tryhackme redline writeup

posted on March 5, 2023, 5:51 a.m.

https://tryhackme.com/room/btredlinejoxr3d 



  •  I do not provide any answers.

  •  To connect to tryhackme virtual machines go here: https://tryhackme.com/access

  •  If the directions are written clearly in the task description, then I will skip that question.

  •  Basically, if you are stuck then check this writeup.


Task 1
be patient with this entire lab because redline is resource intensive and the vm is slow


Task 2
follow the task directions and generate a redline report (this will take a while, 15-20 minutes)
make sure you choose all the correct fields in the scripts so that your report has the necessary information to answer the questions
all answers can be found by reading the task


Task 3
follow the task and open the report after it's finished (this also takes a while, 10 minutes)
click on the items on left hand side to see all the different information
answer is there


Task 4



  • Question 1:
    look at system information
  • Question 2:
    look at system information
  • Question 3:
    look at tasks scheduled
  • Question 4:
    click on Tasks and search for one that looks suspicious (it should be near the top if you haven't touched any filters)
  • Question 5:
    looking at the same task from question 4, the comment column gives you this answer
  • Question 6:
    go to Event Logs
    search for "THM-Redline-User" and you'll get one result and the ID column will give you the ID
  • Question 7:
    same thing, the message column will give you the answer
  • Question 8:
    go to File Downloads
    find the url where flag.txt was downloaded from
  • Question 9:
    answer is the download path
  • Question 10:
    go to the flag.txt file and find the answer


Task 5
let IOCe load. It can get hung up but let it load
follow the task directions
all answers are found in the screenshots the author provides


Task 6
you cannot complete this task by running a new scan for some reason
create an IOC with file size = 834936 as one property
open the original redline report found at C:\Users\Administrator\Documents\1\Sessions\AnalysisSession1
click on IOC Reports at the bottom and then create a new report using the IOC file you just created



  • Question 1:
    once the IOC report is generated you will find the answer
  • Question 2:
    answer in the report
  • Question 3:
    answer in the report
  • Question 4:
    click details on the right hand side of the report and then the ! icon to the right of the file path
  • Question 5:
    answer in the details
  • Question 6:
    copy the file path and open powershell
    enter: Get-FileHash
    paste the path at the prompt and hit enter again; the cmdlet prints the SHA256 hash (its default algorithm)
  • Question 7:
    submit the hash to virustotal and look for the actual filename


Task 7



  • Question 1:
    look at system information
  • Question 2:
    go to processes in the report and filter for the username "charles"
    find the process that uses notepad.exe
  • Question 3:
    go to the Windows Services tab and filter for "defender" and double click on the one result to find more information
  • Question 4:
    go to the file download history and filter for "Download Type" and find the one manual download
  • Question 5:
    go to file system and look at the user charles' desktop and checkmark Endermanch@cerber5.bin to see the malware.exe file on the desktop
  • Question 6:
    double click on it to see more information
  • Question 7:
    upload the MD5 hash to virustotal to get the official name of the ransomware
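As an added example (my own, not part of the room or the original writeup), here is a PowerShell function that pulls the three values Task 6 Question 6 and Task 7 Question 7 ask for from a single file: its size (so you can compare it with the 834936-byte property used for the Task 6 IOC), its SHA256 and its MD5. The file path in the usage line is a placeholder; replace it with the path you copied from the report details.

```powershell
# Added example, not from the original writeup: gather the size and hashes
# Redline/IOCe and VirusTotal work with for one file, in a single call.
function Get-FileIocSummary {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        # 834936 is the file size the writeup uses as the IOC property in Task 6
        [long]$ExpectedSize = 834936
    )

    # -LiteralPath avoids wildcard expansion on odd filenames such as Endermanch@cerber5.bin
    $item   = Get-Item -LiteralPath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        SizeMatches = ($item.Length -eq $ExpectedSize)  # does the file match the size IOC?
        SHA256      = $sha256                           # Task 6 Question 6
        MD5         = $md5                              # Task 7 Question 7
    }
}

# Usage: the path below is a placeholder; paste the path from the IOC report details
Get-FileIocSummary -Path 'C:\PLACEHOLDER\path\to\file.exe' | Format-List
```

Either hash can be pasted into the VirusTotal search box as-is; searching by hash does not upload the file, which matters if you would rather not submit a sample from the lab to a third party.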