LetsDefend: Dynamic Malware Analysis
Sample: invoice.exe (Trojan)
Tools: Procmon, Wireshark, Regshot.
1. Baseline
We start capturing before running the malware.
Filter Procmon: Process Name is invoice.exe.
2. Detonation
We run the sample. It deletes itself immediately. Typical dropper behavior.
3. Analysis (Procmon)
We see a File Creation event: C:\Users\Public\svchost.exe (an impostor: the legitimate svchost.exe lives in C:\Windows\System32, never in a user-writable folder like C:\Users\Public).
We see a Registry Write: HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Value: C:\Users\Public\svchost.exe.
This establishes persistence.
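To turn the two Procmon findings above into a repeatable check, here is an added Python example (not part of the lab notes) that triages Procmon-style events: it flags a file with a system-binary name being written outside the Windows system directories, and a Run key value that points at such a file. The CSV rows, the column layout and the value name "Updater" are constructed assumptions for this example.

```python
import csv
import io
import ntpath

# Constructed sample rows laid out like a Procmon CSV export (assumption:
# column names match the export; the value name "Updater" is made up).
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02,invoice.exe,4120,CreateFile,C:\\Users\\Public\\svchost.exe,SUCCESS,Desired Access: Generic Write
10:01:02,invoice.exe,4120,WriteFile,C:\\Users\\Public\\svchost.exe,SUCCESS,Length: 204800
10:01:03,invoice.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS,"Type: REG_SZ, Data: C:\\Users\\Public\\svchost.exe"
10:01:03,invoice.exe,4120,CreateFile,C:\\Windows\\System32\\kernel32.dll,SUCCESS,Desired Access: Read
"""

# Binary names that only belong in the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}
# Procmon appends the value name to the key path, so we match on the parent key.
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"


def is_impostor_path(path):
    """True when a system-binary name sits outside the system directories."""
    low = path.lower()
    return ntpath.basename(low) in SYSTEM_BINARIES and ntpath.dirname(low) not in LEGIT_DIRS


def triage(csv_text):
    """Return de-duplicated findings as tuples: (tag, path[, run key data])."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path = row["Operation"], row["Path"]
        finding = None
        if op in ("CreateFile", "WriteFile") and is_impostor_path(path):
            finding = ("impostor_drop", path)
        elif op == "RegSetValue" and ntpath.dirname(path).lower().endswith((RUN_KEY, RUN_KEY + "once")):
            # Detail looks like "Type: REG_SZ, Data: <command>"; pull out the command.
            data = row["Detail"].split("Data: ", 1)[-1].strip()
            tag = "run_key_impostor" if is_impostor_path(data) else "run_key"
            finding = (tag, path, data)
        if finding and finding not in findings:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_CSV):
        print(item)
```

Run it against a real Procmon export by replacing SAMPLE_CSV with the file contents; the kernel32.dll read in the sample shows that ordinary system-directory access is not flagged.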
4. Analysis (Wireshark)
We filter for http or dns.
DNS query: evil-c2.com.
POST request with a key=value body. This is not the output of calc.exe; it is system information being exfiltrated.
Conclusion
The malware drops a payload, sets a run key, and beacons home.