EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationdynamic-analysisprocmonfakenet

Behavioural Analysis of Windows Executables

Running malware safely in an isolated VM and monitoring the three dimensions of behaviour — process activity, file and registry changes, and network traffic — to build a complete runtime profile.

Ashish Revar12 May 202618 min read2 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Malware Blueprints in Portable Executable Headers

A deep dive into the Portable Executable (PE) structure used by Windows binaries — how analysts decode executable metadata to uncover malicious intent, compiler behaviour, packing indicators, and execution flow.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Sysinternals Suite — Procmon, Process Explorer, Autoruns

Official Microsoft download for the complete Sysinternals Suite. Essential tools for behavioural analysis on Windows.

tool
FakeNet-NG — Network Simulation for Malware Analysis

Mandiant FakeNet-NG simulates network services on Windows. Included in FlareVM. Start before every dynamic analysis session.

tool
More articlesTest your knowledge

Overview

After examining static properties, the analyst detonates the sample inside the analysis VM and observes its runtime behaviour. The three dimensions of monitoring — process activity, filesystem/registry changes, and network traffic — are applied in a structured workflow.

Static analysis tells you what a binary looks like. Behavioural analysis tells you what it does.

The Cardinal Rule (Repeated)

Never run malware on your host machine. Never on a system connected to a production network. Never in a VM with shared folders or clipboard sharing enabled. Snapshot before execution. Revert after every run.

The Seven-Step Dynamic Analysis Workflow

1. Revert VM to clean snapshot
2. Start monitoring tools (Procmon, Process Hacker, Wireshark/FakeNet-NG)
3. Execute the sample
4. Wait and interact (some malware requires user action — click dialogs, wait 2-5 min)
5. Collect artefacts (export Procmon logs, save PCAP, note new processes/files/keys)
6. Analyse artefacts (correlate filesystem drops with network traffic)
7. Revert VM to clean snapshot

Never skip step 7. Every sample leaves traces that contaminate subsequent analyses.

Three Monitoring Dimensions

DimensionToolsWhat to Watch For
Process activityProcess Hacker, Process ExplorerChild processes (cmd.exe, powershell.exe), thread injection into explorer.exe or svchost.exe, mutex creation, suspended processes
File and registryProcmon, RegshotFiles dropped in %TEMP%, DLLs in System32, Run keys for persistence, DisableAntiSpyware=1, ransom notes
Network trafficWireshark, FakeNet-NGDNS queries to suspicious domains, HTTP POST exfiltration, TOR traffic (ports 9001/9050), C2 beaconing, JA3 TLS fingerprints

Procmon Filters

Procmon generates thousands of events per second. Without filtering it is unusable. Set these filters before executing the sample:

Process Name  →  is  →  [malware filename]  →  Include
Operation     →  is  →  RegSetValue          →  Include
Operation     →  is  →  WriteFile            →  Include
Operation     →  is  →  Process Create       →  Include
Path          →  contains  →  Run            →  Include

Save this filter set. Load it before every analysis session.

Identifying Persistence Mechanisms

During dynamic analysis, monitor for modifications to known persistence locations:

LocationProcmon FilterIndicator
Registry Run keysRegSetValueNew entry pointing to dropped file
Startup folderWriteFile.lnk or script in %APPDATA%\...\Startup
Scheduled tasksProcess Createschtasks.exe /create in command line
Windows servicesProcess Createsc.exe create or CreateServiceA/W API call
WMI subscriptionsUse AutorunsEvent filter + consumer pair

Autoruns tip: Run Sysinternals Autoruns before and after detonation. Compare the two snapshots to identify exactly what the malware added across all persistence locations simultaneously.

Simulating Network Services

Many samples attempt DNS resolution and HTTP connections during execution. If these fail, the malware may refuse to proceed, hiding secondary behaviours.

FakeNet-NG (Windows, FlareVM): intercepts all outbound connections, responds with simulated services, and logs every request.

Start FakeNet-NG before executing the sample.
After analysis, review FakeNet-NG log:
  [DNS]  Query: evil-c2.example.com → Responded: 192.0.2.1
  [HTTP] POST /gate.php HTTP/1.1
         User-Agent: Mozilla/5.0 (compatible)
         Data: [base64 encoded stolen data]

The DNS query reveals the C2 domain. The HTTP POST reveals the exfiltration endpoint and user-agent string. Both become network-level IOCs.

Building the Behavioural Report

After collecting artefacts, structure findings into four sections:

1. Execution chain

malware.exe
  └── cmd.exe /c vssadmin delete shadows /all
  └── powershell.exe -enc [base64]

2. Files created or modified

C:\Users\[user]\AppData\Roaming\svchost32.exe  (dropped payload)
C:\Users\[user]\Desktop\README_DECRYPT.txt     (ransom note)

3. Registry modifications

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  → "WindowsUpdate" = "C:\...\svchost32.exe"

4. Network indicators

DNS:  evil-c2.example.com → 185.220.x.x
HTTP: POST /gate.php (User-Agent: Mozilla/5.0 compatible)

This four-section structure maps directly to the IOC types used in threat intelligence sharing (MISP, OpenIOC, STIX/TAXII).

Correlating Static and Dynamic Findings

The IAT from static analysis predicted: file manipulation, registry access, HTTP communication. Dynamic analysis confirms all three and adds the specific file paths, registry keys, and C2 domains. This correlation is the validation step — if dynamic behaviour contradicts static predictions, investigate the discrepancy first.