Disclaimer: This article is for education, defensive research, and authorized testing only. Detonating live malware is dangerous. Only execute samples inside an isolated lab you own or are explicitly authorized to operate. Mishandling a sample can compromise your network or cause irreversible data loss. Comply with all applicable laws and your organization's rules of engagement.
Introduction / Overview
Static analysis tells you what a binary could do; dynamic analysis tells you what it actually does when it runs. By detonating a sample inside an instrumented, isolated sandbox and watching its interaction with the operating system and network, you can extract concrete behavioral indicators — dropped files, registry persistence, injected processes, and command-and-control (C2) traffic — far faster than reversing every code path by hand.
This post walks through a pragmatic dynamic-analysis loop built on three free, battle-tested tools: Procmon (filesystem/registry/process telemetry), Process Hacker (live process and handle inspection), and Wireshark (network capture). It closes with an equally weighted Detection & Defense section so Blue Teams can turn these observations into detections.
If you want to pair this with code-level work, see my notes on reversing with Ghidra and unpacking and anti-analysis tricks.
How it works / Background
Dynamic analysis maps observed activity to the MITRE ATT&CK framework. The behaviors you typically chase are:
- Execution & Discovery — child processes, whoami, systeminfo, AV enumeration.
- Persistence — Run keys, Scheduled Tasks (T1053.005), Services.
- Defense Evasion / Injection — process hollowing and remote-thread injection (T1055).
- Command and Control — beacons over HTTP/HTTPS or DNS (T1071).
The key tension is anti-analysis. Modern samples sandbox-check: they look for VM artifacts (drivers, MAC OUI prefixes), low CPU/RAM, recent uptime, mouse movement, or known analysis processes. A capable sandbox must therefore blend in — realistic hostname, plausible files, simulated user activity — and the analyst must watch for evasion as a behavior in its own right.
Prerequisites / Lab setup
A minimum viable lab:
- Host hypervisor: VMware Workstation or VirtualBox. Network set to Host-Only (no internet bridge to your LAN).
- Victim VM: Windows 10/11, snapshotted clean.
- Gateway / sink VM: A Linux box running INetSim or FakeNet-NG to answer DNS/HTTP/TLS so the sample "believes" it has connectivity while traffic stays contained.
- Tooling on the victim: Sysinternals Process Monitor (Procmon), Process Hacker (or System Informer), Wireshark, plus Autoruns and TCPView.
Snapshot the clean state before every detonation. Take the sample in password-protected form (e.g., the infected ZIP convention) and only unpack it inside the VM.
```bash
# On the Linux sink VM: route victim traffic to a fake internet
sudo inetsim --config /etc/inetsim/inetsim.conf
# Confirm DNS/HTTP/HTTPS services are listening
sudo ss -tulnp | grep inetsim
```
Point the victim VM's DNS and default gateway at the sink VM's IP so every outbound request is captured and answered.
Walkthrough / PoC (step by step)
1. Baseline and arm the tools
On the clean snapshot, start Wireshark capturing on the host-only adapter, then open Procmon and immediately pause/clear its capture so you start from a clean buffer.
```text
Procmon -> Ctrl+E (toggle capture) -> Ctrl+X (clear)
Wireshark -> select Ethernet0 (host-only) -> start capture
```
Apply a Procmon filter to cut noise before you detonate. The most useful starting filters:
```text
Filter -> Add:
Process Name is <sample.exe> then Include
Operation is Process Create then Include
Operation is RegSetValue then Include
Operation is WriteFile then Include
```
2. Detonate and let it run
Run the sample (often you must rename it from .bin/.dat to .exe). Give it 60-120 seconds — many samples sleep or stagger their stages.
```powershell
# Inside the isolated victim VM only
Rename-Item .\sample.bin .\sample.exe
.\sample.exe
```
3. Triage process behavior with Process Hacker
Open Process Hacker, sort the tree by recent processes. Look for:
- Suspicious parent/child chains — e.g., winword.exe spawning powershell.exe or cmd.exe.
- Injection targets — a benign process (explorer.exe, svchost.exe) suddenly holding a private, executable, non-image-backed memory region. Right-click the process, Memory, and look for RX/RWX regions with no mapped file: a classic injection tell.
- Network owner — right-click a process and check the Network tab to attribute connections to a PID.
```text
Process Hacker -> right-click process -> Properties
-> Memory tab: filter Protection = RWX, Use = Private (injected shellcode)
-> Handles tab: look for mutexes (campaign markers) and named pipes
```
Named mutexes are gold — they are often hardcoded and make excellent host-based IOCs.
4. Reconstruct file and registry activity in Procmon
Stop the Procmon capture and review. Highlight persistence and drops:
```text
RegSetValue    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<value>
WriteFile      C:\Users\<user>\AppData\Roaming\<random>\<payload>.exe
WriteFile      C:\Users\<user>\AppData\Local\Temp\<staging>.tmp
Process Create C:\Windows\System32\schtasks.exe /create /sc minute ...
```
Use Tools -> Process Tree for a clean visual of the execution chain, and export the filtered log to CSV for your report.
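Once the filtered log is exported to CSV, the classification above can be scripted. This is an added example, not code from the original post: it reads a constructed Procmon CSV export (default column layout, with the `Detail` column of a Process Create row in Procmon's `PID: <n>, Command line: <cmd>` form), tags Run-key writes, AppData/Temp drops and schtasks creation, and rebuilds the parent -> child chain.

```python
import csv
import io

# Constructed Procmon CSV export (default column layout), not a real capture.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","WriteFile","C:\Users\test\AppData\Roaming\loader\payload.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.4","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\test\AppData\Roaming\loader\payload.exe"
"10:01:03.0","sample.exe","4120","Process Create","C:\Windows\System32\schtasks.exe","SUCCESS","PID: 5208, Command line: schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\test\AppData\Roaming\loader\payload.exe"
"10:01:03.2","sample.exe","4120","WriteFile","C:\Users\test\AppData\Local\Temp\stage1.tmp","SUCCESS","Offset: 0, Length: 4,096"
"10:01:04.0","sample.exe","4120","WriteFile","C:\Users\test\Documents\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def triage_procmon(csv_text):
    """Classify Procmon rows into the step-4 behaviors and rebuild the
    parent -> child execution chain from 'Process Create' rows.
    Returns (findings, chain); each finding is (label, operation, path)."""
    findings, chain = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        low = path.lower()
        if op == "RegSetValue" and RUN_KEY in low:
            findings.append(("Run key persistence", op, path))
        elif op == "WriteFile" and any(d in low for d in DROP_DIRS):
            label = "payload drop" if low.endswith(".exe") else "staging file"
            findings.append((label, op, path))
        elif op == "Process Create":
            # Procmon's Detail column reads "PID: <n>, Command line: <cmd>"
            child_pid = detail.split("PID: ", 1)[1].split(",", 1)[0]
            cmdline = detail.split("Command line: ", 1)[1]
            chain.append((row["Process Name"], row["PID"], child_pid, cmdline))
            if "schtasks" in low and "/create" in cmdline.lower():
                findings.append(("T1053.005 scheduled task", op, cmdline))
    return findings, chain


if __name__ == "__main__":
    found, tree = triage_procmon(PROCMON_CSV)
    for label, op, path in found:
        print(f"{label:26} {op:15} {path}")
    for parent, ppid, cpid, cmd in tree:
        print(f"{parent} ({ppid}) -> PID {cpid}: {cmd}")
```

Writes outside AppData/Temp (the Documents row) are deliberately ignored, which is the same noise cut the Procmon filter makes interactively.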
5. Pull C2 indicators from Wireshark
Stop the capture and pivot to network indicators:
```text
# Display filters
dns                                         # resolve C2 domains the sample queried
http.request                                # URIs, User-Agent, Host header (beacon fingerprint)
tls.handshake.type == 1                     # Client Hello -> SNI reveals HTTPS C2 host
ip.addr == <sink_ip> && tcp.flags.syn == 1  # connection attempts
```
Even against a FakeNet sink, you recover the domain, URI path, User-Agent, and beacon interval — the core of a network signature. Right-click a packet, Follow -> HTTP Stream, to read cleartext beacons. Hardcoded or unusual User-Agent strings are reliable IOCs.
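The beacon interval is the one indicator Wireshark does not hand you directly. This added example (not from the original post) takes constructed records as read off the `http.request` filter (frame time, Host, URI, User-Agent), groups them by host, and keeps only hosts contacted at a regular period; ordinary browsing with irregular timing is dropped. The same interval check is what the Blue Team section's "consistent intervals" alert relies on.

```python
from statistics import median

# Constructed records read off Wireshark's http.request filter
# (frame time in seconds, Host header, request URI, User-Agent); not real traffic.
HTTP_REQUESTS = [
    (100.0, "update-check.example", "/api/v1/ping?id=7f3a", "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"),
    (101.0, "cdn.example", "/lib/jquery.js", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    (160.0, "update-check.example", "/api/v1/ping?id=7f3a", "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"),
    (105.0, "cdn.example", "/img/logo.png", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    (221.0, "update-check.example", "/api/v1/ping?id=7f3a", "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"),
    (280.0, "update-check.example", "/api/v1/ping?id=7f3a", "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"),
    (300.0, "cdn.example", "/img/hero.png", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]


def beacon_signatures(requests, min_hits=3, max_jitter=0.2):
    """Group requests by Host and keep only hosts contacted at a regular
    period: the median gap between requests, with no gap deviating from it
    by more than max_jitter (as a fraction of the period). The survivors are
    the C2 host, URI path, User-Agent and beacon interval."""
    by_host = {}
    for ts, host, uri, ua in requests:
        by_host.setdefault(host, []).append((ts, uri, ua))
    signatures = []
    for host, reqs in by_host.items():
        if len(reqs) < min_hits:
            continue              # too few samples to call it a beacon
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        period = median(gaps)
        if period == 0:
            continue              # duplicate frame times: nothing to measure
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter > max_jitter:
            continue              # irregular timing: browsing, not a beacon
        signatures.append({
            "host": host,
            "uri_path": reqs[0][1].split("?", 1)[0],
            "user_agent": reqs[0][2],
            "interval_s": round(period, 1),
            "jitter": round(jitter, 2),
        })
    return signatures


if __name__ == "__main__":
    for sig in beacon_signatures(HTTP_REQUESTS):
        print(sig)
```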
6. Collect the indicators
Consolidate what you have: file paths and hashes (Get-FileHash), registry keys, mutex names, C2 domains/IPs/URIs, and the User-Agent. These become your IOC set and detection content.
```powershell
Get-FileHash -Algorithm SHA256 C:\Users\test\AppData\Roaming\loader\payload.exe
```
[Mermaid diagram: the dynamic-analysis loop]
The diagram shows the full loop: prepare a clean instrumented VM, detonate, confirm the sample didn't evade, then correlate host and network telemetry into IOCs before reverting.
Detection & Defense (Blue Team)
The same indicators you extracted become detections. Weight these as heavily as the offensive workflow.
1. Turn behaviors into telemetry. Deploy Sysmon with a curated config (e.g., the SwiftOnSecurity or Olaf Hartong baselines). The highest-value events mirror exactly what you observed:
- Event ID 1 (Process Create) — catch suspicious parent/child chains (office -> powershell, services.exe anomalies).
- Event ID 7 (Image Load) — unsigned or unusual DLLs in user-writable paths.
- Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) — process injection (T1055).
- Event ID 11 (FileCreate) — drops in AppData/Temp.
- Event ID 12/13 (Registry) — Run key persistence.
- Event ID 22 (DNS Query) and Event ID 3 (Network Connect) — C2 attribution by PID.
2. Hunt with the IOCs. A simple Sigma-style hunt for AppData execution:
```yaml
detection:
  selection:
    EventID: 1
    Image|contains:
      - '\AppData\Roaming\'
      - '\AppData\Local\Temp\'
  condition: selection
```
3. Convert host artifacts into YARA/IOC rules. Mutex names, hardcoded strings, and the C2 User-Agent are durable. Block C2 domains/IPs at the DNS resolver and proxy; alert on anomalous User-Agents and rare-domain beaconing with consistent intervals.
4. Reduce attack surface. Enforce Attack Surface Reduction rules (block Office child processes, block credential theft), enable Controlled Folder Access, and restrict script interpreters with WDAC/AppLocker. Persistence via Run keys and Scheduled Tasks should trigger alerts, not silent success.
5. Operational hygiene. Centralize Sysmon + Windows Security logs into your SIEM, map detections to ATT&CK techniques for coverage gaps, and validate them by re-detonating samples in the lab. For deeper memory-resident threats, pair this with Volatility memory forensics.
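Validating the Sigma-style hunt from item 2 before it reaches the SIEM is quick to script. This added example (not the Sigma project's code, and not from the original post) writes that rule's `detection` block out as the dict PyYAML would produce, implements the two constructs it uses (a plain field match and the `|contains` modifier, both case-insensitive as Sigma specifies), and runs it over constructed Sysmon events; only `condition: <one selection>` is handled.

```python
# The Sigma-style detection from item 2, as the dict PyYAML would produce
# (written out by hand so the example runs with nothing installed).
SIGMA_DETECTION = {
    "selection": {
        "EventID": 1,
        "Image|contains": ["\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\"],
    },
    "condition": "selection",
}

# Constructed Sysmon events (only the fields the rule needs); not real logs.
SYSMON_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\test\\AppData\\Roaming\\loader\\payload.exe",
     "ParentImage": "C:\\Users\\test\\Downloads\\sample.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 11, "Image": "C:\\Users\\test\\Downloads\\sample.exe",
     "TargetFilename": "C:\\Users\\test\\AppData\\Local\\Temp\\stage1.tmp"},
    {"EventID": 1, "Image": "c:\\users\\test\\appdata\\local\\temp\\stage1.exe",
     "ParentImage": "C:\\Users\\test\\Downloads\\sample.exe"},
]


def field_matches(key, expected, event):
    """Evaluate one 'Field|modifier: value(s)' line. Sigma string matching is
    case-insensitive, and a list of values means any one of them may match."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(str(v).lower() in str(actual).lower() for v in values)
    if modifier == "":
        return any(str(v).lower() == str(actual).lower() for v in values)
    raise ValueError(f"modifier not implemented here: {modifier}")


def hunt(detection, events):
    """Run the rule over events. Only 'condition: <one selection>' is handled,
    which is all item 2's rule uses; boolean conditions would need a parser."""
    selection = detection[detection["condition"].strip()]
    return [e for e in events
            if all(field_matches(k, v, e) for k, v in selection.items())]


if __name__ == "__main__":
    for hit in hunt(SIGMA_DETECTION, SYSMON_EVENTS):
        print(hit["ParentImage"], "->", hit["Image"])
```

The Event ID 11 row is the check that the `EventID: 1` clause is really applied: its path sits in Temp but it is a file create, not a process create, so it must not match.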
Conclusion
Dynamic analysis is a disciplined loop: isolate, instrument, detonate, observe, and revert. Procmon gives you the host story, Process Hacker exposes injection and live process state, and Wireshark recovers the C2 fingerprint — even against a sinkhole. Convert every observation into a Sysmon/Sigma/YARA detection, and the offensive exercise pays for itself defensively. Always work from a clean snapshot, keep the lab air-gapped, and treat anti-analysis evasion as a first-class behavioral signal.
References
- MITRE ATT&CK — Process Injection (T1055), Application Layer Protocol (T1071), Scheduled Task (T1053.005)
- Microsoft Sysinternals — Process Monitor (Procmon): https://learn.microsoft.com/sysinternals/downloads/procmon
- Process Hacker / System Informer: https://systeminformer.sourceforge.io/
- Wireshark User's Guide: https://www.wireshark.org/docs/
- INetSim: https://www.inetsim.org/ — FakeNet-NG: https://github.com/mandiant/flare-fakenet-ng
- Sysmon & configs: https://learn.microsoft.com/sysinternals/downloads/sysmon
- Sigma project: https://github.com/SigmaHQ/sigma