{"id":33,"date":"2022-05-13T04:48:44","date_gmt":"2022-05-13T04:48:44","guid":{"rendered":"https:\/\/blogs.oregonstate.edu\/glennf\/?p=33"},"modified":"2022-05-13T04:48:44","modified_gmt":"2022-05-13T04:48:44","slug":"a-hint-of-dynamic-analysis","status":"publish","type":"post","link":"https:\/\/blogs.oregonstate.edu\/glennf\/2022\/05\/13\/a-hint-of-dynamic-analysis\/","title":{"rendered":"A Hint of Dynamic Analysis"},"content":{"rendered":"\n<p>This week I have started dynamic analysis. This consists of using Process Monitor, Process Explorer, Wireshark, and INetSim.<\/p>\n\n\n\n<p>As outlined in my previous blog posts, I have set up an isolated virtual environment and I have taken safety precautions before launching the malware. What is key to this analysis is setting up snapshots prior to unleashing the malware so I may revert my virtual machine after unleashing the malware and using each tool.<\/p>\n\n\n\n<p>Process Monitor allows me to see all of the processes running on the machine, along with file system changes and registry changes. This software provides a heavily detailed report as it captures information about ALL processes running on the machine. 
To gain relevant information, filters are used to narrow down the data.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/tLiMZLzJ3iqkYskOd1jFn8XVx2x8mBrmxctrPJDi0fnq1rL44OMygWAb8e-_gK1hRfYtk5lwSwiJ9Qu4urmq3_B0K3OTMpXgJT8Qjw7INwgFKrwz23KfXGlknrGdepW0QWuxJ2sH7JwJtcDkmw\" alt=\"\" \/><\/figure>\n\n\n\n<p>After starting Process Monitor and launching the malware, I see that a process is created for wupdmgr.exe.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/9mx_TlWQp_h-Aw5uAeJWaNvnOoNZjHa_ISx3G_BYS75i_9JhQHl7QpZNVuH6foGqo4sXRHZ7mEPYP3VGELy-sAESY9XU0_VlZrNpA37_Hhu1xGc1wlYE-QTO5Dnv1VdzA-rPYrnpwdZQKLXnoQ\" alt=\"\" \/><\/figure>\n\n\n\n<p>After seeing this, I was curious as to whether wupdmgr creates any files, so I set filters for the process name wupdmgr.exe and the function CreateFile. Below we can see that it created winup.exe and wupdmgrd.exe.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/KxW1L58dxZt9bZR75IDNpFem28bR3bNWKZ56AqwmIJGBbPDyyDUaSqb2XVgQ_fdoVPaMCUsoU8gIkLn6VBbx9SdWRZ5Bs67oGLoF3NrpCt_oHcLuBeZwMcy7RR3fQa1nfmVzgHsAOvnaLQrKmA\" alt=\"\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/BbuBPY8J8lRNDQBeQCpDVhdFyspC0ZRlI_6NX6IS4fdSLAsLQfQlqAmlpPjaU-92GZ4VrxzDScPoMK7T8lDMSiVM-gksyJVPpjs4lc7ANBQx8Vikcw1NpwpvLBUkCmr_eDLQXdGGNqN7lOuESw\" alt=\"\" \/><\/figure>\n\n\n\n<p>Process Explorer is useful as it shows which handles or DLLs each process has opened.<\/p>\n\n\n\n<p>To supplement the information provided by Process Monitor, we learn that wupdmgr.exe is a subprocess launched from Lab01-04.exe.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh5.googleusercontent.com\/AjzCT4zwvpGfkDW8W3rbubXHaLdlUkI9c_AoWBOlQ7P-vGsBoU7FvFBc7zv8OmUezWhu_iDxlmagcrnSiRc4tgpQjR1lZr4n8fr5KB0iwCsrdPKFsMhMka-SSXCGVLi_4J776_0KClfsw5O2IA\" alt=\"\" \/><\/figure>\n\n\n\n<p>The executable wupdmgr.exe then launches winup.exe as a subprocess. Internet Explorer is also launched.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/cjJAIUBsPyMNrj5bU003SmP-DqcsUHeADKxCJsqabhWm2QC9XasRGDio_8eGKy2qHKQXTOmxiZAfmBWBJNBLpp2wO4JBko1WglrsLHcJCHeP2DdxK3AUuk20OYjHSeGNmNlGPrlRqwzF0VFV4g\" alt=\"\" \/><\/figure>\n\n\n\n<p>Both wupdmgr.exe and winup.exe terminate, leaving wupdmgrd.exe running. When wupdmgrd.exe runs, it makes the default GUI binary from INetSim run. This appears to happen when wupdmgrd.exe is launched.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/zTImp9bOoIlOWqVWzShGazFOtoU75--cz1SP-GHgircsZgyrLMeD41eAvo73ag74-dtMtlEzT2egAC3d9o-qjuDkkxYCV9GI5F_ZqwSieXoagv1m_cW80TXoahxkXLzg1W-CWiVVBx2UWnxAsw\" alt=\"\" \/><\/figure>\n\n\n\n<p>By using these three programs, I already have a good idea of how the malware works in real time. As I continue my research, I will analyze the effects on the registry using RegShot. RegShot allows me to see if any values are added to or deleted from the registry.<\/p>\n\n\n\n<p><strong>Sources Cited<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procmon\">https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procmon<\/a><\/li><li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/process-explorer\">https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/process-explorer<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This week I have started dynamic analysis. This consists of using Process Monitor, Process Explorer, Wireshark, and INetSim. 
As outlined in my previous blog posts, I have set up an isolated virtual environment and I have taken safety precautions before launching the malware. What is key to this analysis is setting up snapshots prior to [&hellip;]<\/p>\n","protected":false},"author":12309,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-33","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/33","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/users\/12309"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/comments?post=33"}],"version-history":[{"count":1,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/33\/revisions"}],"predecessor-version":[{"id":34,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/posts\/33\/revisions\/34"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/media?parent=33"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/categories?post=33"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/glennf\/wp-json\/wp\/v2\/tags?post=33"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}