Volatility analysis of a Windows RAM dump: netscan and pslist

cocopsd 0 Reputation points
2023-01-19T18:25:09.5866667+00:00

Hi,

I am writing to you today because I would like to do a RAM analysis of a Windows machine via Volatility from Linux. Knowing that the system the dump was taken from was infected, I am looking for the anomaly in the RAM memory with Volatility.

So I took several actions.

First, analysis of the image via 'imageinfo' to retrieve the analysis profile. Then I ran pslist and pstree to check the running processes.

[screenshot: pstree output]

But nothing is very suspicious in my opinion. Or just maybe skype.exe with pid 3064.

I looked at the network connections with the netscan command.

[screenshot: netscan output]

I see here that the skype.exe file has the status 'closed' and that it only points to local ip addresses.

With the cmdline and cmdscan commands, I see that the skype.exe file has been installed by the user and launches conhost.exe, but is this normal or not?

**dlllist**

[screenshot: dlllist output]

The malfind command gives me just the "explorer.exe" process and "svchost".

I am a beginner in the field and would like to understand, and to know what to be wary of, knowing that here I know the PC has been infected. The malfind

I thank you in advance for your attention and your more than precious feedback.


1 answer

  1. Limitless Technology 43,931 Reputation points
    2023-01-20T16:22:44.78+00:00

    Hello there,

    You can detect fileless malware with RAM analysis. Memory-resident malware, also known as fileless malware, is a type of malicious software that writes itself directly onto a computer’s system memory.

    To perform this, the steps below are mandatory:

    Have the memory dump to perform analysis on.

    Have Kali Linux operating system.

    Have a volatility forensic framework installed.

    Have knowledge on digital forensic analysis.

    Have python installed.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–
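The question above walks through pslist, netscan and cmdline output by hand and asks what counts as suspicious; the answer only lists prerequisites. As an added example (not code from either poster or from the Volatility project), the script below applies three standard triage checks to Volatility 2 style text output: processes that psscan carves from physical memory but pslist's linked-list walk does not show, processes whose parent is not the one Windows normally gives them (conhost.exe is normally created by csrss.exe, which is exactly the question's skype.exe -> conhost.exe doubt), and sockets whose peer is a globally routable address rather than a LAN or wildcard one. All sample output is constructed; the process names, PIDs and addresses are not from the questioner's dump.

```python
import ipaddress
import re
# Constructed sample output in Volatility 2 column layout (not from a real dump).
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa8000e3a060 csrss.exe               368    360      9      500      1      0 2023-01-19 12:00:02 UTC+0000
0xfffffa80018e6060 explorer.exe           1404   1380     34      900      1      0 2023-01-19 12:01:00 UTC+0000
0xfffffa8001a1f060 skype.exe              3064   1404     12      300      1      1 2023-01-19 12:05:00 UTC+0000
0xfffffa8001a7c060 conhost.exe            3112   3064      2       50      1      0 2023-01-19 12:05:01 UTC+0000
"""
# psscan carves _EPROCESS blocks from physical memory, so it also finds an unlinked process (constructed).
PSSCAN = PSLIST + "0xfffffa8001b22060 update.exe             2316   3064      3       80      1      1 2023-01-19 12:05:30 UTC+0000\n"
NETSCAN = """\
Offset(P)          Proto    Local Address         Foreign Address      State            Pid      Owner
0x3e0a2a50         TCPv4    192.168.1.10:49672    192.168.1.1:445      CLOSED           3064     skype.exe
0x3e1b4c80         TCPv4    192.168.1.10:49700    8.8.8.8:443          ESTABLISHED      2316     update.exe
0x3e2c5d90         UDPv4    0.0.0.0:5355          *:*                                   1088     svchost.exe
"""
PROC_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)", re.M)
NET_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(TCP\w*|UDP\w*)\s+(\S+)\s+(\S+)\s+([A-Z_]+)?\s*(\d+)\s+(\S+)", re.M)
# Parents these processes normally have on Windows; anything else deserves a closer look.
EXPECTED_PARENT = {"conhost.exe": "csrss.exe", "svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}
def parse_processes(text):
    """Map PID -> (name, PPID) from pslist or psscan output."""
    return {int(pid): (name, int(ppid)) for name, pid, ppid in PROC_RE.findall(text)}
def hidden_processes(pslist_text, psscan_text):
    """PIDs carved by psscan but missing from the linked list pslist walks (DKOM-style hiding)."""
    listed, scanned = parse_processes(pslist_text), parse_processes(psscan_text)
    return {pid: name for pid, (name, _) in scanned.items() if pid not in listed}
def unexpected_parents(pslist_text):
    """(pid, name, actual parent name) for processes whose parent is not the expected one."""
    procs = parse_processes(pslist_text)
    hits = []
    for pid, (name, ppid) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        parent = procs.get(ppid, ("<not in list>", 0))[0]
        if expected and parent.lower() != expected:
            hits.append((pid, name, parent))
    return hits
def external_connections(netscan_text):
    """(pid, owner, foreign address, state) for sockets whose peer is a globally routable IP."""
    hits = []
    for _proto, _local, foreign, state, pid, owner in NET_RE.findall(netscan_text):
        host = foreign.rsplit(":", 1)[0].strip("[]")
        if host in ("*", ""):  # wildcard peer on a UDP/listening socket
            continue
        if ipaddress.ip_address(host).is_global:  # excludes RFC 1918, loopback, link-local, 0.0.0.0
            hits.append((int(pid), owner, foreign, state or "-"))
    return hits
```

Run the real plugins with output redirected to files (e.g. `vol.py -f dump.raw --profile=<profile> pslist > pslist.txt`) and pass their contents to these functions; the regexes only rely on the leading offset, name, PID and PPID columns, so extra columns do not matter.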
