13Cubed Windows Memory Forensics Challenge

👉 Memory Sample

download challenge file

✏️ Challenge Questions

Question 1: What is the hostname of this device?

To solve this (and the following questions), MemProcFS can be used to mount the memory image from the challenge. By utilizing the -forensic 4 option and the ability to integrate YARA rules, you can quickly gain an overview of the situation. The initial questions can be answered by examining specifically generated files or by reviewing the general sysinfo.txt file.

PS M:\ > Get-Content "M:\sys\computername.txt"
RM-205B

Question 2: What is the username of the primary user on this device?

The same applies to the second question: here too, the specifically generated users overview file can be used, or alternatively the complete system overview (see Task 03) can be consulted to find the user name(s) and SID(s).

PS M:\ > Get-Content "M:\sys\users\users.txt"
   # Username                         SID
-----------------------------------------
0000 Robert Paulson                   S-1-5-21-2126657629-3337008557-1579520640-1001

Question 3: What is the IP address assigned to this device?

For the third question, the output of the previously mentioned sysinfo.txt (showing Interface #2 data) is suggested as a possible solution. Other options would include various network-specific files and logs.

PS M:\ > Get-Content "M:\sys\sysinfo\sysinfo.txt"
Windows Information:
  Computer Name:   RM-205B
  Current Time:    2025-03-07 19:41:25 UTC
  Boot Time:       2025-03-07 19:35:01 UTC
  Time Zone:       Pacific Standard Time : UTC-8:00
  Version:         10.0 (build 26100)

Hardware Information:
  Architecture:    X64
  Physical Memory: 4 GB
  Max Address:     0x13fffffff
  CPU:             Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz
  MB Vendor:       Intel Corporation
  MB Product:      440BX Desktop Reference Platform
  BIOS Vendor:     VMware, Inc.
  System Vendor:   VMware, Inc.

Users:
  Robert Paulson  (S-1-5-21-2126657629-3337008557-1579520640-1001)

Process Information:
  Active:          158
  Inactive:        3

Network Interfaces:
  Interface #2:
    DhcpSubnetMaskOpt:  255.255.255.0
    DhcpDefaultGateway: 10.0.2.1
    DhcpNameServer:     10.0.2.1
    DhcpDomain:         nullsec.link
    DhcpServer:         10.0.2.1
    DhcpSubnetMask:     255.255.255.0
    DhcpIPAddress:      10.0.2.152

MemProcFS Information:
  Version:         5.14.12 (build 202)
  Parse Time:      2025-07-14 15:54:54 UTC
  Memory Source:   Read-only, Static
  Unique Tag:      26100_852e07b1
  Forensic Mode:   Enabled
  VM Parsing:      Enabled

Question 4: What was the full URL, including file name, that the malicious program was downloaded from?

For a quick check for malicious content, it is advisable to review the findevil directory. FindEvil flags signs of malware by checking a set of indicators of malicious activity: it quickly detects certain code injection techniques commonly used by malware, but indicators that have not yet been implemented will not be recognised. In this case, several Defender log entries for a detection event (classified as AV_DETECT) are output, and they include the download location.

PS M:\ > Get-Content "M:\forensic\findevil\findevil.txt"
   #    PID Process        Type            Address          Description
-----------------------------------------------------------------------
0000      0 ---            AV_DETECT       0000000000000000 AV:[Windows Defender] EVENT:[2025-03-07T19:37:27.396Z DETECTION_ADD#2 Trojan:Win32/Wacatac.B!ml webfile:C:\Users\Robert Paulson\Downloads\backup.exe|http://167.172.227.148:8080/backup.exe|pid:1452,ProcessStart:133858498434468576 PropBag [length: 0, data: (null)]]
0001      0 ---            AV_DETECT       0000000000000000 AV:[Windows Defender] EVENT:[2025-03-07T19:37:27.396Z DETECTION_ADD#2 Trojan:Win32/Wacatac.B!ml file:C:\Users\Robert Paulson\Downloads\backup.exe PropBag [length: 0, data: (null)]]
0002      0 ---            AV_DETECT       0000000000000000 AV:[Windows Defender] EVENT:[2025-03-07T19:37:27.387Z DETECTIONEVENT MPSOURCE_IOAV Trojan:Win32/Wacatac.B!ml file:C:\Users\Robert Paulson\Downloads\backup.exe;webfile:C:\Users\Robert Paulson\Downloads\backup.exe|http://167.172.227.148:8080/backup.exe|pid:1452,ProcessStart:133858498434468576;]
[...]
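The AV_DETECT descriptions above are free-form Defender event strings, so pulling the threat name, scanned file, source URL and process fields out of them by hand is error-prone. The following Python is an added example (not part of the write-up or of MemProcFS) that parses the three findevil.txt lines quoted above, which are embedded as constructed sample input. The column names, the regular expressions and the treatment of ProcessStart as a Windows FILETIME are this example's assumptions; the FILETIME reading is supported by the result, which lands a few seconds before Defender's own detection timestamp.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the three AV_DETECT lines from findevil.txt quoted above.
FINDEVIL_SAMPLE = r"""
0000      0 ---            AV_DETECT       0000000000000000 AV:[Windows Defender] EVENT:[2025-03-07T19:37:27.396Z DETECTION_ADD#2 Trojan:Win32/Wacatac.B!ml webfile:C:\Users\Robert Paulson\Downloads\backup.exe|http://167.172.227.148:8080/backup.exe|pid:1452,ProcessStart:133858498434468576 PropBag [length: 0, data: (null)]]
0001      0 ---            AV_DETECT       0000000000000000 AV:[Windows Defender] EVENT:[2025-03-07T19:37:27.396Z DETECTION_ADD#2 Trojan:Win32/Wacatac.B!ml file:C:\Users\Robert Paulson\Downloads\backup.exe PropBag [length: 0, data: (null)]]
0002      0 ---            AV_DETECT       0000000000000000 AV:[Windows Defender] EVENT:[2025-03-07T19:37:27.387Z DETECTIONEVENT MPSOURCE_IOAV Trojan:Win32/Wacatac.B!ml file:C:\Users\Robert Paulson\Downloads\backup.exe;webfile:C:\Users\Robert Paulson\Downloads\backup.exe|http://167.172.227.148:8080/backup.exe|pid:1452,ProcessStart:133858498434468576;]
"""

# Column layout of findevil.txt as shown above (names are this example's labels).
ROW_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{4})\s+(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<addr>[0-9a-f]{16})\s+(?P<desc>.*)$")
AV_RE = re.compile(r"^AV:\[(?P<av>[^\]]+)\] EVENT:\[(?P<time>\S+) (?P<event>.*)\]$")
THREAT_RE = re.compile(r"(?P<threat>[A-Za-z]+:[A-Za-z0-9]+/[^\s;|]+)")
WEBFILE_RE = re.compile(
    r"webfile:(?P<path>[^|]+)\|(?P<url>[^|]+)\|pid:(?P<pid>\d+),ProcessStart:(?P<start>\d+)")
FILE_RE = re.compile(r"(?<!web)file:(?P<path>.+?)(?: PropBag|;|\||$)")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_av_detect(line):
    """Parse one findevil.txt row; returns None for rows that are not AV_DETECT."""
    row = ROW_RE.match(line)
    if not row:
        raise ValueError(f"unexpected findevil line: {line!r}")
    if row["type"] != "AV_DETECT":
        return None
    ev = AV_RE.match(row["desc"])
    if not ev:
        raise ValueError(f"unexpected AV_DETECT description: {row['desc']!r}")
    event = ev["event"]
    threat = THREAT_RE.search(event)
    rec = {"av": ev["av"],
           "detected_utc": datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
           "threat": threat["threat"] if threat else None,
           "file": None, "url": None, "pid": None, "process_start_utc": None}
    web = WEBFILE_RE.search(event)          # download origin, only present for webfile events
    if web:
        rec.update(file=web["path"], url=web["url"], pid=int(web["pid"]),
                   process_start_utc=filetime_to_utc(int(web["start"])))
    plain = FILE_RE.search(event)           # plain "file:" entry (not the "webfile:" one)
    if plain:
        rec["file"] = plain["path"]
    return rec


def parse_findevil(text):
    return [r for r in (parse_av_detect(l) for l in text.strip().splitlines()) if r]


def download_urls(records):
    """Distinct URLs Defender recorded as the origin of a scanned download."""
    return sorted({r["url"] for r in records if r["url"]})


if __name__ == "__main__":
    records = parse_findevil(FINDEVIL_SAMPLE)
    for r in records:
        print(r["detected_utc"], r["threat"], r["file"], r["url"], r["pid"], r["process_start_utc"])
    print("download origins:", download_urls(records))
```

The `pid`/`ProcessStart` pair identifies the process Defender associated with the scan, not necessarily the malware itself; the NTFS timeline later in the write-up shows backup.exe being created and executed minutes after this detection.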

Question 5: According to this execution artifact that would not be found on servers, the first execution occurred within 10 seconds of what time?

The question itself provides the first hint: the Prefetch artifact, which is not enabled by default on server editions, can be used to find the answer. Since the Prefetcher monitors only the first ten seconds of a launch, the timestamp derived from the file is accurate only to within that window. To search the timeline for the relevant filename within the Prefetch folder, note that Prefetch filenames always consist of the original executable name followed by a hyphen and eight additional characters, which are generated by a hashing function.

PS M:\ > Select-String -Path "M:\forensic\timeline\timeline_all.txt" -Pattern "Prefetch\\BACKUP.EXE" | Where-Object { $_.Line -match "CRE" }

forensic\timeline\timeline_all.txt:270:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         5efbc400 \1\Windows\Prefetch\BACKUP.EXE-AB6C9DDF.pf

Question 6: According to the malicious program’s log file, how many files were encrypted?

Apparently, the malicious executable created a log file. Listing the files created at 2025-03-07 19:41:08, with an additional filter on CRE (create events), reveals a file with a matching name. The same listing also allows the newly created encrypted files to be collected and counted.

PS M:\ > Select-String -Path "M:\forensic\timeline\timeline_ntfs.txt" -Pattern "2025-03-07 19:41:08" | Where-Object { $_.Line -match "CRE" }

forensic\timeline\timeline_ntfs.txt:118:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         5efbc400 \1\Windows\Prefetch\BACKUP.EXE-AB6C9DDF.pf
forensic\timeline\timeline_ntfs.txt:119:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         3ce68c00 \1\Users\Robert Paulson\Downloads\Performance.docx.enc
forensic\timeline\timeline_ntfs.txt:127:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         3ce68800 \1\Users\Robert Paulson\Downloads\handbook.docx.enc
forensic\timeline\timeline_ntfs.txt:129:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         3ce68400 \1\Users\Robert Paulson\Downloads\Cybersecurity_Best_Practices.pptx.enc
forensic\timeline\timeline_ntfs.txt:131:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         3ce68000 \1\Users\Robert Paulson\Documents\Resume.docx.enc
forensic\timeline\timeline_ntfs.txt:135:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         2bf6e800 \1\Users\Robert Paulson\Documents\email (1).docx.enc
forensic\timeline\timeline_ntfs.txt:136:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         2bf6ec00 \1\Users\Robert Paulson\Documents\Expansion Proposal.docx.enc
forensic\timeline\timeline_ntfs.txt:139:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         2bf6e400 \1\Users\Robert Paulson\Desktop\Q1 Minutes.docx.enc
forensic\timeline\timeline_ntfs.txt:141:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         5efbcc00 \1\Users\Robert Paulson\Desktop\Integra_Financial_Documents.xlsx.enc
forensic\timeline\timeline_ntfs.txt:142:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         2bf6e000 \1\Users\Robert Paulson\Desktop\Memo.docx.enc
[...]
forensic\timeline\timeline_ntfs.txt:1216:2025-03-07 19:41:08 UTC  NTFS   CRE         0       451         5efbc800 \1\Users\Robert Paulson\AppData\Local\Temp\tmp98p1q14j
forensic\timeline\timeline_ntfs.txt:1217:2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         5efbc000 \1\Users\Robert Paulson\Desktop\encryption_log.txt

The entry in this list that stands out, and matches the file we are looking for, is encryption_log.txt. Reading it from the forensically reconstructed file system also yields the list of encrypted files.

PS M:\ > Get-Content "M:\forensic\files\ROOT\Users\Robert Paulson\Desktop\ffffe00925170830-encryption_log.txt"
2025-03-07 11:41:08,946 - INFO - Encrypted: C:\Users\Robert Paulson\Desktop\Integra_Financial_Documents.xlsx -> C:\Users\Robert Paulson\Desktop\Integra_Financial_Documents.xlsx.enc
2025-03-07 11:41:08,947 - INFO - Encrypted: C:\Users\Robert Paulson\Desktop\Memo.docx -> C:\Users\Robert Paulson\Desktop\Memo.docx.enc
2025-03-07 11:41:08,948 - INFO - Encrypted: C:\Users\Robert Paulson\Desktop\Q1 Minutes.docx -> C:\Users\Robert Paulson\Desktop\Q1 Minutes.docx.enc
2025-03-07 11:41:08,950 - INFO - Encrypted: C:\Users\Robert Paulson\Documents\email (1).docx -> C:\Users\Robert Paulson\Documents\email (1).docx.enc
2025-03-07 11:41:08,952 - INFO - Encrypted: C:\Users\Robert Paulson\Documents\Expansion Proposal.docx -> C:\Users\Robert Paulson\Documents\Expansion Proposal.docx.enc
2025-03-07 11:41:08,954 - INFO - Encrypted: C:\Users\Robert Paulson\Documents\Resume.docx -> C:\Users\Robert Paulson\Documents\Resume.docx.enc
2025-03-07 11:41:08,957 - INFO - Encrypted: C:\Users\Robert Paulson\Downloads\Cybersecurity_Best_Practices.pptx -> C:\Users\Robert Paulson\Downloads\Cybersecurity_Best_Practices.pptx.enc
2025-03-07 11:41:08,959 - INFO - Encrypted: C:\Users\Robert Paulson\Downloads\handbook.docx -> C:\Users\Robert Paulson\Downloads\handbook.docx.enc
2025-03-07 11:41:08,960 - INFO - Encrypted: C:\Users\Robert Paulson\Downloads\Performance.docx -> C:\Users\Robert Paulson\Downloads\Performance.docx.enc
2025-03-07 11:41:08,962 - INFO - All your files have been encrypted! Contact 167.172.227.148 if you ever want to see them again!

Question 7: What is the NTFS creation time for backup.exe?

To get a simple overview of the NTFS events on the affected system, the timeline_ntfs.txt file can be parsed again to find all events related to the known malicious filename and its location. This way, the CRE timestamp for this specific file can also be found.

PS M:\ > Select-String -Path "M:\forensic\timeline\timeline_ntfs.txt" -Pattern "Downloads\\backup.exe"

forensic\timeline\timeline_ntfs.txt:1316:2025-03-07 19:41:04 UTC  NTFS   RD          0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
forensic\timeline\timeline_ntfs.txt:1317:2025-03-07 19:41:04 UTC  NTFS   RD          0         7         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
forensic\timeline\timeline_ntfs.txt:1318:2025-03-07 19:41:04 UTC  NTFS   MOD         0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
forensic\timeline\timeline_ntfs.txt:1319:2025-03-07 19:41:04 UTC  NTFS   MOD         0         7         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
forensic\timeline\timeline_ntfs.txt:1611:2025-03-07 19:40:36 UTC  NTFS   CRE         0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
forensic\timeline\timeline_ntfs.txt:1612:2025-03-07 19:40:36 UTC  NTFS   CRE         0         7         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
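Questions 6 and 7 both come down to parsing the MemProcFS NTFS timeline and cross-checking it against the malware's own log, with one trap: the timeline is in UTC while encryption_log.txt carries local time with no zone (11:41:08 versus 19:41:08, i.e. the UTC-8 Pacific Standard Time that sysinfo.txt reports). The following Python is an added example (not from the write-up or from MemProcFS) that parses the timeline lines and log lines quoted above, embedded here as constructed sample input, converts the log times to UTC, matches each "Encrypted:" entry to a CRE event for its .enc output, counts the encrypted files, and reports the earliest CRE timestamp for backup.exe. The column labels, the assumption that the C: volume appears as \1 in the timeline, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: timeline_ntfs.txt lines from the write-up, without the
# "forensic\timeline\timeline_ntfs.txt:NNN:" prefix that Select-String adds.
TIMELINE_SAMPLE = r"""
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         3ce68c00 \1\Users\Robert Paulson\Downloads\Performance.docx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         3ce68800 \1\Users\Robert Paulson\Downloads\handbook.docx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         3ce68400 \1\Users\Robert Paulson\Downloads\Cybersecurity_Best_Practices.pptx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         3ce68000 \1\Users\Robert Paulson\Documents\Resume.docx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         2bf6e800 \1\Users\Robert Paulson\Documents\email (1).docx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         2bf6ec00 \1\Users\Robert Paulson\Documents\Expansion Proposal.docx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         2bf6e400 \1\Users\Robert Paulson\Desktop\Q1 Minutes.docx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         5efbcc00 \1\Users\Robert Paulson\Desktop\Integra_Financial_Documents.xlsx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         2bf6e000 \1\Users\Robert Paulson\Desktop\Memo.docx.enc
2025-03-07 19:41:08 UTC  NTFS   CRE         0         0         5efbc000 \1\Users\Robert Paulson\Desktop\encryption_log.txt
2025-03-07 19:41:04 UTC  NTFS   MOD         0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
2025-03-07 19:40:36 UTC  NTFS   CRE         0  11836134         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe
2025-03-07 19:40:36 UTC  NTFS   CRE         0         7         77d06400 \1\Users\Robert Paulson\Downloads\backup.exe:SmartScreen
"""

# Constructed sample: encryption_log.txt as shown in the write-up (local time, no zone).
ENCRYPTION_LOG_SAMPLE = r"""
2025-03-07 11:41:08,946 - INFO - Encrypted: C:\Users\Robert Paulson\Desktop\Integra_Financial_Documents.xlsx -> C:\Users\Robert Paulson\Desktop\Integra_Financial_Documents.xlsx.enc
2025-03-07 11:41:08,947 - INFO - Encrypted: C:\Users\Robert Paulson\Desktop\Memo.docx -> C:\Users\Robert Paulson\Desktop\Memo.docx.enc
2025-03-07 11:41:08,948 - INFO - Encrypted: C:\Users\Robert Paulson\Desktop\Q1 Minutes.docx -> C:\Users\Robert Paulson\Desktop\Q1 Minutes.docx.enc
2025-03-07 11:41:08,950 - INFO - Encrypted: C:\Users\Robert Paulson\Documents\email (1).docx -> C:\Users\Robert Paulson\Documents\email (1).docx.enc
2025-03-07 11:41:08,952 - INFO - Encrypted: C:\Users\Robert Paulson\Documents\Expansion Proposal.docx -> C:\Users\Robert Paulson\Documents\Expansion Proposal.docx.enc
2025-03-07 11:41:08,954 - INFO - Encrypted: C:\Users\Robert Paulson\Documents\Resume.docx -> C:\Users\Robert Paulson\Documents\Resume.docx.enc
2025-03-07 11:41:08,957 - INFO - Encrypted: C:\Users\Robert Paulson\Downloads\Cybersecurity_Best_Practices.pptx -> C:\Users\Robert Paulson\Downloads\Cybersecurity_Best_Practices.pptx.enc
2025-03-07 11:41:08,959 - INFO - Encrypted: C:\Users\Robert Paulson\Downloads\handbook.docx -> C:\Users\Robert Paulson\Downloads\handbook.docx.enc
2025-03-07 11:41:08,960 - INFO - Encrypted: C:\Users\Robert Paulson\Downloads\Performance.docx -> C:\Users\Robert Paulson\Downloads\Performance.docx.enc
2025-03-07 11:41:08,962 - INFO - All your files have been encrypted! Contact 167.172.227.148 if you ever want to see them again!
"""

# Timeline columns as laid out above; the two numeric columns are not needed here.
TIMELINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\s+(?P<type>\S+)\s+(?P<action>\S+)"
    r"\s+(?P<num1>\d+)\s+(?P<num2>\d+)\s+(?P<ref>[0-9a-f]+)\s+(?P<path>.+?)\s*$")
LOG_RE = re.compile(r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ - (?P<level>\w+) - (?P<msg>.*)$")
ENCRYPTED_RE = re.compile(r"^Encrypted: (?P<src>.+?) -> (?P<dst>.+)$")


def parse_timeline(text):
    events = []
    for line in text.strip().splitlines():
        m = TIMELINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected timeline line: {line!r}")
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def parse_encryption_log(text, utc_offset_hours):
    """Return the 'Encrypted:' entries with their timestamps converted from local time
    (offset taken from sysinfo.txt, here UTC-8) to UTC so they line up with the timeline."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        enc = ENCRYPTED_RE.match(m["msg"]) if m else None
        if not enc:
            continue
        local = datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        entries.append({"time_utc": local.astimezone(timezone.utc), "src": enc["src"], "dst": enc["dst"]})
    return entries


def to_timeline_path(win_path, volume_index=1):
    """'C:\\Users\\...' -> '\\1\\Users\\...' (assumption: C: is volume \\1 in the timeline)."""
    return "\\%d%s" % (volume_index, win_path.partition(":")[2])


def correlate(log_entries, events):
    """Log entries whose .enc output has a CRE event at the same UTC second."""
    created = {(ev["time"], ev["path"]) for ev in events if ev["action"] == "CRE"}
    return [e for e in log_entries if (e["time_utc"], to_timeline_path(e["dst"])) in created]


def first_creation(events, filename):
    """Earliest CRE timestamp for a file name (main data stream only, not ADS such as :SmartScreen)."""
    times = [ev["time"] for ev in events
             if ev["action"] == "CRE" and ev["path"].lower().endswith("\\" + filename.lower())]
    return min(times) if times else None


def report(timeline_text=TIMELINE_SAMPLE, log_text=ENCRYPTION_LOG_SAMPLE, utc_offset_hours=-8):
    events = parse_timeline(timeline_text)
    log = parse_encryption_log(log_text, utc_offset_hours)
    created = first_creation(events, "backup.exe")
    return {"encrypted_in_log": len(log),
            "matched_cre_events": len(correlate(log, events)),
            "backup_exe_created_utc": created.strftime("%Y-%m-%d %H:%M:%S") if created else None}


if __name__ == "__main__":
    print(report())
```

A log entry that converts to a UTC second with no matching CRE event would indicate either a wrong offset or a file the timeline did not capture, which is exactly the discrepancy this cross-check is meant to surface.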

Question 8: What is the full path and name of the public key created by the malicious file?

There are several ways to read or locate this file. One approach is to export and inspect the malicious binary itself for static keys or for code that generates keys, and to determine where a public key file is written. A quick look at the file reveals that it was built with PyInstaller, meaning the underlying source is Python. The executable can be retrieved from the reconstructed file system at M:\forensic\files\ROOT\Users\Robert Paulson\Downloads\ffffe009230b6180-backup.exe. The Python bytecode can then be extracted with a tool such as pyinstxtractor, using the matching Python version.

python.exe pyinstxtractor.py .\ffffe009230b6180-backup.exe
[+] Processing .\ffffe009230b6180-backup.exe
[+] Pyinstaller version: 2.1+
[+] Python version: 3.13
[+] Length of package: 11502822 bytes
[+] Found 40 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: pyi_rth_cryptography_openssl.pyc
[+] Possible entry point: backup.pyc
[+] Found 246 files in PYZ archive
[+] Successfully extracted pyinstaller archive: .\ffffe009230b6180-backup.exe

You can now use a python decompiler on the pyc files within the extracted directory

After that, depending on the Python version, these bytecode files can either be decompiled or at least disassembled. At present there is no finished decompiler for Python 3.13 that produces complete output, but pycdas from the pycdc project can generate the disassembly. The proposed entry point backup.pyc is selected, and the resulting disassembly is examined for clues about the file path.

[...]
380     LOAD_GLOBAL                     0: tempfile
390     LOAD_ATTR                       2: NamedTemporaryFile
410     PUSH_NULL                       
412     LOAD_CONST                      1: False
414     LOAD_CONST                      2: 'wb'
416     LOAD_CONST                      3: ('delete', 'mode')
418     CALL_KW                         2
420     BEFORE_WITH                     
422     STORE_GLOBAL                    16: temp_pub_file
424     LOAD_GLOBAL                     34: public_key
434     LOAD_ATTR                       37: public_bytes
454     LOAD_GLOBAL                     10: serialization
464     LOAD_ATTR                       12: Encoding
484     LOAD_ATTR                       14: PEM
504     LOAD_GLOBAL                     10: serialization
514     LOAD_ATTR                       38: PublicFormat
534     LOAD_ATTR                       40: SubjectPublicKeyInfo
554     LOAD_CONST                      6: ('encoding', 'format')
556     CALL_KW                         2
558     STORE_FAST                      1: pub_pem
560     LOAD_GLOBAL                     32: temp_pub_file
570     LOAD_ATTR                       23: write
590     LOAD_FAST                       1: pub_pem
592     CALL                            1
600     POP_TOP                         
602     LOAD_GLOBAL                     24: debug
612     TO_BOOL                         
620     POP_JUMP_IF_FALSE               39 (to 700)
624     LOAD_GLOBAL                     26: logging
634     LOAD_ATTR                       28: info
654     PUSH_NULL                       
656     LOAD_CONST                      7: 'Public key saved to: '
658     LOAD_GLOBAL                     32: temp_pub_file
[...]

This function and the associated log entries (which were not written in the current run due to the logging level) indicate that NamedTemporaryFile from the tempfile module is being used. Therefore, the file in question is likely located in the local Temp directory. A cross-reference with the previously identified timestamp (and the list generated in Task 06) points to the file tmp98p1q14j in the AppData\Local\Temp\ directory of the affected user.

PS M:\ > Get-Content "M:\forensic\ntfs\1\Users\Robert Paulson\AppData\Local\Temp\tmp98p1q14j"
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS
KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb
nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o
dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS
7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+
KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu
xwIDAQAB
-----END PUBLIC KEY-----

Question 9: What is the first line of key material from the TA’s private key?

According to the disassembled code, the private key should also be written temporarily to the same location; however, it could not be recovered in the same way. Lacking further information on where exactly the private key would end up, a YARA search across the entire memory image reveals that it resides in the System process (PID 4).

rule rsa_private_key_pem   // rule name chosen here; only the strings and condition sections were shown
{
    strings:
        $rsa_priv = "BEGIN RSA PRIVATE KEY" ascii

    condition:
        $rsa_priv
}

This is likely due to the key generation process. I am interested in learning more about this, please contact me if you have further insights.

ffffe009235f4fc0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
ffffe009235f4fd0    00 68 03 00 73 68 03 00  00 f5 44 00 73 68 10 00   .h..sh....D.sh..
ffffe009235f4fe0    08 10 1a 26 5b 8b d7 a5  02 00 00 00 09 e0 ff ff   ...&[...........
ffffe009235f4ff0    e8 3f 64 23 09 e0 ff ff  e8 2f 5f 23 09 e0 ff ff   .?d#...../_#....
ffffe009235f5000    2d 2d 2d 2d 2d 42 45 47  49 4e 20 52 53 41 20 50   -----BEGIN RSA P
ffffe009235f5010    52 49 56 41 54 45 20 4b  45 59 2d 2d 2d 2d 2d 0a   RIVATE KEY-----.
ffffe009235f5020    4d 49 49 45 6f 77 49 42  41 41 4b 43 41 51 45 41   MIIEowIBAAKCAQEA
ffffe009235f5030    75 62 4c 32 35 4a 4f 49  4d 6f 34 79 43 73 74 4d   ubL25JOIMo4yCstM
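The disassembly in Question 8 says the public key is written with Encoding.PEM and PublicFormat.SubjectPublicKeyInfo, and the hexdump in Question 9 shows the start of a PKCS#1 "RSA PRIVATE KEY" block. Both can be checked against each other without any third-party library: an RSAPrivateKey starts with SEQUENCE { version, n, ... }, so even the 48 bytes visible in memory include the first bytes of the modulus n, which must equal the start of n in the public key. The following Python is an added example (not from the write-up, the challenge or the cryptography library) with a minimal DER reader; the public key PEM and the private key fragment are copied from the output above, and the function names are this example's own.

```python
import base64

# Public key recovered from tmp98p1q14j (copied from the write-up above).
PUBLIC_KEY_PEM = """\
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubL25JOIMo4yCstMlYOS
KOnBgaH617AMy+BwTT6K3eLOZt9TiXw7+l3zX6y6YQvZy6nshrVE9SpO7sRLpLdb
nkvsEnAS7zprWOx5n75VT39wY926vi7qy8CExV54phz7IxFZlrXNxgyxkWbsfP1o
dt6Egem8gOPddcqSZTUqdqqFDsn1xNtEktePw3X6q+Bb8YX7VhAm2NsZEsnVqwxS
7WN5jcX6r2IyCui+CEz+Ud2wQkPOAT58FKtKPDGg8+iUbsXL5+B0Ub5JAhkw1lF+
KC83uQwrllyvn6i8KvTtdmCD4H/2lrQHssdxhAlOvf2fQ1mWSl9oqRYYWv9hcBTu
xwIDAQAB
-----END PUBLIC KEY-----
"""

# The 48 bytes of the private key visible in the System-process hexdump above
# (offsets ffffe009235f5000 to ffffe009235f5030), as text.
PRIVATE_KEY_FRAGMENT = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAubL25JOIMo4yCstM"

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_body(pem):
    """Base64-decode a PEM block, padding a truncated final line if needed."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body + "=" * (-len(body) % 4))


def der_read(buf, pos):
    """Read one DER element at pos: (tag, value, position after it).
    A value that runs past the buffer (as in the truncated fragment) is cut short."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        yield tag, child


def parse_rsa_spki(pem):
    """Parse a SubjectPublicKeyInfo PEM (what Encoding.PEM + PublicFormat.SubjectPublicKeyInfo
    in the disassembly produces): returns modulus bytes, modulus size in bits and exponent."""
    tag, spki, _ = der_read(pem_body(pem), 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    (alg_tag, alg), (bits_tag, bitstring) = list(der_children(spki))
    oid_tag, oid = next(der_children(alg))
    if alg_tag != 0x30 or bits_tag != 0x03 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    # BIT STRING payload: one 'unused bits' byte, then RSAPublicKey ::= SEQUENCE { n, e }
    _, rsa_pub, _ = der_read(bitstring, 1)
    (_, n_bytes), (_, e_bytes) = list(der_children(rsa_pub))
    return {"n_bytes": n_bytes,
            "bits": int.from_bytes(n_bytes, "big").bit_length(),
            "e": int.from_bytes(e_bytes, "big")}


def private_fragment_modulus_prefix(fragment):
    """From a truncated PKCS#1 RSAPrivateKey (SEQUENCE { version, n, ... }) return the
    bytes of n that survived; only the outer header, version and start of n are needed."""
    _, rsa_priv, _ = der_read(pem_body(fragment), 0)
    children = list(der_children(rsa_priv))
    version, modulus_prefix = children[0][1], children[1][1]
    if version != b"\x00":
        raise ValueError("unexpected RSAPrivateKey version")
    return modulus_prefix


def same_key_pair(public_pem, private_fragment):
    """True if the private-key fragment's modulus bytes are a prefix of the public modulus."""
    prefix = private_fragment_modulus_prefix(private_fragment)
    return len(prefix) > 0 and parse_rsa_spki(public_pem)["n_bytes"].startswith(prefix)


if __name__ == "__main__":
    pub = parse_rsa_spki(PUBLIC_KEY_PEM)
    print(f"RSA-{pub['bits']} public key, e={pub['e']}")
    print("private key fragment belongs to this public key:",
          same_key_pair(PUBLIC_KEY_PEM, PRIVATE_KEY_FRAGMENT))
```

The matching modulus prefix is also the quickest way to confirm that the PEM found in PID 4 is the key pair that matters and not a leftover from some other process, which is worth checking before spending time carving the rest of it out of memory.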

Question 10: What is the last web search performed by the user?

To reconstruct the web searches, different browsers leave different artifacts for analysis. In this case Edge was used, which keeps a user profile similar to Chrome's. However, only a corrupted SQLite3 file could be recovered from the memory image, so the sqlite3 .recover command is used to extract whatever data SQLite3 can still read and write it out as an SQL dump. A new database could be rebuilt from this dump, but the search queries are already visible in the recovered rows.

INSERT INTO lost_and_found VALUES(29, 29, 14, 8, NULL, -1, NULL, '', -1, 0, '', '', 'https://www.ebay.com/sch/i.html?_nkw=fight+club+on+vhs&_sacat=0&_from=R40&_trksid=m570.l1313', 'fight club on vhs', '', '', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO lost_and_found VALUES(29, 29, 14, 9, NULL, -1, NULL, '', -1, 0, '', '', 'https://www.bing.com/search?q=backup+software&FORM=ANAB01&PC=U531', 'backup software', '', '', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO lost_and_found VALUES(29, 29, 14, 10, NULL, -1, NULL, '', -1, 0, '', '', 'https://www.bing.com/search?q=free+backup+utility+for+windows+11&FORM=ANAB01&PC=U531', 'free backup utility for windows 11', '', '', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
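The rows that .recover salvages land in lost_and_found with generic column positions, so the URL, page title and search terms have to be picked out of each INSERT. The following Python is an added example (not from the write-up) that parses the three rows quoted above, embedded as constructed sample input, extracts the search terms from the query string with the standard library (Bing uses q, eBay uses _nkw) and orders the searches by the recovered row id. That ordering is this example's assumption: these rows carry no visit time, and with an intact History database the visits table's timestamps would be the authoritative order.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: the three lost_and_found rows from the .recover dump quoted above.
RECOVER_SAMPLE = """
INSERT INTO lost_and_found VALUES(29, 29, 14, 8, NULL, -1, NULL, '', -1, 0, '', '', 'https://www.ebay.com/sch/i.html?_nkw=fight+club+on+vhs&_sacat=0&_from=R40&_trksid=m570.l1313', 'fight club on vhs', '', '', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO lost_and_found VALUES(29, 29, 14, 9, NULL, -1, NULL, '', -1, 0, '', '', 'https://www.bing.com/search?q=backup+software&FORM=ANAB01&PC=U531', 'backup software', '', '', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO lost_and_found VALUES(29, 29, 14, 10, NULL, -1, NULL, '', -1, 0, '', '', 'https://www.bing.com/search?q=free+backup+utility+for+windows+11&FORM=ANAB01&PC=U531', 'free backup utility for windows 11', '', '', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
"""

# .recover rows start with rootpgno, pgno, nfield, id; the first quoted http(s) value is the
# URL and the quoted value right after it is the page title (layout as seen in the dump above).
ROW_RE = re.compile(
    r"^INSERT INTO lost_and_found VALUES\((?P<rootpgno>\d+), (?P<pgno>\d+), (?P<nfield>\d+), (?P<id>\d+), "
    r".*?'(?P<url>https?://[^']*)', '(?P<title>[^']*)'")

# Query-string parameter carrying the search terms, per host (assumption: list limited to
# a few common engines plus the hosts seen in this dump).
SEARCH_PARAMS = {"www.bing.com": "q", "www.google.com": "q", "duckduckgo.com": "q", "www.ebay.com": "_nkw"}


def search_terms(url):
    """Search terms encoded in a known search URL, or None if it is not one."""
    parts = urlparse(url)
    param = SEARCH_PARAMS.get(parts.hostname)
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return values[0] if values else None


def parse_recovered_rows(dump):
    rows = []
    for line in dump.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"id": int(m["id"]), "url": m["url"], "title": m["title"],
                         "terms": search_terms(m["url"])})
    return rows


def searches_in_order(dump):
    """Only the rows that are searches, ordered by recovered row id (see note above)."""
    return [r for r in sorted(parse_recovered_rows(dump), key=lambda r: r["id"]) if r["terms"]]


def last_search(dump):
    searches = searches_in_order(dump)
    return searches[-1] if searches else None


if __name__ == "__main__":
    for s in searches_in_order(RECOVER_SAMPLE):
        print(s["id"], s["terms"], "<-", s["url"])
    print("last search:", last_search(RECOVER_SAMPLE)["terms"])
```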

Bonus Question: What folder does the “Backup Software” landing page tell users to exclude?

From the previous question it is already known that Edge was used. The recovered history also contains the download from the malicious link and the known IP address. To examine the content of the website, various cache options are available; in this case the entire HTML page (including the <title>Backup Pro - Secure Your Files</title>) can be extracted from ffffe00923431690-data_2.

</div>
  <h2>Troubleshooting:</h2>
  <ul class="features">
    <li>🆗 Virus warnings are a false positive</li>
    <li>🆗 Please disable real time scanning</li>
    <li>🆗 Add a folder exception for C:/</li>
    <li>🆗 Disable any other cloud-based protections</li>
  </ul>
</div>