Brave Lab

CyberDefenders Memory Forensic Lab

Scenario

A memory image was acquired from a suspected compromised Windows workstation. The system belonged to a user flagged for potentially malicious activities, including unauthorized access attempts and unusual browsing patterns. The security team observed network activity to external IPs associated with encrypted communication services.

Your task is to analyze the provided memory dump to uncover details about the processes involved, identify active connections at the time of the compromise, and trace the usage patterns of specific applications.

Question 1

What time was the RAM image acquired according to the suspect system?

Answer 1

Running the image through Volatility 3 with the following command gave me a ton of information about the machine the memory dump was taken from.

┌──(zero㉿kali)-[~/Documents/volatility3]
└─$ ./vol.py -r pretty -f dump/dump.mem windows.info

Giving me the following answer: 2021-04-30 17:52:19

Question 2

What is the SHA256 hash value of the RAM image?

Answer 2

A simple SHA256 command in the terminal gave me this:

9db01b1e7b19a3b2113bfb65e860fffd7a1630bdf2b18613d206ebf2aa0ea172

Question 3

What is the process ID of brave.exe?

Answer 3

With a combination of grep and windows.pslist I was able to quickly determine the answer:

┌──(zero㉿kali)-[~/Documents/volatility3]
└─$ ./vol.py -r pretty -f dump/dump.mem windows.pslist | grep brave.exe
Formatting...0.00               PDB scanning finished                        
* | 4856 | 1872 |      brave.exe | 0xbf0f6ca782c0 |       0 |       - |         1 | False | 2021-04-30 17:48:45.000000 UTC | 2021-04-30 17:50:56.000000 UTC |    Disabled

Question 4

How many established network connections were there at the time of acquisition?

Answer 4

Using the same method, but this time with windows.netscan piped through grep, I found the answer to be 10 established connections.

┌──(zero㉿kali)-[~/Documents/volatility3]
└─$ ./vol.py -r pretty -f dump/dump.mem windows.netscan | grep ESTABLISHED
Formatting...0.00               PDB scanning finished                        
* | 0xbf0f6a53ca20 | TCPv4 |                 10.0.2.15 |     49833 |   52.230.222.68 |         443 | ESTABLISHED | 2812 |    svchost.exe | 2021-04-30 17:50:07.000000 UTC
* | 0xbf0f6ad16050 | TCPv4 |                 10.0.2.15 |     49829 | 142.250.191.208 |         443 | ESTABLISHED | 5624 |    svchost.exe | 2021-04-30 17:49:58.000000 UTC
* | 0xbf0f6ad1fad0 | TCPv4 |                 10.0.2.15 |     49847 |   52.230.222.68 |         443 | ESTABLISHED | 2812 |    svchost.exe | 2021-04-30 17:52:17.000000 UTC
* | 0xbf0f6c6352b0 | TCPv4 |                 10.0.2.15 |     49842 |  52.113.196.254 |         443 | ESTABLISHED | 5104 |  SearchApp.exe | 2021-04-30 17:51:25.000000 UTC
* | 0xbf0f6c7104d0 | TCPv4 |                 10.0.2.15 |     49778 |   185.70.41.130 |         443 | ESTABLISHED | 1840 |     chrome.exe | 2021-04-30 17:45:00.000000 UTC
* | 0xbf0f6cd4fa20 | TCPv4 |                 10.0.2.15 |     49837 |  204.79.197.200 |         443 | ESTABLISHED | 5104 |  SearchApp.exe | 2021-04-30 17:51:18.000000 UTC
* | 0xbf0f6d0c64a0 | TCPv4 |                 10.0.2.15 |     49843 |  204.79.197.222 |         443 | ESTABLISHED | 5104 |  SearchApp.exe | 2021-04-30 17:51:26.000000 UTC
* | 0xbf0f6d51c4a0 | TCPv4 |                 10.0.2.15 |     49838 |    13.107.3.254 |         443 | ESTABLISHED | 5104 |  SearchApp.exe | 2021-04-30 17:51:23.000000 UTC
* | 0xbf0f6d525a20 | TCPv4 |                 10.0.2.15 |     49845 |  23.101.202.202 |         443 | ESTABLISHED | 1156 |    MsMpEng.exe | 2021-04-30 17:51:36.000000 UTC
* | 0xe80000193a20 | TCPv4 |                 10.0.2.15 |     49845 |  23.101.202.202 |         443 | ESTABLISHED | 1156 |    MsMpEng.exe | 2021-04-30 17:51:36.000000 UTC

Question 5

Which domain name does Chrome have an established network connection with?

Answer 5

Looking into the established connections that chrome.exe was making revealed only one: an IP address, 185.70.41.130, linked to protonmail.ch.

* | 0xbf0f6c7104d0 | TCPv4 | 10.0.2.15 | 49778 | 185.70.41.130 | 443 | ESTABLISHED | 1840 | chrome.exe


Question 6

What is the MD5 hash value of the process executable for PID 6988?

Answer 6

Looking through the process output revealed that the executable with PID 6988 was OneDrive.exe. I first went about this the wrong way, however: I tried to dump all the files to get OneDrive.exe, but when I took that version's MD5 hash it came back as incorrect.

The alternative method is to dump the file straight from the process list using the following:

└─$ ./vol.py -f dump/dump.mem windows.pslist.PsList --pid 6988 --dump

This dumps the exe straight from the process list itself, giving me the correct answer when I ran md5sum on it.

└─$ md5sum dump/6988.OneDrive.exe.0x1c0000.dmp
0b493d8e26f03ccd2060e0be85f430af  dump/6988.OneDrive.exe.0x1c0000.dmp

Question 7

Can you identify the word that begins at offset 0x45BE876 and is 6 bytes long?

Answer 7

Using the tool HxD, you can go to a specific offset by pressing CTRL+G. From there I entered the offset 45BE876 and found the following:

Question 8

What is the creation date and time of the parent process of powershell.exe?

Answer 8

Using the process tree command back on my Kali box, I got the following output:

**    | 4296 |  668 |   userinit.exe | 0xbf0f6ca8f080 |       0 |       - |         1 | False | 2021-04-30 17:39:48.000000 UTC | 2021-04-30 17:40:12.000000 UTC |
***   | 4352 | 4296 |   explorer.exe | 0xbf0f6ca662c0 |      82 |       - |         1 | False | 2021-04-30 17:39:48.000000 UTC |                            N/A |
****  | 6884 | 4352 |   VBoxTray.exe | 0xbf0f6d186080 |      11 |       - |         1 | False | 2021-04-30 17:40:01.000000 UTC |                            N/A |
****  | 5096 | 4352 | powershell.exe | 0xbf0f6d97f2c0 |      12 |       - |         1 | False | 2021-04-30 17:51:19.000000 UTC |

userinit.exe is the parent process in this situation.

Question 9

What is the full path and name of the last file opened in notepad?

Answer 9

Using the process tree I can get an idea of what notepad.exe was doing at the time of the capture. The following is the result:

\Device\HarddiskVolume2\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum |

Question 10

How long did the suspect use Brave browser? (In Hours)

Answer 10

Using the windows.registry.userassist plugin for Volatility gave me a clear answer of 4 hours.

** | 0xa80333cda000 | \??\C:\Users\John Doe\ntuser.dat | ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count | 2021-04-30 17:52:18.000000 UTC | Value |                                                                                                  %ProgramFiles%\BraveSoftware\Temp\GUM20E0.tmp\BraveUpdate.exe | N/A |     0 |           0 | 0:00:03.531000 |                            N/A |                                                                 
** | 0xa80333cda000 | \??\C:\Users\John Doe\ntuser.dat | ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count | 2021-04-30 17:52:18.000000 UTC | Value |                                                                                                            %ProgramFiles%\BraveSoftware\Update\BraveUpdate.exe | N/A |     0 |           1 | 0:00:24.797000 |                            N/A |                                                                 
** | 0xa80333cda000 | \??\C:\Users\John Doe\ntuser.dat | ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count | 2021-04-30 17:52:18.000000 UTC | Value |                                                                                                                                                          Brave | N/A |     9 |          22 | 4:01:54.328000 | 2021-04-30 17:48:45.000000 UTC |
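The focus-time column the plugin reports comes from a fixed binary layout inside each UserAssist\Count value, with the value name ROT13-obfuscated. As an added illustration (my own Python, not Volatility's code and not part of the lab), the decoder below parses the Windows 7+ 72-byte layout and runs it over a constructed sample built from the Brave figures shown above (9 runs, 22 focus events, 4:01:54.328 of focus time, last run 2021-04-30 17:48:45 UTC); the field offsets are the documented ones, and the sample bytes are constructed, not taken from the image.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# 100-ns intervals between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_UNIX_DELTA = 116444736000000000


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME to an aware UTC datetime."""
    seconds, remainder = divmod(ft - FILETIME_UNIX_DELTA, 10_000_000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=remainder // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used here to build the constructed sample."""
    return int(dt.timestamp()) * 10_000_000 + dt.microsecond * 10 + FILETIME_UNIX_DELTA


def decode_userassist(value_name, raw):
    """Decode one Win7+ UserAssist\\Count value.

    Layout: 0x04 run count, 0x08 focus count, 0x0C focus time in ms,
    0x3C last-execution FILETIME (all little-endian). Name is ROT13.
    """
    if len(raw) < 72:
        raise ValueError("UserAssist value too short for the Win7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    (last_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_executed": filetime_to_datetime(last_ft) if last_ft else None,
    }


# Constructed sample mirroring the Brave entry in the userassist output above.
SAMPLE_NAME = codecs.encode("Brave", "rot_13")  # stored in the registry as "Oenir"
SAMPLE_RAW = (
    struct.pack("<IIII", 0, 9, 22, 14_514_328)      # session id, runs, focus count, focus ms
    + b"\x00" * 44                                   # rating floats / unknown fields
    + struct.pack("<Q", datetime_to_filetime(datetime(2021, 4, 30, 17, 48, 45, tzinfo=timezone.utc)))
    + b"\x00" * 4                                    # trailing unknown DWORD
)

if __name__ == "__main__":
    entry = decode_userassist(SAMPLE_NAME, SAMPLE_RAW)
    hours = entry["focus_time"].total_seconds() / 3600
    print(f'{entry["name"]}: runs={entry["run_count"]} focus={entry["focus_count"]} '
          f'time={entry["focus_time"]} (~{hours:.0f} h) last={entry["last_executed"]}')
```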

Lab Complete!