Scenario

You are a Digital Forensics and Incident Response (DFIR) analyst tasked with investigating a ransomware attack that has affected a company's system. The attack has resulted in file encryption, and the attackers are demanding payment for the decryption of the affected files. You have been given a memory dump of the affected system to analyze and provide answers to specific questions related to the attack.

https://app.letsdefend.io/challenge/lockbit


1- Can you determine the date and time that the device was infected with the malware? (UTC, format: YYYY-MM-DD hh:mm:ss)

2023-04-13 10:06:45


First we determine which profile to use by running vol.py -f Lockbit.vmem imageinfo.

Then we use the pstree plugin to list all processes and find the malicious one. After running pstree we can see that mal.exe doesn't even try to hide itself.
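As an added example (not part of this write-up, and not LetsDefend's or Volatility's own code), here is a small Python parser for Volatility 2 pstree output that pulls the start time of a named process and lists what it spawned. The pstree sample embedded in it is constructed: only the image name mal.exe and its start time come from this write-up; offsets, PIDs and the other processes are made up.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of Volatility 2 pstree output (layout follows the plugin;
# offsets, PIDs and every timestamp except mal.exe's are made up here).
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8001b5e040:System                              4      0     88    482 2023-04-13 10:04:53 UTC+0000
. 0xfffffa8002a3e060:smss.exe                         272      4      2     29 2023-04-13 10:04:53 UTC+0000
 0xfffffa8002c1e9e0:explorer.exe                     1456   1412     31    812 2023-04-13 10:05:12 UTC+0000
. 0xfffffa8002e52b30:mal.exe                         2244   1456      5    114 2023-04-13 10:06:45 UTC+0000
.. 0xfffffa8002f10060:cmd.exe                        2300   2244      1     20 2023-04-13 10:06:47 UTC+0000
"""

# One row: leading dots encode tree depth, then "offset:name", the four
# integer columns (Pid PPid Thds Hnds) and the start time with UTC suffix.
ROW_RE = re.compile(
    r"^\.*\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\d+\s+\d+\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
)

# start is kept as text: it already has the challenge's YYYY-MM-DD hh:mm:ss form.
Proc = NamedTuple("Proc", [("name", str), ("pid", int), ("ppid", int), ("start", str)])

def parse_pstree(text: str) -> Dict[int, Proc]:
    """Map pid -> Proc, skipping the header and separator lines."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m["pid"])] = Proc(m["name"], int(m["pid"]), int(m["ppid"]), m["time"])
    return procs

def infection_time(procs: Dict[int, Proc], image: str) -> Optional[str]:
    """Earliest start of any process named image (case-insensitive): question 1's answer."""
    hits = sorted(p.start for p in procs.values() if p.name.lower() == image.lower())
    return hits[0] if hits else None

def descendants(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names of everything spawned, directly or indirectly, by pid."""
    found, stack = [], [pid]
    while stack:
        cur = stack.pop()
        for p in procs.values():
            if p.ppid == cur:
                found.append(p.name)
                stack.append(p.pid)
    return sorted(found)
```

Feeding the real plugin output into parse_pstree (for example by reading the saved text file) gives the same result; the descendants list is a quick way to scope what the ransomware launched after execution.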

2- What is the name of the ransomware family responsible for the attack?

lockbit
