Category: Forensic
Points: 127
Description: One more victim has fallen to ransomware. Paying the ransom is not an option given the amount demanded. You are called in to try to restore the encrypted files. A series of elements is needed to advance the investigation and to write the incident report. To begin with, what is the name of this ransomware's executable file, what is its process identifier, and what did the file name flag.docx become once encrypted? Give the SHA1 of that name including its extension. Note: the disk image is about 440 MB compressed and about 1.4 GB uncompressed. Expected answer format: ECSC{nom_du_rançongiciel.exe:PiD:sha1}.
Files: mem.dmp
To find out what happened, we look at the commands that were executed; this gives us the information needed to reconstruct the flag.
First of all, we look at what type of file we are dealing with.
>_ file mem.dmp
mem.dmp: MS Windows 64bit crash dump, full dump, 344794 pages
We have a Windows memory dump. Let's look in more detail at what it contains with Volatility.
The first thing to do with Volatility is, of course, imageinfo.
>_ volatility -f mem.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
WARNING : volatility.debug : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
Suggested Profile(s) : Win10x64_17134, Win10x64_10240_17770, Win10x64_10586, Win10x64_14393, Win10x64, Win2016x64_14393, Win10x64_16299, Win10x64_15063 (Instantiated with Win10x64_15063)
AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/lambdhack/ctf/ecsc/forensic/3615_incident/mem.dmp)
PAE type : No PAE
DTB : 0x1ab000L
KDBG : 0xf801f433ba60L
Number of Processors : 2
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff801f4394000L
KPCR for CPU 1 : 0xffffd0012eb07000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-05-08 20:04:11 UTC+0000
Image local date and time : 2019-05-08 22:04:11 +0200
The Win10x64 profile seems the most suitable.
Now we look at the running processes.
>_ volatility -f mem.dmp --profile=Win10x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe0000f65a040 -------------------- 4 0 30...6 0 ------ 0 2019-05-08 19:57:03 UTC+0000
0xffffe00010e4b040 ?t? 256 4 28...4 0 ------ 0 2019-05-08 19:57:03 UTC+0000
0xffffe00010ef2080 ??? 360 348 30...2 0 0 0 2019-05-08 19:57:05 UTC+0000
0xffffe00011302080 ?/ 472 348 28...4 0 0 0 2019-05-08 19:57:05 UTC+0000
0xffffe00011305180 ?@0 480 464 30...2 0 1 0 2019-05-08 19:57:05 UTC+0000
0xffffe00011344080 ?4 544 464 30...2 0 1 0 2019-05-08 19:57:05 UTC+0000
0xffffe00011399840 0?9 592 472 29...6 0 0 0 2019-05-08 19:57:05 UTC+0000
0xffffe000113a2840 P?5 604 472 30...8 0 0 0 2019-05-08 19:57:05 UTC+0000
0xffffe000113dd480 ?= 684 592 29...6 0 0 0 2019-05-08 19:57:05 UTC+0000
0xffffe000113f2180 ?)? 740 592 29...8 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe00011739080 ??s 836 544 30...8 0 1 0 2019-05-08 19:57:06 UTC+0000
0xffffe00011779840 ?v 944 592 27...4 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe00011789840 `"x 964 592 30...2 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe0001178c840 p~x 972 592 30...6 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe0001179c840 ox 1000 592 29...8 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe000117e0840 ?} 296 592 28...4 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe000117e1080 ??} 668 592 30...4 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe0000f685840 慈ཨ... 1036 592 29...6 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe0000f683840 m 1216 592 30...4 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe00011617840 d 1304 592 30...2 0 0 0 2019-05-08 19:57:06 UTC+0000
0xffffe00011cc45c0 ? 1652 592 30...4 0 0 0 2019-05-08 19:57:07 UTC+0000
0xffffe00011cf1840 ??? 1712 592 29...8 0 0 0 2019-05-08 19:57:07 UTC+0000
0xffffe00011cff840 ??? 1732 592 30...2 0 0 0 2019-05-08 19:57:07 UTC+0000
0xffffe00011d0a840 ??? 1760 592 30...6 0 0 0 2019-05-08 19:57:07 UTC+0000
0xffffe00011d1b840 J? 1776 592 27...6 0 0 0 2019-05-08 19:57:07 UTC+0000
0xffffe000115ae840 P?T 2244 684 30...4 0 0 0 2019-05-08 19:57:09 UTC+0000
0xffffe000115ac840 _\ 2308 592 26...0 0 0 0 2019-05-08 19:57:09 UTC+0000
0xffffe0000f823340 ??^ 2464 592 26...0 0 0 0 2019-05-08 19:57:10 UTC+0000
0xffffe0000f839840 ??? 2708 592 30...0 0 0 0 2019-05-08 19:57:10 UTC+0000
0xffffe00010aba840 -------------------- 2204 944 29...8 0 1 0 2019-05-08 19:57:14 UTC+0000
0xffffe00011fa8840 ?m? 2168 944 30...2 0 1 0 2019-05-08 19:57:14 UTC+0000
0xffffe00012023580 3092 684 27...2 0 1 0 2019-05-08 19:57:14 UTC+0000
0xffffe00012034080 -------------------- 3120 544 30...8 -------- 1 0 2019-05-08 19:57:14 UTC+0000
0xffffe000116e3080 ?? 3184 3120 27...6 0 1 0 2019-05-08 19:57:14 UTC+0000
0xffffe00012077240 ?@ 3220 684 31...0 0 1 1 2019-05-08 19:57:14 UTC+0000
0xffffe0001225b840 -------------------- 3444 592 27...0 0 0 0 2019-05-08 19:57:15 UTC+0000
0xffffe00011f8f7c0 -------------------- 3576 684 30...6 0 1 0 2019-05-08 19:57:15 UTC+0000
0xffffe000122aa840 @N? 4452 592 30...8 0 1 0 2019-05-08 19:57:23 UTC+0000
0xffffe00012620080 ? 4812 3184 29...4 0 1 0 2019-05-08 19:57:27 UTC+0000
0xffffe000125fb840 Pi^ 4916 684 29...6 0 0 0 2019-05-08 19:57:28 UTC+0000
0xffffe00012774080 ??v 3080 3184 30...8 0 1 1 2019-05-08 19:57:29 UTC+0000
0xffffe000125a7840 ?;3 4040 3184 27...0 0 1 1 2019-05-08 19:59:06 UTC+0000
0xffffe000125f7840 ??- 4896 4040 31...8 0 1 1 2019-05-08 19:59:07 UTC+0000
0xffffe00010385080 @3 4736 4040 27...0 0 1 1 2019-05-08 19:59:08 UTC+0000
0xffffe00010347080 -------------------- 3744 4040 27...6 0 1 1 2019-05-08 19:59:09 UTC+0000
0xffffe00011196080 -------------------- 3256 4040 31...4 0 1 1 2019-05-08 19:59:11 UTC+0000
0xffffe00011f8b080 ?d 5060 3444 30...2 0 0 0 2019-05-08 19:59:31 UTC+0000
0xffffe000127446c0 -------------------- 5084 4040 30...6 -------- 1 1 2019-05-08 19:59:33 UTC+0000
0xffffe00012155200 ?? 1360 4040 30...0 0 1 1 2019-05-08 19:59:42 UTC+0000
0xffffe00012530080 ??E 3248 4932 28...4 0 0 0 2019-05-08 19:59:43 UTC+0000
0xffffe000125b8080 @TX 3888 684 27...2 0 1 0 2019-05-08 20:00:03 UTC+0000
0xffffe000126d3080 ??} 2624 964 29...8 0 0 0 2019-05-08 20:00:15 UTC+0000
0xffffe000106bb840 ? 5208 3184 29...0 0 1 1 2019-05-08 20:00:16 UTC+0000
0xffffe00010335080 ?l 5224 5208 26...8 0 1 0 2019-05-08 20:00:16 UTC+0000
0xffffe00012268100 0S? 5444 3184 30...0 0 1 0 2019-05-08 20:00:29 UTC+0000
0xffffe0001214e080 -------------------- 5496 3184 27...6 -------- 1 1 2019-05-08 20:00:33 UTC+0000
0xffffe00012910080 ??y 5792 592 27...6 0 0 0 2019-05-08 20:00:58 UTC+0000
0xffffe00012854840 ?| 5840 3184 30...4 0 1 0 2019-05-08 20:01:01 UTC+0000
0xffffe000126b7840 `?@ 6100 296 29...8 0 0 0 2019-05-08 20:01:27 UTC+0000
0xffffe0001287a840 ??N 5176 3184 27...8 0 1 1 2019-05-08 20:01:49 UTC+0000
0xffffe00010441600 ??n 3192 944 30...2 0 1 0 2019-05-08 20:02:15 UTC+0000
0xffffe000123e21c0 ?? 4320 3444 30...8 0 0 0 2019-05-08 20:02:52 UTC+0000
0xffffe0001051c840 ??X 5596 3184 27...8 0 1 0 2019-05-08 20:04:09 UTC+0000
0xffffe0001051b080 `?` 5364 5596 28...4 0 1 0 2019-05-08 20:04:09 UTC+0000
The process names are not readable, although they normally are.
This is probably an effect of the ransomware.
Since there is nothing more to get from the process list, we look at the command lines of the processes to see what the ransomware did.
>_ volatility -f mem.dmp --profile=Win10x64 cmdline
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
pid: 4
************************************************************************
?t? pid: 256
Command line : \SystemRoot\System32\smss.exe
************************************************************************
??? pid: 360
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
?/ pid: 472
Command line : wininit.exe
************************************************************************
?@0 pid: 480
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
?4 pid: 544
Command line : winlogon.exe
************************************************************************
0?9 pid: 592
Command line : C:\Windows\system32\services.exe
************************************************************************
P?5 pid: 604
Command line : C:\Windows\system32\lsass.exe
************************************************************************
?= pid: 684
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
?)? pid: 740
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
??s pid: 836
Command line : "dwm.exe"
************************************************************************
?v pid: 944
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
`"x pid: 964
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
p~x pid: 972
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
ox pid: 1000
Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
************************************************************************
?} pid: 296
Command line : C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
??} pid: 668
Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
************************************************************************
慈ཨ pid: 1036
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
m pid: 1216
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
d pid: 1304
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
? pid: 1652
Command line : C:\Windows\System32\svchost.exe -k utcsvc
************************************************************************
??? pid: 1712
Command line : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
************************************************************************
??? pid: 1732
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
************************************************************************
??? pid: 1760
Command line : C:\Windows\system32\svchost.exe -k appmodel
************************************************************************
J? pid: 1776
Command line : "C:\Program Files\Windows Defender\MsMpEng.exe"
************************************************************************
P?T pid: 2244
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
_\ pid: 2308
Command line : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
************************************************************************
??^ pid: 2464
Command line : C:\Windows\System32\msdtc.exe
************************************************************************
??? pid: 2708
Command line : "C:\Program Files\Windows Defender\NisSrv.exe"
WARNING : volatility.debug : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
pid: 2204
Command line : sihost.exe
************************************************************************
?m? pid: 2168
Command line : taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
************************************************************************
pid: 3092
Command line : C:\Windows\System32\RuntimeBroker.exe -Embedding
WARNING : volatility.debug : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
pid: 3120
************************************************************************
?? pid: 3184
Command line : C:\Windows\Explorer.EXE
************************************************************************
?@ pid: 3220
Command line :
WARNING : volatility.debug : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
pid: 3444
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
WARNING : volatility.debug : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
pid: 3576
************************************************************************
@N? pid: 4452
Command line : C:\Windows\System32\svchost.exe -k UnistackSvcGroup
************************************************************************
? pid: 4812
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
************************************************************************
Pi^ pid: 4916
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
??v pid: 3080
Command line :
************************************************************************
?;3 pid: 4040
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
************************************************************************
??- pid: 4896
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.0.814670744\1990131067" -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 1332 gpu
************************************************************************
@3 pid: 4736
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.6.134942365\347688373" -childID 1 -isForBrowser -prefsHandle 2124 -prefMapHandle 1892 -prefsLen 1 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 1980 tab
WARNING : volatility.debug : NoneObject as string: Buffer length 47200 for _UNICODE_STRING not within bounds
************************************************************************
pid: 3744
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.13.1487111388\1473004279" -childID 2 -isForBrowser -prefsHandle 3132 -prefMapHandle 3136 -prefsLen 5418 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 3148 tab
WARNING : volatility.debug : NoneObject as string: Buffer length 5136 for _UNICODE_STRING not within bounds
************************************************************************
pid: 3256
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.20.172274201\1384691405" -childID 3 -isForBrowser -prefsHandle 3064 -prefMapHandle 3664 -prefsLen 6288 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 3732 tab
************************************************************************
?d pid: 5060
Command line : "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
WARNING : volatility.debug : NoneObject as string: Buffer length 16096 for _UNICODE_STRING not within bounds
************************************************************************
pid: 5084
************************************************************************
?? pid: 1360
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.34.980828210\1605638851" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 4376 -prefsLen 6475 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5368 tab
************************************************************************
??E pid: 3248
Command line : "C:\Program Files\Windows Defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey D107B503-2934-DB76-C339-E28DEE97615C -Reinvoke
************************************************************************
@TX pid: 3888
Command line : "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
************************************************************************
??} pid: 2624
Command line : C:\Windows\system32\AUDIODG.EXE 0xa94
************************************************************************
? pid: 5208
Command line : "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe"
************************************************************************
?l pid: 5224
Command line : \??\C:\Windows\system32\conhost.exe 0x4
************************************************************************
0S? pid: 5444
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré
WARNING : volatility.debug : NoneObject as string: Buffer length 16450 for _UNICODE_STRING not within bounds
************************************************************************
pid: 5496
************************************************************************
??y pid: 5792
Command line : C:\Windows\system32\svchost.exe -k SDRSVC
************************************************************************
?| pid: 5840
Command line : "C:\Program Files\Windows Defender\msascui.exe"
************************************************************************
`?@ pid: 6100
Command line :
************************************************************************
??N pid: 5176
Command line : "C:\Program Files (x86)\Notepad++\notepad++.exe"
************************************************************************
??n pid: 3192
Command line : taskhostw.exe Logon
************************************************************************
?? pid: 4320
Command line : "C:\Windows\system32\SearchFilterHost.exe" 0 620 624 632 8192 628
************************************************************************
??X pid: 5596
Command line : "C:\Users\TNKLSAI3TGT7O9\DumpIt.exe"
************************************************************************
`?` pid: 5364
Command line : \??\C:\Windows\system32\conhost.exe 0x4
What is interesting is this part:
************************************************************************
?? pid: 1360
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.34.980828210\1605638851" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 4376 -prefsLen 6475 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5368 tab
************************************************************************
??E pid: 3248
Command line : "C:\Program Files\Windows Defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey D107B503-2934-DB76-C339-E28DEE97615C -Reinvoke
************************************************************************
@TX pid: 3888
Command line : "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
************************************************************************
??} pid: 2624
Command line : C:\Windows\system32\AUDIODG.EXE 0xa94
************************************************************************
? pid: 5208
Command line : "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe"
************************************************************************
?l pid: 5224
Command line : \??\C:\Windows\system32\conhost.exe 0x4
************************************************************************
0S? pid: 5444
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré
WARNING : volatility.debug : NoneObject as string: Buffer length 16450 for _UNICODE_STRING not within bounds
************************************************************************
We notice that Firefox is running and that the file "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" was executed with PID 5208.
The user probably downloaded the ransomware and ran it.
We then notice that the file "C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré" was opened in Notepad.
To reconstruct the flag we have our three parts:
The name of the ransomware: assistance.exe
Its PID: 5208
The name of the file once encrypted: ZmxhZy5kb2N4.chiffré
ECSC{assistance.exe:5208:c9a12b109a58361ff1381fceccdcdcade3ec595a}
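Putting the steps above together as a script: this is an added example, not part of the original writeup. It parses Volatility 2 `cmdline` output (a constructed sample modelled on the records shown above), flags executables started from a user's Downloads folder, collects paths with the `.chiffré` extension, base64-decodes the stem (ZmxhZy5kb2N4 decodes to flag.docx, which is how the encrypted name on the Notepad command line answers the challenge's question) and assembles the ECSC{name:pid:sha1} answer. The Downloads heuristic and the base64 observation are my own; the writeup does not state them.

```python
import base64
import hashlib
import re

ENCRYPTED_EXT = ".chiffré"
SEPARATOR = "*" * 72
PID_RE = re.compile(r"pid:\s*(\d+)")
CMD_RE = re.compile(r"^Command line :[ \t]*(.*)$", re.MULTILINE)
DOWNLOADS_RE = re.compile(r"\\Users\\[^\\]+\\Downloads\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample modelled on the records in the writeup; the process names
# are garbled the way Volatility printed them there, so only the pid is parsed.
SAMPLE_CMDLINE = r'''Volatility Foundation Volatility Framework 2.6.1
************************************************************************
?? pid: 3184
Command line : C:\Windows\Explorer.EXE
************************************************************************
? pid: 5208
Command line : "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe"
************************************************************************
0S? pid: 5444
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré
WARNING : volatility.debug : NoneObject as string: Buffer length 16450 for _UNICODE_STRING not within bounds
************************************************************************
pid: 5496
************************************************************************
'''

def parse_cmdline(text):
    """Map pid -> command line ('' when the plugin printed none for that pid)."""
    procs = {}
    for block in text.split(SEPARATOR):
        pid = PID_RE.search(block)
        if not pid:
            continue  # banner or trailing whitespace, not a process record
        cmd = CMD_RE.search(block)
        procs[int(pid.group(1))] = cmd.group(1).strip() if cmd else ""
    return procs

def image_path(cmdline):
    """First token of a command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0] if cmdline else ""

def downloads_executables(procs):
    """pid -> image path for every process started from a user's Downloads folder."""
    return {pid: image_path(cmd) for pid, cmd in procs.items()
            if DOWNLOADS_RE.search(image_path(cmd))}

def encrypted_files(procs):
    """Every path on any command line that carries the ransomware's extension."""
    pattern = r'[^\s"]+' + re.escape(ENCRYPTED_EXT)
    return [p for cmd in procs.values() for p in re.findall(pattern, cmd)]

def decode_encrypted_name(path):
    """Original filename: the stem before .chiffré is base64 (padding may be missing)."""
    stem = path.rsplit("\\", 1)[-1][: -len(ENCRYPTED_EXT)]
    stem += "=" * (-len(stem) % 4)
    return base64.b64decode(stem, validate=True).decode("utf-8")

def build_flag(exe_name, pid, encrypted_name):
    """ECSC{name:pid:sha1}, hashing the UTF-8 bytes of the encrypted filename."""
    digest = hashlib.sha1(encrypted_name.encode("utf-8")).hexdigest()
    return f"ECSC{{{exe_name}:{pid}:{digest}}}"

def triage(text):
    """Run the whole chain over raw plugin output; assumes one Downloads executable."""
    procs = parse_cmdline(text)
    [(pid, exe_path)] = downloads_executables(procs).items()
    enc_name = encrypted_files(procs)[0].rsplit("\\", 1)[-1]
    exe_name = exe_path.rsplit("\\", 1)[-1]
    return {"exe": exe_name, "pid": pid, "encrypted": enc_name,
            "original": decode_encrypted_name(enc_name), "flag": build_flag(exe_name, pid, enc_name)}
```

`triage(SAMPLE_CMDLINE)` returns the executable name, PID, encrypted and decoded filename and the flag; the SHA1 is taken over the UTF-8 bytes of the name, so the accented extension has to be encoded the same way the challenge authors did for the digest to match.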