What You'll Learn
- Explain what dynamic analysis is and when to use it after static analysis has been completed
- Describe the principles of a safe analysis environment: isolation, snapshots, network simulation, and controlled execution
- Use Process Monitor (Procmon) to capture and filter process, file system, and registry activity during malware execution
- Use Process Explorer to inspect process trees, loaded DLLs, handles, and thread activity
- Use Autoruns to detect persistence mechanisms installed by malware
- Monitor file system changes during malware execution to identify dropped payloads and configuration files
- Recognize process injection indicators: unusual parent-child relationships, suspicious memory allocation patterns, and hollow processes
- Build a structured behavioral profile from dynamic analysis observations
- Apply safe analysis practices to prevent malware from escaping the analysis environment
Crossing the Line: From Reading to Running
In Lessons 11.1 and 11.2, you examined malware without letting it execute — dissecting PE structure, extracting strings, computing hashes, analyzing imports, and detecting packers. Static analysis answered "what is this file made of?" Now you need to answer a different question: "What does this file do when it runs?"
Dynamic analysis means executing malware in a controlled environment and observing its behavior in real time. You watch what processes it creates, what files it drops, what registry keys it modifies, what network connections it makes, and what persistence mechanisms it installs.
| What Static Analysis Tells You | What Dynamic Analysis Reveals |
|---|---|
The binary imports CreateRemoteThread | It injects code into explorer.exe PID 4892 |
Strings contain C:\\Users\\Public\\update.exe | It drops a second-stage payload to that exact path |
The IAT includes RegSetValueExA | It writes to HKCU\\...\\Run with value WindowsUpdate |
| The binary has network-related imports | It connects to 185.220.101.34:443 every 60 seconds |
| High entropy sections suggest packing | The unpacked code reveals a full RAT (Remote Access Trojan) feature set |
Dynamic analysis has real risk. Unlike static analysis where the file never executes, you are now running actual malware. If your analysis environment is not properly isolated, the malware can escape — infecting your network, exfiltrating data, or encrypting files. Every dynamic analysis session must follow strict isolation protocols. Never analyze malware on your production workstation.
The Analysis Environment
Before executing anything, your environment must be properly configured. The goal is maximum observability with zero escape risk.
Isolation Requirements
| Requirement | Implementation | Why It Matters |
|---|---|---|
| VM-based isolation | VirtualBox, VMware, or Hyper-V with no shared folders | Malware cannot access host file system |
| Snapshot before execution | Take a clean snapshot with all tools installed | Revert to clean state after every analysis session |
| Network isolation | Host-only networking or simulated network (INetSim, FakeNet-NG) | Prevents C2 communication and lateral movement |
| No shared clipboard | Disable clipboard sharing between host and guest | Prevents data exfiltration via clipboard |
| Limited resources | Allocate enough RAM/CPU but no USB passthrough | Reduces attack surface for VM escape |
Network Simulation
Malware that cannot reach its C2 server often behaves differently — it may crash, sleep indefinitely, or skip payload delivery. Network simulation tools respond to malware's network requests with fake responses:
# INetSim — simulates HTTP, HTTPS, DNS, SMTP, FTP, and more
sudo inetsim
# FakeNet-NG (Windows) — intercepts and responds to all network traffic
FakeNet.exe
| Tool | Platform | What It Simulates |
|---|---|---|
| INetSim | Linux | HTTP, HTTPS, DNS, FTP, SMTP, POP3, TFTP, NTP, and more |
| FakeNet-NG | Windows | All protocols — intercepts at the network layer |
| ApateDNS | Windows | DNS only — redirects all lookups to a specified IP |
Take a pre-execution baseline. Before running the malware, capture a baseline of running processes, open network connections, registry autorun entries, and scheduled tasks. After execution, compare against the baseline to identify exactly what changed. In Lab 11.3, you will use this diff-based approach to build a complete behavioral profile.
Process Monitor (Procmon): Seeing Everything
Process Monitor from Sysinternals is the single most powerful dynamic analysis tool for Windows malware. It captures every file system operation, registry access, network connection, process creation, and thread activity in real time — with microsecond precision.
Setting Up Procmon for Malware Analysis
The challenge with Procmon is volume: a typical Windows system generates thousands of events per second. Without filtering, you drown in noise. The key is setting up filters before executing the malware.
Essential Procmon filters for malware analysis:
| Filter | Condition | Purpose |
|---|---|---|
| Process Name | is suspicious.exe | Capture only the malware's activity |
| Operation | is WriteFile | Focus on file system writes (payload drops) |
| Operation | is RegSetValue | Focus on registry modifications (persistence) |
| Operation | is Process Create | Capture spawned child processes |
| Path | contains \\Run | Detect autorun registry modifications |
| Path | contains \\Services | Detect service-based persistence |
| Path | contains \\Tasks | Detect scheduled task persistence |
Procmon Analysis Workflow
Step 1: Configure filters — Add the malware's process name as a primary filter. Include child process names as you discover them.
Step 2: Start capture — Press Ctrl+E to begin capturing. Minimize Procmon (some malware detects monitoring tools by window title).
Step 3: Execute the malware — Run the sample and wait 2-5 minutes for initial behavior. Some malware has delayed execution (sleeps before acting).
Step 4: Analyze by category:
File System Activity:
- Look for: WriteFile operations to Temp, AppData, ProgramData, System32
- Significance: Dropped payloads, configuration files, log files
Registry Activity:
- Look for: RegSetValue to Run keys, Services, Scheduled Tasks
- Significance: Persistence mechanisms
Process Activity:
- Look for: Process Create events, especially spawning cmd.exe, powershell.exe, or system utilities
- Significance: Lateral execution, living-off-the-land techniques
Network Activity:
- Look for: TCP Connect, UDP Send operations
- Significance: C2 communication, data exfiltration
Step 5: Save the log — File → Save to PML format for later reference and team sharing.
Procmon's Process Tree feature is invaluable. Tools → Process Tree shows every process that existed during capture with parent-child relationships, command lines, start/end times, and user context. This single view often reveals the entire execution chain: the malware spawns cmd.exe, which runs powershell.exe, which downloads and executes a second stage. In Lab 11.3, you will reconstruct a complete attack chain from the Process Tree.
Procmon on Linux: Alternative Tools
Linux does not have a direct Procmon equivalent, but you can achieve similar observability with multiple tools:
# strace — trace system calls (file, network, process operations)
strace -f -e trace=file,network,process -o trace.log ./suspicious_binary
# sysdig — system-level visibility (modern alternative)
sudo sysdig proc.name=suspicious_binary
# inotifywait — monitor file system changes in real time
inotifywait -r -m /tmp /var/tmp /home --format '%T %w%f %e' --timefmt '%H:%M:%S'
Process Explorer: Deep Process Inspection
While Procmon captures events over time, Process Explorer gives you a live view of the current system state — process trees, loaded DLLs, open handles, network connections, and thread details.
What to Look For
Process Tree Anomalies:
| Normal Pattern | Suspicious Pattern |
|---|---|
explorer.exe → user applications | svchost.exe → cmd.exe → powershell.exe |
services.exe → svchost.exe | winword.exe → powershell.exe (macro execution) |
cmd.exe started by user action | notepad.exe with network connections |
| Processes running as logged-in user | User-space process running as SYSTEM |
DLL Inspection:
Process Explorer's lower pane (View → Lower Pane View → DLLs) shows every DLL loaded by the selected process:
- Unsigned DLLs in system processes = potential DLL injection or side-loading
- DLLs loaded from unusual paths (Temp, Downloads, AppData) = suspicious
- DLLs without version information = non-standard, possibly malicious
Handle Analysis:
Handles reveal what resources a process has open:
- Open file handles to other executables = possible file manipulation or payload staging
- Mutexes with specific names = malware often creates named mutexes to prevent multiple instances
- Registry key handles to Run keys or Services = active persistence installation
Verify Image Signatures
Process Explorer can verify digital signatures for every running process (Options → Verify Image Signatures). Legitimate Windows processes and signed applications show "Verified" — unsigned processes or those with invalid signatures warrant investigation.
Autoruns: Persistence Detection
Autoruns from Sysinternals is the definitive tool for enumerating all persistence mechanisms on a Windows system. It checks over 40 locations where programs can configure themselves to run during startup or login.
Autoruns Analysis for Malware
Before execution baseline:
1. Run Autoruns
2. File → Save (autorunsc.exe -a * -c > baseline.csv for CLI)
3. This captures legitimate autorun entries before malware modifies anything
After execution comparison:
1. Run Autoruns again
2. File → Compare → select baseline
3. New entries highlighted in green = installed by the malware
| Autoruns Tab | What It Shows | Malware Persistence Common Here |
|---|---|---|
| Logon | Run/RunOnce registry keys, Startup folder | Most common persistence location |
| Scheduled Tasks | Task Scheduler entries | Increasingly popular for persistence |
| Services | Windows services | Survives user logoff, runs as SYSTEM |
| Drivers | Kernel drivers | Rootkit persistence |
| Winlogon | Winlogon notification DLLs | Credential theft and persistence |
| Boot Execute | Programs that run before Windows fully starts | Bootkit persistence |
| Image Hijacks | IFEO debugger entries, .exe redirection | Execution hijacking |
Sophisticated malware detects Autoruns. Some malware checks for the Autoruns window title or process name and hides its persistence entries while the tool is running, revealing them only when it is closed. To counter this, use the command-line version (autorunsc.exe) which is harder to detect, or compare before/after snapshots rather than relying on live inspection.
File System Monitoring
Beyond Procmon's file system filters, you can monitor file system changes using dedicated tools:
Windows:
# Capture a baseline directory listing before execution
Get-ChildItem -Recurse C:\Users\analyst\ | Select FullName, Length, LastWriteTime > baseline.txt
# After execution, compare
$before = Import-Csv baseline.txt
$after = Get-ChildItem -Recurse C:\Users\analyst\ | Select FullName, Length, LastWriteTime
Compare-Object $before $after -Property FullName
Linux:
# Before execution
find /tmp /var/tmp /home -type f > baseline_files.txt
# After execution
find /tmp /var/tmp /home -type f > after_files.txt
diff baseline_files.txt after_files.txt
Common drop locations to monitor:
| Windows | Linux |
|---|---|
C:\\Users\\<user>\\AppData\\Local\\Temp\\ | /tmp/ |
C:\\Users\\Public\\ | /var/tmp/ |
C:\\ProgramData\\ | /dev/shm/ |
C:\\Windows\\Temp\\ | ~/.local/share/ |
C:\\Windows\\System32\\ (elevated) | /usr/local/bin/ (elevated) |
Process Injection Indicators
Process injection is one of the most important behaviors to detect during dynamic analysis. Malware injects code into legitimate processes to evade detection — the malicious activity appears to come from a trusted process.
Red Flags During Dynamic Observation
| Indicator | What It Means | How to Spot It |
|---|---|---|
| Unusual parent-child | winword.exe → powershell.exe | Process Explorer tree view |
| Process with no command line | Hollow process — original code replaced | Process Explorer properties |
| Private bytes >> image size | Extra code allocated in memory | Process Explorer memory column |
| RWX memory regions | Executable memory that was allocated (not loaded from a DLL) | Process Explorer → Properties → Threads |
| Threads from non-image addresses | Thread start address not within any loaded module | Process Explorer → Properties → Threads → Start Address |
| Suspended process creation | Process created in suspended state (CREATE_SUSPENDED flag) | Procmon → Process Create with suspended flag |
Common Injection Techniques to Watch For
| Technique | Static Indicators (Lesson 11.2) | Dynamic Indicators |
|---|---|---|
| Classic injection | Imports VirtualAllocEx + WriteProcessMemory + CreateRemoteThread | New thread appears in target process, memory region with RWX permissions |
| Process hollowing | Imports NtUnmapViewOfSection + WriteProcessMemory | Legitimate process starts suspended, image is replaced, then resumed |
| DLL injection | Imports CreateRemoteThread + LoadLibrary reference | Unexpected DLL loaded in target process from unusual path |
| APC injection | Imports QueueUserAPC + NtTestAlert | Code executes within an existing thread without new thread creation |
Building a Behavioral Profile
The goal of dynamic analysis is not just to list observations — it is to build a structured behavioral profile that describes what the malware does, step by step. This profile becomes the foundation for detection rules, incident response playbooks, and threat intelligence reports.
Behavioral Profile Template
SAMPLE: [filename] | SHA256: [hash]
EXECUTION ENVIRONMENT: [OS, tools, network config]
1. INITIAL EXECUTION
- Parent process: [what launched it]
- Immediate actions: [first 30 seconds]
- Anti-analysis checks: [debugger detection, VM detection, sleep calls]
2. FILE SYSTEM ACTIVITY
- Files created: [path, purpose]
- Files modified: [path, what changed]
- Files deleted: [self-deletion, log wiping]
3. REGISTRY MODIFICATIONS
- Persistence: [Run keys, services, scheduled tasks]
- Configuration: [stored C2 addresses, encryption keys]
4. PROCESS ACTIVITY
- Child processes spawned: [cmd, powershell, other tools]
- Process injection targets: [explorer.exe, svchost.exe, etc.]
- Living-off-the-land binaries (LOLBins): [certutil, bitsadmin, mshta]
5. NETWORK ACTIVITY
- DNS queries: [domains resolved]
- HTTP/HTTPS connections: [C2 servers, download URLs]
- Beaconing pattern: [interval, jitter]
6. PERSISTENCE MECHANISMS
- Method: [registry, service, scheduled task, startup folder]
- Location: [specific key/path]
- Survives reboot: [yes/no, tested]
7. DEFENSE EVASION
- Anti-analysis: [techniques detected]
- Timestomping: [file timestamp manipulation]
- Log clearing: [event log deletion]
Your behavioral profile feeds directly into detection engineering. Every observation becomes a candidate Sigma rule: "Alert when a process creates a file in ProgramData and immediately writes to a Run key" or "Alert when cmd.exe spawns from a Microsoft Office process." The more detailed your behavioral profile, the more precise your detections. In Lab 11.3, you will build a complete profile and write at least two detection rules from your findings.
Safe Analysis Practices
| Practice | Why It Matters |
|---|---|
| Always start from a clean snapshot | Residual artifacts from previous analyses contaminate results |
| Disconnect host networking during analysis | Prevents accidental C2 communication through misconfigured VM network |
| Use a dedicated analysis machine | Not your daily workstation — even with VMs, defense in depth matters |
| Time-limit your sessions | Some malware has time-delayed destructive payloads |
| Never copy files between VM and host via shared folders | Shared folders are a trivial escape vector |
| Document everything in real time | Memory fades — record observations as they happen, not after |
| Revert to snapshot after every session | The VM is compromised after execution — always revert |
Key Takeaways
- Dynamic analysis executes malware in a controlled environment to observe runtime behavior — it answers questions static analysis cannot
- Isolation is non-negotiable: VM-based, snapshot-capable, network-simulated, no shared folders or clipboard
- Process Monitor (Procmon) captures every file, registry, network, and process operation with microsecond precision — filter before executing to manage volume
- Process Explorer provides real-time inspection of process trees, DLLs, handles, and memory — essential for detecting injection and anomalous parent-child relationships
- Autoruns enumerates all persistence locations — compare before/after snapshots to identify exactly what the malware installed
- Process injection manifests as unusual parent-child relationships, RWX memory regions, threads from non-image addresses, and hollow processes
- Build a structured behavioral profile covering execution, file system, registry, process, network, persistence, and evasion — this profile drives detection rules and incident response
- Safe practices include clean snapshots, isolated networking, dedicated hardware, session time limits, and real-time documentation
What's Next
You have now observed what malware does to the local system — processes spawned, files dropped, registry modified, persistence installed. But malware does not operate in isolation. In Lesson 11.4, you will turn to the network side of dynamic analysis: capturing and analyzing C2 traffic, DNS beaconing patterns, data exfiltration channels, and registry manipulation in depth — completing the full behavioral picture that drives your detection engineering and incident response.
Knowledge Check: Dynamic Process & File Analysis
10 questions · 70% to pass
What is the fundamental difference between static and dynamic malware analysis?
Why is network simulation (INetSim or FakeNet-NG) important during dynamic analysis?
In Lab 11.3, you use Procmon to capture malware behavior. Which filter combination best focuses on persistence-related registry activity?
You observe in Process Explorer that explorer.exe has a thread with a start address that does not map to any loaded DLL. What does this indicate?
What is the purpose of taking a snapshot of your analysis VM before executing malware?
Which Autoruns tab would reveal malware that persists by installing itself as a Windows service?
During Lab 11.3, you observe winword.exe spawning powershell.exe in the Process Explorer tree. Why is this parent-child relationship suspicious?
What Linux command traces all system calls made by a suspicious binary, including file, network, and process operations?
In the behavioral profile template, what does the 'Living-off-the-land binaries (LOLBins)' observation track?
Why should you NOT use shared folders between your host and analysis VM during malware analysis?
0/10 answered