BTLO: Memory Analysis — Ransomware

Sean Dixon
4 min readJun 10, 2023

Overview: This is a medium-difficulty memory forensics challenge hosted by Blue Team Labs Online (BTLO). The challenge requires the use of Volatility to analyze a memory dump and determine the malicious processes. For this challenge, I used a REMnux machine.

Scenario: The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!


Run “ -f infected.vmem — profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

The question gives us the profile to use within Volatility, so we can skip determining the proper profile. The question also says to use psscan, but I opted for pstree since it will help us easily understand the process hierarchy. Either plugin will work for this question.

pstree output

From the output, we can see two executables with suspicious names: or4qtckT.exe and @WanaDecryptor. We can assume they want the suspicious child process.

Answer: @WanaDecryptor


What is the parent process ID for the suspicious process?

We noted the suspicious parent process in the previous screenshot, and the parent process ID is listed in the PPid column.

Answer: 2732


What is the initial malicious executable that created this process?

Again, our output from pstree included this information.

Answer: or4qtckT.exe


If you drill down on the suspicious PID ( -f infected.vmem — profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files

psscan, filtered for the suspicious PID
psxview, filtered for brevity

The thing to note about this question is that the answer did not appear in our pstree output. This is because pstree uses pslist to form its output. Psxview’s output includes columns that show whether or not the entry appears in different plugins’ output. This can be, but is not necessarily, a sign of malicious activity.

Links to their reference docs:





Answer: taskdl.exe


Find the path where the malicious file was first executed

We’ll use the cmdline plugin to look for execution of the file.

cmdlist, filtered for the malicious file

Answer: C:\Users\hacker\Desktop\or4qtckT.exe


Can you identify what ransomware it is? (Do your research!)

To confirm our suspicions we can search for the IOCs we’ve gathered. Aside from Google, sites like AnyRun can be very useful for this type of research.

AnyRun listing for one of the suspicious files

Answer: wannacry


What is the filename for the file with the ransomware public key that was used to encrypt the private key? (.eky extension)

We can get the answer to this question by reading about how WannaCry works and its various IOCs. To confirm the filename in our memory sample, we can use the mftparser plugin.

mftparser, filtered for files ending in .eky

Note: mftparser scans for MFT entries in memory. Per Microsoft’s documentation — “The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself”.

Answer: 00000000.eky


This was a rather easy challenge, but it did a good job of demonstrating the difference between psscan and pslist, and how we can use psxview to better understand the processes running on the system.