DumpMe Blue Team Challenge

Category : Endpoint Forensics

4.5

Medium

Attention! "DumpMe" is no longer active and will not contribute to leaderboard points. However, you can still solve the lab and explore avaliable walkthroughs to gain valuable experience.

What is the SHA1 hash of Triage-Memory.mem (memory dump)?

Weight : 25 | Solved : 1936 | Average Solve Time: 4 minutes

What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)

Weight : 25 | Solved : 1906 | Average Solve Time: 2 minutes

What was the process ID of notepad.exe?

Weight : 50 | Solved : 1911 | Average Solve Time: 1 minute

Name the child process of wscript.exe.

Weight : 50 | Solved : 1894 | Average Solve Time: 1 minute

What was the IP address of the machine at the time the RAM dump was created?

Weight : 75 | Solved : 1845 | Average Solve Time: 1 minute

Based on the answer regarding the infected PID, can you determine the IP of the attacker?

Weight : 75 | Solved : 1808 | Average Solve Time: 1 minute

How many processes are associated with VCRUNTIME140.dll?

Weight : 75 | Solved : 1707 | Average Solve Time: 18 minutes

After dumping the infected process, what is its md5 hash?

Weight : 100 | Solved : 1573 | Average Solve Time: 5 minutes

What is the LM hash of Bob's account?

Weight : 75 | Solved : 1577 | Average Solve Time: 1 minute

Q10

What memory protection constants does the VAD node at 0xfffffa800577ba10 have?

Weight : 75 | Solved : 1474 | Average Solve Time: 1 minute

Q11

What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?

Weight : 75 | Solved : 1453 | Average Solve Time: 2 minutes

Q12

There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)

Weight : 125 | Solved : 1473 | Average Solve Time: 3 minutes

Q13

An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)

Weight : 100 | Solved : 1408 | Average Solve Time: 15 minutes

Q14

What was written in notepad.exe at the time when the memory dump was captured?

Weight : 200 | Solved : 1330 | Average Solve Time: 10 minutes

Q15

What is the short name of the file at file record 59045?

Weight : 150 | Solved : 1333 | Average Solve Time: 1 minute

Q16

This box was exploited and is running meterpreter. What was the infected PID?

Weight : 200 | Solved : 1407 | Average Solve Time: 3 minutes

Instructions:

Unzip the challenge (pass: cyberdefenders.org)

Scenario:

A SOC analyst took a memory dump from a machine infected with a meterpreter malware. As a Digital Forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.

Tools:

Stuck? Don't worry

We've got you covered! 🛠️ Head over to the community lab channel for guidance #dumpme channel

First blood

hnl

923 days ago

Last solve

verror

today

DumpMe Blue Team Challenge

Category : Endpoint Forensics

Memory

Volatility

Windows

DFIR

Stuck? Don't worry

First blood

Last solve

Blog

Media Kit

Store

Careers

DumpMe Blue Team Challenge

Category : Endpoint Forensics

Memory

Volatility

Windows

DFIR

Stuck? Don't worry

First blood

Last solve