Source: https://www.computersecuritystudent.com/FORENSICS/VOLATILITY/VOLATILITY2_2/lesson2/

Basic Stuxnet Description (sophisticated APT worm-like trojan):

1. A normal Windows XP installation has just one instance of lsass.exe that the Winlogon process creates when the system boots. (Wininit creates it on Windows Vista and higher).
2. Process tree reveals that the two new lsass.exe instances were both created by services.exe, the Service Control Manager, which implies that Stuxnet somehow got its code into the Services.exe process.
3. Mrxnet.sys is the driver that implements the rootkit that hides files, and Mrxcls.sys is a second Stuxnet driver file that launches the malware when the system boots. 

​2. vol.py  imageinfo=WinXPSP3x86 -f stuxnet.vmem

Analyze Stuxnet Process Tree
3. vol.py pstree --profile=WinXPSP3x86 -f stuxnet.vmem | egrep '(services.exe|lsass.exe|winlogon.exe)' | tee pstree.txt

Source: SysAnalyzer, Immunity Debugger, IDA Pro

File: necurs_dropper.exe
Size: 97792 Bytes
MD5: 6B3D2D146E683DAF0DEB906D57393E22

Mutex:
PID    Name *    
--------------------------------------------------
1212    Instance0:  ESENT Performance Data Schema Version 40   

Processes:
PID    ParentPID    User    Path    
--------------------------------------------------
2688    872    USER-06EF21E8DC:Administrator    C:\Documents and Settings\Administrator\Desktop\dropper.exe    

Ports:
Port    PID    Type    Path    
--------------------------------------------------
3417    2688    TCP    C:\Documents and Settings\Administrator\Desktop\dropper.exe    
3418    3536    TCP    C:\Documents and Settings\Administrator\Desktop\dropper.exe    
3419    384    TCP    C:\Documents and Settings\Administrator\Desktop\dropper

API Logger:
91222     CreateFileA(\\.\NtSecureSys)    
912c6     GetCurrentProcessId()=2688
771bd3a9     connect( 69.50.214.54:80 )

Scanning for 19 signatures
Scan Complete: 108Kb in 0 seconds

Urls
--------------------------------------------------
<html><head><title>504 Connect to %s failed: host unreachable.</title></head><body><h1>504 Connect to %s failed: host unreachable</h1><p>The following error occurred while trying to access <strong>http://%s%s</strong>:<br><br><strong>504 Connect to %s failed: host unreachable</strong></p></body></html>
http://69.50.214.54/i.php?v=1012&affid=36411
http://69.50.214.54/i.php?v=1012&affid=36414
http://213.229.106.135/mac/mac.php?affid=00100
http://69.50.214.54/i.php?v=1012&affid=36413
http://69.50.214.54/i.php?v=1012&affid=36412
http://69.50.214.54/i.php?v=1012&affid=36410

 Sample: 9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04
 
VirusTotal : 2/55
McAfee-GW-Edition,BehavesLike.Win32.Ransom.mm,23.01.2016,132
Qihoo-360,HEUR/QVM20.1.Malware.Gen,23.01.2016,132
 
Compilation Timestamp: 0x5680253A (Sun Dec 27 12:51:54 2015)

 Here are the imported libraries:

• ntdll.dll,x,Implicit,21,NT Layer DLL
• kernel32.dll,-,Implicit,3,Windows NT BASE API Client DLL
• shlwapi.dll,-,Implicit,3,Shell Light-weight Utility Library
• gdiplus.dll,-,Implicit,24,Microsoft GDI+

 
Here are the imported blacklisted calls:

• LdrFindResource_U,x,-,-,ntdll.dll
• ZwAllocateVirtualMemory,x,-,-,ntdll.dll
• LdrUnloadDll,x,-,-,ntdll.dll
• LdrAccessResource,x,-,-,ntdll.dll
• LdrGetProcedureAddress,x,-,-,ntdll.dll
• ZwFreeVirtualMemory,x,-,-,ntdll.dll
• memcpy,x,-,-,ntdll.dll
• ExitProcess,x,-,-,kernel32.dll

 
Here are indicators of the PNG dropper calls from gdiplus.dll (enables applications to use graphics and formatted text on both the video display and the printer):

Red Flags:

• The file contains 10 blacklisted strings.
• The symbol (GdipBitmapLockBits) is imported several (8) times/
• The file references the Windows Native API.
• The file opts for Address Space Layout Randomization (ASLR).
• The file ignores Structured Exception Handling (SEH).
• The file has no Version.
• The file does not contain a digital certificate.
• The file checksum (0x00000000) is invalid.