Running malware safely in an isolated VM and monitoring the three dimensions of behaviour — process activity, file and registry changes, and network traffic — to build a complete runtime profile.
Sign in to mark this article as read and track your progress.
After examining static properties, the analyst detonates the sample inside the analysis VM and observes its runtime behaviour. The three dimensions of monitoring — process activity, filesystem/registry changes, and network traffic — are applied in a structured workflow.
Static analysis tells you what a binary looks like. Behavioural analysis tells you what it does.
Never run malware on your host machine. Never on a system connected to a production network. Never in a VM with shared folders or clipboard sharing enabled. Snapshot before execution. Revert after every run.
1. Revert VM to clean snapshot
2. Start monitoring tools (Procmon, Process Hacker, Wireshark/FakeNet-NG)
3. Execute the sample
4. Wait and interact (some malware requires user action — click dialogs, wait 2-5 min)
5. Collect artefacts (export Procmon logs, save PCAP, note new processes/files/keys)
6. Analyse artefacts (correlate filesystem drops with network traffic)
7. Revert VM to clean snapshot
Never skip step 7. Every sample leaves traces that contaminate subsequent analyses.
| Dimension | Tools | What to Watch For |
|---|---|---|
| Process activity | Process Hacker, Process Explorer | Child processes (cmd.exe, powershell.exe), thread injection into explorer.exe or svchost.exe, mutex creation, suspended processes |
| File and registry | Procmon, Regshot | Files dropped in %TEMP%, DLLs in System32, Run keys for persistence, DisableAntiSpyware=1, ransom notes |
| Network traffic | Wireshark, FakeNet-NG | DNS queries to suspicious domains, HTTP POST exfiltration, TOR traffic (ports 9001/9050), C2 beaconing, JA3 TLS fingerprints |
Procmon generates thousands of events per second. Without filtering it is unusable. Set these filters before executing the sample:
Process Name → is → [malware filename] → Include
Operation → is → RegSetValue → Include
Operation → is → WriteFile → Include
Operation → is → Process Create → Include
Path → contains → Run → Include
Save this filter set. Load it before every analysis session.
During dynamic analysis, monitor for modifications to known persistence locations:
| Location | Procmon Filter | Indicator |
|---|---|---|
| Registry Run keys | RegSetValue | New entry pointing to dropped file |
| Startup folder | WriteFile | .lnk or script in %APPDATA%\...\Startup |
| Scheduled tasks | Process Create | schtasks.exe /create in command line |
| Windows services | Process Create | sc.exe create or CreateServiceA/W API call |
| WMI subscriptions | Use Autoruns | Event filter + consumer pair |
Autoruns tip: Run Sysinternals Autoruns before and after detonation. Compare the two snapshots to identify exactly what the malware added across all persistence locations simultaneously.
Many samples attempt DNS resolution and HTTP connections during execution. If these fail, the malware may refuse to proceed, hiding secondary behaviours.
FakeNet-NG (Windows, FlareVM): intercepts all outbound connections, responds with simulated services, and logs every request.
Start FakeNet-NG before executing the sample.
After analysis, review FakeNet-NG log:
[DNS] Query: evil-c2.example.com → Responded: 192.0.2.1
[HTTP] POST /gate.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible)
Data: [base64 encoded stolen data]
The DNS query reveals the C2 domain. The HTTP POST reveals the exfiltration endpoint and user-agent string. Both become network-level IOCs.
After collecting artefacts, structure findings into four sections:
malware.exe
└── cmd.exe /c vssadmin delete shadows /all
└── powershell.exe -enc [base64]
C:\Users\[user]\AppData\Roaming\svchost32.exe (dropped payload)
C:\Users\[user]\Desktop\README_DECRYPT.txt (ransom note)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
→ "WindowsUpdate" = "C:\...\svchost32.exe"
DNS: evil-c2.example.com → 185.220.x.x
HTTP: POST /gate.php (User-Agent: Mozilla/5.0 compatible)
This four-section structure maps directly to the IOC types used in threat intelligence sharing (MISP, OpenIOC, STIX/TAXII).
The IAT from static analysis predicted: file manipulation, registry access, HTTP communication. Dynamic analysis confirms all three and adds the specific file paths, registry keys, and C2 domains. This correlation is the validation step — if dynamic behaviour contradicts static predictions, investigate the discrepancy first.