Notes:
While analyzing this particular ransomware we see indicators of it being packed by UPX, however, upon closer inspection the .UPX sections of the PE are false indicators which leads us to generically unpack the file using memory breakpoints on VirtualProtect and VirtualAlloc. These allow us to see most generic memory operations and inspect the resulting memory space. We can also utilize hardware breakpoints on these memory locations to pinpoint key deobfuscation routines which often lead to unpacked files or position independent shellcode.
Email
YouTube
Twitter
Reddit