Introduction To Basic Dynamic Malware Analysis

Dynamic Malware Analysis involves executing suspicious programs in a controlled environment to observe their behavior and extract Indicators of Compromise (IOC). The analysis focuses on Host-Based Indicators, which are signs of malicious activity on the local system, and utilizes various tools like Procmon and Regshot to monitor changes. A lab activity is included, guiding users to analyze a specific executable and document the observed indicators.

Introduction to Basic Dynamic Malware Analysis

Basic Dynamic Analysis
Dynamic Malware Analysis is the process of executing a suspicious program in a controlled environment (like a virtual machine) to see what it actually does: what files it creates, what websites it connects to, or what damage it tries to do.
Why this Analysis Step
• Extraction of IOCs
• Extracting Indicators of Compromise (IOC) means identifying and collecting the clues left behind by malware during its execution, so that these clues can help detect or block similar threats in the future.
How Dynamic Analysis fits into Malware Analysis
1. Static Analysis (Basic Info)
2. Dynamic Analysis (Live execution)
3. Advanced Static Analysis (Assembly Language, Decompiling and Disassembling Malware)
4. Advanced Dynamic Analysis (Debugging Malware)
Let's Start
In Basic Dynamic Analysis, we execute the malware inside the virtual environment and then, after execution, analyze the Host-Based Indicators and the Network-Based Indicators it left behind.
Host Based Indicators
Host-Based Indicators are the signs of infection or malicious activity that are found on the local system (host) where the malware was executed. The goal is to detect what changes the malware made inside the victim machine.
Common Examples of Host-Based Indicators
Category         Example
File Changes     C:\Users\Public\shell.dll created
Registry Edits   Adds to HKCU\Software\Microsoft\Windows\...\Run
New Processes    Spawns cmd.exe, powershell.exe, or custom exe
Persistence      Scheduled tasks, services, autorun entries
DLL Injection    Injects malicious code into legitimate processes
User Account     Adds new admin user without permission
Tools to Capture HBI
Tool               Function
Procmon            Monitors live changes (file, process, registry)
Regshot            Compare registry before/after malware execution
Process Explorer   View running processes & memory locations
Autoruns           Detect persistence entries
Task Scheduler     View scheduled tasks created by malware
Process Monitor
How to note your Result
1. [HBI] File Created: C:\Users\Public\evil.exe
2. [HBI] Registry Key Added: HKCU\...\Run\stealer.exe
3. [HBI] Process Created: cmd.exe /c start malware.exe
4. [HBI] Service Registered: MalwareService
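As an added example (not code from the slides), the following Python script turns rows of a Procmon CSV export into notes in the [HBI] format shown above, so the log review described in the tools table can be repeated consistently instead of by eye. The sample rows are constructed for this example in the shape of a Procmon CSV export (columns Time of Day, Process Name, PID, Operation, Path, Result, Detail); the process name activity_sim.exe is taken from the lab below, and the operation names and Detail strings matched on (CreateFile with OpenResult, RegSetValue, Process Create with Command line) are assumptions about Procmon's export format that should be checked against your own capture.

```python
import csv
import io

# Constructed sample in the shape of a Procmon CSV export (File > Save... > CSV).
# These rows are made up for this example; they are not a real capture.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010","activity_sim.exe","4120","CreateFile","C:\Users\Public\evil.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:02:11.0020","activity_sim.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, OpenResult: Opened"
"10:02:11.0350","activity_sim.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\stealer","SUCCESS","Type: REG_SZ, Length: 54, Data: C:\Users\Public\evil.exe"
"10:02:11.0400","activity_sim.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4388, Command line: cmd.exe /c start C:\Users\Public\evil.exe"
"10:02:11.0500","activity_sim.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Query Value"
"10:02:12.0000","explorer.exe","1180","CreateFile","C:\Users\analyst\AppData\Local\Temp\tmp1.dat","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
'''

# Assumption: the usual Run/RunOnce autostart keys, used to label persistence writes.
AUTORUN_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def procmon_to_hbi(csv_text, suspect="activity_sim.exe"):
    """Return de-duplicated [HBI] notes for rows produced by the suspect process."""
    notes = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != suspect.lower():
            continue  # only the sample's own activity; other processes are noise here
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        note = None
        if op == "CreateFile" and ("OpenResult: Created" in detail or "OpenResult: Overwritten" in detail):
            # Opens of existing files (DLL loads, reads) are skipped; only new or overwritten files count
            note = f"[HBI] File Created: {path}"
        elif op == "RegSetValue":
            label = "Registry Run Key Added" if any(m in path.lower() for m in AUTORUN_MARKERS) else "Registry Value Set"
            note = f"[HBI] {label}: {path}"
        elif op == "Process Create":
            # Procmon records the child's command line in the Detail column
            cmdline = detail.split("Command line: ", 1)[1] if "Command line: " in detail else path
            note = f"[HBI] Process Created: {cmdline}"
        if note and note not in seen:
            seen.add(note)
            notes.append(note)
    return notes


if __name__ == "__main__":
    for line in procmon_to_hbi(SAMPLE_PROCMON_CSV):
        print(line)
```

Filtering on the sample's process name is a first pass only: a sample that injects into another process (the DLL Injection row in the indicators table) will show its file and registry activity under the host process's name, so widen the filter to the child PIDs reported in Process Create rows when the Procmon log suggests injection.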
Lab Activity
You are provided with a suspicious executable named 'activity_sim.exe'. Your task is to perform dynamic analysis in a virtual environment to observe and extract Host-Based Indicators (HBIs). Begin by taking a snapshot of your virtual machine to preserve the clean state. Use Regshot to capture the initial state of the Windows registry, and run Process Monitor (Procmon) to observe system activity in real time. Once your monitoring tools are active, execute the 'activity_sim.exe' file and closely observe its behavior. After execution, take a second snapshot with Regshot and compare it to identify registry modifications. Additionally, analyze the Procmon log for signs of file creation, process execution, or registry access. Based on your analysis, identify and document at least three distinct host-based indicators, specifying what type of change occurred, the exact path or value, and which tool was used to observe each indicator. Your response should be clearly structured and supported by the evidence gathered during your analysis.
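As an added example (not code from the slides or from Regshot itself), this Python script shows the before/after registry comparison the lab asks for, written out so the reasoning behind the "Registry Key Added" and "Service Registered" notes is visible. The two snapshots are constructed dicts standing in for Regshot's two shots; the key paths, values, the noise list and the labelling rules are all assumptions made for the example. Each note records the tool, as the lab requires.

```python
# Constructed "before" and "after" registry snapshots, in the spirit of Regshot's two-shot compare.
# Each snapshot maps a key path to {value name: data}. All entries are made up for this example.
SNAPSHOT_BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU": {"MRUList": "a", "a": r"notepad\1"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp": {"Start": "2"},
}
SNAPSHOT_AFTER = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "stealer": r"C:\Users\Public\evil.exe",
    },
    # The analyst's own Run dialog left a trace here; OS-driven churn like this must not be reported as an HBI
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU": {
        "MRUList": "ba", "a": r"notepad\1", "b": r"activity_sim.exe\1",
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp": {"Start": "2"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\MalwareService": {"ImagePath": r"C:\Users\Public\evil.exe", "Start": "2"},
}

# Assumption: key prefixes known to change on their own between two shots (MRU lists, timestamps, ...).
# Build this list from a clean before/after run with no sample executed in your own VM.
NOISE_PREFIXES = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",)
SERVICES_PREFIX = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"


def compare_snapshots(before, after, noise_prefixes=NOISE_PREFIXES):
    """Diff two snapshots and return [HBI] notes, each tagged with the tool that produced it."""
    findings = []

    def note(kind, what):
        findings.append(f"[HBI] {kind}: {what} (tool: Regshot)")

    # Pass 1: keys and values that are new or changed in the second shot
    for key in sorted(after):
        if key.startswith(noise_prefixes):
            continue
        if key not in before:
            if key.startswith(SERVICES_PREFIX):
                # A brand-new subkey under Services is a newly registered service (persistence)
                note("Service Registered", key[len(SERVICES_PREFIX):])
            else:
                note("Registry Key Added", key)
            for name, data in sorted(after[key].items()):
                note("Registry Value Added", f"{key}\\{name} = {data}")
            continue
        for name, data in sorted(after[key].items()):
            if name not in before[key]:
                note("Registry Value Added", f"{key}\\{name} = {data}")
            elif before[key][name] != data:
                note("Registry Value Modified", f"{key}\\{name}: {before[key][name]} -> {data}")

    # Pass 2: keys and values that disappeared (e.g. a sample disabling a security setting)
    for key in sorted(before):
        if key.startswith(noise_prefixes):
            continue
        if key not in after:
            note("Registry Key Deleted", key)
            continue
        for name in sorted(set(before[key]) - set(after[key])):
            note("Registry Value Deleted", f"{key}\\{name}")
    return findings


if __name__ == "__main__":
    for line in compare_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(line)
```

The noise list is the part that needs the most care: Regshot reports every key that changed between the two shots, including ones Windows itself touches while you move the mouse, so a finding is only an HBI once you can tie it to the sample's execution, which is where the Procmon timeline comes in.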
