PML file being encrypted by malware

[oasec1]

I'm still encountering these issue daily with ransomware. What are you thoughts about adding an option to just eliminate the extension of the output file altogether? Many of the samples that I've encountered don't encrypt files that don't have extensions.

[Rurik]

I've been playing with this issue for awhile, and apologies for the lengthy delay. It's an issue of the backing file being encrypted, but Procmon does have the ability to use virtual memory for the live data. Do you have a sample that you can test against, or provide hash for so I can test?

In Procmon if you enable File > Backing File... > Virtual Memory, that may be able to get around this issue. However, I can not guess the performance issues, or ultimate memory usage, of that.

Then one small edit to the script, within "launch_procmon_capture()" to force this:

Change:
cmdline = '"{}" /BackingFile "{}" /Quiet /Minimized'.format(procmonexe, pml_file)

To:
cmdline = '"{}" /PagingFile /Quiet /Minimized'.format(procmonexe)

[oasec1]

Thanks for the response, I can certainly get a relatively new sample for analysis and testing. Let me know when you'd like to start, we can do remote sessions with Anyconnect. Robert

…

On Mon, Jan 18, 2021, 11:31 AM Brian Baskin ***@***.***> wrote: I've been playing with this issue for awhile, and apologies for the lengthy delay. It's an issue of the backing file being encrypted, but Procmon does have the ability to use virtual memory for the live data. Do you have a sample that you can test against, or provide hash for so I can test? In Procmon if you enable File > Backing File... > Virtual Memory, that may be able to get around this issue. However, I can not guess the performance issues, or ultimate memory usage, of that. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#42 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7UFORSNGKKHGYNBA7NTNTS2RO5RANCNFSM4VCQBDJA> .