In my recent article (here) I wondered why cybercriminals would use VHD files for their campaigns and offered a few tips and tools to analyse VHD files for forensic artifacts. After posting the article, I received a few questions about why VHD file forensics might be worth investing time into. This article continues on my forensic journey into this file format that is being used by cybercriminals.

Digging more for VHD files, I discovered another one that supposed to belong to the same group:

Hash: d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353

Filename: 30–1868.vhd

File size: 12.00 MB (12583424 bytes)

IN this case, the VHD file…


This is a repost from a year ago, but since migrating to Medium, this is still a relevant exercise when analyzing malware in memory.

Over the past couple of weeks, the LockerGoga ransomware has been targeting many victims. In this post, I will take you through how one could analyze the memory-dump of a machine infected with ransomware.

We start with the setup of a basic VM with Windows 7, enough memory and disk-space to circumvent any particular evasion techniques used in certain malware families to detect if it’s detonated in a VM. …


In recent investigations, I observed an adversary making use of a VHD attachment to a spear-phishing email being sent. VHD files are ‘Virtual Hard-Disk’ files. Originally the file format was introduced with Connectix Virtual PC and it can store the contents of a hard disk drive. Windows 7 and newer systems include the ability to manually mount VHD files. From Windows 8 and onwards, a user can mount a VHD by simply double-clicking on the file. Once mounted, a VHD disk image appears to Windows as a normal hard disk physically connected to the system.

Why would an adversary use…

Christiaan Beek

Saved by His Grace • Visionary Threat Research leader•synth lover •opinions are my own• Speaker•

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store