We covered basic dynamic malware analysis using Process Monitor (ProcMon) to uncover network connections, processes spawned by the malware and other important artifacts. This was part of the TryHackMe Basic Dynamic Analysis room.
Setup and Execution of Malware Sample

The controls of ProcMon are self-explanatory. The labels in the screenshot mark some of the critical controls; the event data is shown below these controls.
- Shows the Open and Save options. These options are for opening a file that contains ProcMon events or saving the events to a supported file.
- Shows the Clear option. This option clears all the events currently being shown by ProcMon. It is good to clear the events once we execute a malware sample of interest to reduce noise.
- Shows the Filter option, which gives us further control over the events shown in the ProcMon window.
- These are toggles that turn Registry, File System, Network, Process/Thread, and Profiling events on or off.
Below these controls, we can see from left to right the Time, Process, Process ID (PID), Event Name, Path, Result and Details of the activity. We can observe that events are shown in chronological order. Generally, ProcMon will show an overwhelming number of events occurring on the system. For ease of analysis, it is wise to filter the events to those of our interest.
ProcMon allows easy filtering of events from the events window itself. If we right-click on the process column on the process of our choice, a pop-up menu opens up. We can see different options in the pop-up menu. Some of these options are related to filtering. For example, if we choose the option Include 'Explorer.EXE', ProcMon will only show events with Process Name Explorer.EXE. If we choose the option Exclude 'Explorer.EXE', it will exclude Explorer.EXE from the results. Similarly, we can right-click on other columns of the events window to filter on other attributes.
Registry Keys, Files, and Mutexes
Each handle type provides a clue to the malware's function:
- Registry Keys: Malicious binaries might access or modify registry settings linked to autostart or keystroke logging.
- Files: If malware tries to access or alter critical or unrelated system files, it’s a red flag.
- Mutexes: used to manage access to shared resources; because malware often hard-codes them, unique mutex names can help identify malware variants.
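The Include/Exclude filtering and the per-event-class view described above can be reproduced offline against a ProcMon CSV export (File > Save, CSV format). The following is an added example written for this post, not code from TryHackMe or Sysinternals: it parses a constructed CSV sample (the column names match ProcMon's default export, every row is made up), filters by process name the way the right-click Include/Exclude options do, tallies events by the same classes the toolbar toggles use, and pulls out the first network endpoint, the first file opened for writing, and any writes to autostart registry keys. The process name `sample.exe`, the PIDs, the hostname `analyst-vm` and the domain `example.invalid` are all assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of a ProcMon CSV export. The column names are the ones
# ProcMon writes with its default columns; every row below is made up for this
# example and does not describe any real sample.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0010","Explorer.EXE","1234","RegQueryValue","HKCU\\Software\\Classes\\exefile","SUCCESS","Type: REG_SZ"
"10:00:01.1200","sample.exe","4321","Process Start","","SUCCESS","Parent PID: 1234"
"10:00:01.1300","sample.exe","4321","CreateFile","C:\\dropped.bin","SUCCESS","Desired Access: Generic Write"
"10:00:01.1400","sample.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","SUCCESS","Type: REG_SZ, Data: C:\\dropped.bin"
"10:00:01.1500","sample.exe","4321","TCP Connect","analyst-vm:49712 -> example.invalid:80","SUCCESS","Length: 0"
"10:00:01.1600","sample.exe","4321","TCP Send","analyst-vm:49712 -> example.invalid:80","SUCCESS","Length: 142"
"10:00:01.1700","svchost.exe","800","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp","SUCCESS","Type: REG_DWORD"
"""

# Registry locations that make a program run at logon. A write here by an
# unknown binary is the "registry keys linked to autostart" red flag.
AUTOSTART_KEY_FRAGMENTS = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
)


def load_events(csv_text):
    """Parse a ProcMon CSV export into a list of dicts, one per event row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def include_process(events, name):
    """Equivalent of right-click > Include '<name>': keep only that process."""
    return [e for e in events if e["Process Name"].lower() == name.lower()]


def exclude_process(events, name):
    """Equivalent of right-click > Exclude '<name>': drop that process."""
    return [e for e in events if e["Process Name"].lower() != name.lower()]


def event_class(operation):
    """Map an Operation name onto the classes the toolbar toggles control."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "process"
    return "file"


def summarize(events):
    """Count events per class: a quick view of what the sample mostly does."""
    return dict(Counter(event_class(e["Operation"]) for e in events))


def first_network_endpoint(events):
    """(operation, remote endpoint) of the first network event, or None.
    ProcMon writes network paths as 'local:port -> remote:port'."""
    for e in events:
        if event_class(e["Operation"]) == "network":
            remote = e["Path"].split("->")[-1].strip()
            return e["Operation"], remote
    return None


def first_file_opened_for_write(events, under="C:\\"):
    """Path of the first successful CreateFile with write access under a
    directory, or None. CreateFile in ProcMon covers opens as well as creates,
    so the Detail column is checked for Generic Write."""
    for e in events:
        if (e["Operation"] == "CreateFile" and e["Result"] == "SUCCESS"
                and "Generic Write" in e["Detail"]
                and e["Path"].lower().startswith(under.lower())):
            return e["Path"]
    return None


def autostart_writes(events):
    """Registry value writes that land in a known autostart location."""
    return [e["Path"] for e in events
            if e["Operation"] == "RegSetValue"
            and any(f.lower() in e["Path"].lower() for f in AUTOSTART_KEY_FRAGMENTS)]


if __name__ == "__main__":
    events = include_process(load_events(SAMPLE_CSV), "sample.exe")
    print(summarize(events))
    print("first network:", first_network_endpoint(events))
    print("first file written:", first_file_opened_for_write(events))
    print("autostart writes:", autostart_writes(events))
```

Run it against a real export by reading the CSV into `SAMPLE_CSV`'s place; the filter functions are case-insensitive because ProcMon itself shows `Explorer.EXE` while other tools report `explorer.exe`. Note that mutex creation does not appear in ProcMon at all; that comes from an API-monitoring tool, which is why the questions below ask about it separately.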
Indicators of Compromise
Indicators such as a missing or invalid signature, suspicious registry access, and unknown network connections should be analyzed in combination, not in isolation, to confirm a file's malicious nature.
String Analysis in Disk vs. Memory
Discrepancies between strings in the disk version and the memory-resident version of a binary strongly suggest process hollowing. This technique allows malware to evade detection while using trusted system binaries as camouflage.
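The disk-versus-memory comparison above is what Process Explorer's Strings tab does with its Image and Memory options. As an added example (not code from the room or from Sysinternals), the block below extracts printable ASCII and UTF-16LE strings the way a `strings` utility does, diffs the set found in the on-disk image against the set found in memory, and flags memory-only strings that look like URLs or file paths. The two byte blobs are constructed stand-ins for a process image on disk and in memory; the URL `http://example.invalid/beacon` and the path `C:\Users\lab\loot.txt` are invented.

```python
import re

# Runs of 4+ printable characters, in ASCII and in UTF-16LE (the encoding
# Windows uses for most in-process string data).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

URL_LIKE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
PATH_LIKE = re.compile(r"^[A-Za-z]:\\")


def extract_strings(blob):
    """Set of printable strings in a byte blob, like `strings` output."""
    found = {m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)}
    found.update(m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob))
    return found


def classify(s):
    """Coarse label for a string: url, path, or other."""
    if URL_LIKE.match(s):
        return "url"
    if PATH_LIKE.match(s):
        return "path"
    return "other"


def compare_image_strings(disk_blob, memory_blob):
    """Diff the strings of the on-disk image against the in-memory image."""
    disk = extract_strings(disk_blob)
    mem = extract_strings(memory_blob)
    return {
        "shared": len(disk & mem),
        "only_on_disk": sorted(disk - mem),
        "only_in_memory": sorted(mem - disk),
    }


def hollowing_indicators(report):
    """Memory-only strings that look like network or file indicators; these
    are the discrepancies worth chasing, since the on-disk binary never
    contained them."""
    return [(classify(s), s) for s in report["only_in_memory"]
            if classify(s) != "other"]


# Constructed stand-ins for the same process image on disk and in memory.
# Neither is taken from a real binary.
DISK_IMAGE = (b"MZ\x90\x00This program cannot be run in DOS mode.\x00"
              b"kernel32.dll\x00GetProcAddress\x00" + b"\x00" * 8)
MEMORY_IMAGE = (DISK_IMAGE
                + b"http://example.invalid/beacon\x00WriteProcessMemory\x00\x00"
                + "C:\\Users\\lab\\loot.txt".encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    report = compare_image_strings(DISK_IMAGE, MEMORY_IMAGE)
    print("shared:", report["shared"])
    print("only in memory:", report["only_in_memory"])
    print("indicators:", hollowing_indicators(report))
```

A live process always has strings in memory that are not on disk (heap contents, strings from loaded DLLs), so the comparison is only meaningful over the executable's own image region, which is what Process Explorer's Image/Memory view confines itself to. Treat a large, unexplained memory-only set with network or path indicators as a hint to confirm with the other evidence on this page, not as proof of hollowing on its own.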
Network Forensics
Active connections made by unknown or unsigned binaries to unrecognized IP addresses are highly suspicious. Such behavior often indicates exfiltration or remote command execution.
Manual Verification Tools
Analysts are encouraged to right-click binaries in Process Explorer to inspect properties such as image path, command line, version, and digital signature. This helps in determining the authenticity of processes.
Process Hollowing vs. Legitimate Processes
We used Windows Logon (winlogon.exe) as an example of a typically trusted process, and contrasted it with scenarios where even a verified binary can be hijacked in memory, a hallmark of advanced persistent threats.
Threat Simulation & Correlation
A critical takeaway is that malware analysis is a correlation task. Outputs from Process Monitor, Process Explorer, and tools like VirusTotal should be synthesized to reach meaningful conclusions.
CPU and RAM usage statistics are more than just performance data; they’re behavioral indicators. High usage by unknown binaries might suggest cryptomining or ransomware.
TryHackMe Basic Dynamic Malware Analysis Room Answers
~Desktop\Samples\1.exe using ProcMon. This sample makes a few network connections. What is the first URL on which a network connection is made?
What network operation is performed on the above-mentioned URL?
What is the name with the complete full path of the first process created by this sample?
~Desktop\samples\1.exe creates a file in the C:\ directory. What is the name with the full path of this file?
What API is used to create this file?
In Question 1 of the previous task, we identified a URL to which a network connection was made. What API call was used to make this connection?
We noticed in the previous task that after some time, the sample’s activity slowed down such that there was not much being reported against the sample. Can you look at the API calls and see what API call might be responsible for it?
What is the name of the first Mutex created by the sample ~Desktop\samples\1.exe? If there are numbers in the name of the Mutex, replace them with X.
Is the file signed by a known organization? Answer with Y for Yes and N for No.
Is the process in the memory the same as the process on disk? Answer with Y for Yes and N for No.
~Desktop\Samples\3.exe using Regshot. There is a registry value added that contains the path of the sample in the format HKU\S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXX-XXX\. What is the path of that value after the format mentioned here?