Memory Forensics: Volatility 3 Analysis of WannaCry Ransomware

Date: 2026-02-18

Author: Enes Arda Baydaş

Category: Malware Analysis / Digital Forensics

Lab Source: TryHackMe (Room: Remnux VM)


1. Summary

Incident Summary: This report details the forensic analysis of a compromised Windows memory image, wcry.mem. The objective was to identify the presence of the WannaCry ransomware, map its execution flow, and extract Indicators of Compromise (IOCs) without interacting with the live malware.

Business Impact: The malware spreads by exploiting EternalBlue (MS17-010). If not addressed, it poses a critical risk to business continuity because it rapidly encrypts filesystem assets. Quickly finding the malware's execution path allows immediate containment. It also supports breach-reporting obligations such as the KVKK notification deadline in Türkiye.


2. The Investigation

Trigger: A memory image was taken from a suspicious endpoint showing ransomware behavior.

Phase 1: Triage & Bulk Extraction

To simplify the analysis, a Bash loop ran several Volatility 3 plugins at once. This method speeds up data collection from process lists, network connections, and command lines.

Extraction Logic:

 
for plugin in windows.malfind.Malfind windows.psscan.PsScan windows.pstree.PsTree windows.pslist.PsList windows.cmdline.CmdLine windows.filescan.FileScan windows.dlllist.DllList; do vol3 -q -f wcry.mem $plugin > wcry.$plugin.txt; done
 

Phase 2: Code Injection Analysis (Process Hollowing)

Methodology: The windows.malfind plugin was used to scan for injected code. It reports memory regions whose Virtual Address Descriptor (VAD) entries carry PAGE_EXECUTE_READWRITE (RWX) protection and are not backed by a file on disk.

[Screenshot: windows.malfind.Malfind output for wcry.mem]

Observation:

  • Process: csrss.exe (PID 596) and winlogon.exe (PID 620).

  • Permissions: PAGE_EXECUTE_READWRITE is set. (The word "Enabled" visible in the screenshot belongs to the "File output" column, not to the protection flag.)

  • Hexdump: The output shows an MZ header or suspicious assembly instructions (e.g., mov, add) in the extracted memory.

Inference: Legitimate Windows processes such as csrss.exe and winlogon.exe normally have no RWX memory regions that are not backed by a file. This strongly suggests Process Hollowing (MITRE T1055.012): the malware unmaps the legitimate code of a trusted process and writes its own payload in its place, so the malicious code runs under a trusted process name and evades detection.
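The malfind review above (RWX region, not file-backed, MZ header in the hexdump) can be turned into a repeatable triage script. The following is an added example, not code from the original report or from the Volatility project: it parses the tab-separated text output of windows.malfind.Malfind, keeps only private (VadS-tagged) regions with PAGE_EXECUTE_READWRITE protection, and raises the severity when the region starts with a PE header. The embedded sample output is constructed to mirror the column layout; PIDs 596 and 620 follow the report, the other two rows are invented to show regions that should and should not be flagged. The same logic doubles as a first cut of the SIEM/EDR rule described in the remediation section.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample approximating the tab-separated text renderer output of
# `vol3 -f wcry.mem windows.malfind.Malfind`. NOT real rows from the lab image:
# PIDs 596/620 mirror the report, the explorer.exe/notepad.exe rows are invented.
SAMPLE_MALFIND = (
    "PID\tProcess\tStart VPN\tEnd VPN\tTag\tProtection\tCommitCharge\tPrivateMemory\tFile output\tHexdump\tDisasm\n"
    "596\tcsrss.exe\t0x7ff90000\t0x7ff9ffff\tVadS\tPAGE_EXECUTE_READWRITE\t16\t1\tDisabled\t\t\n"
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00\tMZ..............\n"
    "b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00\t........@.......\n"
    "620\twinlogon.exe\t0x7ff50000\t0x7ff50fff\tVadS\tPAGE_EXECUTE_READWRITE\t1\t1\tDisabled\t\t\n"
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00\tMZ..............\n"
    "1234\texplorer.exe\t0x02a00000\t0x02a00fff\tVadS\tPAGE_EXECUTE_READWRITE\t1\t1\tDisabled\t\t\n"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\t................\n"
    "2088\tnotepad.exe\t0x00400000\t0x0040afff\tVad\tPAGE_EXECUTE_WRITECOPY\t0\t0\tDisabled\t\t\n"
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00\tMZ..............\n"
)


@dataclass
class Region:
    pid: int
    process: str
    start: str
    tag: str
    protection: str
    hexdump: List[str] = field(default_factory=list)  # hex byte lines, ASCII column dropped


def parse_malfind(text: str) -> List[Region]:
    """Group malfind text output into one Region per reported VAD.

    A record line starts with a numeric PID; the lines that follow it (until the
    next record) are the hexdump/disassembly of that region.
    """
    regions: List[Region] = []
    current: Optional[Region] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("PID\t"):
            continue  # blank line or column header
        cols = line.split("\t")
        if cols[0].isdigit() and len(cols) >= 6:
            current = Region(int(cols[0]), cols[1], cols[2], cols[4], cols[5])
            regions.append(current)
        elif current is not None:
            current.hexdump.append(cols[0].strip())
    return regions


def first_bytes(region: Region) -> bytes:
    """Bytes at the start of the region, taken from the first hexdump line."""
    if not region.hexdump:
        return b""
    return bytes.fromhex(region.hexdump[0].replace(" ", ""))


def triage(regions: List[Region]) -> List[Dict]:
    """Flag RWX private regions; escalate when they begin with a PE (MZ) header."""
    findings: List[Dict] = []
    for r in regions:
        rwx = "EXECUTE" in r.protection and "READWRITE" in r.protection
        private = r.tag == "VadS"  # short VAD: private memory with no file backing
        if not (rwx and private):
            continue
        reasons = ["RWX protection on private (non-file-backed) memory"]
        if first_bytes(r).startswith(b"MZ"):
            reasons.append("PE header (MZ) at region start: likely injected image")
        findings.append({"pid": r.pid, "process": r.process, "start": r.start, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_malfind(SAMPLE_MALFIND)):
        print(f"PID {f['pid']:>5} {f['process']:<14} {f['start']}: " + "; ".join(f["reasons"]))
```

Run it against a real wcry.malfind.txt by replacing SAMPLE_MALFIND with the file contents; a region that is RWX and private but has no MZ header (the constructed explorer.exe row) is still worth a look, since shellcode stubs rarely carry a PE header.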

Phase 3: Path Identification & Binary Extraction

Methodology: The output of the windows.dlllist plugin was reviewed to determine the execution path of the malware and identify its loaded modules.

[Screenshot: windows.dlllist.DllList output filtered for the string "Wana"]

Observation: Querying the memory image for the known WannaCry artifact string “Wana” revealed the active process.

PID     Process                Path
740     @WanaDecryptor@.exe    C:\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe

Identifying the directory is critical. Malware often hides in legitimate-sounding folders (like C:\Intel) or user directories (AppData) to mimic normal operations. In this case, the random directory name inside C:\Intel is highly suspicious.


3. Findings & Artifacts (IOCs)

Artifact Type       Value                           Context
Malicious Binary    @WanaDecryptor@.exe             Main ransomware executable
Suspicious Path     C:\Intel\ivecuqmanpnirkt615\    Staging directory for malware
Injected PID        596 (csrss.exe)                 Target for Process Hollowing
Injected PID        620 (winlogon.exe)              Target for Process Hollowing
MITRE ATT&CK        T1055 (Process Injection)       Code running in RWX memory regions

4. Remediation & Hardening

Immediate Mitigation:

  1. Network Isolation: Disconnect the infected host to prevent SMB spread.
  2. Process Termination: If active mitigation is required, suspend rather than kill the injected csrss.exe and winlogon.exe processes; killing them immediately may set off anti-forensic routines, and both are critical system processes, so terminating them would also crash the host.

Detection Logic:

  • SIEM/EDR Rule: Alert on any process granting PAGE_EXECUTE_READWRITE (RWX) permission to memory regions not backed by a disk file.

  • Path Monitoring: Monitor for executables running from unusual subdirectories within C:\Intel\ or AppData.

  • Real-World Context: Similar to Emotet infections where services.exe runs from AppData instead of System32.

Root Cause Fix:

Ensure MS17-010 (EternalBlue) patches are applied to prevent the initial SMB exploit vector used by WannaCry.

5. Reflections

Key Takeaways:

  • Efficiency in Triage: Bash loops for Volatility plugins save time. In a live incident, every minute counts.

  • The Importance of Paths: Just finding the process name isn’t enough. As shown in my Emotet comparison, knowing where a binary runs (like AppData vs. System32) can mean the difference between a false positive and a real breach.

  • Compliance Note: In a Turkish business setting, it’s crucial to check if this ransomware exfiltrated data (through filescan or network logs). This step helps decide if a notification to the KVKK (Personal Data Protection Authority) is needed within 72 hours.