T119E3163DB459E165C8CF04B57E2516BAD671F83C037989F3EBD38C299420EE86626B07
Question 5: Which MITRE ATT&CK technique ID was used by the ransomware to perform privilege escalation?
Answer: T1543
Question 6 : What is the SHA256 hash of the ransom note dropped by the malware?
Answer: 67c6784a5296658ac4d633f4e8c0914ecc783b1cf2f6431818c4e2f3cdcce91f
Question 7 : What is the name of the registry key edited by the ransomware during the attack to apply persistence on the infected system?
Answer: XO1XADpO01
