Today we look at how to generically unpack ransomware utilizing memory and hardware breakpoints on specific WinAPI functions as well as key memory locations.

Notes:

While analyzing this particular ransomware we see indicators that it was packed with UPX; on closer inspection, however, the .UPX sections of the PE turn out to be false indicators, which leads us to unpack the file generically using memory breakpoints on VirtualProtect and VirtualAlloc. These breakpoints expose most generic memory operations and let us inspect the resulting memory space. We can also set hardware breakpoints on those memory locations to pinpoint the key deobfuscation routines, which often lead to unpacked files or position-independent shellcode.
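As an added example (not the video's own tooling), the following Python script applies the triage steps described above offline: it checks whether UPX-named sections actually match a UPX layout (two well-known UPX traits are used: UPX0 has a SizeOfRawData of zero because it exists only in memory as the unpack destination, and the entry point lies inside UPX1, where the decompression stub sits), it filters a VirtualAlloc/VirtualProtect hook log down to the regions that ended up executable, and it scans a dumped region for an embedded PE header. The sample PE images, the hook log and the region dump are constructed inline; the function names and the e_lfanew sanity bound are this example's own assumptions.

```python
"""Triage helpers for a suspected-packed PE and for memory regions surfaced by
breakpoints on VirtualAlloc/VirtualProtect.  Added example; all inputs are constructed."""
import struct

# Windows memory-protection constants (winnt.h); any of these lets code execute
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_rva, sections):
    """Construct a minimal PE32 image (headers only) for demonstration.
    sections: list of (name, VirtualAddress, VirtualSize, SizeOfRawData)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE signature follows the DOS header
    opt = bytearray(224)                           # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, 0, 0, 0, 0, 0, 0x60000020)
                    for n, va, vs, rs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Return (entry_rva, sections) from a PE image; raise ValueError if it is not one."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, *_ = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize})
    return entry, sections


def upx_verdict(entry, sections):
    """Section names alone are not evidence of UPX: require UPX0 with SizeOfRawData == 0
    and the entry point inside UPX1 before believing the packer hint."""
    by_name = {s["name"]: s for s in sections}
    if not any(n.startswith("UPX") for n in by_name):
        return "no-upx-names"
    upx0, upx1 = by_name.get("UPX0"), by_name.get("UPX1")
    consistent = (upx0 is not None and upx1 is not None and upx0["rawsize"] == 0
                  and upx1["va"] <= entry < upx1["va"] + upx1["vsize"])
    return "upx-layout" if consistent else "upx-names-only"


def executable_regions(hook_log):
    """From (api, address, size, protection) records, keep regions that became executable."""
    return [(addr, size) for _, addr, size, prot in hook_log if prot in EXEC_PROTECTIONS]


def find_pe_headers(blob):
    """Offsets in a dumped region where 'MZ' leads via e_lfanew to a 'PE\\0\\0' signature.
    The e_lfanew bound (< 0x1000) is a heuristic to skip random 'MZ' byte pairs."""
    hits, off = [], blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            pe = off + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                hits.append(off)
        off = blob.find(b"MZ", off + 1)
    return hits


# Constructed samples: UPX-named sections with a non-UPX layout versus a genuine UPX layout
FAKE_UPX = build_pe(0x1000, [(b"UPX0", 0x1000, 0x5000, 0x5000), (b"UPX1", 0x6000, 0x2000, 0x2000)])
REAL_UPX = build_pe(0x7800, [(b"UPX0", 0x1000, 0x5000, 0), (b"UPX1", 0x6000, 0x2000, 0x2000),
                             (b".rsrc", 0x8000, 0x1000, 0x1000)])
# Constructed hook log, as a breakpoint script on VirtualAlloc/VirtualProtect might record it
HOOK_LOG = [("VirtualAlloc", 0x00520000, 0x3000, PAGE_EXECUTE_READWRITE),
            ("VirtualAlloc", 0x00530000, 0x1000, 0x04),          # PAGE_READWRITE: data only
            ("VirtualProtect", 0x00400000, 0x1000, PAGE_EXECUTE_READ)]
# Constructed dump of the first region: filler, then an unpacked PE image at offset 0x200
REGION_DUMP = b"\x90" * 0x200 + build_pe(0x1000, [(b".text", 0x1000, 0x1000, 0x1000)]) + b"\0" * 0x100


def triage():
    """Run all three checks over the constructed inputs."""
    return {"fake": upx_verdict(*parse_pe(FAKE_UPX)),
            "real": upx_verdict(*parse_pe(REAL_UPX)),
            "exec_regions": executable_regions(HOOK_LOG),
            "pe_offsets": find_pe_headers(REGION_DUMP)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

In practice the hook log comes from the debugger's breakpoint handler and the region dump from the address VirtualAlloc returned; a region that became executable and contains a PE header is the first candidate to dump and rebuild, while a hit inside the region with no PE header is the place to set a hardware breakpoint and watch for the deobfuscation routine writing position-independent code.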