Kira2

Kira2 Badge
Difficulty
Difficulty Easy
Score
Score 4000
Tags
Completions
Completions 0
Authors
Rating

This is the second phase of the NorthLedger investigation.

In the first phase, analysts reviewed the available Windows event logs across the winevt and winevt-recover indexes to identify signs of compromise, suspicious authentication activity, PowerShell execution, service changes, staging activity, and behaviour consistent with Akira ransomware preparation.

However, the logging available to NorthLedger was incomplete. Following the incident, Splunk had to be reinstalled in an attempt to recover visibility, leaving gaps in the timeline and limiting what can be confirmed from event logs alone.

As part of the follow-up DFIR investigation, a memory image was captured from the domain controller in scope.

Your task is to analyse the provided memory dump and use it to validate, enrich, or challenge the findings from the initial log-based investigation. Focus on identifying host details, system time, suspicious files, ransomware-related artefacts, evidence of recovery deletion, encrypted file indicators, ransom note references, and any signs that the Splunk Universal Forwarder was reinstalled during the response.

Answer the questions using evidence recovered from memory.

Defensive


Activity

Lab Released 2026-07-10 19:00:00