We covered basic dynamic malware analysis using process monitor to uncover network connections, processes spawned by the malware and other important artifacts.This was part of TryHackMe Basic Dynamic Analysis

Get Computer Forensics Notes

The controls of ProcMon are self-explanatory. The labels in the screenshot show some of the critical controls of the data visible below these controls.

  1. Shows the Open and Save options. These options are for opening a file that contains ProcMon events or saving the events to a supported file.
  2. Shows the Clear option. This option clears all the events currently being shown by ProcMon. It is good to clear the events once we execute a malware sample of interest to reduce noise.
  3. Shows the Filter option, which gives us further control over the events shown in the ProcMon window.
  4. These are toggles to turn off or on Registry, FileSystem, Network, Process/Thread, and Profiling events.

Below these controls, we can see from left to right the Time, Process, Process ID (PID), Event Name, Path, Result and Details of the activity. We can observe that events are shown in chronological order. Generally, ProcMon will show an overwhelming number of events occurring on the system. For ease of analysis, it is wise to filter the events to those of our interest.

ProcMon allows easy filtering of events from the events window itself. If we right-click on the process column on the process of our choice, a pop-up menu opens up. We can see different options in the pop-up menu. Some of these options are related to filtering. For example, if we choose the option Include 'Explorer.EXE', ProcMon will only show events with Process Name Explorer.EXE. If we choose the option Exclude 'Explorer.EXE', it will exclude Explorer.EXE from the results. Similarly, we can right-click on other columns of the events window to filter other options.

Room Answers

If an analyst wants to analyze Linux malware, what OS should their sandbox’s Virtual Machine have?
Monitor the sample ~Desktop\Samples\1.exe using ProcMon. This sample makes a few network connections. What is the first URL on which a network connection is made?

What network operation is performed on the above-mentioned URL?

What is the name with the complete full path of the first process created by this sample?

The sample ~Desktop\samples\1.exe creates a file in the C:\ directory. What is the name with the full path of this file?

What API is used to create this file?

In Question 1 of the previous task, we identified a URL to which a network connection was made. What API call was used to make this connection?

We noticed in the previous task that after some time, the sample’s activity slowed down such that there was not much being reported against the sample. Can you look at the API calls and see what API call might be responsible for it?

What is the name of the first Mutex created by the sample ~Desktop\samples\1.exe? If there are numbers in the name of the Mutex, replace them with X.

Is the file signed by a known organization? Answer with Y for Yes and N for No.

Is the process in the memory the same as the process on disk? Answer with Y for Yes and N for No.

Analyze the sample ~Desktop\Samples\3.exe using Regshot. There is a registry value added that contains the path of the sample in the format HKU\S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXX-XXX\. What is the path of that value after the format mentioned here?

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles