# 4. Perform Dynamic Malware Analysis

{% embed url="<https://youtu.be/k4_l1-SHtu8>" %}
Dynamic Malware Analysis - Let's Defend
{% endembed %}

## 1. Perform Port Monitoring with TCPView and CurrPorts

**TCPView** is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of the TCP connections. It provides a subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. When TCPView runs, it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain names.

**CurrPorts** is a network monitoring tool that displays a list of all currently open TCP/IP and UDP ports on the local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, the full path of the process, its version information (product name, file description, etc.), the time the process was created, and the user that created it.

In addition, CurrPorts allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP port information to an HTML file, XML file, or to tab-delimited text file.

CurrPorts also automatically marks suspicious TCP/UDP ports owned by unidentified applications (applications without version information and icons) in pink.

{% embed url="<https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview>" %}

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FBL597KW0vseS2f4Nbf6k%2Fimage.png?alt=media&#x26;token=48a75670-39b0-4aa0-bdc8-6da84e80797c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2Fy2H1U8kN9zTQM8Kp0vm0%2Fimage.png?alt=media&#x26;token=eec85916-1ee7-4369-90fc-ba538a7a71fd" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.nirsoft.net/utils/cports.html>" %}

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FFEBzY4phd5M0ZMbQEW45%2Fimage.png?alt=media&#x26;token=070210bd-b7ef-4147-a792-13bade42aed3" alt=""><figcaption></figcaption></figure>
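The same port-to-process mapping done from PowerShell, as an added example that is not from the page or from the TCPView/CurrPorts tools: it lists every TCP/UDP endpoint with its owning process, optionally reverse-resolves remote IPs the way TCPView does, and flags endpoints whose owner carries no product/version information, which is the rule CurrPorts uses to colour rows pink. The function name, parameters and output columns are this example's own choices; it assumes a Windows 8/Server 2012 or later host where the `NetTCPIP` cmdlets are available.

```powershell
# Added example, not from the page or from TCPView/CurrPorts: list every TCP/UDP endpoint with its
# owning process, optionally reverse-resolve remote IPs as TCPView does, and flag endpoints whose
# owner has no product/version information, which is the rule CurrPorts uses to colour rows pink.
function Get-EndpointOwnerReport {
    [CmdletBinding()]
    param(
        [switch]$ResolveNames,   # reverse DNS per remote IP; slow, and it generates DNS traffic from the sandbox
        [string]$OutFile         # optional CSV export, the equivalent of CurrPorts' save-to-file
    )
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[$p.Id] = $p }

    $rows = @()
    $rows += Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Local = "$($_.LocalAddress):$($_.LocalPort)"
                           Remote = "$($_.RemoteAddress):$($_.RemotePort)"; State = "$($_.State)"; PID = [int]$_.OwningProcess }
    }
    $rows += Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Local = "$($_.LocalAddress):$($_.LocalPort)"; Remote = '*'; State = ''; PID = [int]$_.OwningProcess }
    }

    foreach ($r in $rows) {
        $p = $byPid[$r.PID]; $path = $null; $product = $null
        # Path and version info need rights over the process; both throw for protected or other-user processes
        if ($p) { try { $path = $p.Path; $product = $p.FileVersionInfo.ProductName } catch { } }
        $remoteHost = ''
        if ($ResolveNames -and $r.Proto -eq 'TCP' -and $r.State -eq 'Established') {
            $ip = $r.Remote -replace ':\d+$', ''
            try { $remoteHost = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $remoteHost = '?' }
        }
        # PID 0 (Idle) and 4 (System) legitimately have no image version info; anything else without it is suspect
        $suspicious = ($r.PID -gt 4 -and [string]::IsNullOrEmpty($product))
        $r | Add-Member -NotePropertyMembers @{
            Process = $(if ($p) { $p.ProcessName } else { '<exited>' }); Path = $path; Product = $product
            RemoteHost = $remoteHost; Suspicious = $suspicious }
    }
    if ($OutFile) { $rows | Export-Csv -Path $OutFile -NoTypeInformation }
    return $rows
}

# Usage: suspicious rows first, the way CurrPorts highlights them
Get-EndpointOwnerReport | Sort-Object Suspicious -Descending |
    Format-Table Proto, Local, Remote, State, PID, Process, Product, Suspicious -AutoSize
```

Run it once before and once after the sample starts; the new rows attributed to the sample (or to a process it spawned) are the endpoints worth following in the network capture.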

## 2. Process Monitoring using Process Monitor

{% embed url="<https://learn.microsoft.com/en-us/sysinternals/downloads/procmon>" %}

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FO4lpXOMt6AcCuBfuck2m%2Fimage.png?alt=media&#x26;token=3c986682-372f-4cbd-a042-6537413fa388" alt=""><figcaption></figcaption></figure>

1. Observe that the **Trojan.exe** process is running on the machine. Process Monitor shows the running process details such as the PID, Operation, Path, Result, and Details.

   ![](https://labondemand.blob.core.windows.net/content/lab168800/screens/vuq5jmcq.jpg)
2. To view the properties of a running process, select the process (here, **Trojan.exe**), right-click on the process and select **Properties** from the context menu.

   ![](https://labondemand.blob.core.windows.net/content/lab168800/screens/q4ktfns2.jpg)
3. The **Event Properties** window appears with the details of the chosen process.
4. In the **Event** tab, you can see the complete details of the running process such as Date, Thread, Class, Operation, Result, Path, and Duration.

   ![](https://labondemand.blob.core.windows.net/content/lab168800/screens/tdb3uslb.jpg)
5. Once the analysis is complete, click the **Process** tab.
6. The **Process** tab shows the complete details of the process running, as shown in the screenshot.

   ![](https://labondemand.blob.core.windows.net/content/lab168800/screens/ql1zrodk.jpg)
7. Click the **Stack** tab to view the call stack of the selected event, including the DLLs whose frames appear in it. Once the analysis is done, click **Close**.

   ![](https://labondemand.blob.core.windows.net/content/lab168800/screens/xcxg0plb.jpg)
8. This way, you can analyze the processes running on a machine.
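The steps above use the Process Monitor GUI. The same inspection run unattended, as an added example that is not from the page or from Sysinternals: it captures to a backing file around the sample's run, converts the log to CSV and summarises the operations of the sample process (Trojan.exe, as on the page) by operation type. It assumes `Procmon.exe` is on the PATH, the script runs elevated inside the sandbox VM, and the function and parameter names are this example's own.

```powershell
# Added example, not from the page: Process Monitor driven from the command line instead of the GUI.
# /Quiet suppresses the filter dialog, /BackingFile keeps events on disk, /Terminate stops the capture,
# and /OpenLog + /SaveAs converts the PML to CSV (columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail).
function Invoke-ProcmonCapture {
    param(
        [Parameter(Mandatory)][string]$SamplePath,   # the suspect file to detonate in the sandbox VM
        [string]$ProcessName = 'Trojan.exe',         # process name to summarise, as in the lab
        [int]$SettleSeconds = 60,                     # how long to let the sample run before stopping the capture
        [string]$WorkDir = "$env:TEMP\procmon"        # hypothetical working directory
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $pml = Join-Path $WorkDir 'capture.pml'; $csv = Join-Path $WorkDir 'capture.csv'

    # Start a headless capture, give the driver a moment to load, run the sample, then stop the capture
    Start-Process -FilePath 'Procmon.exe' -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
    Start-Sleep -Seconds 5
    Start-Process -FilePath $SamplePath
    Start-Sleep -Seconds $SettleSeconds
    Start-Process -FilePath 'Procmon.exe' -ArgumentList '/Terminate' -Wait

    # Convert the backing file to CSV so it can be filtered without the GUI
    Start-Process -FilePath 'Procmon.exe' -ArgumentList "/AcceptEula /OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

    # Keep only the sample's events and group them the way the Event tab would show them one by one
    $events = Import-Csv -Path $csv | Where-Object { $_.'Process Name' -eq $ProcessName }
    $events | Group-Object Operation | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'SamplePaths'; e = { ($_.Group.Path | Select-Object -Unique -First 3) -join '; ' } }
}

# Usage: Invoke-ProcmonCapture -SamplePath 'C:\samples\Trojan.exe' | Format-Table -AutoSize
```

Operations such as RegSetValue, WriteFile and Process Create in the summary are the ones to open next in the GUI, since they show where the sample persists, what it drops and what it spawns.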

## <mark style="color:red;">3. Registry Monitoring using Reg organizer</mark>

{% embed url="<https://www.chemtable.com/organizer.htm>" %}

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FYvoftBPQaQ3GKtEoRZ2X%2Fimage.png?alt=media&#x26;token=c953111f-d0e5-4959-9ab0-6ba2aa9c2fcd" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FxZtUo1jPRpvNO8OWAwQT%2Fimage.png?alt=media&#x26;token=62e0a10e-e217-4fa7-99b8-04216be563f7" alt=""><figcaption></figcaption></figure>

## <mark style="color:red;">4. Windows Service Monitoring using windows service manager (SrvMan)</mark>

Attackers design malware and other malicious code so that it installs and runs on a computer in the form of a service. As most services run in the background to support processes and applications, malicious services are invisible, even while performing harmful activities on the system, and can function without intervention or input. Malware spawns Windows services that allow attackers to control the victim machine and pass malicious instructions remotely. Malware may also employ rootkit techniques to manipulate the following registry key to hide its processes and services:

`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services`

These malicious services run as the SYSTEM account or another privileged account, which provides more access than regular user accounts, making them more dangerous than common malware and executable code. Attackers also try to conceal their actions by giving malicious services names similar to genuine Windows services to avoid detection.

You can trace malicious services initiated by the suspect file during dynamic analysis with Windows service monitoring tools such as Windows Service Manager (SrvMan), which can detect changes in services and scan for suspicious Windows services. SrvMan has both GUI and command-line modes. It can also be used to run arbitrary Win32 applications as services (when such a service is stopped, the main application window automatically closes).

{% embed url="<https://sysprogs.com/legacy/tools/srvman/>" %}
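The service change detection described above, done directly against the registry key the text names, as an added example that is not from the page or from SrvMan: it snapshots `HKLM\SYSTEM\CurrentControlSet\Services` before and after the sample runs, reports added and changed services, marks those configured to run as LocalSystem, and flags added names that sit within edit distance 2 of a service that already existed. The function names and the distance threshold are this example's own choices; it assumes an elevated PowerShell session in the sandbox VM.

```powershell
# Added example, not from the page or from SrvMan: snapshot the Services registry key
# before and after the sample runs, diff it, and mark services running as LocalSystem
# or whose new name is within edit distance 2 of an existing service name.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceSnapshot {
    $snap = @{}
    foreach ($k in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $v -or $null -eq $v.ImagePath) { continue }   # subkey is not a service definition
        # ObjectName is 'LocalSystem', 'NT AUTHORITY\...' etc. and absent for drivers; Start: 0 boot .. 4 disabled
        $snap[$k.PSChildName] = [pscustomobject]@{ Name = $k.PSChildName; ImagePath = [string]$v.ImagePath
                                                    Account = [string]$v.ObjectName; Start = [int]$v.Start }
    }
    return $snap
}

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, case-insensitive, for the look-alike name check
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant(); $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Compare-ServiceSnapshot([hashtable]$Before, [hashtable]$After) {
    foreach ($name in $After.Keys) {
        $new = $After[$name]; $old = $Before[$name]
        if (-not $old) { $change = 'ADDED' }
        elseif ($old.ImagePath -ne $new.ImagePath -or $old.Account -ne $new.Account -or $old.Start -ne $new.Start) { $change = 'CHANGED' }
        else { continue }
        $lookalike = $null
        if ($change -eq 'ADDED' -and $name.Length -ge 6) {   # short names give too many near-misses
            $lookalike = $Before.Keys | Where-Object { (Get-EditDistance $_ $name) -le 2 } | Select-Object -First 1
        }
        [pscustomobject]@{ Change = $change; Name = $name; ImagePath = $new.ImagePath; Account = $new.Account
                           Start = $new.Start; RunsAsSystem = ($new.Account -eq 'LocalSystem'); LookAlikeOf = $lookalike }
    }
}

# Usage inside the sandbox VM: baseline, detonate the suspect file, wait, snapshot again, diff
$before = Get-ServiceSnapshot
# ... run the suspect file and let it settle here ...
Compare-ServiceSnapshot -Before $before -After (Get-ServiceSnapshot) | Format-Table -AutoSize
```

A service that appears as ADDED with RunsAsSystem set, an ImagePath outside the Windows directory and a LookAlikeOf match is the pattern the paragraph above describes; changes to an existing service's ImagePath are worth the same attention, since the sample may have hijacked a genuine entry rather than created one.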

## <mark style="color:red;">5. Perform Startup Monitoring using Autoruns for Windows and WinPatrol</mark>

{% embed url="<https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns>" %}

{% embed url="<https://www.bleepingcomputer.com/download/winpatrol/>" %}

## <mark style="color:red;">6. Perform Installation Monitoring using Mirekusoft install monitor</mark>

{% embed url="<https://www.mirekusoft.com/>" %}

## <mark style="color:red;">7. Perform Files and Folder Monitoring using PA File Sight</mark>

{% embed url="<https://www.poweradmin.com/products/file-sight/>" %}

Remote file-monitoring tool; only a trial version is available.

## <mark style="color:red;">8. Device Driver monitoring using DriverView and Driver Reviver</mark>

{% embed url="<https://www.nirsoft.net/utils/driverview.html>" %}

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FIHYujSofmnv9dYvzVako%2Fimage.png?alt=media&#x26;token=1773a1cb-1e8f-4747-9d53-bfa5b6cd0db0" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.reviversoft.com/driver-reviver/>" %}

## <mark style="color:red;">9. DNS monitoring using DNSQuerySniffer</mark>

{% embed url="<https://www.nirsoft.net/utils/dns_query_sniffer.html>" %}

