Volatility

• What is the build version of the host machine in Case 001?

2600.xpsp.080413-2111

• At what time was the memory file acquired in Case 001?

2012-07-22 02:45:08

• What process can be considered suspicious in Case 001?

reader_sl.exe

• What is the parent process of the suspicious process in Case 001?

explorer.exe

• What is the PID of the suspicious process in Case 001?

1640

• What is the parent process PID in Case 001?

1484

• What user-agent was employed by the adversary in Case 001?

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US

• Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)

Y

• What suspicious process is running at PID 740 in Case 002?

@wanadecryptor@

• What is the full path of the suspicious binary in PID 740 in Case 002?

C:\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe

• What is the parent process of PID 740 in Case 002?

tasksche.exe

• What is the suspicious parent process PID connected to the decryptor in Case 002?

1940

• From our current information, what malware is present on the system in Case 002?

WannaCry

• What DLL is loaded by the decryptor used for socket creation in Case 002?

WS2_32.dll

• What mutex can be found that is a known indicator of the malware in question in Case 002?

MsWinZonesCacheCounterMutexA

• What plugin could be used to identify all files loaded from the malware working directory in Case 002?

windows.filescan