DYNAMIC MALWARE ANALYSIS – PROCESS MONITOR AND EXPLORER
From the previous posts we know which artifacts can be identified through static and dynamic analysis of a malware sample. Now it is time to learn how to use the tools that collect those artifacts.
Before getting into the analysis, there are important precautions we have to take so that we don't miss anything and don't cause an infection outside the lab. Please make sure the precautions listed below are followed.
- Avoid building the sandbox in the production network.
- The sandbox should be isolated; make sure it is not connected to the internal network.
- Make sure all the required tools and software are installed and running.
- Set up and back up a restore point (snapshot) of the virtual machine so that it can be reverted after testing the malware. Please refer to the image below for the importance of a restore point.
- Disable all the default anti-virus solutions, the OS firewall, and other security programs.
Why do we have to avoid using the sandbox in the production network?
There are many ways malware can escape a sandbox, and which ones apply depends on who built the malware. A couple of examples:
1. Malware might be built to check whether it is running in a VM/sandbox. If so, it may try to exploit vulnerabilities in the VM and then target the host or the network.
2. If you have configured a file share for some reason, the malware might use it to spread to other systems and escape the sandbox.
Now we will see how to collect the artifacts with the tools, starting with the Microsoft Sysinternals Process Monitor (ProcMon) tool.
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Process Monitor can monitor, capture, and filter all of these artifacts. Its capabilities are listed below for reference.
- More data captured for operation input and output parameters
- Non-destructive filters allow you to set filters without losing data
- Capture of thread stacks for each operation makes it possible in many cases to identify the root cause of an operation.
- Reliable capture of process details, including image path, command line, user and session ID
- Configurable and moveable columns for any event property
- Filters can be set for any data field, including fields not configured as columns
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
- Process tree tool shows the relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn’t fit in the column
- Cancellable search
- Boot time logging of all operations.
Below is a sample screenshot of Process Monitor showing the UI and the default minimal options.
The catch is that the tool captures a huge amount of data, so it is important to filter the useless data out of the haystack in order to spot abnormal activity and obtain the required artifacts.
Some filters are already available, as suggested by a Microsoft blog, along with ready-made Process Monitor filters for malware analysis. These filters have many inclusions and exclusions that make the job easier. But it is recommended to build your own filter list based on your requirements and the analysis at hand, because many malicious processes use a legitimate Windows process name. If you filter out Windows processes by name, you may miss the malicious process's activity.
- TCP/UDP Send and Receive – any connections that malware may try to use while it's running.
- Load Image – DLL/executable loading.
- Create File – new files being created.
- Write/Delete/Rename File – any changes to files.
- Registry activities – Run entries used for malware persistence.
- Procmon/Procmon64/Autoruns/Sysmon: these exclude any events related to the Sysinternals tools themselves.
- Disposition: Open – used to filter out CreateFile calls that open an existing file rather than actually creating one (see here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx).
- Page File – In my opinion, the page file is less relevant, or not relevant at all, when doing malware analysis.
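As an added example (not from the original post, and not Sysinternals code), the filter list above applied as Python rules to a constructed Process Monitor CSV export. The column layout and the operation names are those of a Procmon CSV save; the process names, PIDs, paths and the PID 6612 svchost.exe impostor are made up to show why filtering by operation rather than by process name catches a process hiding behind a legitimate Windows name.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (File > Save > CSV), default
# columns. Every row is made up for this example; it is not a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001 AM","Procmon64.exe","4100","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.0000002 AM","svchost.exe","2280","CreateFile","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point"
"10:01:02.0000003 AM","svchost.exe","6612","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert"
"10:01:02.0000004 AM","svchost.exe","6612","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 68, Data: C:\\Users\\lab\\AppData\\Roaming\\upd.exe"
"10:01:02.0000005 AM","svchost.exe","6612","TCP Send","lab-pc:49811 -> 203.0.113.10:443","SUCCESS","Length: 517, startime: 3412, endtime: 3412, seqnum: 0, connid: 0"
"10:01:02.0000006 AM","System","4","WriteFile","C:\\pagefile.sys","SUCCESS","Offset: 0, Length: 4,096"
"""

# Exclusions from the filter list above: the Sysinternals tools' own events.
EXCLUDED_PROCESSES = {"procmon.exe", "procmon64.exe", "autoruns.exe", "sysmon.exe"}
# Inclusions: file creation/modification and image loads (network and Run keys
# are matched separately below).
FILE_OPS = {"CreateFile", "WriteFile", "SetDispositionInformationFile",
            "SetRenameInformationFile", "Load Image"}

def is_noise(row):
    """Drop tool events, open-only CreateFile calls and page file traffic."""
    if row["Process Name"].lower() in EXCLUDED_PROCESSES:
        return True
    if row["Operation"] == "CreateFile" and "Disposition: Open" in row["Detail"]:
        return True
    return "pagefile.sys" in row["Path"].lower()

def is_interesting(row):
    """Keep the operation classes the filter list includes."""
    op = row["Operation"]
    if op in FILE_OPS or op.startswith(("TCP ", "UDP ")):
        return True
    # Registry: only writes under a Run key, the persistence location named above.
    return op == "RegSetValue" and "\\currentversion\\run\\" in row["Path"].lower()

def triage(csv_text):
    """Apply both rule sets to a CSV export and return the surviving rows."""
    return [r for r in csv.DictReader(io.StringIO(csv_text))
            if not is_noise(r) and is_interesting(r)]

def by_process(rows):
    """Group surviving events per (image name, PID) so one busy PID stands out."""
    summary = {}
    for r in rows:
        summary.setdefault((r["Process Name"], r["PID"]), []).append(r["Operation"])
    return summary

if __name__ == "__main__":
    for (name, pid), ops in by_process(triage(SAMPLE_CSV)).items():
        print(f"{name} (PID {pid}): {', '.join(ops)}")
```

Only the three events from PID 6612 survive: the file drop, the Run-key write and the outbound send, while the other svchost.exe instance is dropped by the Disposition: Open rule rather than by its name.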
Process Explorer: It is better to have Process Explorer alongside Process Monitor, because Process Explorer provides additional features that let us interact with a process to analyze the malicious process's behavior further. Below are the capabilities of Process Explorer.
- The default tree view shows the hierarchical parent relationship between processes, and displays using colors to easily understand processes at a glance.
- Very accurate CPU usage tracking for processes.
- Can be used to replace Task Manager, which is especially useful on XP, Vista, and Windows 7.
- Can add multiple tray icons to monitor CPU, Disk, GPU, Network, and more.
- Figure out which process has loaded a DLL file.
- Figure out which process is running an open window.
- Figure out which process has a file or folder open and locked.
- View complete data about any process, including threads, memory usage, handles, objects, and pretty much anything else there is to know.
- Can kill an entire process tree, including any processes started by the one you choose to kill.
- Can suspend a process, freezing all its threads so they do nothing.
- Can see which thread in a process is actually maxing out the CPU.
- The latest version (v16) integrates VirusTotal into the interface so you can check a process for viruses without leaving Process Explorer.
Along with these, it uses color coding to indicate what type of process you are looking at, as listed below:
- New Objects (Bright Green) – When a new process shows up in Process Explorer, it starts out as bright green.
- Deleted Objects (Red) – When a process is killed or closes it will usually flash red right before deleting.
- Own Processes (Light Blueish) – Processes running as the same user account as Process Explorer.
- Services (Light Pink) – Windows Service processes, although it’s worth noting that they might have child processes that are launched as a different user, and those might be a different color.
- Suspended Processes (Dark Gray) – When a process is suspended it can’t do anything. You can easily use Process Explorer to suspend an application. Sometimes crashed apps will briefly show up in gray while Windows is handling the crash.
- Immersive Process (Bright Blue) – This is just a fancy way of saying that the process is a Windows 8 application using the new APIs. In the screenshot earlier you might have noticed WSHost.exe, which is a “Windows Store Host” process that runs Metro apps. For some reason, Explorer.exe and Task Manager will also show up as immersive.
- Packed Images (Purple) – these processes might contain compressed code hidden inside of them, or at least Process Explorer thinks that they do by using heuristics. If you see a purple process, make sure to scan it for malware! The screenshot below shows how the UI looks and how it can help you identify and categorize processes.
If we use these filters, we can easily identify anomalous activity that makes changes to the system, memory, and file system.
If you wish to start from the basics of Process Monitor, I recommend going through the tutorials below, which will help you a lot with the tool.
Please give us feedback and comment if you would like to add something or if something is missing. Thank you!
Image & Content References:
Originally published here: http://prasannamundas.com/share/dynamic-malware-analysis-process-monitor-and-explorer/