# MEMORY ANALYSIS – RANSOMWARE

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FQsvg4sNICe9a6jCo7EyQ%2FScreenshot%202022-07-24%20154231.png?alt=media\&token=3b5a7613-d4a0-41bc-aa8d-13264ae3bd58)

First we need to run the following command to identify the memory image's profile:

vol.py -f infected.vmem imageinfo

Once we know the profile, we can start analysing this memory image. The first question is to find **the name of the suspicious process.**

**To answer this we have two methods: either run the command directly, or do something smarter and save the output to files, since we may need it again later.**

**We can run the following commands:**

vol.py -f infected.vmem --profile=Win7SP1x86 pslist > pslist.txt

vol.py -f infected.vmem --profile=Win7SP1x86 psscan > pslscan.txt

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FhZ0ktJrBW17aUxX7Mh5d%2FScreenshot%202022-07-24%20130859.png?alt=media\&token=e3be63bd-16b6-47f0-bf22-80ee8c6377b7)

Now it's time to see the difference between these two files: diff pslist.txt pslscan.txt. pslist walks the kernel's active-process list, while psscan carves _EPROCESS structures out of physical memory, so anything psscan reports that pslist does not is a process that has exited or been unlinked from that list.

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FAUwZnZW8ataDbzKybtQ5%2FScreenshot%202022-07-24%20131120.png?alt=media\&token=d8ec7177-1a19-4e3a-b5de-7900c555dea3)

Now we can see the answer to the first question directly.

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FQ7MnKI6JPY5gFZIH6ShK%2FScreenshot%202022-07-24%20161435.png?alt=media\&token=cf52d09d-aff1-4aa4-97c0-f1a4c3a4c68e)

What is the parent process ID for the **suspicious process?**

vol.py -f infected.vmem --profile=Win7SP1x86 pstree

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FCORP6bdcSyOWh37e1Ye9%2FScreenshot%202022-07-24%20131558.png?alt=media\&token=96de5d96-4766-4e31-8ca3-08612913ace8)

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FOCmH4meCYMxHegdTLEcI%2FScreenshot%202022-07-24%20162006.png?alt=media\&token=7c8b73ea-ebd3-4e50-9104-de824a9b371e)

What is the initial malicious executable that created this process?

grep "2732" pslscan.txt

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FCmadEOVrSWnEm32PwAEn%2FScreenshot%202022-07-24%20131803%20\(2\).png?alt=media\&token=9a86c290-8dd5-4df2-b393-63d49880955a)

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FdNTsTKiKxUBgjdReGCZw%2FScreenshot%202022-07-24%20162457.png?alt=media\&token=aee6c246-a7f9-4c3a-9854-65362e2a7307)

If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files.

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FoLuGMyz1XzbsjKqJmVrb%2FScreenshot%202022-07-24%20162729.png?alt=media\&token=a8fa6786-3db4-40a2-9633-7c84ae4619c0)

Find the path where the malicious file was first executed?

vol.py -f infected.vmem --profile=Win7SP1x86 dlllist -p 2732

or

vol.py -f infected.vmem --profile=Win7SP1x86 cmdline

Either works: dlllist prints the process's command line and lists the executable itself, with its full path, as the first loaded module, while cmdline prints the command line each process was started with.

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FuQZzdht3cclbtA8i04FQ%2FScreenshot%202022-07-24%20132332.png?alt=media\&token=2d6afcd9-d21f-422c-8f64-17436f830329)

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2F2BxynSEeBuODYqsUWBr1%2FScreenshot%202022-07-24%20163317.png?alt=media\&token=d398a393-e07c-452c-bf4a-e16131d4ad1c)

Can you identify what ransomware it is? (Do your research!)

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FTTxx9877zfC2VqqHc1W8%2FScreenshot%202022-07-24%20163546.png?alt=media\&token=4dd32b7a-9a8a-4812-809f-474dc13d9214)

What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

vol.py -f infected.vmem --profile=Win7SP1x86 memdump -p 2732 --dump-dir=./

After that, we can grep the dumped process memory for the keyword we are looking for (the .eky extension).

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FQqy04llo6L8kUQ5vlFAZ%2FScreenshot%202022-07-24%20133608.png?alt=media\&token=f81a5e56-513b-43e0-baad-f5822bf3f9be)

![](https://2896766067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FeJEDpZ8S2oO5YsiTGReY%2Fuploads%2FHVf3M18MfNLVhRMmmQMG%2FScreenshot%202022-07-24%20164023.png?alt=media\&token=63a485b4-275b-4fe1-b082-61cd8ba4274e)
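The grep step only finds the file name if it is stored as plain ASCII. Windows keeps most paths in process memory as UTF-16LE, so a name can be present in the .dmp and still not match a plain grep (`strings -el` or an equivalent search is needed). The following Python is an added example, not the write-up's own command or part of Volatility: it scans a dump for names with a given extension in both encodings and reports the offset and encoding of each hit. The sample dump bytes and the file names inside it are constructed for the example; the real answer must come from the memdump of PID 2732.

```python
"""Added example (not part of the original write-up or of Volatility):
search a process memory dump for file names with a given extension,
matching both the ASCII and the UTF-16LE encoding of the name."""
import re
from typing import List, Tuple

# Characters this search accepts inside a Windows path (letters, digits,
# underscore, dot, backslash, colon, hyphen). Spaces are deliberately
# excluded so unrelated text is not glued onto a hit.
PATH_CHAR = rb"[\w.\\:\-]"


def find_names(dump: bytes, ext: str) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, decoded name) for every string in `dump`
    ending in `ext`, found either as ASCII or as UTF-16LE, sorted by offset."""
    # ASCII form: path characters, the extension, and not another path
    # character afterwards (so ".ekyz" is not reported as ".eky").
    ascii_re = re.compile(
        PATH_CHAR + rb"+" + re.escape(ext.encode("ascii")) + rb"(?![\w.])"
    )
    # UTF-16LE form: every ASCII-range character is stored as <byte>\x00,
    # so the same classes are used with a NUL after each one.
    wide_re = re.compile(
        rb"(?:" + PATH_CHAR + rb"\x00)+"
        + re.escape(ext.encode("utf-16-le"))
        + rb"(?![\w.]\x00)"
    )
    hits: List[Tuple[int, str, str]] = []
    for m in ascii_re.finditer(dump):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(dump):
        hits.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    return sorted(hits)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memdump .dmp file (not real dump content):
    filler bytes around an unrelated ASCII .txt path, a UTF-16LE .eky path
    that a plain grep would miss, and a bare ASCII .eky name."""
    filler = b"\x00" * 16 + bytes(range(0x20, 0x40)) + b"\x00" * 8
    ascii_path = b"C:\\Users\\victim\\Desktop\\notes.txt"
    wide_path = "C:\\ProgramData\\EXAMPLE_PUBKEY.eky".encode("utf-16-le")
    ascii_key = b"00000000.eky"
    return filler + ascii_path + filler + wide_path + filler + ascii_key + filler


if __name__ == "__main__":
    # On a real dump: find_names(open("2732.dmp", "rb").read(), ".eky")
    for offset, enc, name in find_names(build_sample_dump(), ".eky"):
        print(f"0x{offset:08x} {enc:10} {name}")
```

On the sample dump this reports the UTF-16LE path first and the ASCII name second; a plain `grep -a eky` on the same bytes would only have shown the ASCII one.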
