Generically Unpacking Ransomware With Memory Breakpoints

Today we look at how to generically unpack ransomware using memory and hardware breakpoints on specific WinAPI functions and on key memory locations.

WARNING:
USE OF INFORMATION IN THIS REPORT FOR ANY ACTION AGAINST A MACHINE WITHOUT THE OWNER'S CONSENT MAY VIOLATE THE LAW.

Notes:

While analyzing this particular ransomware we see indicators of it being packed by UPX; however, on closer inspection the .UPX sections of the PE are false indicators, which leads us to unpack the file generically using memory breakpoints on VirtualProtect and VirtualAlloc. These breakpoints let us observe most generic memory operations and inspect the resulting memory regions. We can also place hardware breakpoints on those memory locations to pinpoint key deobfuscation routines, which often lead to unpacked files or position-independent shellcode.
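As an added example (not code from the original post), the following Python script covers the two triage checks the notes describe: deciding whether UPX section names are backed by a genuine UPX layout, and scanning a memory region dumped after a VirtualAlloc/VirtualProtect breakpoint for an unpacked PE image. The PE images and the "dumped region" are constructed inline; the breakpoint-driven dump itself happens in the debugger and is not shown. The placement of the "UPX!" packheader marker right after the section table, and the search window used for it, are assumptions of this script.

```python
"""Generic-unpacking triage helpers: genuine-vs-fake UPX layout and PE carving
from a dumped region. All sample data below is constructed, not from a real sample."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER is 40 bytes
PAGE_EXECUTE_MASK = 0xF0      # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY


def build_pe(sections, upx_marker=False, e_lfanew=0x80):
    """Construct a minimal PE image (constructed test data).
    sections: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> NT headers
    opt_size = 0xE0                                        # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    image = dos + b"PE\0\0" + file_hdr + bytes(opt_size)   # optional header left zeroed
    for name, vsize, va, rsize, rptr, chars in sections:
        image += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                             vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    if upx_marker:
        image += b"UPX!" + bytes(28)                       # assumed packheader placement
    return bytes(image) + bytes(0x100)


def _nt_offsets(data):
    """Return (e_lfanew, number_of_sections, section_table_offset) or raise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # FILE_HEADER.SizeOfOptionalHeader
    return e_lfanew, nsec, e_lfanew + 24 + opt_size


def parse_sections(data):
    """Parse the section table into dicts (name, vsize, va, rsize, rptr, chars)."""
    _, nsec, table = _nt_offsets(data)
    out = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "va": va, "rsize": rsize, "rptr": rptr, "chars": chars})
    return out


def executable_sections(data):
    """Names of sections mapped executable (where unpacked code usually lands)."""
    return [s["name"] for s in parse_sections(data) if s["chars"] & IMAGE_SCN_MEM_EXECUTE]


def upx_assessment(data):
    """Genuine UPX: UPX0/UPX1 names, first section has SizeOfRawData == 0 (it only
    exists in memory as the unpack destination), and a 'UPX!' packheader marker
    after the section table. Names alone are a weak indicator, as the notes say."""
    _, nsec, table = _nt_offsets(data)
    secs = parse_sections(data)
    upx_names = any(s["name"].startswith("UPX") for s in secs)
    first_raw_zero = bool(secs) and secs[0]["rsize"] == 0
    hdr_end = table + 40 * nsec
    marker = b"UPX!" in data[hdr_end:hdr_end + 0x400]   # assumed search window
    if upx_names and first_raw_zero and marker:
        verdict = "genuine UPX"
    elif upx_names:
        verdict = "UPX names only (likely fake / custom packer)"
    else:
        verdict = "no UPX indicators"
    return {"upx_names": upx_names, "first_raw_zero": first_raw_zero,
            "upx_marker": marker, "verdict": verdict}


def protect_is_executable(new_protect):
    """Filter for a VirtualProtect breakpoint: only transitions to an executable
    page protection are interesting for locating unpacked code or shellcode."""
    return bool(new_protect & PAGE_EXECUTE_MASK)


def find_embedded_pe(region):
    """Offsets in a dumped region where 'MZ' has an e_lfanew that lands on 'PE\\0\\0'."""
    hits, pos = [], region.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(region):
            e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and region[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = region.find(b"MZ", pos + 1)
    return hits


# Constructed samples: a genuine-looking UPX layout and a file that only borrows the names.
GENUINE = build_pe([("UPX0", 0x20000, 0x1000, 0, 0x400, 0xE0000080),
                    ("UPX1", 0x9000, 0x21000, 0x8800, 0x400, 0xE0000040),
                    (".rsrc", 0x1000, 0x2A000, 0x400, 0x8C00, 0xC0000040)], upx_marker=True)
FAKE = build_pe([("UPX0", 0x5000, 0x1000, 0x4600, 0x400, 0x60000020),
                 ("UPX1", 0x3000, 0x6000, 0x2A00, 0x4A00, 0xC0000040)])
# Constructed "dumped region": filler, a false MZ hit, then the image the unpacker wrote.
REGION = b"\x90" * 0x300 + b"MZ-not-a-header" + bytes(0x50) + FAKE + bytes(0x100)

if __name__ == "__main__":
    print("genuine:", upx_assessment(GENUINE)["verdict"])
    print("fake:   ", upx_assessment(FAKE)["verdict"], executable_sections(FAKE))
    print("PE images in dumped region at:", [hex(o) for o in find_embedded_pe(REGION)])
```

In practice the region passed to find_embedded_pe is what you dump from the debugger when the VirtualAlloc/VirtualProtect breakpoint fires and protect_is_executable reports an executable transition; the false MZ hit in the constructed region shows why the e_lfanew check matters before treating an "MZ" as a carved image.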