Ransomware investigation using Splunk - BlackSun

In this write-up, we assume the role of a SOC analyst investigating a ransomware incident using Splunk. The task is to understand how the ransomware infected the machine and what happened. Check out the TryHackMe lab here.

Image creds to https://tryhackme.com/room/posheclipse

Background

We are given limited details about the incident including the name of the user and the timeframe of the incident.

User: Keegan
Date: Monday, May 16th, 2022

Investigation

Firstly, I set the time frame of the logs to that of when the incident occurred and also searched for the user Keegan. This gave me an idea of the type of logs and activity surrounding this user.

I noticed that when looking at Sysmon Event ID 3, powershell.exe was making outbound connections, which is very suspicious. It made connections to 3 IP addresses (3.17.7.232, 3.22.30.40 and 3.134.125.175), all to port 80.

* User="*keegan*" EventCode=3 
| table User Image SourceIp DestinationIp DestinationPort

I then looked at process create events surrounding PowerShell.exe. I noticed that PowerShell.exe was used to create a number of PowerShell scripts and, most importantly, OUTSTANDING_GUTTER.exe. This is the suspicious binary that was downloaded to Keegan's computer.

* User="*keegan*" EventCode=11 Image="*powershell.exe*"
| table _time Image TargetFilename

Using Sysmon Event ID 22, I was able to filter all DNS queries from PowerShell, which shows that it made queries to the following domain: 886e-181-215-214-32.ngrok.io. This was the URL used to download the suspicious binary.

EventCode=22 Image="*powershell*"
| table Image QueryName

Looking for command line arguments and commands passed that may be related to the suspicious binary, I was able to find some encoded PowerShell commands.

CommandLine="*" "*outstanding_gutter*"
| table ParentImage ParentCommandLine Image CommandLine

Decoding the encoded PowerShell command, I was able to learn that schtasks.exe was used to forcefully create a task, suppressing any warnings if the task already exists. The scheduled task runs when an event is triggered (I believe when an application generates an event ID 777). This task also runs as the SYSTEM user and so runs with elevated privileges.

"C:\Windows\system32\schtasks.exe" /Create /TN OUTSTANDING_GUTTER.exe /TR C:\Windows\Temp\COUTSTANDING_GUTTER.exe /SC ONEVENT /EC Application /MO *[System/EventID=777] /RU SYSTEM /f

The binary will run with NT AUTHORITY permissions and would be run with the following command.

"C:\Windows\system32\schtasks.exe" /Run /TN OUTSTANDING_GUTTER.exe
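
The decoding step above, as an added example (not code from the original write-up or the TryHackMe room): the Python below decodes a PowerShell -EncodedCommand argument (Base64 over UTF-16LE) and pulls the schtasks switches into named fields for triage. The page does not reproduce the encoded blob, so the sample command line is constructed by re-encoding the decoded command shown above; the `-exec bypass -enc` wrapper and all function names are assumptions.

```python
import base64
import re
import shlex

# Decoded command as shown in this write-up; the encoded form is constructed here.
DECODED = r'"C:\Windows\system32\schtasks.exe" /Create /TN OUTSTANDING_GUTTER.exe /TR C:\Windows\Temp\COUTSTANDING_GUTTER.exe /SC ONEVENT /EC Application /MO *[System/EventID=777] /RU SYSTEM /f'
SAMPLE_CMDLINE = ("powershell.exe -exec bypass -enc "  # wrapper is an assumption
                  + base64.b64encode(DECODED.encode("utf-16-le")).decode())

FLAG_AND_BLOB = re.compile(r"(?i)[-/]([a-z]+)\s+([A-Za-z0-9+/]{8,}={0,2})")
TASK_FIELDS = {"/tn": "task_name", "/tr": "task_run", "/sc": "schedule",
               "/ec": "event_channel", "/mo": "modifier", "/ru": "run_as"}

def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (any accepted abbreviation), or None."""
    for match in FLAG_AND_BLOB.finditer(command_line):
        flag = match.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:  # PowerShell expects Base64 over UTF-16LE text
                return base64.b64decode(match.group(2), validate=True).decode("utf-16-le")
            except ValueError:  # malformed Base64 or not valid UTF-16LE
                continue
    return None

def parse_schtasks_create(script):
    """Map the switches of a 'schtasks /Create' command to named fields, or None."""
    tokens = shlex.split(script, posix=False)  # non-POSIX mode keeps backslashes intact
    if not tokens or "schtasks" not in tokens[0].lower() or "/create" not in script.lower():
        return None
    task = {"force": False}
    for i, token in enumerate(tokens):
        key = token.lower()
        if key == "/f":
            task["force"] = True
        elif key in TASK_FIELDS and i + 1 < len(tokens):
            task[TASK_FIELDS[key]] = tokens[i + 1].strip('"')
    return task

def triage(command_line):
    """Decode a command line and list the persistence traits worth escalating."""
    script = decode_encoded_command(command_line)
    task = (parse_schtasks_create(script) if script else None) or {}
    checks = [("task runs as SYSTEM", task.get("run_as", "").upper().endswith("SYSTEM")),
              ("event-triggered task", task.get("schedule", "").upper() == "ONEVENT"),
              ("payload in a Temp directory", "\\temp\\" in task.get("task_run", "").lower())]
    return script, task, [label for label, hit in checks if hit]

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```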

Filtering for DNS queries, I could see that the suspicious binary called out to a remote server, 9030-181-215-214-32.ngrok.io. This is the same domain (Ngrok.io) we saw before used to download the binary but a different subdomain.

EventCode=22 Image="*OUTSTANDING_GUTTER*"
| table Image QueryName

We are given a hint that a malicious PowerShell script in the same location as the suspicious binary has also been flagged as suspicious. We know the original suspicious binary was in "C:\Windows\Temp\" and we can see there is a script, script.ps1, in the same location.

TargetFilename="C:\\Windows\\Temp\\*ps1*"
| table Image TargetFilename
| stats by TargetFilename

Taking the SHA1 hash of this script we can submit it to VirusTotal to see what verdict we get back.


I observed that there is a high detection rate, with the original file being identified as being named BlackSun.ps1.

Filtering for all .txt files on Keegan's machine, I noticed that there was a ransom note.

C:\Users\keegan\Downloads\vasg6b0wmw029hd\BlackSun_README.txt

Often with ransomware, there is a component to change the wallpaper of the victim's machine to get their attention. I looked for file create events surrounding the PowerShell process and found a jpeg that was created.

"eventcode=11" Image="*Powershell*"
| table TargetFilename

The jpeg used to change the background of the victim's computer is stored at the location below.

C:\Users\Public\Pictures\blacksun.jpg

Conclusion

The infected machine called out to 3 IP addresses (3.17.7.232, 3.22.30.40 and 3.134.125.175) using PowerShell. The suspicious binary OUTSTANDING_GUTTER.exe is then downloaded, and PowerShell is used to call out to 886e-181-215-214-32.ngrok.io. PowerShell is used to set up a scheduled task to run OUTSTANDING_GUTTER.exe as NT AUTHORITY. The binary then called out to 9030-181-215-214-32.ngrok.io, and we find a suspicious PowerShell script on the victim's machine called script.ps1, which we later identify to be BlackSun.ps1.
