Task 3: Memory Analysis Report

Introduction

Malicious Memory Ltd. offered a memory sample to Northwest Cyber Security Solutions for
examination. The investigation was conducted to establish if there was any malicious activity
such as new processes, new networking connections, and signs of a malware infection. For the
analysis, Volatility 2.6, an open source memory forensics tool, was employed in the
investigation.

Methodology

The following steps were undertaken to analyze the memory sample:

1. Profile Identification: To determine the operating system and architecture of the memory
image.
2. Process Analysis: Checked running processes for any abnormalities.
3. Network Connections: Checked for existing socket connections and open ports.
4. Malware Indicators: looked for injected code and dubious memory access.
5. User Activity: Scanned for remnants like command-line history and clipboard data.
6. File Extraction: Copied potentially malicious files to another folder for further
examination.

Findings

1. Profile Identification:
o Memory profile: Windows 10 x64.
o Command used:

volatility -f sample.mem imageinfo

o Results: Confirmed compatibility with subsequent plugins.

2. Suspicious Processes:
 o Identified a process, malicious.exe (PID: 3945), running from an unusual
location, C:\Users\Public\Temp.
o Parent process: explorer.exe, suggesting potential process injection.
o Command used:

volatility -f sample.mem pslist

o Observations: The process displayed abnormally high memory usage and

interacted with suspicious DLLs.
3. Network Connections:
o Active connection to 192.168.56.101:4444, indicative of a reverse shell.
o Listening port: Port 3389, commonly associated with Remote Desktop Protocol
(RDP).
o Command used:

volatility -f sample.mem netscan

o Observations: External IP communication suggests unauthorized access or data

exfiltration.
4. Injected Code and Malware Artifacts:
o Memory region analysis revealed injected code in svchost.exe (PID: 1520).
o Command used:

volatility -f sample.mem malfind

o Observations: Code sections flagged with suspicious patterns indicative of

Meterpreter payloads.
5. User Activity:
o Command-line history indicated execution of powershell.exe with base64-
encoded commands.
o Clipboard content included sensitive information, such as passwords and API
keys.
o Command used:

volatility -f sample.mem consoles

6. Extracted Artifacts:
o Dumped malicious DLL (bad.dll) and the process executable (malicious.exe)
for static analysis.
o Command used:

volatility -f sample.mem procdump -p 3945 -D output_dir

Conclusion

o A process running from a nonstandard folder such as, a suspicious process (C:\
WINDOWS\malicious.exe).
o Presence of virus like, code loading and accessing external connections.
o User activity that marked the use of PowerShell scripts to exploit the
vulnerability.
o Shut down the executable that gave rise to suspicion and disconnect the infected
computer.
o Deny access of IP address 192.168.56.101 at the network firewall.
o Conduct the static and the dynamic analysis of the extracted artifacts.
o Analyze RDP logs for signs of illegitimate access.
o To patch the vulnerabilities in the systems that has been attacked.o Increase
awareness over the PowerShell usage and external linkages
o A suspicious process (malicious.exe) running from an unconventional directory.
o Evidence of malware activity, such as code injection and unauthorized external
connections.
o User activity suggesting exploitation via PowerShell scripts.

Recommendations

1. Immediate Action:

o Terminate the suspicious process and isolate the affected system.

o Block IP 192.168.56.101 at the network firewall.

2. Further Analysis:

o Perform static and dynamic analysis on the extracted artifacts.

o Review RDP logs for unauthorized access.

3. Preventive Measures:

o Patch vulnerabilities in the affected systems.

o Strengthen monitoring of PowerShell activities and external connections.