# Dynamic Analysis

Dynamic analysis involves observing the behavior of the malware while it is running. Here are the key steps and important parameters to consider:

* **Environment Setup**: Before executing the malware, it's crucial to set up a controlled environment. This is often a virtual machine configured to prevent the malware from causing harm to the analyst's system or network. Tools like Cuckoo Sandbox can be used to automate this process.
* **Execution and Monitoring**: The malware is then executed within the controlled environment and its behavior is monitored. This can involve observing changes made to the system, such as file creation, registry changes, and network communication. Tools like Process Monitor, Regshot, and Wireshark can be used to track these changes.
* **Network Traffic Analysis**: By monitoring network traffic, analysts can identify any remote servers the malware communicates with, as well as the nature of this communication. This information can be crucial in understanding the purpose of the malware and potentially identifying its controller.
* **Persistence Mechanism Identification**: Many types of malware attempt to ensure they remain on the system after reboot, known as persistence. Identifying these mechanisms can be crucial in fully removing the malware from an infected system.
* **Behavior Documentation**: The malware's behavior is documented for future reference and for sharing with other researchers. This documentation can include the malware's actions, any changes made to the system, and any network communication.
* **Results Analysis**: The results of the dynamic analysis are then analyzed to understand the malware's purpose and behavior. This can involve comparing the observed behavior with the findings from the static analysis.
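The steps above fit together as one triage loop: snapshot the system, run the sample, diff the snapshots, flag autostart locations among the changes, and summarize the network contacts, then record all of it. The script below is an added example, not tooling from the handbook or from Cuckoo, Regshot or Process Monitor; it implements a Regshot-style before/after diff, a persistence check against well-known Windows autostart locations, and a per-destination summary of a connection log. The registry values, file paths, log lines, IP addresses (documentation-reserved ranges) and the `sample.exe` name are all constructed sample data.

```python
"""Dynamic-analysis triage helpers: Regshot-style snapshot diff, persistence
flagging and network-contact summary.

Added example for this handbook page, not the handbook's own tooling. All
snapshots and log lines below are constructed sample data, not artefacts of
any real sample."""
import re
from dataclasses import dataclass

# Autostart locations commonly checked when hunting persistence on Windows
# (Run keys, service image paths, Startup folder, scheduled-task XML files).
PERSISTENCE_PATTERNS = {
    "run_key": re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I),
    "service": re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I),
    "startup_folder": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    "scheduled_task": re.compile(r"\\Windows\\System32\\Tasks\\", re.I),
}


@dataclass
class Snapshot:
    """System state captured before or after executing the sample."""
    registry: dict  # value path -> data
    files: set      # absolute file paths


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Return what the sample added, changed or removed between snapshots."""
    added = {k: v for k, v in after.registry.items() if k not in before.registry}
    changed = {k: (before.registry[k], v) for k, v in after.registry.items()
               if k in before.registry and before.registry[k] != v}
    return {
        "added_keys": added,
        "changed_keys": changed,
        "added_files": sorted(after.files - before.files),
        "deleted_files": sorted(before.files - after.files),
    }


def flag_persistence(diff: dict) -> list:
    """Match new/changed registry values and new files against autostart locations."""
    hits = []
    for path in list(diff["added_keys"]) + list(diff["changed_keys"]) + diff["added_files"]:
        for kind, pattern in PERSISTENCE_PATTERNS.items():
            if pattern.search(path):
                hits.append((kind, path))
    return sorted(hits)


# One-event-per-line connection log, in the shape a Procmon/Wireshark export
# might be flattened into (constructed format, not either tool's native output).
LOG_LINE = re.compile(r"image=(\S+) proto=(\S+) dst=(\S+)")


def summarize_network(log_text: str, image: str) -> dict:
    """Group outbound contacts of one process image by destination."""
    contacts = {}
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m or m.group(1).lower() != image.lower():
            continue
        _, proto, dst = m.groups()
        entry = contacts.setdefault(dst, {"proto": proto, "events": 0})
        entry["events"] += 1
    return contacts


# --- Constructed sample data (documentation-reserved IPs, lab paths) ---
BEFORE = Snapshot(
    registry={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\lab\OneDrive.exe",
              r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    files={r"C:\Users\lab\Desktop\sample.exe"},
)
AFTER = Snapshot(
    registry={**BEFORE.registry,
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Users\lab\AppData\Roaming\svchost.exe",
              r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath": r"C:\Users\lab\AppData\Roaming\svchost.exe"},
    files={r"C:\Users\lab\Desktop\sample.exe",
           r"C:\Users\lab\AppData\Roaming\svchost.exe",
           r"C:\Windows\System32\Tasks\Updater"},
)
NETWORK_LOG = """\
t=10:00:01 pid=4120 image=sample.exe proto=UDP dst=10.0.0.53:53
t=10:00:02 pid=4120 image=sample.exe proto=TCP dst=203.0.113.10:443
t=10:00:05 pid=4120 image=sample.exe proto=TCP dst=203.0.113.10:443
t=10:00:09 pid=980 image=svchost.exe proto=TCP dst=10.0.0.5:445
"""


def run_triage() -> dict:
    """Produce the record an analyst would keep under 'Behavior Documentation'."""
    diff = diff_snapshots(BEFORE, AFTER)
    return {"diff": diff,
            "persistence": flag_persistence(diff),
            "network": summarize_network(NETWORK_LOG, "sample.exe")}


if __name__ == "__main__":
    import json
    print(json.dumps(run_triage(), indent=2))
```

On the constructed data the diff reports one new Run value, one rewritten service `ImagePath`, and two dropped files; the persistence check flags the Run key, the modified service and the scheduled-task file, while the dropped executable in `AppData\Roaming` shows up only as a new file, which is why file-system and registry diffs are read together. The network summary keeps only the sample's own contacts (a DNS lookup and two TCP connections to the same host) and ignores the unrelated `svchost.exe` event, so the destination list feeds directly into the "Network Traffic Analysis" and "Results Analysis" steps.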

Dynamic analysis can provide valuable insights into a malware's behavior that might not be apparent from static analysis alone. However, it also carries more risk, as it involves executing the malware. Therefore, it should always be performed in a controlled environment.

Never judge a sample on the verdict of a single anti-virus engine. VirusTotal is a useful option here, since it aggregates results from many engines.
