This post covers free tools that can be used for basic malware analysis to determine whether a machine has been infected. You can use these tools to extract indicators of compromise (IOCs) to share with the community or to include in an incident response report in a professional setting. We will start with built-in tools that you probably already know and discuss how to use them for basic malware analysis.

Task Manager is a built-in Windows tool for viewing running processes and how much CPU, memory, disk and network each one is using. On Windows 10, right-click the taskbar and select Task Manager from the menu. On Windows 11, click the Start menu icon and type Task Manager to search for the app. If Task Manager opens in its compact view, click the More details arrow to expand it.
You can use this tool to find suspicious processes running on the machine. More sophisticated malware will attempt to blend in by using the names of common legitimate programs (for example a lookalike of svchost.exe running from the wrong directory), but if you have a specific process name from an IOC you can quickly check whether it is running. Each process also has an arrow you can click to expand and show its child processes. The Startup and Services tabs let you review programs set to run at startup and the list of installed services. Review the Startup tab to identify simple malware persistence mechanisms: look for applications that run at startup but are uncommon or should not be there. Do the same on the Services tab to find suspicious services installed on the machine. These tabs show the same information you would get by opening Startup Apps in Settings or running services.msc independently of Task Manager.
You can pull up the details for each service from the Services tab or from services.msc. The details list the startup type, which is Manual, Automatic, Automatic (Delayed Start) or Disabled. Services set to Automatic start when Windows boots, before any user logs in, which makes them attractive for persistence. You can also find the path to the executable the service runs and the account it runs under. The service name, binary path and account are useful IOCs for malicious services installed by malware.
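The same review can be scripted instead of clicked through. The following is an added example, not code from the original post: it lists every Automatic-start service with its binary path and logon account, flags binaries that live outside the Windows and Program Files trees (a heuristic, not proof of anything), and hashes each binary so the result can be recorded as an IOC or looked up on VirusTotal. It assumes an elevated PowerShell prompt on the host being examined.

```powershell
# Added example (not from the original post): list Automatic-start services with
# their binary path and logon account, flag binaries that live outside the
# Windows and Program Files trees, and hash each binary so the result can be
# recorded as an IOC or looked up on VirusTotal.
# Assumption: run from an elevated PowerShell prompt on the host being examined.

$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ServiceTriage {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments (e.g. svchost.exe -k netsvcs);
            # keep only the executable. An unquoted path with spaces is itself worth noting.
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.PathName)
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }

            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe -like "$root*") { $inTrusted = $true }
            }

            $hash = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-FileHash -Algorithm SHA256 -LiteralPath $exe).Hash
            } else { '<missing>' }

            [PSCustomObject]@{
                Name       = $_.Name
                State      = $_.State
                Account    = $_.StartName
                Exe        = $exe
                Suspicious = -not $inTrusted
                SHA256     = $hash
            }
        }
}

Get-ServiceTriage | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A service whose executable reports `<missing>` is also interesting: either the binary was deleted after the service was registered, or the path is unusual enough that the simple parsing above could not find it, and both deserve a manual look.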
Process Explorer (procexp.exe and procexp64.exe) from the Sysinternals Suite is another free tool that provides far more detail than the built-in Task Manager. It offers the same ability to kill processes while showing additional details in the main window, and it can submit hashes to VirusTotal to help determine whether a process is malicious.
Right-clicking a process and selecting Check VirusTotal will prompt you to accept submitting the hash of the process image to VirusTotal. After selecting Yes, the VirusTotal field on the Image tab of the process properties will contain a link to the VirusTotal results for the submitted hash. In the example run for this post, the legitimate Microsoft Print Spooler executable spoolsv.exe was submitted and 0 out of 73 antivirus vendors flagged it as malicious. By default only the hash is sent, not the file itself. Process Explorer also has a TCP/IP tab on the process properties that lists the listening addresses and ports and the outbound connections belonging to the process. This helps a malware analyst determine whether the process is listening on or talking to any network ports, and can surface IOCs for command and control (C2) or data exfiltration.
The Strings tab is another great feature: it lists the printable strings embedded in the binary, much like the strings command on Linux, for either the image on disk or the process memory. This is useful for finding IOCs and determining some of the capabilities of the malware. You may find IP addresses or domain names hard-coded into the application, or strings naming Windows API functions (for example those used for process injection or network access) that hint that the executable is malicious. Packed or obfuscated samples show few meaningful strings on disk; selecting Memory on the Strings tab often reveals more once the sample has unpacked itself. The Sysinternals Suite can be downloaded from https://learn.microsoft.com/sysinternals/downloads/sysinternals-suite.
System Informer, formerly Process Hacker, is another great tool that performs similar functions to Task Manager and Process Explorer. It provides the same level of process detail and groups processes in a parent/child layout like Process Explorer. Right-clicking a process in System Informer lets you terminate it just as in Task Manager and Process Explorer. Right-clicking and selecting Send to provides an option to send the process executable or a DLL to VirusTotal, similar to Process Explorer.
System Informer includes a Modules tab when you right-click a process and select Properties. The Modules tab lists all of the modules (DLLs) loaded by the process, with their paths. This is helpful for finding additional IOCs or identifying malicious DLLs loaded by a suspicious process, such as a DLL loaded from a user-writable directory or one whose name matches a system DLL but sits outside System32.
System Informer provides Services and Network tabs that offer similar functionality to the features covered under Task Manager and Process Explorer. A malware analyst can use the Services tab to search for suspicious services and review the details of the service. The Network tab can be used to map running processes to active network connections and listening ports. System Informer is available for download at https://github.com/winsiderss/systeminformer.
Process Monitor, or Procmon, is another Sysinternals tool that is useful for monitoring processes. Procmon goes beyond the process information shown by Task Manager, Process Explorer or System Informer: it records every file, registry, network and process/thread operation a process performs, allowing in-depth analysis of suspicious or malicious processes. Procmon will quickly overload an analyst with data unless filters are used to cut out the noise, for example by including only the suspect process and its children or excluding known-chatty system processes. Used this way it lets an analyst find IOCs (files dropped, registry keys written, connections opened) and understand what actions the malware has taken on the system.
ProcDOT is useful for filtering and visualizing Procmon results. It ingests the log from a Procmon capture saved as a CSV file; the analyst then selects the process of interest and ProcDOT generates an interactive graph.
This effectively filters out the noise of unrelated processes, giving the analyst an easy-to-follow graph of all actions taken by the malware, including those of child processes spawned by the original process. ProcDOT can also ingest a packet capture and correlate it with the Procmon events. ProcDOT can be downloaded from https://www.procdot.com.

The netstat tool included in Windows is another useful tool for listing listening ports and established connections. Run netstat -ano to see them: the -a flag shows listening ports as well as connections, -n prints addresses numerically instead of resolving names, and -o adds the process ID that owns each socket, which lets you correlate a suspicious connection to a process.
The tasklist command can be used to list running processes and their process IDs from the command line, and tasklist /SVC additionally shows which services are hosted in each process. This lets you enumerate suspicious processes without a graphical user interface (GUI), and it is especially helpful with netstat to look up the process ID found on a suspicious network connection. In the example captured for this post, PID 4 listening on port 445 (SMB) on all interfaces (0.0.0.0) is the System process, a legitimate process and listening port combination. The System process always runs as PID 4, so port 445 being owned by any other PID would be unusual and a potential IOC.
Another way to do the same analysis is with the TCPView tool from the Sysinternals Suite. TCPView presents the same information you would get from netstat -ano and tasklist /SVC in a convenient, easy-to-read GUI that refreshes live, so you can quickly identify suspicious listening ports or connections and correlate them to the owning process. The remote address listed in TCPView or netstat is another useful IOC to include in your analysis.
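The netstat -ano plus tasklist correlation described above can be done in one pass from PowerShell. The following is an added example, not code from the original post: it pairs every listening or established TCP socket with its owning process and image path, so the remote address, port and binary can be recorded together as IOCs, and applies the two cheap checks discussed above (port 445 should belong to PID 4; a network-active binary under the user profile is unusual). It assumes an elevated prompt so that the image path of every process is readable.

```powershell
# Added example (not from the original post): the netstat -ano plus tasklist
# correlation done in one pass. Every listening or established TCP socket is
# paired with its owning process and image path, so the remote address, port
# and binary can be recorded together as IOCs.
# Assumption: run elevated so the image path of every process is readable.

function Get-SocketTriage {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen, Established | ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p -and $p.Path) { $p.Path } else { $null }

        # Two cheap checks: port 445 should belong to the System process (PID 4),
        # and a network-active binary under the user profile is unusual.
        $flag = ''
        if ($_.LocalPort -eq 445 -and $_.OwningProcess -ne 4) { $flag = 'port 445 not owned by PID 4' }
        elseif ($path -and $path -like "$env:USERPROFILE\*")  { $flag = 'binary in user profile' }

        [PSCustomObject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            PID     = $_.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '<exited>' }
            Path    = $path
            Flag    = $flag
        }
    }
}

Get-SocketTriage | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A process that shows up as `<exited>` held the socket when the connection table was read but was gone by the time the process list was built; short-lived processes that beacon and exit are exactly the kind of thing Procmon, covered above, is better placed to catch.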
Wireshark is a valuable tool for more in-depth packet analysis. It lets a malware analyst view all network traffic sent and received by the suspect machine, filtered by IP, port, protocol or many other criteria. Filtering on the DNS protocol reveals queries for malicious domains used for command and control (C2) of malware, and the domains found in those queries are useful IOCs for deciding whether the machine is compromised. Wireshark also supports more advanced analysis of malware communication: identifying C2 traffic tunnelled in protocols such as DNS, and extracting data such as second-stage binaries or infected documents downloaded by the malware. For Transport Layer Security (TLS) encrypted traffic, an intercepting proxy in the lab can provide Wireshark with the certificates and session keys needed to recover the plaintext exchanged between malware and attacker-controlled servers. Bear in mind that a capture taken on the infected host itself can be tampered with by the malware; capturing from a network tap, a mirror port or the hypervisor is more trustworthy.
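The DNS review described above can be automated with tshark, Wireshark's command-line counterpart, which accepts the same display filters. The following is an added example, not code from the original post: it pulls every DNS query out of a capture and summarizes how often each name was looked up and at what average interval, because beaconing malware tends to resolve its C2 name at a steady cadence, so high counts with a regular gap float to the top, while rare, long or random-looking names deserve a look too. It assumes Wireshark is installed in the default location and that the capture path is whatever you recorded from the suspect host.

```powershell
# Added example (not from the original post): pull every DNS query out of a
# capture with tshark and summarise how often each name was looked up and at
# what interval. Beaconing malware tends to resolve its C2 name at a steady
# cadence, so high counts with a regular gap float to the top.
# Assumptions: Wireshark is installed in the default location, and the capture
# path is whatever you recorded from the suspect host.

$tshark  = "$env:ProgramFiles\Wireshark\tshark.exe"
$capture = 'C:\cases\capture.pcapng'

function Get-DnsQuerySummary {
    param([string]$Pcap)

    # -Y applies a Wireshark display filter (queries only, not responses);
    # -T fields / -e pick the columns, tab separated by default.
    $rows = & $tshark -r $Pcap -Y 'dns.flags.response == 0' -T fields -e frame.time_epoch -e ip.src -e dns.qry.name

    $rows | ForEach-Object {
        $f = $_ -split "`t"
        [PSCustomObject]@{ Time = [double]$f[0]; Src = $f[1]; Name = $f[2] }
    } | Group-Object Name | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        # Mean gap between successive lookups of the same name, in seconds.
        $gap = if ($times.Count -gt 1) { [math]::Round(($times[-1] - $times[0]) / ($times.Count - 1), 1) } else { $null }
        [PSCustomObject]@{
            Domain    = $_.Name
            Lookups   = $_.Count
            AvgGapSec = $gap
            Sources   = (@($_.Group.Src) | Sort-Object -Unique) -join ','
        }
    }
}

Get-DnsQuerySummary -Pcap $capture | Sort-Object Lookups -Descending | Format-Table -AutoSize
```

The same `-Y` filter pasted into Wireshark's display filter bar shows the matching packets interactively, which is the quickest way to confirm what the script has surfaced.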
The malware analysis walkthrough in this chapter will focus on using Wireshark for basic tasks: reviewing DNS queries to identify suspicious domain lookups, and spotting plaintext commands or passwords sent during malware communication. More advanced usage of Wireshark is out of scope for basic malware analysis and is saved for future writings on intermediate and advanced malware analysis. Microsoft's Network Monitor (NetMon) is an alternative to Wireshark, but it is only available from the download archive and is no longer being developed.

Regedit is another useful tool built in to Windows. Regedit gives the ability to view and edit the Windows registry. For basic malware analysis it can be used to search for persistence mechanisms such as entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Applications listed in the Run keys start automatically when a user logs on to the machine, which malware sometimes uses to establish persistence. The HKEY_LOCAL_MACHINE key applies to every user and requires administrator rights to write, while the HKEY_CURRENT_USER key applies to one user and can be written without elevation, which is why it is a common choice for malware running as a standard user.
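Rather than browsing the Run keys in Regedit one at a time, they can be dumped together. The following is an added example, not code from the original post: it reads the common Run and RunOnce keys for the machine and the current user (including the WOW6432Node copy that 32-bit software writes on 64-bit Windows), resolves each command to its executable, and hashes it so entries can be compared against a known-good build or recorded as IOCs. The list of keys is an assumption; extend it with any other autostart locations you want to cover.

```powershell
# Added example (not from the original post): dump the common Run/RunOnce
# autostart keys for the machine and the current user and hash each target so
# entries can be compared against known-good builds or recorded as IOCs.
# The key list is an assumption; add other autostart locations as needed.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties Get-ItemProperty adds to every object.
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            [PSCustomObject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Exists  = $exists
                SHA256  = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $exe).Hash } else { $null }
            }
        }
    }
}

Get-AutorunEntries | Format-List
```

An entry whose command points at a script host (powershell.exe, wscript.exe, rundll32.exe) followed by a long argument string is a classic pattern worth reading in full, because the executable is legitimate and the payload is in the arguments.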
Regshot is useful for determining what changes an application makes to the Windows registry when it is executed. It takes a snapshot of the registry before and after running a suspicious application and generates a comparison of the two snapshots. This is useful when analyzing a suspicious application in a controlled lab setting, such as an isolated virtual machine you can revert afterwards. Regshot can be downloaded from https://sourceforge.net/projects/regshot/; however, it is no longer actively maintained. NirSoft provides an alternative capable of the same registry comparisons, RegistryChangesView, available at https://www.nirsoft.net/utils/registry_changes_view.html. The malware analysis portion of this chapter will still use Regshot.
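The before/after comparison that Regshot performs can be reproduced on a smaller scale without any extra tooling, which is handy when a lab VM has nothing but PowerShell on it. The following is an added example, not code from the original post or from Regshot: it snapshots the values under a chosen set of keys into a hashtable, and a second function reports values that were added, modified or deleted between two snapshots. The watched keys are an assumption chosen to cover the persistence locations discussed on this page; Regshot itself walks the whole registry.

```powershell
# Added example (not from the original post, and not Regshot's code): a minimal
# Regshot-style before/after comparison for a set of registry keys. Take a
# snapshot, run the sample in an isolated lab VM, take a second snapshot and
# diff them. The watched keys are an assumption; extend the list as needed.

$watchKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Get-RegSnapshot {
    param([string[]]$Roots)
    $snap = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $label = if ($name) { $name } else { '(Default)' }
                # Store "FullKeyPath\ValueName" -> data as a string so values can be compared.
                $snap["$($k.Name)\$label"] = [string]($k.GetValue($name) -join ',')
            }
        }
    }
    return $snap
}

function Compare-RegSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            [PSCustomObject]@{ Change = 'Added';    Value = $k; Data = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            [PSCustomObject]@{ Change = 'Modified'; Value = $k; Data = "$($Before[$k]) -> $($After[$k])" }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            [PSCustomObject]@{ Change = 'Deleted';  Value = $k; Data = $Before[$k] }
        }
    }
}

$before = Get-RegSnapshot -Roots $watchKeys
# ... run the suspicious sample here, inside the isolated lab VM ...
$after  = Get-RegSnapshot -Roots $watchKeys
Compare-RegSnapshot -Before $before -After $after | Format-Table -AutoSize
```

Expect some background noise even on an idle machine (Windows services update their own values), so take a control run with no sample executed first and discard the changes it produces.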
Certutil is another tool built in to Windows that is useful for malware analysis. An analyst can use certutil to generate a hash of a file and compare it to known malicious file hashes; a match indicates the file is malicious without having to execute it to investigate what it does. Once a suspicious file has been determined to be malicious through analysis, the hashes generated by certutil become IOCs to share. Hashes are exact-match indicators: a single byte changed by the attacker produces a different hash, so an unknown hash never proves a file is clean.
In the example for this post, certutil was used to generate the SHA1, MD5 and SHA256 hashes of cmd.exe. A malware analyst can compare these to the hashes of the known legitimate versions of cmd.exe installed with Windows (bearing in mind that the hash changes with each Windows build and update, so a mismatch against a single reference copy is not by itself an IOC) or submit them to VirusTotal to see whether the file is known to be malicious.

An analyst can also use automated tools for analysis. Several tools mentioned already can upload files or hashes to VirusTotal, and a suspicious file can be uploaded directly. VirusTotal is an online service that scans the file with dozens of antivirus engines and may also run it in sandboxes to determine whether it is malicious. It then provides file hashes and IOCs an analyst can use to identify the file. Be aware that VirusTotal shares uploaded files with antivirus vendors, who use them to build detection signatures, and with its paying subscribers, so look up the hash first and never upload a file that may contain sensitive data or that you do not want an attacker to learn has been discovered.
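The hash generation described above, with the extra check a practitioner would add. The following is an added example, not code from the original post: it collects MD5, SHA1 and SHA256 for a file using certutil and Get-FileHash, then verifies the file's Authenticode signature, which is how a genuine Windows binary such as cmd.exe is told apart from a renamed or tampered copy regardless of which build's hash you happen to have on hand. The path is an assumption; point it at whatever you are examining.

```powershell
# Added example (not from the original post): hash a suspect file the way the
# certutil run in this post does, then check its Authenticode signature, which
# distinguishes a genuine Windows binary from a renamed or tampered copy.
# The file path is an assumption; point it at whatever you are examining.

function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)

    # certutil -hashfile output: line 0 is a header, line 1 the hash, line 2 a footer.
    # Older Windows versions print the hash with spaces between byte pairs; strip them.
    $md5    = (certutil -hashfile $Path MD5)[1].Replace(' ', '')
    $sha1   = (certutil -hashfile $Path SHA1)[1].Replace(' ', '')
    $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash

    # Catalog-signed OS files report Valid here even without an embedded signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [PSCustomObject]@{
        Path       = $Path
        MD5        = $md5
        SHA1       = $sha1
        SHA256     = $sha256
        SigStatus  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        IsOSBinary = $sig.IsOSBinary
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # A file claiming to be a Windows component that is unsigned, or whose
        # signature does not validate, deserves a VirusTotal lookup by hash.
        LookupUrl  = "https://www.virustotal.com/gui/file/$sha256"
    }
}

Get-FileTriage -Path "$env:SystemRoot\System32\cmd.exe" | Format-List
```

Looking the SHA256 up by URL discloses only the hash, not the file, so it is safe to do before deciding whether the sample may be uploaded anywhere.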
Antiscan.me is another option for analyzing a suspected file. Antiscan.me only checks uploaded files against 26 antivirus vendors, but it does not share the files with those vendors. This makes it a good option when you are analyzing a file that you do not want shared with other organizations.