4. Perform Dynamic Malware Analysis

Dynamic malware analysis, also known as behavioral analysis, involves executing the malware sample in a controlled, isolated environment (typically a disposable virtual machine with no route to production networks) to observe how it interacts with the host system and what changes it makes once it has infected the system. The usual workflow with the monitoring tools below is to record a baseline before the sample runs, execute it, and then compare: new ports, processes, registry keys, services and files are the sample's footprint.

1. Perform Port Monitoring with TCPView and CurrPorts

TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of each TCP connection. It presents a more informative subset of the information available from the Netstat program that ships with Windows, with each endpoint attributed to the process that owns it. The TCPView download includes Tcpvcon, a command-line version with the same functionality. When TCPView runs, it enumerates all active TCP and UDP endpoints and, by default, resolves IP addresses to their domain names; during malware analysis you may want to turn this off (the Resolve Addresses toggle) so that the analysis host's own DNS lookups do not get mixed into the traffic you capture from the sample.

CurrPorts is a network monitoring tool that displays a list of all currently open TCP/IP and UDP ports on the local computer. For each port in the list it also shows information about the process that opened it, including the process name, the full path of the process, its version information (product name, file description, etc.), the time the process was created, and the user that created it.

In addition, CurrPorts lets you close unwanted TCP connections, kill the process that opened a port, and save the TCP/UDP port information to an HTML file, an XML file, or a tab-delimited text file, which makes it easy to diff a snapshot taken before the sample runs against one taken afterwards.

CurrPorts also automatically marks suspicious TCP/UDP ports owned by unidentified applications (applications without version information and an icon) in pink. Treat this as a prompt for review rather than a verdict: malware can carry a forged version resource, and some legitimate tools ship without one.

2. Process Monitoring using Process Monitor

  1. Observe that the Trojan.exe process is running on the machine. Process Monitor logs every file system, registry, network and process/thread operation as a separate event, with columns such as Time of Day, Process Name, PID, Operation, Path, Result, and Detail. To reduce noise, add a filter (Filter > Filter..., Process Name is Trojan.exe, Include) so that only the sample's events are shown.

  2. To view the properties of an event, select one of the events generated by the process (here, Trojan.exe), right-click on it and select Properties from the context menu.

  3. The Event Properties window appears with the details of the chosen event.

  4. In the Event tab, you can see the complete details of the operation: Date, Thread, Class, Operation, Result, Path, and Duration.

  5. Once you have reviewed the event, click the Process tab.

  6. The Process tab shows the details of the process that generated the event, such as image path, command line, user, session, PID, parent PID, and the modules loaded in the process, as shown in the screenshot.

  7. Click the Stack tab to view the call stack of the thread at the moment the event occurred; each frame is attributed to the module (DLL or executable) that contains it, so you can see which code issued the operation. Once the analysis is done, click Close.

  8. This way, you can analyze the processes running on a machine. Note that a filter on Process Name alone misses anything done by processes the sample spawns; follow the Process Create events (the child's PID appears in the Detail column) and add those PIDs to the filter as well.

3. Registry Monitoring using Reg Organizer

4. Windows Service Monitoring using Windows Service Manager (SrvMan)

Attackers design malware and other malicious code so that it installs and runs on the victim's computer as a Windows service. Because most services run in the background to support other processes and applications, a malicious service is effectively invisible while it performs harmful activity on the system, and it can operate without any user intervention or input. Malware spawns Windows services that allow attackers to control the victim machine and pass malicious instructions remotely. Malware may also employ rootkit techniques to manipulate the following registry key, under which every service and driver on the system is defined, in order to hide its processes and services:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

These malicious services run as the SYSTEM account (LocalSystem) or another privileged account, which provides far more access than a regular user account and makes them more dangerous than common malware and executable code. Attackers also try to conceal their services by giving them names similar to genuine Windows services (a single character changed, or a legitimate name with one letter replaced by a look-alike digit) to avoid detection.

You can trace malicious services initiated by the suspect file during dynamic analysis by using Windows service monitoring tools such as Windows Service Manager (SrvMan), which can detect changes in services and scan for suspicious Windows services. For each new or changed service, check its ImagePath (the binary it launches), its ObjectName (the account it runs as; if absent, the service runs as LocalSystem) and its Start value, and compare the service name against the list of services that existed before the sample ran. SrvMan has both GUI and command-line modes. It can also be used to run arbitrary Win32 applications as services (when such a service is stopped, the main application window closes automatically).
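The review described above (which services are new or changed, which run privileged from an untrusted location, and which carry a name that imitates a genuine service) can be done mechanically on two exports of the Services key. The following is an added example, not SrvMan code: it diffs a before and after snapshot of HKLM\System\CurrentControlSet\Services and explains each finding. The snapshots are constructed dicts keyed by service name, using the value names Windows stores per service (ImagePath, ObjectName, Start, Type); on a real host they would be produced with `reg.exe export` or PowerShell's Get-ItemProperty. The hijacked service, the look-alike service name, and all paths are invented for illustration.

```python
r"""Diff two snapshots of HKLM\System\CurrentControlSet\Services and flag
added or changed services. Added example, not SrvMan code; snapshots are
constructed."""
import difflib

BEFORE = {  # constructed clean baseline (subset of a real system)
    "Dhcp":     {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
                 "ObjectName": r"NT AUTHORITY\LocalService", "Start": 2, "Type": 32},
    "Spooler":  {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
                 "ObjectName": "LocalSystem", "Start": 2, "Type": 272},
    "wuauserv": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ObjectName": "LocalSystem", "Start": 3, "Type": 32},
}
AFTER = {**BEFORE,  # constructed post-run snapshot: one service hijacked, one added
    "wuauserv": {"ImagePath": r"C:\ProgramData\WindowsUpdate\wuauserv.exe",
                 "ObjectName": "LocalSystem", "Start": 2, "Type": 16},
    "Spoo1er":  {"ImagePath": r"C:\Users\analyst\AppData\Roaming\svchost.exe -k netsvcs",
                 "ObjectName": "LocalSystem", "Start": 2, "Type": 16},
}

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PRIVILEGED = {"localsystem", r"nt authority\system", ""}   # "" = ObjectName absent


def image_of(command):
    r"""Executable path from an ImagePath value, lower-cased, with the
    %SystemRoot%, \SystemRoot\ and bare system32\ forms normalised to C:\Windows."""
    command = command.strip()
    if command.startswith('"'):
        image = command[1:command.find('"', 1)]
    else:
        low = command.lower()
        hits = [i for i in (low.find(ext) for ext in (".exe", ".sys", ".dll")) if i != -1]
        image = command[:min(hits) + 4] if hits else command.split(" ")[0]
    low = image.lower()
    for prefix in ("%systemroot%\\", "\\systemroot\\", "\\??\\c:\\windows\\"):
        if low.startswith(prefix):
            return "c:\\windows\\" + low[len(prefix):]
    return "c:\\windows\\" + low if low.startswith("system32\\") else low


def runs_privileged(object_name):
    """A missing ObjectName means the service runs as LocalSystem."""
    return (object_name or "").lower() in PRIVILEGED


def lookalikes(name, baseline, threshold=0.8):
    """Baseline service names that differ from `name` but are nearly identical."""
    return [b for b in baseline
            if b.lower() != name.lower()
            and difflib.SequenceMatcher(None, name.lower(), b.lower()).ratio() >= threshold]


def diff_services(before, after):
    """Return [(service name, [reasons])] for services added, changed or removed."""
    findings = []
    for name, svc in after.items():
        old = before.get(name)
        reasons = ["new service"] if old is None else [
            f"{k} changed from {old.get(k)!r} to {svc.get(k)!r}"
            for k in ("ImagePath", "ObjectName", "Start") if old.get(k) != svc.get(k)]
        if not reasons:
            continue                      # unchanged services are not reviewed
        image = image_of(svc["ImagePath"])
        if runs_privileged(svc.get("ObjectName")) and not image.startswith(TRUSTED_DIRS):
            reasons.append(f"privileged service ({svc.get('ObjectName') or 'LocalSystem'}) "
                           f"with image outside trusted directories: {image}")
        for legit in lookalikes(name, before):
            reasons.append(f"name resembles baseline service {legit!r}")
        findings.append((name, reasons))
    findings += [(name, ["service removed"]) for name in before if name not in after]
    return findings


if __name__ == "__main__":
    for name, reasons in diff_services(BEFORE, AFTER):
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The similarity threshold is deliberately loose: a one-character change to a seven-character name scores about 0.86, so "Spoo1er" is reported against "Spooler", while unrelated names stay well below 0.8. Comparing against the baseline rather than a fixed list of Windows service names also catches imitation of third-party services installed on that particular host.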

5. Perform Startup Monitoring using Autoruns for Windows and WinPatrol

6. Perform Installation Monitoring using Mirekusoft install monitor

7. Perform Files and Folder Monitoring using PA File Sight

Remote file monitoring tool. Only trial available.

8. Device Driver Monitoring using DriverView and Driver Reviver

9. DNS Monitoring using DNSQuerySniffer
