Pulling threads

Memory sample

https://drive.google.com/drive/folders/1wDj2KjHhRHVJBc9dpK54Zy2uhGjOs73Y

Profiles

vol.py --info | grep Win10

  • If the profile you need is not listed, pull the latest Volatility 2 source from GitHub; the newer Windows 10 profiles ship with it.

  • git clone https://github.com/volatilityfoundation/volatility.git

  • Change into the cloned directory and run --info again; the newer profiles now appear.

python2 vol.py -f {memdump} --profile=Win10x64_15063

Suspicious processes

  • If Volatility does not ship the plugin you need (malprocfind is a community plugin), clone it from GitHub and drop its .py file into the “plugins” directory inside the “volatility” directory, or point Volatility at it with --plugins=<dir>.

malprocfind

  • Look for “False” values in the output. A single False does not by itself mean the process is malicious, but a process with several False values deserves a closer look.

  • You will notice multiple svchost.exe processes, which is normal on a Windows system. That ubiquity is exactly why malware authors favour it: a rogue svchost.exe hides in plain sight, often running from an incorrect path or under a slightly misspelled name such as scvhost.exe.

  • PID 2888 has multiple False values. PPID is False because the parent of svchost.exe should be services.exe and here it is not; the path, user and cmd checks are False as well.

pslist | grep 2888

  • This returns the svchost.exe entry with a PPID of 7416; for a legitimate svchost.exe that parent should be services.exe.

pslist | grep 7416

  • But PID 7416 is cmd.exe, which has no business spawning a legitimate svchost.exe.

  • Also, you can see an lsaiso.exe. LsaIso.exe (the isolated LSA process) only exists when Credential Guard is turned on, which is not the case here.

cmdline | grep 2888

cmdline | grep -A1 2888

  • This shows the matching line and the line after it (-B gives lines before, -C lines before and after). A bare 2888 can also match an unrelated line, so the cmdline plugin’s own -p 2888 filter is the more precise option.

  • You can see it is running from the wrong directory, “Windows”, where a real svchost.exe lives in “Windows\System32”. There are also two spaces after the path, while -k NetworkService looks like a valid argument.

cmdline | grep -A1 3456

  • PID 3456 is the lsaiso.exe noticed earlier. Again it is running from the wrong path; a legitimate process would live under Windows\System32.

  • It should not be running at all, since Credential Guard was not turned on.
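The three checks above (parent is services.exe, image under Windows\System32, oddities in the command line) can be scripted so they run over every process instead of only the one you happened to grep for. The shell script below is an added example, not part of these notes or of Volatility; the pslist and cmdline text it reads is constructed to reproduce the PID 2888 / PID 7416 finding, and the other PIDs, names and offsets in it are invented. The expected-parent table is a minimal one (svchost.exe under services.exe, services.exe and lsass.exe under wininit.exe); extend it for the environment.

```shell
# Added example (not from these notes): script the parent-process and path
# checks that the malprocfind/pslist/cmdline walk-through above does by hand.
# Both inputs are CONSTRUCTED to mirror the finding above (svchost.exe PID 2888
# with cmd.exe PID 7416 as its parent); all other PIDs and offsets are invented.
# With a real image, feed the plugin output instead, e.g.
#   check_lineage "$(python2 vol.py -f "$IMG" --profile=Win10x64_15063 pslist)"
#   check_paths   "$(python2 vol.py -f "$IMG" --profile=Win10x64_15063 cmdline)"

PSLIST='Offset(V)          Name                    PID   PPID
------------------ -------------------- ------ ------
0xffffe00000001000 System                    4      0
0xffffe00000002000 wininit.exe             552    444
0xffffe00000003000 services.exe            640    552
0xffffe00000004000 lsass.exe               648    552
0xffffe00000005000 svchost.exe             812    640
0xffffe00000006000 svchost.exe             900    640
0xffffe00000007000 explorer.exe           3000   2960
0xffffe00000008000 cmd.exe                7416   3000
0xffffe00000009000 svchost.exe            2888   7416'

CMDLINE='************************************************************************
svchost.exe pid:    812
Command line : C:\Windows\System32\svchost.exe -k DcomLaunch
************************************************************************
svchost.exe pid:    900
Command line : C:\Windows\System32\svchost.exe -k RPCSS
************************************************************************
svchost.exe pid:   2888
Command line : C:\Windows\svchost.exe  -k NetworkService'

# Flag well-known system processes whose parent is not the expected image.
# pslist columns used: $2 name, $3 PID, $4 PPID (extra columns are ignored).
check_lineage() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            want["svchost.exe"]  = "services.exe"
            want["services.exe"] = "wininit.exe"
            want["lsass.exe"]    = "wininit.exe"
        }
        $3 ~ /^[0-9]+$/ { name[$3] = $2; ppid[$3] = $4; order[++n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]; c = name[p]
                if (!(c in want)) continue
                actual = (ppid[p] in name) ? name[ppid[p]] : "<unknown>"
                if (actual != want[c])
                    printf "PID %s %s parent is %s (PID %s), expected %s\n",
                           p, c, actual, ppid[p], want[c]
            }
        }'
}

# Flag system images that do not run from C:\Windows\System32\ and command
# lines with a doubled space, the two tells noticed in the cmdline output above.
check_paths() {
    printf '%s\n' "$1" | awk '
        BEGIN { sys["svchost.exe"] = 1; sys["lsass.exe"] = 1; sys["services.exe"] = 1 }
        /^[^ ]+ pid: +[0-9]+$/ { name = $1; pid = $NF; next }
        /^Command line :/ {
            line = $0; sub(/^Command line : */, "", line)
            if (name in sys && tolower(line) !~ /^c:\\windows\\system32\\/)
                printf "PID %s %s runs from unexpected path: %s\n", pid, name, line
            if (line ~ /  /)
                printf "PID %s %s has a doubled space in its command line\n", pid, name
        }'
}

check_lineage "$PSLIST"
check_paths "$CMDLINE"
```

The awk rules only use the Name/PID/PPID columns, so the real pslist output with its extra columns parses the same way. A process whose parent has already exited shows up as <unknown>, which is worth a look but is also what a legitimate orphan looks like, so treat the output as a worklist, not a verdict.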

Network traffic

netscan | more

  • A few things are talking on TCP 80 and TCP 443, which is probably expected. What we want to find is anything on either of those two ports that is not a web browser, and any web browser talking on a port other than those two; either is abnormal in most environments.

  • Also look at the LISTENING and ESTABLISHED entries, and feed the output to the abbybus python script, which parses out the IPv4 addresses and does a GeoIP lookup on them, giving the ASN and similar details.

netscan | grep -i established

netscan | grep -i established | grep -Ev ':(80|443) '

  • This leaves the ESTABLISHED connections that are not on TCP 80 or 443, which are the outliers. The port has to be matched as “:80 ” / “:443 ”, not as a bare number: a bare 80 also hits offsets, PIDs and local ports, and grep -v 80, 443 would even treat “443” as a file name. (The pattern also drops lines whose local port is 80 or 443, which only matters if the host serves web traffic.)

  • We get a hit on TCP 4444, the default Meterpreter listener port, which should not be seen on a workstation, and the owner is a powershell.exe process.
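The port filter above is easy to get wrong with grep alone, and it only covers half of the rule of thumb. The script below, an added example that is not part of these notes or of Volatility, applies both halves (non-web ports, and non-browsers on web ports) over netscan output; its netscan text is constructed around the powershell.exe PID 9316 on TCP 4444 finding, and the addresses, times, offsets and the chrome.exe/svchost.exe rows in it are invented.

```shell
# Added example (not from these notes): pick out the ESTABLISHED TCP connections
# worth a second look using the rule of thumb above (non-browsers on 80/443,
# anything on other ports). The netscan text below is CONSTRUCTED around the
# finding above (powershell.exe PID 9316 on TCP 4444); the addresses, the chrome
# and svchost rows and their offsets are invented. With a real image:
#   net_outliers "$(python2 vol.py -f "$IMG" --profile=Win10x64_15063 netscan)"

NETSCAN='Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x000000007d1a2010 TCPv4    10.0.2.15:49716                93.184.216.34:443    ESTABLISHED      4120     chrome.exe     2018-01-10 14:02:11 UTC+0000
0x000000007d1b3010 TCPv4    10.0.2.15:49720                104.16.0.1:80        ESTABLISHED      4120     chrome.exe     2018-01-10 14:02:13 UTC+0000
0x000000007d1c4010 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        812      svchost.exe    2018-01-10 13:55:02 UTC+0000
0x000000007d1d5010 TCPv4    10.0.2.15:49731                10.0.2.4:4444        ESTABLISHED      9316     powershell.exe 2018-01-10 14:03:40 UTC+0000
0x000000007d1e6010 TCPv4    10.0.2.15:49733                52.1.2.3:443         ESTABLISHED      2888     svchost.exe    2018-01-10 14:03:45 UTC+0000
0x000000007d1f7010 UDPv4    0.0.0.0:5355                   *:*                                   812      svchost.exe    2018-01-10 13:55:03 UTC+0000'

# netscan columns on TCP rows: $2 proto, $3 local, $4 foreign, $5 state, $6 pid, $7 owner.
# UDP rows have an empty State column, which shifts the fields, so only rows
# whose $5 is ESTABLISHED are considered. Matching on the foreign port rather
# than grepping for "80" avoids false drops on offsets, PIDs and local ports.
net_outliers() {
    printf '%s\n' "$1" | awk -v browsers="chrome.exe firefox.exe iexplore.exe microsoftedge.exe" '
        BEGIN { n = split(browsers, b, " "); for (i = 1; i <= n; i++) isb[b[i]] = 1 }
        $2 ~ /^TCP/ && $5 == "ESTABLISHED" {
            m = split($4, r, ":"); port = r[m]       # last field, so IPv6 addresses work too
            owner = tolower($7)
            if (port != "80" && port != "443")
                printf "PID %s %s -> %s (non-web port %s)\n", $6, $7, $4, port
            else if (!(owner in isb))
                printf "PID %s %s -> %s (web port %s but not a browser)\n", $6, $7, $4, port
        }'
}

net_outliers "$NETSCAN"
```

The second rule is noisy by design: svchost.exe on 443 is also what Windows Update and BITS look like, so it is a triage hint to be read next to the process lineage, not a finding on its own. Adjust the browser list to what is normal in the environment.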

After the network review, look for code injection with malfind and for process hollowing with hollowfind.

Extract process

  • Dump the suspicious process binaries to disk, together with the memory associated with them.

  • So far three PIDs have got our attention: 2888 - svchost.exe; 3456 - lsaiso.exe; 9316 - powershell.exe

procdump -p 2888 --dump-dir=./

  • This will dump the process binary of PID 2888 into the current directory.

  • Run file against the dump and you will see it is a PE32 executable.

  • Take the dumps into reverse-engineering tools for further analysis (and hash them so the sample can be looked up or shared).

memdump -p 2888 --dump-dir=./

  • This dumps the memory the process has mapped (every page in its address space), not just its executable image.

  • file may still report a PE32 executable if the first page written carries an MZ header, but unlike the procdump output this is not a reconstructed binary, and it will be much larger because it contains all of the memory associated with the process.

Others

Extract passwords and hashes :

hashdump (local account NTLM hashes from the in-memory SAM hive) and lsadump (LSA secrets such as cached service-account and autologon credentials)

Vol3 alternatives for procdump and memdump (windows.pslist --dump writes the process executable, windows.memmap --dump writes its memory):

./vol.py -f memdump_Win10x64_15063.mem windows.pslist --pid=2888 --dump

./vol.py -f memdump_Win10x64_15063.mem windows.memmap --pid=2888 --dump
