Using Physical Memory Images to Quickly ID Suspicious Files
Begin Blog: 1:44pm EST, Shutting down Windows 7 Professional Edition
Step with me into Bizarro World for a moment, because we are going to pretend that for some reason you have a physical memory image from a system. Someone wants you to identify whether there is anything fishy going on with it and what it is. On top of that, you have to find it before a laptop reboots. It is best not to ask questions, so let's roll.
We are going to say that we already have our physical memory image. Someone captured it and now for some reason you are in a hurry to beat Windows.
I am going to throw this puppy into Redline with the default settings and IOCs. You want to click 'From a Saved Memory File' in the Analyze Data section. Why Redline? I think it is particularly good at quick looks at memory images, as we will discover.
Once this gets loaded in, Redline lights things up with a bunch of redlined program icons, so we will start there. This is, as I said, part of why I picked this program at this moment.
I have hidden a few columns here – depending on what you like to use for detection (we are big on PIDs, parents, locations and permissions) you can decide what you really want to see in the viewer. Notice anything interesting about the one I have highlighted? Like the lack of a parent? Flag that!
Now you can keep buzzing through here – at least check out all of those redlined processes and see if anything else looks out of place. Like I said, out-of-order PIDs, strange parent or no parent, strange user or no user, system-level locations; all interesting things to note. But back to our tagged one – runsvc32.exe. Where are you?
The answer, of course, is C:\WINDOWS\system32. If you had a second flag field I would tell you to flag that puppy, too.
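Here is the same set of checks (no parent, out-of-order PID, no user, system-level location) applied to a constructed process listing of the kind a pslist-style memory tool produces. This is an added example, not code from the post or from Redline; the process rows, the `EXPECTED_ORPHANS` allowlist and the two-hit threshold are my assumptions.

```python
"""Quick triage of a process listing pulled from a memory image."""

# Parents that are normally gone by the time memory is captured (userinit.exe
# exits after starting explorer.exe; System has no real parent), so an orphan
# with one of these names is expected rather than suspicious. Assumed allowlist.
EXPECTED_ORPHANS = {"system", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample listing (hypothetical values, not taken from any real image).
SAMPLE_PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": "",                                   "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 392,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe",     "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 640,  "ppid": 392,  "name": "csrss.exe",    "path": r"C:\Windows\System32\csrss.exe",    "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 1836, "ppid": 1500, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",          "user": "WORKSTATION\\kerstyn"},
    {"pid": 2200, "ppid": 1836, "name": "notepad.exe",  "path": r"C:\Windows\System32\notepad.exe",  "user": "WORKSTATION\\kerstyn"},
    {"pid": 3016, "ppid": 2712, "name": "runsvc32.exe", "path": r"C:\WINDOWS\system32\runsvc32.exe", "user": ""},
    {"pid": 1204, "ppid": 3016, "name": "cmd.exe",      "path": r"C:\Windows\System32\cmd.exe",      "user": "WORKSTATION\\kerstyn"},
]


def triage(processes, threshold=2):
    """Return {pid: [reasons]} for processes that trip at least `threshold` checks.

    Any one check alone is common on a clean box (half of Windows lives in
    system32), so only combinations of hits are reported for review.
    """
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        reasons = []
        parent = by_pid.get(p["ppid"])
        if parent is None and p["name"].lower() not in EXPECTED_ORPHANS:
            reasons.append("no parent (PPID %d is not in the listing)" % p["ppid"])
        # PIDs are handed out roughly in order, so a child with a lower PID than
        # its parent is worth a look (PID reuse on a long-running box is benign).
        if parent is not None and p["pid"] < parent["pid"]:
            reasons.append("PID %d is lower than parent PID %d" % (p["pid"], parent["pid"]))
        if not p["user"]:
            reasons.append("no owning user recorded")
        if p["path"].lower().startswith(SYSTEM_DIRS):
            reasons.append("located under a system directory")
        if len(reasons) >= threshold:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    names = {p["pid"]: p["name"] for p in SAMPLE_PROCESSES}
    for pid, reasons in sorted(triage(SAMPLE_PROCESSES).items()):
        print("%5d %-14s %s" % (pid, names[pid], "; ".join(reasons)))
```

On the sample data, runsvc32.exe trips three checks and the cmd.exe it spawned trips two, while the legitimate system32 binaries and the expected orphans stay quiet.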
From here I would normally tell you to go pull that file from your drive or image, but we are in a time crunch and remember this is Bizarro World and you cannot do things normally. What you can do with a handy-dandy built-in feature is search for it. Maybe someone else has seen this little critter in the wild.
Hmm…no, I did not mean nvsvc32.exe. But hey, check out your results. Hot dog, Sophos has something for you.
These are just examples – ideally you want YOUR file’s hash, but again – Bizarro World. There are some HTTP requests to a runsvc32.exe here, but no file analyses for it. Is this bad or not? (OK, the HTTP requests alone are fishy, plus the large amount of Google hits. But wait, there is more!)
Rats. Nothing coming from VirusTotal but how about Malwr?
There we go! No, that does not look good. It is not definitive either, but with 10 pages of activity in the behavioral analysis, a note that something on VirusTotal has flagged it as malicious and the fact that it is sitting in system32 with no parent process and all of the search results, I think this is the point where you can safely say that needs to be investigated.
Now, obviously this is NOT as effective as pulling off your file and checking it yourself. However, in our imaginary scenario where you for some reason have a memory image and nothing else to go on, you just found some pretty compelling (although circumstantial) evidence that something fishy is going on here. How did we do on time…?
Windows: 1:45pm – 2:00pm = 15 minutes
Quick and dirty malware ID: 1:45pm – 1:59pm = 14 minutes
Kerstyn wins by a hair! Maybe a little, tiny hair from a small rabbit, but a win nonetheless.
Bonus round: If you have another minute or two (waiting on a user to log in? Programs to start?), check out dat hash. Other security sites may have something on the hash value, which you can locate with a Google search.