Module 3: Basic of Dynamic Analysis (Medium)

Task 1: Introduction to Dynamic Analysis

Previously, we explored how to dissect malware without running it in the Basic
Static Analysis room. We discovered that while this approach provides valuable
insights, malware often employs techniques to obscure its true nature.
Regardless of the effectiveness of these techniques, malware's primary objective
is to execute, which inevitably leaves behind detectable traces. In this module,
we will employ basic dynamic analysis methods to investigate these execution
traces and identify malicious behavior.
Learning Objectives: In this module, you will gain hands-on experience in:
 Understanding sandboxing and using it effectively for malware analysis.
 Examining the core components of a sandbox and learning how to set one
up independently.
 Utilizing Process Monitor to track process activity in real-time.
 Leveraging Process Hacker to determine if a process has been altered
maliciously.
Pre-requisites: To maximize your understanding and benefit from this module,
it is recommended that you have completed the following:
 Intro to Malware Analysis (Module 1)
 Basic Static Analysis (Module 2)
Answer the questions below-----------------------------------------------------------
1. What does malware execute?
Answer: Malicious code traces.
2. What tool tracks processes?
Answer: Process Monitor tool.
3. What determines process changes?
Answer: Process Hacker analysis.

1 | Page
Task 2: Process Explorer
Process Explorer is an advanced tool from the Sysinternals Suite,
serving as a more comprehensive version of Windows Task Manager.
It helps identify suspicious activity such as process masquerading and
process hollowing. Here’s how it works and what to look for:
1. Interface Overview:
 Displays all running processes in a hierarchical tree format,
showing relationships between parent and child processes.
 Columns include CPU utilization, memory usage, Process
IDs (PIDs), descriptions, and company names.

2. Process Properties:
 Accessed by right-clicking a process and selecting 'Properties'.
 The Image tab reveals extensive details, including verification of the
executable’s digital signature. Malware may use names similar to
legitimate processes to evade detection; clicking Verify confirms the
authenticity of the signature.

2 | Page
1. Process Hollowing Detection:
 Involves malicious code injected into a legitimate process's
memory. The Strings tab in properties displays strings found in the
disk image and memory.
 A significant difference between strings in
the Image and Memory may indicate that the code in the memory
differs from the original executable on the disk, signaling process
hollowing.

3 | Page
Detecting Malware Using Process Explorer
1. Understand the Processes Shown:
 From the image you provided, it looks like you’re observing three
specific processes: powershell.exe, conhost.exe, and wab.exe.
 Ordine (Ordine.exe) is an uncommon process and may not be
associated with standard system functions. Its presence in the process
list, especially if marked as "Suspended," could be worth
investigating. Watch for unusual behaviors, such as unexpected CPU
or memory usage, as this may indicate it’s part of unauthorized or
malicious software.
 PowerShell (powershell.exe) is often a target for attackers because it
can be used to execute scripts and commands. Watch for unusual
memory usage or CPU spikes in this process, as it may indicate it’s
being used maliciously.
 Console Window Host (conhost.exe) is associated with command-
line interfaces and should ideally be initiated by legitimate programs.
 Windows Contacts (wab.exe) is less commonly used, so its
presence with high resource usage could be worth investigating.

4 | Page
Answer the questions below-----------------------------------------------------------
1. What type of payload files might Ordine.exe drop to facilitate
unauthorized activities?
Answer: Wab.exe
2. Is the powershell.exe process verified as signed by Microsoft
Corporation?
Answer: Yes (if it shows a valid signature from Microsoft Corporation)

5 | Page
Task 3: Process Monitor (ProcMon)
In this task, we will explore how to use Process Monitor (ProcMon) to track
and analyze malware's behavior. ProcMon is a powerful tool from the
Sysinternals suite, a set of utilities developed by Winternals Software and
acquired by Microsoft in 2006. The suite includes various tools designed to
offer advanced capabilities for Windows systems, and ProcMon is one of the
most commonly used utilities in security research. Throughout this room and
others, we will be using ProcMon alongside other Sysinternals tools.
Getting Started
To begin, please start the attached virtual machine (VM). The VM will open in a
split view. Alternatively, use the following credentials to log into the system:
 Username:
 Password:
 Once the machine is running, navigate to the following directory to
launch ProcMon:
Desktop > Tools > Utilities > procmon.exe. After launching ProcMon,
you should see the following interface.
1. Understanding ProcMon Controls
The ProcMon window is designed with several key controls, each serving a
specific purpose. Below is a brief overview of some critical controls:
1. Open/Save Options: These allow you to open a file containing ProcMon
events or save current events to a file.
2. Clear Option: This clears all the events visible in the window, useful for
reducing noise after running a malware sample.
3. Filter Option: This allows you to filter events to focus on specific
actions or processes, essential for narrowing down relevant data.
4. Event Toggles: These toggles allow you to filter events related to
Registry, File System, Network, Process/Thread, and Profiling
activities.

6 | Page
 1 2 3
4

Below these controls, the event details such as Time, Process, Process ID
(PID), Event Name, Path, Result, and Details will be displayed, with the
events listed in chronological order. ProcMon typically generates a lot of data,
so filtering to focus on relevant information is key.
2. Filtering Events in ProcMon
ProcMon allows you to filter events easily. For example, to filter events related
to a specific process, you can right-click on the Process Name column and
choose from the filtering options:

7 | Page
  Include Ordine.exe: This column shows that the
executable Ordine.exe is performing various operations
Operation:
 Lists actions taken by the process, such as CreateFile, RegQueryKey,
and CloseFile.
 CreateFile doesn’t necessarily mean creating a new file; it often refers to
opening or accessing an existing file

3. Using the Process Tree Feature

ProcMon also provides the ability to view processes in a parent-child
relationship, forming a process tree. You can access this feature by clicking the
Process Tree icon in the menu. This view helps you understand the relationship
between processes, which can be particularly useful for identifying malicious
processes spawned by other processes.

8 | Page
4. Advanced Filtering in ProcMon
For more precise filtering, ProcMon offers advanced options. Access this
through the Filter menu (labeled as 3 in the initial screenshot). The advanced
filter window lets you define specific filter conditions, such as:
 Process Name: Choose a specific process to include or exclude.
 Relation: Set criteria for how filters relate to one another.
 Action: Decide whether an event should be included or excluded based
on the defined filters.
These filters are applied immediately and help streamline the analysis by
focusing only on relevant events.

The Ordine.exe process shown in Process Monitor is performing various

operations, including accessing files and querying registry keys. It encounters
results like ACCESS DENIED and SUCCESS, indicating potential security
concerns or investigations.

Step 1: Use the Filter Method

9 | Page
 1. Open Process Monitor.
2. Click on Filter in the top menu or press Ctrl + L.
3. In the Filter window, set the following condition:
 Column: Process Name
 Value: Ordine.exe
 Click Add, then OK.
This will filter the output to show only events related to Ordine.exe.

Step 2: Review All Activities

 Once the filter is applied, you can see all activities performed
by Ordine.exe, including file operations, registry changes, and network
connections.
 Scroll through the list to examine operations
like CreateFile, RegQueryKey, CloseFile, etc.
 Double-click any entry to see detailed information about the operation.

10 | P a g e
Step 3: Monitor the Activity
 Keep Process Monitor running to observe real-time activity as it happens.
This allows you to track how Ordine.exe interacts with the system, which
can help identify suspicious behavior.

Answer the questions below-----------------------------------------------------------

What is the full path of the first process created by Ordine.exe in

ProcMon?
Answer: C:\Windows

What is the significance of a registry key with a length of 70 and the value
%Skvalderhovedet%\basserallers.Ald?
Answer: REG_EXPAND_SZ

11 | P a g e
Task 4: Regshot
The tool Regshot provides a straightforward way to detect changes in the
Windows registry, which can be especially useful in malware analysis. With
Regshot, we can track which registry keys have been created, deleted, or
modified by taking snapshots before and after malware execution. The steps to
execute this are as follows:
1. Launching Regshot: Navigate to the tool's location on the VM, typically
found at ~Desktop\Tools\Utilities\Regshot-x64-Unicode.exe, and start the
application. The interface will show options to save the log format as
plain text or HTML.
2. Taking the First Snapshot:
 In the Regshot interface, you’ll see options for “1st shot” and “2nd
shot.”
 Click on 1st shot to capture the initial state of the registry. The tool
provides an option to save this shot for later comparison.
 (Optional) Enable Scan dir1 if you want to monitor changes to
specific file system directories. However, we’re focusing only on
registry changes for this example.

12 | P a g e
 3. Comparing Snapshots:
 With both snapshots taken, click Compare to generate a detailed log
of the differences. This report will highlight added, deleted, and
modified registry keys, showing exactly what changes the malware
made.
4. Reviewing the Results:
 The results page in Regshot presents a summary, which includes
entries for keys and values that have been modified.
 If the Scan dir1 option was enabled, changes in selected directories
would also be displayed in the comparison results. However, in this
case, it’s disabled to focus solely on registry changes.
5. Saving the Comparison Log:
 You can save the comparison results by clicking Output. The saved
log file includes metadata such as the date and time of both
snapshots, the computer and username, and detailed information on
registry modifications.

Answer the questions below-----------------------------------------------------------

Q1) What format can Regshot save the comparison log as?
Answer: Plain text, HTML

13 | P a g e
Task 5: Conclusion of the Basic Dynamic Analysis Room
In this room, we covered foundational skills in dynamic malware analysis,
including:
 Monitoring Process Activities: Using Process Monitor (ProcMon), we
learned how to track a process's activities in real-time and apply filters to
focus on our target process, allowing us to observe specific behaviors
without interference from other processes.
 Detecting Evasion Techniques: Process Explorer helped us detect
techniques like Process Masquerading (where malware tries to disguise
itself as a legitimate process) and Process Hollowing (where malicious
code is injected into a legitimate process's memory).
 Tracking Registry Changes: We used Regshot to identify changes made
by malware in the Windows registry, which can provide clues about
persistence mechanisms or system modifications.
This room has shown us that malware analysis requires patience, persistence,
and attention to detail. Malware authors are constantly evolving their
techniques to thwart analysis efforts, and what we’ve learned here forms just the
foundation. In future rooms, we’ll explore advanced techniques to analyze and
understand even more sophisticated malware.
We’re excited to hear what you found most interesting! Share your thoughts on
our LinkedIn or Website let's keep the conversation going

14 | P a g e