{
	"id": "e7affca3-f6c9-413d-8430-a45b123740c6",
	"created_at": "2026-04-06T00:08:56.214755Z",
	"updated_at": "2026-04-10T03:21:45.755521Z",
	"deleted_at": null,
	"sha1_hash": "0b4c92a97873ac7a55883a8dbd0c11ae2e9b4fc4",
	"title": "SUNBURST \u0026 Memory Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53119,
	"plain_text": "SUNBURST \u0026 Memory Analysis\r\nPublished: 2020-12-25 · Archived: 2026-04-05 17:05:37 UTC\r\nThe recent SolarWinds hack, which resulted in a backdoored version of the SolarWinds Orion product (a product with 33,000 customers), has been all over the news in the past few weeks. Most things have been said and repeated, but there are a few notes I mentioned on Twitter which I would like to compile in a blog post for posterity.\r\nFirst of all, I would like to point out the presence in the backdoor's process blacklist (the full list can be found in Itay Cohen's repository) of several processes that can be used for either:\r\ncreating a raw system memory dump, such as Belkasoft RAM Capturer,\r\nor creating Microsoft process crash dumps with some of the Sysinternals tools, such as ProcDump or Process Explorer.\r\n 13611814135072561278UL /* procdump64 (ProcDump - RE/Malware analysis) */,\r\n 2810460305047003196UL /* procdump (ProcDump - RE/Malware analysis) */,\r\n 2032008861530788751UL /* processhacker (Process Hacker - RE/Malware analysis) */,\r\n 27407921587843457UL /* procexp64 (Process Explorer - RE/Malware analysis) */,\r\n 6491986958834001955UL /* procexp (Process Explorer - RE/Malware analysis) */,\r\n (...)\r\n 7775177810774851294UL /* ramcapture64 (Ram Capturer - Forensics) */,\r\n 16130138450758310172UL /* ramcapture (Ram Capturer - Forensics) */,\r\nThis makes sense given how powerful memory analysis and memory forensics are in general, and memory imaging was also included in the DHS emergency directive (21-01). (Thanks to Andrew Case for sharing this on LinkedIn.)\r\nThis emergency directive requires the following actions:\r\nAgencies that have the expertise to take the following actions immediately must do so before proceeding to Actio\r\na. Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion vers\r\nMemory, however, was completely dismissed by the Microsoft DART team in their Advice for incident responders on recovery from systemic identity compromises blog post:\r\nAfter you validate that no persistence mechanisms created by the attacker exist or remain on your system, sched\r\nBEFORE you validate persistence, you always want to create a Microsoft full memory crash dump of the system (with DumpIt or any other tool) before rebooting. As an incident responder, you should not omit any artifacts that may be useful for your investigation.\r\nThe last point I would like to highlight is a very good tweet from Kim Zetter:\r\nKim is highlighting a very important point here, which is the lack of logging in the critical infrastructure industry.\r\nTwo years ago, we wrote about a new logging paradigm which we believe should be in place for critical assets across industries: instead of relying on logs/events (which often lack context and information), periodically make memory images (such as Microsoft full memory crash dumps) and archive them, so that critical incidents such as those we have seen over the past years (DOUBLEPULSAR, SUNBURST, etc.) can be investigated retroactively.\r\nIf you haven't read it yet, go ahead: https://www.comae.com/posts/rethinking-logging-for-critical-assets/.\r\nWe are more than happy to share thoughts on this.\r\nIf you are interested in our memory analysis platform Comae Stardust, feel free to reach out for testing or a custom deployment instance.\r\nSource: https://www.comae.com/posts/sunburst-memory-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.comae.com/posts/sunburst-memory-analysis/"
	],
	"report_names": [
		"sunburst-memory-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b4c92a97873ac7a55883a8dbd0c11ae2e9b4fc4.pdf",
		"text": "https://archive.orkl.eu/0b4c92a97873ac7a55883a8dbd0c11ae2e9b4fc4.txt",
		"img": "https://archive.orkl.eu/0b4c92a97873ac7a55883a8dbd0c11ae2e9b4fc4.jpg"
	}
}
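The process blacklist quoted in the plain_text above is a list of 64-bit hashes, not names: the backdoor hashes each running process name and looks the result up. The block below reproduces that check so the quoted values can be verified against the tool names in the comments. It is an added example, not code from the Comae post or from the SUNBURST sample; it assumes the hashing scheme described in public analyses of the backdoor (64-bit FNV-1a of the lowercased process name, without the .exe extension, XORed with the constant 6605813339339102567), and the sample process list is constructed.

```python
"""Reproduce the SUNBURST process-blocklist check (added example).

Assumption: the backdoor hashes the lowercased process name (no .exe)
with 64-bit FNV-1a and XORs the result with 6605813339339102567, as
reported in public analyses.  The hash values in BLOCKLIST are the
ones quoted in the post.
"""

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
SUNBURST_XOR_KEY = 6605813339339102567  # 0x5BAC903BA7D81967

# Hash -> tool name, taken from the blocklist excerpt quoted in the post.
BLOCKLIST = {
    13611814135072561278: "procdump64",
    2810460305047003196: "procdump",
    2032008861530788751: "processhacker",
    27407921587843457: "procexp64",
    6491986958834001955: "procexp",
    7775177810774851294: "ramcapture64",
    16130138450758310172: "ramcapture",
}


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(process_name: str) -> int:
    """Hash of a process name the way the backdoor computes it (assumed scheme)."""
    return fnv1a_64(process_name.lower().encode("utf-8")) ^ SUNBURST_XOR_KEY


def blocked_tools(running: list[str]) -> list[str]:
    """Return the blocklisted tools present in a list of image names.

    Matching is an exact hash of the lowercased image name, so a
    renamed copy of procdump.exe is not recognised: this is why the
    blocklist is a weak control against a prepared responder.
    """
    found = []
    for name in running:
        stem = name[:-4] if name.lower().endswith(".exe") else name
        entry = BLOCKLIST.get(sunburst_hash(stem))
        if entry is not None:
            found.append(entry)
    return found


if __name__ == "__main__":
    # Constructed sample process list, not taken from a real host.
    sample = ["svchost.exe", "ProcDump64.exe", "RamCapture.exe", "pd_renamed.exe"]
    print(blocked_tools(sample))
```

Running the block against the constructed list reports only the two tools whose names hash to a quoted value; the renamed dumper passes, which is the practical caveat for anyone imaging memory on a suspected host.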