TryHackMe: Dunkle Materie Room Write-Up

Hi, this is my write-up for the Dunkle Materie room on the TryHackMe platform. It is a medium-difficulty room that has users investigate a ransomware attack using an application called ProcDOT.

This room is created by tryhackme, heavenraiza, and RussianPanda.

Without further ado, let’s begin!

Link to TryHackMe Dunkle Materie room:

################## REMINDER ##################

I answer the questions in the order I found and solved them, so they will not appear in sequence.

I am also new to the ProcDOT application, so apologies for any mistakes or wrong steps in my write-up.

##############################################

Starting

I started the AttackBox on TryHackMe and ran ProcDOT.

I am new to this application, so I was in trial-and-error mode.

I loaded the log file into the Procmon field, as in the figure below.

It didn't seem to work on its own, so I added the traffic capture to the Windump field.

And now something new appeared.

After that, I realized that I should press Launcher and pick a process to look at. I simply chose one.

Then tick “no path” and “compressed” and click the refresh button. (The entry in the Launcher box can be ignored for now.)

After loading, a flow chart is generated.

Double-clicking on it zooms in.

Question 2

The red box shows the full path from which the malware was initially executed, which is the answer to the second question.

(The path is redacted for the learning purposes of each user.)

Question 1

Now it's time for Question 1. Go to the Launcher tab and choose exploreer.exe, since I knew where to start after getting the path from the second question.

I chose the first exploreer.exe I found.

Question 3

After reading the third question, I looked into the first exploreer.exe. I found a suspicious site that might be used by the “hackers”.

In the second exploreer.exe, I also found one.

And both are correct. (Shorter in front, longer at the back.)

YES!

Question 4

The IP addresses are also redacted in the previous figure.

Question 5

This question asks us to identify the user-agent used to transfer the encrypted data to the C2 channel.

So, by right-clicking the site we found previously, we click “Follow TCP Stream”.

Scroll down a bit and we can see the User-Agent.

And it's done for question 5.

Question 6

Now, we need to identify the cloud security service that blocked the malicious domain.

In the same window, scroll down a bit more and we can see the server name.

Yes, it is correct.
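Questions 5 and 6 both come down to reading headers out of the reassembled TCP stream: the User-Agent in the request the malware sent, and the Server header in the reply from whatever blocked the domain. The following is an added example, not part of the original write-up or of ProcDOT, showing how to pull those two fields out of such a stream automatically. The host, URL, user-agent string and server name in the sample stream are constructed for this example; the room's real values are redacted above.

```python
import re

# Constructed sample of what “Follow TCP Stream” shows: one HTTP request and the
# reply. Host, URL, user-agent string and server name are made up for this example;
# the room's real values are redacted in the write-up.
SAMPLE_TCP_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: ExampleAgent/1.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"\x01\x02\x03\x04\x05"
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: example-cloud-filter\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}")


def parse_http_messages(stream):
    """Walk a reassembled TCP stream and return a list of
    (kind, start_line, headers, body) tuples, one per HTTP message.

    Header names are lowercased. Bodies are sized from Content-Length so a
    binary payload (the encrypted upload) does not confuse the next boundary.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = stream[pos:end].split(b"\r\n")
        start = head[0]
        if REQUEST_LINE.match(start):
            kind = "request"
        elif STATUS_LINE.match(start):
            kind = "response"
        else:
            break  # not HTTP at this offset; stop rather than misparse
        headers = {}
        for line in head[1:]:
            name, sep, value = line.partition(b":")
            if sep:
                headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + length]
        messages.append((kind, start.decode("latin-1"), headers, body))
        pos = body_start + length
    return messages


def extract_indicators(stream):
    """Return the User-Agent of every request and the Server of every response."""
    agents, servers = [], []
    for kind, _, headers, _ in parse_http_messages(stream):
        if kind == "request" and "user-agent" in headers:
            agents.append(headers["user-agent"])
        if kind == "response" and "server" in headers:
            servers.append(headers["server"])
    return {"user_agents": agents, "servers": servers}


if __name__ == "__main__":
    for key, values in extract_indicators(SAMPLE_TCP_STREAM).items():
        print(key, values)
```

Feeding the same function the bytes of a real stream export lets you collect every user-agent and server name in a capture at once instead of scrolling each stream by hand, and the Content-Length handling keeps an encrypted upload body from being mistaken for headers.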

Question 7

Now, we are required to provide the name of the bitmap. This was the first time I had heard of a bitmap, so I googled it and ended up on Wikipedia.

After getting a hint of what a bitmap is, I tried searching for it in the notepad. I used the “Find” function to search for “.bmp” files. And, surprisingly, I FOUND IT!

And the response from TryHackMe proves me right!

Question 8

For the process ID, we can look inside the notepad too. It can be found after scrolling to the right.

Yes, it's correct.

Question 9

For this part, we need to find the registry key path to the mounted drive, including the drive letter. I started with exploreer.exe and looked into each process in detail but failed to find the path.

This really cost me a lot of time. I kept going back and forth between the registry process and exploreer.exe without realizing that I had not turned off the “no path” option, which hides the very paths I needed. I wasted about an hour until I realized it. After that rabbit hole, I managed to find the path.

Finally, it is correct.
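Questions 7, 8 and 9 are all answered from the same Procmon log that ProcDOT draws its graph from: find the .bmp the malware wrote, read the PID in the same row, and find the registry operation that mentions a drive letter. As an added example (not from the write-up or from ProcDOT), the script below does that triage over a Procmon CSV export with the standard columns. The sample rows are constructed for this example: the process names, PIDs, paths and registry keys are made up, and the room's real answers are redacted above.

```python
import csv
import io
import re

# Constructed sample in the default Procmon CSV export layout (the same file ProcDOT
# reads). Process names, PIDs, paths and the registry rows are made up for this
# example; the room's real values are redacted in the write-up.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010000","exploreer.exe","4120","CreateFile","C:\\Users\\victim\\Desktop\\report.docx","SUCCESS","Desired Access: Generic Write"
"10:02:11.0020000","exploreer.exe","4120","WriteFile","C:\\Users\\victim\\Desktop\\report.docx.locked","SUCCESS","Offset: 0, Length: 4,096"
"10:02:12.0000000","exploreer.exe","4120","CreateFile","C:\\Users\\victim\\AppData\\Local\\Temp\\wallpaper.bmp","SUCCESS","Desired Access: Generic Write"
"10:02:12.0010000","exploreer.exe","4120","RegSetValue","HKCU\\Control Panel\\Desktop\\Wallpaper","SUCCESS","Type: REG_SZ, Data: C:\\Users\\victim\\AppData\\Local\\Temp\\wallpaper.bmp"
"10:02:13.0000000","exploreer.exe","4120","RegQueryValue","HKLM\\SYSTEM\\MountedDevices\\\\DosDevices\\E:","SUCCESS","Type: REG_BINARY, Length: 12"
"10:02:14.0000000","svchost.exe","800","ReadFile","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Offset: 0, Length: 65,536"
"""

# A Windows path ending in .bmp, found in either the Path or the Detail column.
BMP_PATH_RE = re.compile(r"[A-Za-z]:\\\S*?\.bmp", re.IGNORECASE)
# A drive letter embedded in a registry key path, e.g. ...\DosDevices\E:
DRIVE_RE = re.compile(r"\\([A-Z]):(?=\\|$)")


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_bitmap_events(rows):
    """Rows whose Path or Detail mentions a .bmp file: the “Find .bmp” step, automated."""
    return [r for r in rows if BMP_PATH_RE.search(r["Path"] + " " + r["Detail"])]


def find_registry_drive_events(rows):
    """Registry operations whose key path contains a drive letter."""
    return [r for r in rows
            if r["Operation"].startswith("Reg") and DRIVE_RE.search(r["Path"])]


def triage(text):
    """Summarise the bitmap, the PID that touched it, and drive-letter registry keys."""
    rows = parse_procmon_csv(text)
    bmp = find_bitmap_events(rows)
    reg = find_registry_drive_events(rows)
    return {
        "bitmap_paths": sorted({m.group(0) for r in bmp
                                for m in BMP_PATH_RE.finditer(r["Path"] + " " + r["Detail"])}),
        "bitmap_pids": sorted({r["PID"] for r in bmp}),
        "bitmap_processes": sorted({r["Process Name"] for r in bmp}),
        "registry_drive_paths": [r["Path"] for r in reg],
        "drive_letters": sorted({m.group(1) for r in reg
                                 for m in DRIVE_RE.finditer(r["Path"])}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCMON_CSV).items():
        print(f"{key}: {value}")
```

Searching Detail as well as Path matters: the row that sets the bitmap as wallpaper carries the file name only in Detail, so a search over Path alone would miss the link between the bitmap and the registry change. The drive-letter search is the scripted counterpart of turning “no path” off in ProcDOT and reading the full registry key.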

Last Question

What is the name of the ransomware?

This also took me a lot of time to research. I had no idea what keyword to use to search for it.

I tried searching for “ransomware targeting mount drive” and other phrases, which didn't help at all. But then I thought about the site the “hacker” used earlier. So I searched for one of the websites on Google. And BAM! I got it!

Yes, finally all DONE!

At last, we are all done with this room! And thank you for reading my write-up.

This room is pretty awesome as it gives users the experience of learning how to identify ransomware, and it also provides a chance to learn a new application. ProcDOT was new to me, but this room gives good hands-on experience with it.

I learned many new things after completing this room. Well done, creators!

Cursemagic

Just learning, together we are strong.