This time, we are going to see how to unpack ATLAS ransomware.
The first thing it does, as many other malware, is to allocate memory regions to hold the decryption routines for the real ransomware core.
Then, there is a loop where it changes the permissions of every memory page, included the PE header section, of the current process:
This is the mentioned loop where it changes the memory protections of every PE section:
Then, it erases part of the PE data (included PE Header):
We can see that it starts at the PE header section address and it’s going to erase 0x32000 bytes from the PE:
Here’s the .text section being erased:
And here’s the end of the erased data:
After erasing the PE data, it searches for a hashed function name value but in this case it seems it doesn’t find it, however, it continues:
Then, it starts a loop to copy data to the previously erased sections from a fully decrypted PE:
We can see that the second parameter (source address) points to the decrypted PE:
At this point, we can use PE Tools or VSD to dump the entire PE from memory and continue with the analysis of the ransomware.
The following are the strings from the decrypted PE: