REvil Corp

Task 1 - Investigating the Compromised Endpoint

What is the compromised employee's full name?

John Coleman

What is the operating system of the compromised host?

Windows 7 Home Premium 7601 Service Pack 1

What is the name of the malicious executable that the user opened?

# Go to "File Download History" to find this answer
winrar2021.exe

What is the full URL that the user visited to download the malicious binary? (include the binary as well)

http://192.168.75.129:4748/Documents/WinRAR2021.exe

What is the MD5 hash of the binary?

890a58f200dfff23165df9e1b088e58f

What is the size of the binary in kilobytes?

164

What is the extension to which the user's files got renamed?

.t48s39la

What is the number of files that got renamed and changed to that extension?

48

What is the full path to the wallpaper that got changed by an attacker, including the image name?

C:\Users\John Coleman\AppData\Local\Temp\hk8.bmp

The attacker left a note for the user on the Desktop; provide the name of the note with the extension.

t48s39la-readme.txt

The attacker created a folder "Links for United States" under C:\Users\John Coleman\Favorites\ and left a file there. Provide the name of the file.

GobiernoUSA.gov.url.t48s39la

There is a hidden file that was created on the user's Desktop that has 0 bytes. Provide the name of the hidden file.

d60dff40.lock
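The MD5, size-in-kilobytes, renamed-extension and zero-byte-lock-file questions above are the same triage steps an analyst repeats on every ransomware case. The script below is an added example, not part of the original writeup or of any tool the room uses: it builds a constructed stand-in user profile in a temporary directory (the file names reuse the page's indicators, the contents are invented), then hashes the dropped binary in chunks, reports its size in whole KiB the way a forensic size column does, counts files renamed to the `.t48s39la` extension, and lists ransom notes and empty lock files. `build_sample_profile`, `triage_tree` and `run_demo` are names chosen here, and `SAMPLE_BINARY` is constructed data rather than the real `WinRAR2021.exe`.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the page's answers
RANSOM_EXT = ".t48s39la"
NOTE_NAME = "t48s39la-readme.txt"
LOCK_NAME = "d60dff40.lock"

# Constructed stand-in for the downloaded binary: exactly 164 KiB so that
# size_kb() reports 164, as the page does for the real sample. Not real malware.
SAMPLE_BINARY = b"MZ" + b"\x00" * (164 * 1024 - 2)


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string (used to cross-check md5_of_file)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def size_kb(path: Path) -> int:
    """Size in whole kilobytes (1024-byte units), as forensic tools report it."""
    return os.path.getsize(path) // 1024


def triage_tree(root: Path) -> dict:
    """Walk a user profile and summarise ransomware artefacts.

    Collects files renamed to RANSOM_EXT, ransom notes matching NOTE_NAME,
    and zero-byte files (the 'lock' marker many families drop)."""
    renamed, notes, empty = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.endswith(RANSOM_EXT):
                renamed.append(p)
            elif name == NOTE_NAME:
                notes.append(p)
            if p.stat().st_size == 0:
                empty.append(p)
    rel = lambda paths: sorted(str(p.relative_to(root)) for p in paths)
    return {
        "renamed_count": len(renamed),
        "renamed": rel(renamed),
        "notes": rel(notes),
        "zero_byte": rel(empty),
    }


def build_sample_profile(root: Path) -> Path:
    """Create a constructed profile mimicking the artefacts described on the page."""
    desktop = root / "Desktop"
    favs = root / "Favorites" / "Links for United States"
    downloads = root / "Downloads"
    for d in (desktop, favs, downloads):
        d.mkdir(parents=True, exist_ok=True)
    # three "encrypted" documents on the Desktop (constructed contents)
    for i in range(3):
        (desktop / f"report{i}.docx{RANSOM_EXT}").write_bytes(b"encrypted-" + bytes([i]))
    # the renamed shortcut the attacker left under Favorites
    (favs / f"GobiernoUSA.gov.url{RANSOM_EXT}").write_bytes(b"encrypted")
    # ransom note and the zero-byte lock marker on the Desktop
    (desktop / NOTE_NAME).write_text("your files are encrypted (constructed note)\n")
    (desktop / LOCK_NAME).write_bytes(b"")
    # the downloaded binary, using the constructed stand-in bytes
    (downloads / "winrar2021.exe").write_bytes(SAMPLE_BINARY)
    return root


def run_demo() -> dict:
    """Build the sample profile, triage it, and return the combined findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_profile(Path(tmp))
        summary = triage_tree(root)
        binary = root / "Downloads" / "winrar2021.exe"
        summary["binary_md5"] = md5_of_file(binary)
        summary["binary_kb"] = size_kb(binary)
        return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Pointing `triage_tree` at a mounted evidence image's `Users\<name>` directory instead of the constructed profile gives the renamed-file count and note locations directly; the chunked hashing matters because real samples and disk images are far larger than this stand-in.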

The user downloaded a decryptor hoping to decrypt all the files, but he failed. Provide the MD5 hash of the decryptor file.

f617af8c0d276682fdf528bb3e72560b

In the ransomware note, the attacker provided a URL that is accessible through the normal browser in order to decrypt one of the encrypted files for free. The user attempted to visit it. Provide the full URL path.

http://decryptor.top/644E7C8EFA02FBB7

What are three names associated with the malware that infected this host? (enter the names in alphabetical order)

# https://www.joesandbox.com/analysis/366350/0/html
REvil,Sodin,Sodinokibi
