Generically Unpacking Ransomware With Memory Breakpoints

Tags: malware analysis, ransomware
Today we look at how to generically unpack ransomware utilizing memory and hardware breakpoints on specific WinAPI functions as well as key memory locations.
Filename: None
MD5: None
Sample: None
Video:

Notes:

While analyzing this particular ransomware we see indicators that it is packed with UPX. On closer inspection, however, the .UPX section names in the PE are false indicators: the file does not have the layout a real UPX-packed binary has (an empty UPX0 section that the stub fills at runtime, the entry point inside the UPX1 stub, the "UPX!" magic in the header area), which a quick `upx -d` attempt would also show. So we fall back to unpacking it generically in a debugger. We set breakpoints on VirtualAlloc and VirtualProtect, which most unpacking stubs must call to obtain writable memory and later make it executable, and after each call inspect the returned region (or the region whose protection just changed). Memory breakpoints on those regions catch the first write to or execution of the new code, and hardware breakpoints on key addresses within them pinpoint the deobfuscation routines, which usually lead to an unpacked PE image or position-independent shellcode that can be dumped. If the stub calls the ntdll exports NtAllocateVirtualMemory and NtProtectVirtualMemory directly, break on those instead, since the kernel32 wrappers are never reached.
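The two checks an analyst makes around this workflow, as an added example that is not code from the post or the sample: first, whether a PE really carries UPX structure or only borrows UPX-looking section names, and second, what a region dumped after a VirtualAlloc/VirtualProtect breakpoint turned out to contain (a PE image or position-independent shellcode). It uses only the standard library; the PE images and the dumped bytes are constructed inline for the demonstration and do not come from the ransomware discussed above.

```python
# Added example: not code from the post. Two checks around the generic-unpacking
# workflow, written against the PE format with plain struct parsing.
#   upx_assessment(): genuine UPX layout vs. a file that merely uses UPX-like names
#   classify_region(): triage of bytes dumped from a region that just became executable
# The sample PEs built by build_pe() and the shellcode bytes are constructed for the demo.
import struct

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ file image."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]    # NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]       # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]           # AddressOfEntryPoint
    sections, off = [], opt + size_opt
    for _ in range(num_sections):
        name, vsize, rva, rsize, _rptr, _rel, _lin, _nrel, _nlin, flags = \
            struct.unpack_from(SECTION_FMT, pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rva": rva, "rsize": rsize, "flags": flags})
        off += 40
    return entry, sections


def upx_assessment(pe):
    """Genuine UPX: UPX0 has no raw data but a large virtual size (the unpack target),
    the entry point lies in UPX1 (the decompression stub), both are writable+executable,
    and the 'UPX!' magic (l_info.l_magic) is present. Names alone prove nothing."""
    entry, sections = parse_sections(pe)
    by_name = {s["name"]: s for s in sections}
    upx_named = [s["name"] for s in sections if s["name"].upper().lstrip(".").startswith("UPX")]
    upx0, upx1 = by_name.get("UPX0"), by_name.get("UPX1")
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    checks = {
        "magic": b"UPX!" in pe,
        "upx0_empty_on_disk": bool(upx0) and upx0["rsize"] == 0 and upx0["vsize"] > 0,
        "entry_in_upx1": bool(upx1) and upx1["rva"] <= entry < upx1["rva"] + upx1["vsize"],
        "stub_sections_rwx": bool(upx0 and upx1) and all((s["flags"] & rwx) == rwx for s in (upx0, upx1)),
    }
    if all(checks.values()):
        verdict = "upx"
    elif upx_named:
        verdict = "spoofed-upx"   # names say UPX, structure does not: unpack generically
    else:
        verdict = "not-upx"
    return verdict, checks


def classify_region(data):
    """Rough triage of a memory dump taken after the region was made executable."""
    if data[:2] == b"MZ" and len(data) > 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe-image"
    # Position-independent-code idioms near the start: call $+5 (get-PC),
    # PEB access via fs:[0x30] (x86) or gs:[0x60] (x64).
    pic_idioms = (b"\xe8\x00\x00\x00\x00",
                  b"\x64\xa1\x30\x00\x00\x00",
                  b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00")
    if any(idiom in data[:64] for idiom in pic_idioms):
        return "shellcode"
    return "unknown"


def build_pe(sections, entry_rva, magic=b""):
    """Construct a minimal PE32 file image with the given section headers (demo only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    hdrs = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, rva, rsize, rptr, 0, 0, 0, 0, flags)
                    for name, vsize, rva, rsize, rptr, flags in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs + magic + b"\0" * 0x100


RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000
# Constructed: the layout UPX itself produces.
REAL_UPX = build_pe([(b"UPX0", 0x20000, 0x1000, 0, 0x400, RWX),
                     (b"UPX1", 0x8000, 0x21000, 0x7C00, 0x400, RWX),
                     (b".rsrc", 0x1000, 0x29000, 0x600, 0x8000, 0x40000040)],
                    entry_rva=0x28A00, magic=b"UPX!")
# Constructed decoy: UPX-style names, but every section has raw data, the entry
# point is in the first section and there is no 'UPX!' magic.
FAKE_UPX = build_pe([(b".UPX0", 0x9000, 0x1000, 0x9000, 0x400, 0x60000020),
                     (b".UPX1", 0x3000, 0xA000, 0x3000, 0x9400, 0xC0000040)],
                    entry_rva=0x1500)
# Constructed dump: cld; call $+5; pop ebx; nop sled (classic get-PC prologue).
SHELLCODE_DUMP = b"\xfc\xe8\x00\x00\x00\x00\x5b" + b"\x90" * 32

if __name__ == "__main__":
    for label, img in (("real", REAL_UPX), ("decoy", FAKE_UPX)):
        print(label, upx_assessment(img))
    print("dump:", classify_region(SHELLCODE_DUMP), classify_region(REAL_UPX))
```

The decoy reports `spoofed-upx` with every structural check false, which is the cue to stop trusting the section names and move to the debugger; on a real dump, `pe-image` means fixing up the headers and imports, while `shellcode` means the region is position-independent code to be analyzed as-is.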