4. Perform Dynamic Malware Analysis

1. Perform Port Monitoring with TCPView and CurrPorts

2. Process Monitoring using Process Monitor

3. Registry Monitoring using Reg organizer

4. Windows Service Monitoring using windows service manager (SrvMan)

Attackers design malware and other malicious code so that it installs and runs on the victim machine as a Windows service. Because most services run in the background to support other processes and applications, a malicious service is easy to overlook even while it is doing harm, and it can operate without any user interaction or input. Services spawned by malware commonly give the attacker remote control of the victim machine and a channel for passing it malicious instructions. Malware may also employ rootkit techniques to tamper with the registry key under which services are defined, hiding its processes and services from the usual tooling:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Such services typically run as the SYSTEM (LocalSystem) account or another privileged account, which grants far more access than a regular user account and makes them more dangerous than ordinary malware and executables running in user context. Attackers also try to hide in plain sight by giving the malicious service a name similar to that of a genuine Windows service.

During dynamic analysis you can trace services created or changed by the suspect file with a Windows service monitoring tool such as Windows Service Manager (SrvMan), which detects changes to services and lets you scan for suspicious ones. SrvMan has both GUI and command-line modes, and it can also run an arbitrary Win32 application as a service (when such a service is stopped, the application's main window is closed automatically).
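The before/after service check described above, as an added PowerShell example (it is not code from the original page and not SrvMan's code): it snapshots the subkeys of HKLM\SYSTEM\CurrentControlSet\Services before and after detonating the sample, reports added, modified and removed services, and flags the traits the text describes (runs as SYSTEM, auto-start, binary outside %SystemRoot%, name within one edit of an existing service). The sample path C:\Samples\suspect.exe, the 60-second wait and the function names are assumptions; run it elevated on a disposable analysis VM.

```powershell
# Added example (not from the page or from SrvMan): diff the Services registry
# key before and after detonation and flag the traits of a malicious service.
# Assumptions: run elevated on a disposable analysis VM; $Sample is hypothetical.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceSnapshot {
    # Read each service's values straight from the registry instead of via
    # Get-Service, so a service hidden from the SCM API can still show up.
    $snap = @{}
    foreach ($k in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        $snap[$k.PSChildName] = [pscustomobject]@{
            Name       = $k.PSChildName
            ImagePath  = [string]$p.ImagePath
            ObjectName = [string]$p.ObjectName                                  # account the service runs as
            Start      = if ($null -ne $p.Start) { [int]$p.Start } else { -1 } # 0 boot, 1 system, 2 auto
            Type       = if ($null -ne $p.Type)  { [int]$p.Type }  else { -1 } # 0x10/0x20 = user-mode service
        }
    }
    return $snap
}

function Compare-ServiceSnapshot {
    param($Before, $After)
    foreach ($n in $After.Keys) {
        if (-not $Before.ContainsKey($n)) {
            [pscustomobject]@{ Change = 'Added'; Service = $After[$n] }; continue
        }
        $b = $Before[$n]; $a = $After[$n]
        if ($b.ImagePath -ne $a.ImagePath -or $b.ObjectName -ne $a.ObjectName -or
            $b.Start -ne $a.Start -or $b.Type -ne $a.Type) {
            [pscustomobject]@{ Change = 'Modified'; Service = $a }
        }
    }
    foreach ($n in $Before.Keys) {
        if (-not $After.ContainsKey($n)) {
            [pscustomobject]@{ Change = 'Removed'; Service = $Before[$n] }
        }
    }
}

function Get-EditDistance {
    # Levenshtein distance, used to catch lookalike names such as svch0st vs. svchost.
    param([string]$a, [string]$b)
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                                     $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-ServiceRedFlags {
    param($Svc, $BaselineNames)
    $flags = @()
    $userMode = ($Svc.Type -band 0x30) -ne 0        # 0x10 own process, 0x20 shared process
    # An empty ObjectName also means LocalSystem.
    if ($userMode -and ($Svc.ObjectName -eq '' -or $Svc.ObjectName -match 'LocalSystem')) { $flags += 'runs as SYSTEM' }
    if ($Svc.Start -ge 0 -and $Svc.Start -le 2) { $flags += 'boot/system/auto start' }
    # Pull the binary out of ImagePath (quoted path, or first token), normalise the
    # kernel-style prefixes drivers use, then check whether it lives under %SystemRoot%.
    $exe = if ($Svc.ImagePath -match '^"([^"]+)"') { $Matches[1] } else { ($Svc.ImagePath -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe) -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($exe -match '^system32\\') { $exe = Join-Path $env:SystemRoot $exe }
    if ($exe -and $exe -notlike "$env:SystemRoot\*") { $flags += "binary outside SystemRoot: $exe" }
    foreach ($n in $BaselineNames) {
        if ($n -ne $Svc.Name -and (Get-EditDistance $n.ToLower() $Svc.Name.ToLower()) -le 1) {
            $flags += "name one edit away from existing service '$n'"; break
        }
    }
    return $flags
}

# --- workflow: baseline, detonate, re-snapshot, report ---
$Sample = 'C:\Samples\suspect.exe'           # hypothetical path to the file under analysis
$before = Get-ServiceSnapshot
Start-Process -FilePath $Sample
Start-Sleep -Seconds 60                       # give the sample time to install its persistence
$after = Get-ServiceSnapshot

foreach ($c in Compare-ServiceSnapshot -Before $before -After $after) {
    $flags = Get-ServiceRedFlags -Svc $c.Service -BaselineNames @($before.Keys)
    '{0,-9} {1,-30} {2}' -f $c.Change, $c.Service.Name, ($flags -join '; ')
    '          ImagePath={0}  ObjectName={1}' -f $c.Service.ImagePath, $c.Service.ObjectName
}
```

Reading the key directly sidesteps user-mode hooks on the service control manager API, but a kernel rootkit that filters registry reads can hide a subkey from this script too; when that is a concern, compare against the SYSTEM hive exported from the VM's disk (or the VM snapshot) rather than the live registry, and cross-check with the Autoruns step below.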

5. Perform Startup Monitoring using Autoruns for Windows and WinPatrol

6. Perform Installation Monitoring using Mirekusoft install monitor

7. Perform Files and Folder Monitoring using PA File Sight

PA File Sight is a file and folder monitoring tool that can also watch remote machines; only a trial version is available free of charge.

8. Device Driver monitoring using DriverView and Driver Reviver

9. DNS monitoring using DNSQuerySniffer
