BTLO : Memory Analysis – Ransomware

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!

Download and unzip the folder to find a memory file. Use the volatility tool to analyze the file.

What is the name of the suspicious process?

Use the psscan plugin to find suspicious processes.

At the bottom of the list we are able to see some very suspicious processes.

What is the parent process ID for the suspicious process?

We get to view the PPID for the @wannaDecryptor process.

What is the initial malicious executable that created this process?

We can trace back the PPID to find the creator.

If you drill down on the suspicious PID ( -f infected.vmem –profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files

Find the path where the malicious file was first executed

Use the cmd plugin to find the path.

Can you identify what ransomware it is? (Do your research!)


What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

Use the filescan plugin to view files and grep for a eky file.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: