A Hint of Dynamic Analysis


This week I have started dynamic analysis. This consists of using Process Monitor, Process Explorer, Wireshark, and INetSim.

As outlined in my previous blog posts, I have set up an isolated virtual environment and taken safety precautions before launching the malware. What is key to this analysis is taking a snapshot before unleashing the malware, so that I can revert the virtual machine after running it with each tool.

Process Monitor allows me to see all of the processes, file system changes, and registry changes on the machine. It produces a heavily detailed report because it captures information about ALL processes running on the machine, so filters are used to narrow the data down to what is relevant.

After starting Process Monitor and launching the malware, I see that a process is created for wupdmgr.exe.

After seeing this I was curious whether wupdmgr.exe creates any files, so I set filters for the process name wupdmgr.exe and the operation CreateFile. Below we can see that it created winup.exe and wupdmgrd.exe.

Process Explorer is useful because it shows which handles or DLLs each process has opened.

Supplementing the information from Process Monitor, Process Explorer shows that wupdmgr.exe is a subprocess launched from Lab01-04.exe.

The executable wupdmgr.exe then launches winup.exe as a subprocess. Internet Explorer is also launched.

Both wupdmgr.exe and winup.exe terminate, leaving wupdmgrd.exe running. When wupdmgrd.exe runs it causes INetSim's default GUI binary to run; this appears to happen as soon as wupdmgrd.exe is launched.
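The two questions answered above with Process Monitor and Process Explorer (which files did wupdmgr.exe create, and which process launched which) can also be answered offline from a Procmon CSV export. The following Python script is an added example; it is not code from this post or from the Practical Malware Analysis lab. The CSV rows inside it are constructed to resemble Procmon's default "Save as CSV" columns, and the PIDs, paths and timestamps are placeholders rather than values from a real capture. The `OpenResult` and `Disposition` fields it inspects are the ones Procmon writes into the Detail column for CreateFile events.

```python
"""Apply the post's Procmon filters offline to a Process Monitor CSV export.

Added example, not code from the original post. It answers two questions:
  1. which files did a given process actually create
     (filter: Process Name + Operation CreateFile + SUCCESS + a creating result)?
  2. which process launched which (a Process Explorer style parent/child tree)?
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (NOT a real capture). Column order follows
# Procmon's "Save as CSV" defaults; PIDs, paths and times are placeholders.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","Lab01-04.exe","1234","Process Create","C:\\sandbox\\wupdmgr.exe","SUCCESS","PID: 2345, Command line: wupdmgr.exe"
"10:01:02.0100","wupdmgr.exe","2345","CreateFile","C:\\sandbox\\winup.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:01:02.0150","wupdmgr.exe","2345","CreateFile","C:\\sandbox\\wupdmgrd.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:01:02.0200","wupdmgr.exe","2345","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"10:01:02.0250","wupdmgr.exe","2345","CreateFile","C:\\sandbox\\missing.dll","NAME NOT FOUND","Desired Access: Read Data, Disposition: Open"
"10:01:02.0300","wupdmgr.exe","2345","Process Create","C:\\sandbox\\winup.exe","SUCCESS","PID: 3456, Command line: winup.exe"
"10:01:02.0400","winup.exe","3456","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Read"
"10:01:03.0000","wupdmgr.exe","2345","Process Create","C:\\sandbox\\wupdmgrd.exe","SUCCESS","PID: 4567, Command line: wupdmgrd.exe"
"""

# Procmon logs every file open as CreateFile. Only these OpenResult values in
# the Detail column mean a file came into existence (or was replaced).
CREATING_RESULTS = {"Created", "Overwritten", "Superseded"}


def parse_procmon_csv(text):
    """Return the rows of a Procmon CSV export as dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def open_result(detail):
    """Extract the OpenResult value from a CreateFile Detail string ('' if absent)."""
    m = re.search(r"OpenResult:\s*(\w+)", detail)
    return m.group(1) if m else ""


def files_created_by(events, process_name):
    """Paths that process_name created: the post's Process Name + CreateFile
    filter, tightened to successful operations that really produced a file."""
    created = []
    for e in events:
        if e["Process Name"].lower() != process_name.lower():
            continue
        if e["Operation"] != "CreateFile" or e["Result"] != "SUCCESS":
            continue
        if open_result(e["Detail"]) in CREATING_RESULTS:
            created.append(e["Path"])
    return created


def process_tree(events):
    """Map (parent name, parent PID) -> [(child name, child PID), ...] built
    from Process Create events; the child PID lives in the Detail column."""
    children = defaultdict(list)
    for e in events:
        if e["Operation"] != "Process Create" or e["Result"] != "SUCCESS":
            continue
        m = re.search(r"PID:\s*(\d+)", e["Detail"])
        if not m:
            continue
        child_name = e["Path"].replace("/", "\\").rsplit("\\", 1)[-1]
        parent = (e["Process Name"], int(e["PID"]))
        children[parent].append((child_name, int(m.group(1))))
    return dict(children)


def render_tree(children, root, depth=0):
    """Indented lineage lines, in the spirit of Process Explorer's tree view."""
    name, pid = root
    lines = ["  " * depth + f"{name} (PID {pid})"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, child, depth + 1))
    return lines


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    print("Files created by wupdmgr.exe:")
    for path in files_created_by(events, "wupdmgr.exe"):
        print("  " + path)
    print("\nProcess tree:")
    print("\n".join(render_tree(process_tree(events), ("Lab01-04.exe", 1234))))
```

Filtering on `OpenResult` rather than on the bare CreateFile operation matters: Procmon records every DLL load and file probe as a CreateFile, so a process-name filter alone lists far more than the files the sample dropped. To run it against a real export, read the CSV saved from Procmon's File > Save dialog in place of `SAMPLE_CSV`.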

By using these three programs I already have a good idea of how the malware behaves in real time. As I continue my research I will analyze the effects on the registry using RegShot, which shows whether any registry values were added or deleted.
