TryHackMe: OpenCTI Walkthrough (Only Investigations)

Onur Alp Akin
3 min readApr 13, 2023

Hi, in this walkthrough I won’t be doing any other questions considering they already have answers within the room.

Original Publish Date: Nov 28, 2022

As a SOC analyst, you have been tasked with investigations on malware and APT groups rampaging through the world. Your assignment is to look into the CaddyWiper malware and APT37 group. Gather information from OpenCTI to answer the following questions.

1 — What is the earliest date recorded related to CaddyWiper? Format: YYYY/MM/DD

Searching the malware and clicking the only one that shows up would put us where we want to be. Under analysis tab, we can see reports.


2 — Which Attack technique is used by the malware for execution?

Under Knowledge > Attack Patterns

Native API

3 — How many malware relations are linked to this Attack technique?

Clicking on native API then navigating to knowledge tab, we can find our answer.


4 — Which 3 tools were used by the Attack Technique in 2016? (Ans: Tool1, Tool2, Tool3)

Instead of overview, we can find what we’re looking for under Tools section. Sorting by start time

BloodHound, Empire, ShimRatReporter

5 — What country is APT37 associated with?

Start by searching the keyword.

It’s right under description.

North Korean

6 — Which Attack techniques are used by the group for initial access? (Ans: Technique1, Technique2)

To find initial access techs, we have to navigate to knowledge tab then attack patterns.

Scrolling to initial access then clicking highlighted attacks to get their codes.

T1189, T1566

And that was all to it! :) Thank you for reading.