File and Hash Threat Intel Writeup

Date: 21-08-2025 | Platform: TryHackMe | Difficulty: Easy

Overview

This room explores enriching file and hash artefacts using threat intelligence, covering malware analysis, hash identification, and behavioral analysis through various security platforms.

Task 1: File Properties Analysis

One file displays one of the indicators mentioned. Can you identify the file and the indicator? (Answer: file, property)

Answer: payroll.pdf, Double extensions

Task 2: Hash and Threat Intelligence Analysis

2.1 What is the SHA256 hash of the file bl0gger?

Answer: 2672B6688D7B32A90F9153D2FF607D6801E6CBDE61F509ED36D0450745998D58
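The two checks above (spotting a double extension in Task 1, and computing the SHA256 that is then pivoted into VirusTotal or MalwareBazaar in Task 2.1) are the kind of first-pass triage an analyst scripts rather than repeats by hand. The following is an added example, not part of the room or this writeup: it hashes a file in chunks, flags a document-looking extension hiding an executable one, and also flags a PE "MZ" header under a non-executable extension (the masquerading pattern Task 3.4 asks about). The extension lists and the sample files it writes into a temporary directory are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: small illustrative lists, not an exhaustive or official set.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".ocx", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def sha256_of_file(path, chunk_size=65536):
    """Uppercase SHA256 hex digest of a file, read in chunks so large samples are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def split_extensions(name):
    """All dotted suffixes of a filename, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def has_double_extension(name):
    """True when a document-looking extension is immediately followed by an executable one."""
    exts = split_extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def is_pe_header(data):
    """True when the file starts with the 'MZ' DOS stub signature of a Windows PE file."""
    return data[:2] == b"MZ"


def triage_file(path):
    """Collect the file properties a first-pass triage looks at before pivoting to threat intel."""
    name = os.path.basename(path)
    with open(path, "rb") as f:
        head = f.read(2)
    claimed_ext = os.path.splitext(name)[1].lower()
    return {
        "name": name,
        "sha256": sha256_of_file(path),
        "double_extension": has_double_extension(name),
        # PE content behind a non-executable extension is the masquerading indicator
        "content_mismatch": is_pe_header(head) and claimed_ext not in EXECUTABLE_EXTS,
    }


def triage_samples():
    """Write constructed sample files to a temp directory and triage each; returns {name: result}."""
    samples = {
        "payroll.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # PE stub behind a .pdf decoy extension
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,      # PE content claiming to be a document
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",   # genuine-looking PDF header
        "empty.bin": b"",                                  # well-known SHA256 test vector
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = triage_file(path)
    return results


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(name, result["sha256"], "double_ext=%s" % result["double_extension"],
              "mismatch=%s" % result["content_mismatch"])
```

The hash is returned uppercase to match the form the room's answers use; VirusTotal and MalwareBazaar accept either case. The double-extension check deliberately requires a document decoy before the executable suffix so that ordinary names such as setup.v2.exe or archive.tar.gz are not flagged.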

2.2 On VirusTotal, what is the threat label used to identify the malicious file?

Answer: trojan.graftor/flystudio

2.3 When was the file first submitted for analysis? (Answer format: YYYY-MM-DD HH:MM:SS)

Answer: 2025-05-15 12:03:49

2.4 According to MalwareBazaar, which vendor classified the Morse-Code-Analyzer file as non-malicious?

Answer: CyberFortress

2.5 On VirusTotal, what MITRE technique has been flagged for persistence and privilege escalation for the Morse-Code-Analyzer file?

Answer: DLL Side-Loading

Task 3: Hybrid Analysis Investigation

3.1 What tags are used to identify the bl0gger.exe malicious file on Hybrid Analysis? (Answer: Tag1, Tag2, Tag3)

Answer: BlackMoon, Discovery, windows-server-utility

3.2 What was the stealth command line executed from the file?

Answer: regsvr32 %WINDIR%\Media\ActiveX.ocx /s

3.3 Which other process was spawned according to the process tree?

Answer: werfault.exe

3.4 The payroll.pdf application seems to be masquerading as which known Windows file?

Answer: svchost.exe

3.5 What associated URL is linked to the file?

Answer: hxxp://121.182.174.27:3000/server.exe

3.6 How many extracted strings were identified from the sandbox analysis of the file?

Answer: 454

Task 4: Ransomware Sample Analysis

4.1 What is the SHA256 hash of the file?

Answer: 43B0AC119FF957BB209D86EC206EA1EC3C51DD87BEBF7B4A649C7E6C7F3756E7

4.2 What family labels are assigned to the file on VirusTotal?

Answer: akira, filecryptor

4.3 How many security vendors have flagged the file as malicious?

Answer: 61 (Note this might change to 60)

4.4 Name the text file dropped during the execution of the malicious file.

Answer: akira_readme.txt

4.5 What PowerShell script is observed to be executed?

Answer: Get-WmiObject Win32_Shadowcopy | Remove-WmiObject

4.6 What is the MITRE ATT&CK ID associated with this execution?

Answer: T1490
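Two of the behaviours surfaced by the sandbox runs above are worth turning into detections: the silent regsvr32 registration of a module from outside System32 (Task 3.2) and the WMI-based deletion of Volume Shadow Copies that MITRE tracks as T1490 (Tasks 4.5 and 4.6). The following is an added example and not part of the room or this writeup: it runs two plain-Python rules over constructed process-creation events shaped like Sysmon Event ID 1 fields (the PIDs, parent names and paths are made up; the two command lines taken from the answers above are kept verbatim). The regsvr32 rule is mapped to T1218.010, the MITRE sub-technique for regsvr32 proxy execution, which the room itself does not mention.

```python
from dataclasses import dataclass
from typing import Callable, List, Dict

# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4212, "parent": "bl0gger.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 %WINDIR%\Media\ActiveX.ocx /s"},
    {"pid": 4310, "parent": "explorer.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 C:\Windows\System32\msxml3.dll"},
    {"pid": 5120, "parent": "sample.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"pid": 5133, "parent": "cmd.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
    {"pid": 5140, "parent": "cmd.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin delete shadows /all /quiet"},
]


def silent_regsvr32_outside_system32(cmdline: str) -> bool:
    """regsvr32 run with /s (no UI) registering an .ocx/.dll that does not live under System32."""
    tokens = cmdline.lower().split()
    if not tokens or not tokens[0].strip('"').endswith(("regsvr32", "regsvr32.exe")):
        return False
    if "/s" not in tokens:
        return False
    modules = [t for t in tokens[1:] if t.endswith((".ocx", ".dll"))]
    return any("\\system32\\" not in m for m in modules)


def shadow_copy_deletion(cmdline: str) -> bool:
    """Volume Shadow Copy removal via WMI/CIM cmdlets, vssadmin or wmic (MITRE T1490 patterns)."""
    c = cmdline.lower()
    wmi_delete = "win32_shadowcopy" in c and ("remove-wmiobject" in c or "remove-ciminstance" in c)
    vssadmin_delete = "vssadmin" in c and "delete" in c and "shadows" in c
    wmic_delete = "wmic" in c and "shadowcopy" in c and "delete" in c
    return wmi_delete or vssadmin_delete or wmic_delete


@dataclass
class Rule:
    name: str
    technique: str
    matches: Callable[[str], bool]


RULES = [
    Rule("Silent regsvr32 of module outside System32", "T1218.010", silent_regsvr32_outside_system32),
    Rule("Volume Shadow Copy deletion", "T1490", shadow_copy_deletion),
]


def scan_events(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every event's command line; returns one hit per (event, rule) match."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.matches(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "parent": ev["parent"], "rule": rule.name,
                             "technique": rule.technique, "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f'[{hit["technique"]}] pid={hit["pid"]} parent={hit["parent"]}: {hit["cmdline"]}')
```

Both rules deliberately ignore the benign look-alikes in the sample (a regsvr32 registration from System32 without /s, and a read-only vssadmin list shadows) so that the parent process recorded in the hit, such as an unsigned binary spawning PowerShell, is what drives the follow-up rather than the command name alone.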

Lessons Learned