Week 27 – Dynamic Analysis

Week 27: Executing malware safely and capturing behavioral telemetry across Windows and REMnux.

Overview What you will accomplish

This week focuses on dynamic malware analysis — executing malware samples inside your isolated environment and observing their behavior. You will capture process activity, registry changes, file system modifications, network traffic, and behavioral indicators using Sysmon, Suricata, INetSim, and REMnux tooling.

Prepare Windows 11 for safe malware execution.
Capture process, registry, and file system activity with Sysmon.
Capture network traffic with Suricata and tcpdump.
Analyze malware behavior using REMnux tools.
Extract dynamic Indicators of Compromise (IOCs).
Document findings using a structured dynamic analysis template.

1. Prepare Windows 11 for Safe Malware Execution

This activity prepares your Windows 11 analysis workstation for safe malware execution. You will disable Windows Defender, configure snapshots, and prepare directories for sample execution.

Disable Windows Defender real‑time protection
PowerShell:

Set-MpPreference -DisableRealtimeMonitoring $true

Disable SmartScreen

Windows Security → App & Browser Control → Reputation-based protection → Off

Create execution directories

mkdir C:\Malware-Analysis\Execution
mkdir C:\Malware-Analysis\Execution\sample001

Copy sample to execution directory

copy C:\Malware-Analysis\Samples\sample001.exe C:\Malware-Analysis\Execution\sample001\

Create a pre‑execution snapshot
In Proxmox:

Snapshot Name: win11-pre-execution-sample001

Document pre‑execution state
Add:
- Snapshot name
- Sample name
- Execution directory
- Hash values

2. Execute Malware and Capture Windows Telemetry (Sysmon + Wazuh)

This activity executes the malware sample and captures all process, registry, and file system activity using Sysmon. All events are forwarded to Wazuh for centralized analysis.

Open Sysmon event log

Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational

Start process monitoring
PowerShell:

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 20

Execute the malware sample

C:\Malware-Analysis\Execution\sample001\sample001.exe

Capture process creation events
Look for Sysmon Event ID:
```
1 — Process Create
```

Capture registry modifications
Look for:

12 — Registry Object Create/Delete
13 — Registry Value Set

Capture file system modifications
Look for:

11 — File Create
15 — File Stream Created

Capture network connections
Look for:
```
3 — Network Connection
            
```
Verify Sysmon → Wazuh forwarding
In Wazuh dashboard:
```
Security Events → Sysmon
            
```

Export Sysmon logs

wevtutil epl Microsoft-Windows-Sysmon/Operational C:\Malware-Analysis\Reports\sample001-sysmon.evtx

Document findings
Add:
- Process tree
- Registry changes
- File system changes
- Network connections

3. Capture Network Traffic (Suricata + tcpdump + INetSim)

This activity captures all network traffic generated by the malware sample. Suricata provides IDS alerts, while tcpdump captures full packet data for later analysis.

Start Suricata monitoring
On REMnux:

sudo tail -f /var/log/suricata/eve.json

Start packet capture

sudo tcpdump -i ens18 -w ~/pcaps/sample001-dynamic.pcap

Execute the malware sample again
From Windows:

C:\Malware-Analysis\Execution\sample001\sample001.exe

Observe DNS requests
Expected:

INetSim DNS service responding with 10.30.0.10

Observe HTTP/HTTPS traffic
Expected:

INetSim HTTP/HTTPS service banners

Observe SMTP traffic
Expected:

220 inetsim ESMTP service ready

Stop packet capture
```
Ctrl + C
            
```

Copy PCAP to Windows for analysis

scp remnux@10.30.0.10:~/pcaps/sample001-dynamic.pcap C:\Malware-Analysis\PCAPs\

Document network behavior
Add:
- Domains contacted
- Protocols used
- Ports accessed
- HTTP requests
- SMTP behavior

4. Analyze Dynamic Behavior Using REMnux

This activity analyzes the malware’s behavior using REMnux tools. You will inspect network traffic, decode payloads, and extract behavioral indicators.

Analyze PCAP using Zeek
On REMnux:
```
zeek -C -r sample001-dynamic.pcap
            
```
Review:
- conn.log
- dns.log
- http.log
- smtp.log
Analyze PCAP using NetworkMiner
On Windows:
```
NetworkMiner.exe → Open sample001-dynamic.pcap
            
```
Extract:
- Files
- Credentials
- DNS queries
- HTTP requests
Decode base64 or encoded payloads
On REMnux:
```
echo "" | base64 -d
            
```

Inspect dropped files
On Windows:

C:\Malware-Analysis\Execution\sample001\

Analyze persistence mechanisms
Look for:
- Run keys
- Scheduled tasks
- Startup folder artifacts
Document behavioral findings
Add:
- Process tree
- Network behavior
- Persistence
- File system changes
- Registry changes

5. Extract Dynamic Indicators of Compromise (IOCs)

This activity extracts dynamic Indicators of Compromise (IOCs) from your Sysmon logs, Suricata alerts, and PCAP analysis.

Extract process-based IOCs
From Sysmon:
- Process names
- Command-line arguments
- Child processes
Extract registry-based IOCs
Look for:
- Run keys
- Service creation
- Persistence entries
Extract file-based IOCs
Look for:
- Dropped files
- Modified files
- New directories
Extract network-based IOCs
From Suricata and Zeek:
- Domains
- IP addresses
- User agents
- HTTP paths
- SMTP recipients

Compile IOC list
Save to:

C:\Malware-Analysis\Reports\sample001-dynamic-iocs.txt

6. Document Findings & Prepare for Week 28

This final activity documents your dynamic analysis findings and prepares your environment for detection engineering in Week 28.

Complete dynamic analysis report
Include:
- Process behavior
- Registry changes
- File system changes
- Network behavior
- Persistence mechanisms
- Dynamic IOCs

Export all logs

Sysmon EVTX  
Suricata eve.json  
PCAP files  
Zeek logs

Create final snapshots

win11-week27-complete  
remnux-week27-complete

Prepare for Week 28
Ensure:
- All IOCs documented
- All logs archived
- Snapshots created

◀️ Back to Week 26 | Next: Week 28 – Detection Engineering ▶️