Dissecting Shellcode Execution in Memory

Source: itamarhall.github.io

Author: unknown

URL: https://itamarhall.github.io/Tracepoint/blog/writeups/dissecting-process-hollowing-rogue-lsass-with-injected-shellcode/

ONE SENTENCE SUMMARY:

This forensic investigation examines process hollowing in Windows memory, revealing malicious activities involving lsass.exe and Metasploit-like shellcode.

MAIN POINTS:

  1. Analysis focuses on identifying process hollowing using Volatility 3.
  2. Multiple tools used: MemProcFS, YARA, Eric Zimmerman tools, PEstudio.
  3. Memory image reveals dual lsass.exe processes, indicating malicious activity.
  4. Suspicious processes involve rogue lsass.exe and related cmd.exe executions.
  5. Handle investigations highlight unusual file and network interactions.
  6. Memory injections detected using ldrmodules, malfind, ProcSentinel.
  7. In-memory module linked to Metasploit-style API hashing, reflecting injection.
  8. Disk artifacts like Prefetch, Amcache, PCA confirm file execution.
  9. Timeline correlates defense impairments with malicious execution activities.
  10. Metasploit YARA matches suggest network-capable shellcode operation.
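
The dual-lsass.exe finding in points 3 and 4 is easy to turn into a repeatable triage check. The following is an added example (not code from the original writeup): it parses constructed rows in the shape of Volatility 3 `windows.pslist` output and flags lsass.exe instances that are duplicated, not parented by wininit.exe, or spawning children. The sample data and column layout are assumptions.

```python
"""Triage check for the rogue-lsass pattern: duplicate lsass.exe, wrong parent,
or an lsass.exe that spawns children (e.g. cmd.exe)."""

# Constructed sample in the shape of `vol -f image windows.pslist` output.
# These PIDs, offsets and times are made up for the example.
SAMPLE_PSLIST = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0x8a01c040 150 - N/A False 2024-01-01 10:00:00.000000 N/A
500 4 wininit.exe 0x8a1a2b40 3 - 0 False 2024-01-01 10:00:05.000000 N/A
620 500 lsass.exe 0x8a2c3d00 9 - 0 False 2024-01-01 10:00:06.000000 N/A
3120 2896 lsass.exe 0x8b0e7f80 4 - 1 False 2024-01-01 10:42:11.000000 N/A
3188 3120 cmd.exe 0x8b1a9100 1 - 1 False 2024-01-01 10:42:15.000000 N/A
"""


def parse_pslist(text):
    """Return {pid: {"pid", "ppid", "name"}} from pslist-style rows.
    Only the first three whitespace-separated columns are used, so banner
    and header lines (whose first field is not numeric) are skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        pid, ppid, name = int(fields[0]), int(fields[1]), fields[2]
        procs[pid] = {"pid": pid, "ppid": ppid, "name": name}
    return procs


def lsass_findings(procs):
    """Return a list of (pid, reason) tuples for suspicious lsass.exe instances."""
    findings = []
    lsass = [p for p in procs.values() if p["name"].lower() == "lsass.exe"]
    if len(lsass) > 1:
        # A healthy system has exactly one lsass.exe.
        for p in lsass:
            findings.append((p["pid"], "more than one lsass.exe in image"))
    for p in lsass:
        parent = procs.get(p["ppid"])
        # The genuine lsass.exe is started by wininit.exe.
        if parent is None or parent["name"].lower() != "wininit.exe":
            seen = parent["name"] if parent else f"missing (pid {p['ppid']})"
            findings.append((p["pid"], f"parent is {seen}, expected wininit.exe"))
        # lsass.exe does not normally spawn child processes at all.
        for c in procs.values():
            if c["ppid"] == p["pid"]:
                findings.append((p["pid"], f"spawned child {c['name']} (pid {c['pid']})"))
    return findings
```

Run against the sample, the check reports both lsass.exe PIDs as duplicates and singles out PID 3120 for its unknown parent and its cmd.exe child, which mirrors the rogue process described in the writeup.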

TAKEAWAYS:

  1. Process hollowing detected via memory analysis shows disguised malicious processes.
  2. Volatility 3 and complementary tools enrich memory forensics investigation.
  3. Dual lsass.exe presence reveals process manipulation and shellcode execution.
  4. Timeline analysis correlates defensive changes with malicious actions.
  5. Comprehensive analysis ties network activity to injected shellcode behavior.