The Importance of File Integrity
In the realm of cybersecurity, every file possesses a unique "digital fingerprint" known as a Hash. A significant portion of Threat Intelligence relies on analyzing these hashes and matching them against known malicious databases. In this TryHackMe room, we learn how to verify the identity and threat level of a suspicious file without ever having to execute it.
Learning Objectives
By completing this room, you will be able to:
- Interpret suspicious filepaths and filenames using heuristics.
- Generate and validate file hashes.
- Leverage VirusTotal and MalwareBazaar to enrich newly observed binaries.
- Extract behaviour from sandbox telemetry and map it to MITRE ATT&CK.
Now, let's move on to the questions for this room, hoping to learn more.
1. One file displays one of the indicators mentioned. Can you identify the file and the indicator? (Answer: file, property)
I had a doubt about where to check, so I started checking through every folder. While checking, I came to understand that the file was in the CTI folder under Desktop itself.
Ans: payroll.pdf, Double extensions (even though pdf was the extension, the type was an executable.)
2. What is the SHA256 hash of the file bl0gger?
I checked the SHA256 from PowerShell:
Ans: 2672B6688D7B32A90F9153D2FF607D6801E6CBDE61F509ED36D0450745998D58
3. On VirusTotal, what is the threat label used to identify the malicious file?
This was available from the VirusTotal main page itself.
Ans: trojan.graftor/blackmoon
4. When was the file first submitted for analysis? (Answer format: YYYY-MM-DD HH:MM:SS)
Under the Details tab, you can find the history of the file.
Ans: 2025-05-15 12:03:49 UTC
5. According to MalwareBazaar, which vendor classified the Morse-Code-Analyzer file as non-malicious?
First, I took the hash of the file.
Later I tested it on the MalwareBazaar site in the format "sha256:<filehash>".
If you open that and click on the Intelligence tab, you can see the list of vendors, and that is how I got my answer.
Ans: CyberFortress
6. On VirusTotal, what MITRE technique has been flagged for persistence and privilege escalation for the Morse-Code-Analyzer file?
Initially, I took the hash of the file using PowerShell. Then I gave that to VirusTotal and looked for answers. This was under the Behavior tab, where I checked the techniques listed under Persistence and Privilege Escalation.
7. What tags are used to identify the bl0gger.exe malicious file on Hybrid Analysis? (Answer: Tag1, Tag2, Tag3)
I searched on Hybrid Analysis with the hash of bl0gger.exe, and checked the tags assigned to the executable.
Ans: BlackMoon, Discovery, windows-server-utility
8. What was the stealth command line executed from the file?
I went through the indicators to check for the stealth command line executed and found it there:
Ans: regsvr32 %WINDIR%\Media\ActiveX.ocx /s
9. Which other process was spawned according to the process tree?
I was not sure how to get the answer for this question, so I checked some external resources. There were a few sites I could get help from; one was here. But I still couldn't find the spawned process. If any of you work out how to get that information, please feel free to comment.
Ans: werfault.exe
10. The payroll.pdf application seems to be masquerading as which known Windows file?
I searched a lot through VirusTotal and Hybrid Analysis, but was not able to find the correct answer. I then checked the properties of the file.
But that answer didn't seem to be correct, so I went to external references to see where I was wrong. Then I understood that the main type was an executable file, and after changing the extension the answer was correct.
Ans: svchost.exe
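The three static checks this room walks through for Q1, Q2 and Q10 (a double extension, the SHA256 of a file, and a PE masquerading behind a .pdf extension) can be scripted so that no file is ever executed. This is an added example, not code from the room or its author; the "known-bad" set is a constructed stand-in for a VirusTotal/MalwareBazaar lookup and holds the two hashes quoted in this write-up plus the hash of a constructed sample so the match branch runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed fake PE payload (MZ header, no real code) used for the samples below.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00constructed-sample"
# Stand-in for a threat-intel lookup: hashes quoted in this write-up + the sample.
KNOWN_BAD_SHA256 = {
    "2672b6688d7b32a90f9153d2ff607d6801e6cbde61f509ed36d0450745998d58",
    "43b0ac119ff957bb209d86ec206ea1ec3c51dd87bebf7b4a649c7e6c7f3756e7",
    hashlib.sha256(FAKE_PE).hexdigest(),
}
PE_EXTS = {".exe", ".dll", ".ocx", ".scr"}   # extensions where an MZ header is expected
MAGIC = {".pdf": b"%PDF", ".zip": b"PK"}      # expected leading bytes per extension

def sha256_file(path):
    """Hash in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(path):
    """Static checks only: the file is read, never run. Returns hash + findings."""
    p = Path(path)
    suffixes = [s.lower() for s in p.suffixes]
    ext = suffixes[-1] if suffixes else ""
    findings = []
    if len(suffixes) > 1:                          # e.g. statement.pdf.exe
        findings.append("double extension " + "".join(suffixes))
    head = p.read_bytes()[:4]
    if head.startswith(b"MZ") and ext not in PE_EXTS:   # PE hiding behind .pdf etc.
        findings.append("PE header but extension " + (ext or "<none>"))
    elif ext in MAGIC and not head.startswith(MAGIC[ext]):
        findings.append("%s extension but magic %r" % (ext, head))
    digest = sha256_file(p)
    if digest in KNOWN_BAD_SHA256:
        findings.append("sha256 in known-bad set")
    return {"sha256": digest, "findings": findings}

def demo():
    """Write three constructed files to a temp dir and triage each one."""
    samples = {
        "payroll.pdf": FAKE_PE,                          # PE masquerading as a PDF
        "statement.pdf.exe": FAKE_PE[:2] + b"\x00" * 8,  # double extension
        "report.pdf": b"%PDF-1.7\n%clean constructed document",
    }
    with tempfile.TemporaryDirectory() as d:
        results = {}
        for name, content in samples.items():
            f = Path(d) / name
            f.write_bytes(content)
            results[name] = triage(f)
        return results
```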
11. What associated URL is linked to the file?
This answer could be obtained from Hybrid Analysis. I searched for the hash of payroll.pdf and went through the details, where I found the information:
Ans: hxxp://121.182.174.27:3000/server.exe
12. How many extracted strings were identified from the sandbox analysis of the file?
I checked with the hash of the file in Hybrid Analysis; there you will find a section with extracted strings, which shows the total number, and that is your answer.
Ans: 454
13. What is the SHA256 hash of the file?
Pretty direct question by now ;)
Ans: 43b0ac119ff957bb209d86ec206ea1ec3c51dd87bebf7b4a649c7e6c7f3756e7
14. What family labels are assigned to the file on VirusTotal?
I could get the answer directly from VirusTotal.
15. When was the first time the file was recorded in the wild? (Answer Format: YYYY-MM-DD HH:MM:SS UTC)
Ans: 2024-10-30 17:17:24 UTC
16. Name the text file dropped during the execution of the malicious file.
I had to check under the Behavior tab, and saw the list of files dropped, but couldn't get the name, so I had to download the full report.
Ans: akira_readme.txt
17. What PowerShell script is observed to be executed?
I couldn't find the correct answer for the question, so I took help from external resources.
Ans: Get-WmiObject Win32_Shadowcopy | Remove-WmiObject
18. What is the MITRE ATT&CK ID associated with this execution?
The PowerShell command from Q17 deletes volume shadow copies, which is inhibiting system recovery, so look for the MITRE ATT&CK technique that covers this behaviour.
Ans: T1490
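Mapping the Q17 command to T1490 is also what a detection rule does: flag the shadow-copy deletion form of the WMI/CIM query while leaving plain enumeration alone. This is an added example, not part of the room or the author's post; the event records are constructed stand-ins for PowerShell script-block text (the kind carried in Event ID 4104), and the rule names and the CIM variant (Get-CimInstance/Remove-CimInstance) are mine.

```python
import re

# Constructed sample events shaped like PowerShell script-block logging output.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01",
     "text": "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"id": 2, "host": "WS01",   # enumeration only: benign admin activity
     "text": "Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate"},
    {"id": 3, "host": "WS02",   # CIM equivalent, odd casing and spacing
     "text": "get-ciminstance  win32_shadowcopy |  remove-ciminstance"},
    {"id": 4, "host": "WS02",
     "text": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
]

# Only the deletion form is flagged: a Win32_Shadowcopy query piped into a
# Remove-* cmdlet. Case-insensitive; tolerates extra whitespace around the pipe.
RULES = [
    ("shadowcopy_wmi_delete",
     re.compile(r"win32_shadowcopy\b[^|\n]*\|\s*remove-(wmiobject|ciminstance)\b",
                re.IGNORECASE)),
]
ATTACK_ID = "T1490"   # Inhibit System Recovery

def detect(events):
    """Return one alert per (event, rule) match, tagged with the ATT&CK technique."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["text"]):
                alerts.append({"event_id": ev["id"], "host": ev["host"],
                               "rule": name, "technique": ATTACK_ID})
    return alerts

def flagged_ids(events):
    """Convenience view: sorted event ids that triggered any rule."""
    return sorted({a["event_id"] for a in detect(events)})
```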
And this is now done and dusted. There are some questions for which I still don't have answers; hopefully I will find them during my journey.
Conclusion: Proactive Defense
File and Hash analysis is more than just using tools; it is a defensive mindset. As part of Mission Cyber Force 5000, we are building a generation of defenders capable of identifying and neutralizing cyber threats by their digital signatures before they can ever execute their payload.
Passwords are like underwear. Don’t let people see it, change it very often, and don’t share it with strangers.