WEBVTT

1
00:00.740 --> 00:02.980
Hello and welcome back.

2
00:02.990 --> 00:14.660
In this video, we are going to use x32dbg to debug the program, the malware, and we are going to analyze it

3
00:14.660 --> 00:19.010
to look for the evidence of unpacking.

4
00:19.010 --> 00:24.590
And then after that, we will use Process Hacker to try to dump the memory.

5
00:25.280 --> 00:36.530
So let's begin. Since we saw in PEStudio that it is a 32-bit program, we use the 32-bit version of x32dbg.

6
00:49.380 --> 00:58.440
Then set the Options > Preferences. Uncheck System Breakpoint and uncheck DLL Callbacks, and

7
00:58.500 --> 01:02.040
just leave the Entry Breakpoint. Click Save.

8
01:04.080 --> 01:06.780
We then open the malware.

9
01:12.450 --> 01:14.130
Select All Files.

10
01:19.620 --> 01:22.710
And you will see that it has hit the entry point.

11
01:25.060 --> 01:28.830
Now we put a breakpoint on VirtualAlloc: BP

12
01:29.920 --> 01:38.230
VirtualAlloc. Press Enter and confirm that the breakpoint has been set.

13
01:38.770 --> 01:41.800
Double-check here under the Breakpoints tab.

14
01:42.310 --> 01:43.060
VirtualAlloc.

15
01:44.770 --> 01:46.780
Now we will run.

16
01:49.700 --> 01:51.650
And then it hit our breakpoint.

17
01:52.660 --> 01:54.280
So we will continue to step.

18
01:56.770 --> 01:58.240
It will jump to VirtualAlloc.

19
02:01.380 --> 02:09.270
And now it is going to push the parameters to the stack in preparation to execute VirtualAlloc.

20
02:11.050 --> 02:18.790
Now it is going to call VirtualAlloc and return the allocation of memory in the EAX register.

21
02:19.480 --> 02:20.440
Step over,

22
02:20.860 --> 02:24.220
and this is the memory that has been allocated.

23
02:25.150 --> 02:29.080
So we right-click on this and Follow in Dump.

24
02:32.010 --> 02:35.280
And you can see here it is currently blank.

25
02:36.030 --> 02:41.280
And we want to see what the permissions are, so we can right-click and Follow in Memory Map.

26
02:43.440 --> 02:46.410
So currently it is Readable and Writable.

27
02:49.330 --> 02:57.280
Next, we will run again to see if we hit VirtualAlloc the second time.

28
02:58.900 --> 03:02.680
And it has hit VirtualAlloc a second time.

29
03:03.850 --> 03:05.740
Now we will step over again.

30
03:05.800 --> 03:12.520
As before, it will jump again to VirtualAlloc.

31
03:13.390 --> 03:16.630
And now it's going to push the parameters to the stack,

32
03:17.110 --> 03:20.800
and it is going to call VirtualAlloc a second time.

33
03:21.100 --> 03:25.000
So we will keep an eye on EAX. Step over,

34
03:25.540 --> 03:28.960
and this is the second allocation of memory.

35
03:29.710 --> 03:31.840
So now we will right-click this

36
03:33.460 --> 03:36.760
and Follow in Dump, Dump 2.

37
03:38.870 --> 03:40.460
And we come down here to Dump

38
03:40.460 --> 03:48.770
Number 2. This is the second location in memory which has been allocated for unpacking.

39
03:49.160 --> 03:56.330
If we go back to the earlier memory that was allocated, you see that the malware has unpacked something

40
03:56.330 --> 03:56.750
there.

41
03:58.890 --> 04:00.960
Now the second one is over here.

42
04:01.860 --> 04:04.200
So let us run and see what happens to this.

43
04:04.200 --> 04:10.770
But before that, let us go to the Memory Map and see what permissions have been set.

44
04:10.950 --> 04:16.020
So you right-click on this memory, Follow in Memory Map.

45
04:17.310 --> 04:29.070
And this time, this new allocation is set to ERW, meaning Executable, Readable, and Writable.

46
04:30.770 --> 04:34.040
So now let us run and see what happens down here.

47
04:38.410 --> 04:42.820
As you can see, it has unpacked itself into memory.

48
04:43.120 --> 04:51.950
And if you take a look here, this is the magic byte for a PE header. And for double confirmation,

49
04:51.970 --> 04:53.680
we can see the string:

50
04:53.800 --> 04:57.490
"This program cannot be run in DOS mode."

51
04:58.390 --> 05:03.490
So this is confirmation that it has unpacked the executable,

52
05:03.620 --> 05:07.570
another executable, inside this memory location.

53
05:08.140 --> 05:10.840
So now we can try to dump this memory.

54
05:11.440 --> 05:15.130
So for that, we will use Process Hacker.

55
05:16.780 --> 05:25.810
So we now open our Utilities, open Process Hacker.

56
05:35.210 --> 05:39.500
And scroll down to look for the ransomware. Over here.

57
05:40.220 --> 05:44.060
Double-click on it and take a look at its memory.

58
05:45.380 --> 05:46.670
Let's expand this.

59
05:47.770 --> 05:51.020
Now we want to go to this memory location:

60
05:51.590 --> 05:54.830
0x36, followed by four zeros.

61
06:03.030 --> 06:05.880
So if we scroll down, we can see over here,

62
06:07.710 --> 06:08.150
Read,

63
06:08.190 --> 06:08.640
Write,

64
06:08.640 --> 06:09.420
Executable.

65
06:10.240 --> 06:19.330
So if we double-click on this, we can confirm that indeed there is a PE header over there, and we can

66
06:19.330 --> 06:23.590
compare it with what we saw in our x32dbg.

67
06:25.570 --> 06:27.940
The PE header and this address.

68
06:28.270 --> 06:30.110
So now we can dump this.

69
06:30.130 --> 06:38.050
So click on Save, and you can dump it in our folder over here.

70
06:38.050 --> 06:40.630
We can call it

71
06:43.510 --> 06:47.180
ransomware_dump.

72
06:51.640 --> 06:52.540
Click Save.

73
06:54.270 --> 07:03.900
So we have now successfully unpacked the EXE executable that was found in memory.

74
07:04.200 --> 07:14.040
So in the next video, I will show you how to open the file for analysis using Ghidra.

75
07:14.940 --> 07:16.230
Thank you for watching.