Notes on Dynamic Analysis

First, obtain the malware sample.

4 things to look for:

  • Process Activity (malware creating other programs). Tools: Process Hacker, Procmon
  • Network Activity (malware wants to establish contact with C2 servers). Tools: Wireshark (Filter for SMTP, HTTP, DNS), Fiddler
  • Registry Activity (look for persistence). Tools: regshot, Procmon
  • File Activities (look for persistence). Tools: regshot, Procmon

First, open Regshot, Wireshark, and Process Hacker.

On Regshot, click on 1st shot and let it finish. Let Wireshark capture packets and Process Hacker be open on the side.

Open Procmon, then unzip the malware and change the extension from .bin to .exe.

Run the malware .exe as administrator.

Leave Wireshark running in the background.

Malware often spawns child processes, which then terminate themselves. Procmon captures what is happening with the processes, and Wireshark captures the packets.

After a few minutes, stop capturing packets from Wireshark (click red button) and stop capture in Procmon also (click highlighted capture button).

Process activity

On Procmon, click on Process Tree to open it up. Process Hacker is not able to show the child processes because they kill themselves quickly, but Procmon records them, so we can still see them.

  • Look at the child processes
  • Invoking of PowerShell. The paths used. Other programs/malwares dropped into other directories
  • Scheduled tasks. This is a persistence mechanism: malware drops scheduled tasks that run on certain conditions. Observe the commands being invoked. Open up Task Scheduler (Windows tool); the task may be hidden under an innocuous name such as Updates.
  • Under the Triggers tab, check relevant triggers created by the malware. For example, the trigger can be at log on
  • Under the Actions tab, check for what actions are associated with the scheduled task set by the malware. For example, the action can be Start a program

Network activity

Utilize Wireshark to filter for SMTP, HTTP, and DNS traffic.

We look for SMTP traffic to search for any emails sent to the attacker (usually containing system info). We look for HTTP traffic to spot any HTTP requests being made. We look for DNS traffic to spot requests made for particular domains. Malware tries to reach malicious domains in order to establish a connection.

If we find suspicious events by investigating the packets, we can do OSINT as the next step. For example, if we find a suspicious DNS request being made, we can get the IP it resolved to, search for it in a GeoIP database to find the location, or check AbuseIPDB for its reputation.

Even if no HTTP traffic is generated (because the connection was never established), the DNS requests may still reveal the communication attempts.

Registry activity

Go back to Regshot. Click on 2nd shot and let that finish.

Now we have two shots of the registry:

  • 1st shot - before infection, when the computer was in its normal state
  • 2nd shot - after the computer got infected with the malware

On Regshot, right-click Compare and select Compare and output to see changes in the Registry. We want to look for any:

  • keys added
  • values added
  • values modified
  • files added

For example, keys to look for when it comes to startup persistence:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Malware may want to run at startup, but there are also other persistence techniques such as scheduled tasks.

File activities

The Regshot comparison may also include "Files added" or "Files deleted" records.

We can use Procmon to view file activities (toggle off the Show Network Activity and Show Registry Activity buttons on the toolbar so only file and process events remain).

Go to Process tree > right-click malware > Add process and children to include filter.

Malware commonly persists in the location C:\Users\Username\AppData\Roaming\.

Other places

We should also look into other common places.

  • %TEMP%
  • shell:startup
  • shell:common startup

We can type these into the Run dialog (Win+R) to go directly to those directories.
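As an added example (not part of these notes), the following Python script applies the same triage to a Procmon CSV export (File > Save, CSV format): it follows Process Create events outward from the sample, like "Add process and children to include filter", then flags Run-key writes, files dropped under AppData\Roaming, %TEMP% and the Startup folder, and reads of browser credential stores. The CSV rows, process names, PIDs and paths are constructed sample data, not a real capture.

```python
import csv
import io
import re

# Constructed sample in Procmon's default CSV export layout; all values are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1200","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 1300, Command line: cmd.exe /c powershell -w hidden"
"10:01:02.2","cmd.exe","1300","Process Create","C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SUCCESS","PID: 1400, Command line: powershell -w hidden"
"10:01:03.0","sample.exe","1200","CreateFile","C:\\Users\\Username\\AppData\\Roaming\\svc\\update.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03.5","sample.exe","1200","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Username\\AppData\\Roaming\\svc\\update.exe"
"10:01:04.0","sample.exe","1200","CreateFile","C:\\Users\\Username\\AppData\\Local\\Google\\Chrome\\User Data\\Login Data","SUCCESS","Desired Access: Generic Read"
"10:01:05.0","svchost.exe","800","RegQueryValue","HKLM\\System\\CurrentControlSet\\Services\\Dhcp","SUCCESS","Type: REG_DWORD"
"""

RUN_KEYS = ("\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",)  # also matches RunOnce
DROP_DIRS = ("\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\", "\\Start Menu\\Programs\\Startup\\")
BROWSER_DATA = ("\\Login Data", "\\Cookies", "\\Web Data")  # Chromium credential/cookie stores

def triage(csv_text, root_name):
    """Return child processes, Run-key writes, dropped files and browser-data reads for root_name and its children."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pids = {r["PID"] for r in rows if r["Process Name"].lower() == root_name.lower()}
    children = []
    # Events are chronological, so a child's PID is known before its own events appear.
    for r in rows:
        if r["Operation"] == "Process Create" and r["PID"] in pids:
            m = re.match(r"PID: (\d+), Command line: (.*)", r["Detail"])
            if m:
                pids.add(m.group(1))
                children.append((r["PID"], m.group(1), m.group(2)))
    findings = {"children": children, "run_keys": [], "dropped": [], "browser_data": []}
    for r in rows:
        if r["PID"] not in pids or r["Result"] != "SUCCESS":
            continue
        path, low = r["Path"], r["Path"].lower()
        if r["Operation"] == "RegSetValue" and any(k.lower() in low for k in RUN_KEYS):
            findings["run_keys"].append((path, r["Detail"]))
        elif r["Operation"] == "CreateFile" and "Write" in r["Detail"] and any(d.lower() in low for d in DROP_DIRS):
            findings["dropped"].append(path)
        elif r["Operation"] == "CreateFile" and path.endswith(BROWSER_DATA):
            findings["browser_data"].append(path)
    return findings

if __name__ == "__main__":
    for section, items in triage(SAMPLE_CSV, "sample.exe").items():
        print(section, *items, sep="\n  ")
```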

To generate file and registry activities, we may want to let the malware run for a while.

We might also spot paths from which the malware tries to steal data from the local browser. The location might look like:

C:\Users\Username\AppData\Local\Google\Chrome\User Data\Login Data

The browser's local data might then be sent to the C2.

Must-do steps

After we're done with the analysis and note-taking, we must close all opened apps.

Must RESTORE the VM to its snapshot state.
© 2020-2025 Ucchas Muhury