# RedLine Lab - Memory Analysis

### 🧩 Scenario

As part of the Blue Team, your mission is to analyze a memory dump from a potentially compromised machine. The attacker seems to have bypassed NIDS detection and established a foothold. Your goal is to trace their activities, identify the malware family, and uncover artifacts related to persistence and network communication.

***

### 🧰 Tools & Preparation

* **Volatility3**: To parse memory artifacts.
* **Redline**: (Optional) For timeline analysis.
* **VirusTotal / Hybrid Analysis**: For malware validation.
* **strings**: To extract IOCs like URLs and file paths.

We start with a `.mem` file obtained from a zipped archive:

```bash
unzip MemoryDump.zip
ls
# Output: MemoryDump.mem
```

***

### 🔍 Q1: What is the name of the suspicious process?

We begin by identifying unusual processes with `pstree` (preferred over `pslist` because it shows parent-child relationships):

```bash
vol.py -f MemoryDump.mem windows.pstree.PsTree
```

A suspicious process stands out:\
✅ **`oneetx.exe`**

* **PID**: 5896
* **PPID**: 8844

A quick search confirms it's malicious — VirusTotal and Hybrid Analysis both flag it.

**Answer**: `oneetx.exe`

***

### 👶 Q2: What is the child process name of the suspicious process?

From the process tree, we can see that `oneetx.exe` spawns a child:\
✅ **`rundll32.exe`**

**Answer**: `rundll32.exe`

***

### 🛡️ Q3: What is the memory protection applied to the suspicious process memory region?

We can use Volatility's `malfind` plugin to identify injected code and memory protections:

```bash
vol.py -f MemoryDump.mem windows.malfind.Malfind
```

Output shows:

```
Protection: PAGE_EXECUTE_READWRITE
```

This is a red flag. A region that is both writable and executable is rarely needed by legitimate code, but it is exactly what injected shellcode or an unpacked payload requires, which is why `malfind` reports it.

**Answer**: `PAGE_EXECUTE_READWRITE`

***

### 🌐 Q4: What is the name of the process responsible for the VPN connection?

By scanning the process list again:

```bash
vol.py -f MemoryDump.mem windows.pslist.PsList
```

One interesting process stands out:\
✅ **`tun2socks.exe`**

* A component often used with VPNs to forward traffic via SOCKS proxies.

Upon further inspection, `tun2socks.exe` is a **child of `Outline.exe`**, which manages the VPN tunnel.

**Answer**: `Outline.exe`

***

### 📡 Q5: What is the attacker’s IP address?

To get network connection info, we use:

```bash
vol.py -f MemoryDump.mem windows.netscan.NetScan
```

Reviewing established connections, we spot:

```
Foreign Address: 77.91.124.20
```

This connection is owned by `oneetx.exe`, so the remote address most likely represents the attacker's C2 infrastructure.

**Answer**: `77.91.124.20`

***

### 🌐 Q6: What is the full URL of the PHP file that the attacker visited?

There are multiple ways to approach this:

#### Method 1 – Using `strings`:

```bash
strings MemoryDump.mem | grep "77.91.124.20"
```

Result:

```
http://77.91.124.20/store/games/index.php
```

#### Method 2 – Using Hybrid Analysis:

Search the IP to find related dropped files or observed URLs.

#### Method 3 – Dump and analyze `msedge.exe`:

Edge's process memory likely holds its browsing history. Dump it with `vol.py -f MemoryDump.mem windows.dumpfiles.DumpFiles --pid <msedge PID>` and run `strings` over the output to look for the URL.

**Answer**: `http://77.91.124.20/store/games/index.php`
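To make the Q5/Q6 correlation repeatable across dumps, here is an added Python helper (not part of the original write-up) that parses `windows.netscan.NetScan` output for the remote peers of a named process and then pulls every URL for those peers out of `strings` output. The column layout is the one the plugin prints; the sample rows other than the `oneetx.exe` connection, and the `strings` excerpt, are constructed for the example.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample of Volatility3 windows.netscan.NetScan output (tab-separated, as the
# plugin prints it). Rows are illustrative; only the oneetx.exe peer comes from the lab.
NETSCAN_SAMPLE = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xa48b5e0\tTCPv4\t192.168.1.10\t49712\t77.91.124.20\t80\tESTABLISHED\t5896\toneetx.exe\t2023-05-21 22:41:10.000000
0xa48b7a0\tTCPv4\t192.168.1.10\t49720\t203.0.113.5\t443\tESTABLISHED\t3304\tmsedge.exe\t2023-05-21 22:40:02.000000
0xa48c100\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t908\tsvchost.exe\t2023-05-21 22:30:00.000000
"""

# Constructed excerpt of `strings MemoryDump.mem` output (the URL repeats, as it would).
STRINGS_SAMPLE = """\
C:\\Users\\Tammam\\AppData\\Local\\Temp\\c3912af058\\oneetx.exe
http://77.91.124.20/store/games/index.php
http://77.91.124.20/store/games/index.php
https://www.bing.com/
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def foreign_hosts_by_owner(netscan_output: str, owner: str) -> Set[str]:
    """Remote addresses that process `owner` had non-listening sockets to (Q5)."""
    hosts: Set[str] = set()
    for line in netscan_output.splitlines()[1:]:  # skip the header row
        # Split at most 9 times so Created (which has a space) stays whole; UDP rows
        # have an empty State column, so they come up short and are skipped here.
        parts = line.split(None, 9)
        if len(parts) < 10:
            continue
        foreign, state, proc = parts[4], parts[6], parts[8]
        if proc.lower() == owner.lower() and state != "LISTENING" and foreign not in ("0.0.0.0", "::"):
            hosts.add(foreign)
    return hosts

def urls_for_hosts(strings_output: str, hosts: Set[str]) -> Dict[str, List[str]]:
    """URLs in strings output whose host is one of `hosts`, deduplicated in order seen (Q6)."""
    found: Dict[str, List[str]] = {h: [] for h in hosts}
    for match in URL_RE.finditer(strings_output):
        url = match.group(0).rstrip(".,;)")
        host = urlparse(url).hostname
        if host in found and url not in found[host]:
            found[host].append(url)
    return found

def correlate(netscan_output: str, strings_output: str, owner: str) -> Dict[str, List[str]]:
    """Chain Q5 and Q6: peers of `owner`, then every URL observed for those peers."""
    return urls_for_hosts(strings_output, foreign_hosts_by_owner(netscan_output, owner))
```

On a real case, feed it the saved plugin output and `strings` output instead of the embedded samples; an empty URL list for a peer means the address was seen on a socket but never inside a URL string.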

***

### 📁 Q7: What is the full path of the malicious executable?

Again, multiple approaches help here:

#### Method 1 – `strings`:

```bash
strings MemoryDump.mem | grep "oneetx.exe"
```

#### Method 2 – Dump `oneetx.exe` from memory:

```bash
vol.py -f MemoryDump.mem windows.pslist.PsList
# Then use the PID of oneetx.exe (5896) with:
vol.py -f MemoryDump.mem windows.memmap.MemMap --pid 5896 --dump   # writes the process's mapped memory to a .dmp file
vol.py -f MemoryDump.mem windows.dumpfiles.DumpFiles --pid 5896    # extracts cached file objects, including the executable image and its path
```

#### Method 3 – `filescan`:

```bash
vol.py -f MemoryDump.mem windows.filescan.FileScan
```

Eventually, we find:

✅ **Full path**:\
`C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe`

**Answer**: `C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe`

***

### ✅ Summary of Answers

| Question | Answer                                                     |
| -------- | ---------------------------------------------------------- |
| Q1       | `oneetx.exe`                                               |
| Q2       | `rundll32.exe`                                             |
| Q3       | `PAGE_EXECUTE_READWRITE`                                   |
| Q4       | `Outline.exe`                                              |
| Q5       | `77.91.124.20`                                             |
| Q6       | `http://77.91.124.20/store/games/index.php`                |
| Q7       | `C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe` |
