My Methodology to Analyse Ram Dump

Prince Prafull
Nov 2, 2022 · 3 min read

Test Case Description:

This is a RAM dump of a computer that is under attack; the attacker is accessing it over a reverse TCP connection.

We have to find the answers to the following questions:

  • What is the name of the malicious process and its process ID?
  • What are the malicious payload’s reverse IP address and port number?
  • What do online sandboxes and online antivirus scanners say about the process?

Setting up our lab:

Starting with image info (Volatility 3, run via its vol.py script):

python3 vol.py -f /media/sf_share_me/dump.raw windows.info

It displays information about the captured RAM image.

Displaying all the processes running:

python3 vol.py -f /media/sf_share_me/dump.raw windows.pslist

Look through all the processes very carefully to identify whether any malicious process is running.

Yes, I found the malicious process:

lsasss.exe is not a legitimate process, so we can add it to our list of suspicious running processes. I think the name is chosen to trick the user, because lsass.exe is a legitimate Windows process; the process we found has an extra “s” in its name.

The process ID is 8140.

Finding the IP address and port number of the malicious process.

python3 vol.py -f /media/sf_share_me/dump.raw windows.netscan.NetScan

Now we can see that a reverse connection is in progress:

IP address:

Port number: 6969
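The two checks above (a process name that imitates a legitimate Windows binary, and a network connection owned by that PID) can be automated over Volatility 3 table output. The following is an added example, not code from the original post; the pslist and netscan lines are constructed to mirror the plugins' column layout, and the foreign IP 203.0.113.5 is a placeholder since the post does not show the real one.

```python
"""Triage helpers over Volatility 3 windows.pslist / windows.netscan output (added example)."""
from difflib import SequenceMatcher

# Well-known Windows process names that malware commonly imitates with a typo.
LEGIT_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "services.exe",
               "winlogon.exe", "explorer.exe", "smss.exe", "wininit.exe"}

# Constructed sample in the shape of windows.pslist: PID PPID ImageFileName
PSLIST_SAMPLE = """\
PID PPID ImageFileName
4 0 System
676 568 lsass.exe
8140 4312 lsasss.exe
1204 676 svchost.exe
"""

# Constructed sample in the shape of windows.netscan (foreign IP is a placeholder):
# Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
NETSCAN_SAMPLE = """\
Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
TCPv4 192.168.56.101 49711 203.0.113.5 6969 ESTABLISHED 8140 lsasss.exe
TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System
"""


def lookalike_processes(pslist_text, threshold=0.85):
    """Return {pid: name} for names that closely resemble, but are not, a known Windows process."""
    found = {}
    for line in pslist_text.splitlines()[1:]:  # skip the header row
        pid, _ppid, name = line.split(maxsplit=2)
        lname = name.lower()
        if lname in LEGIT_NAMES:
            continue  # exact match: the real binary name, not a lookalike
        if any(SequenceMatcher(None, lname, legit).ratio() >= threshold
               for legit in LEGIT_NAMES):
            found[int(pid)] = name
    return found


def connections_for(netscan_text, pids):
    """Return (pid, foreign_addr, foreign_port, state) for connections owned by the given PIDs."""
    hits = []
    for line in netscan_text.splitlines()[1:]:
        cols = line.split()
        pid = int(cols[6])
        if pid in pids:
            hits.append((pid, cols[3], int(cols[4]), cols[5]))
    return hits


if __name__ == "__main__":
    suspects = lookalike_processes(PSLIST_SAMPLE)
    print("lookalike processes:", suspects)
    print("their connections:", connections_for(NETSCAN_SAMPLE, suspects))
```

On the constructed sample this flags PID 8140 (lsasss.exe) and its established connection to port 6969, which is the same pair of answers the manual pslist/netscan review gave above.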

Analyzing the process with a sandbox and online tools

To analyse it, we first need to dump the process:

python3 vol.py -f /media/sf_share_me/dump.raw windows.pslist --pid 8140 --dump

Secondly, upload the process dump, or its hash, to an online scanning service so the process is checked by various antivirus products.

We were correct: IT IS MALWARE.
