Analyzing Files with Regshot, Process Monitor, and Wireshark

1. Using Regshot

  • Purpose: Regshot takes a snapshot of the registry (and, optionally, of one or more directories on disk) before and after running a sample and reports what was added, deleted or modified. Run it inside an isolated analysis VM that you can revert afterwards.

  • Steps:

    • Initial Snapshot: Configure Regshot to include both registry and file system (e.g., drive C).

    • Take First Shot: Click on First Shot to capture the initial state.

    • Run Sample: Execute the sample file.

    • Take Second Shot: Click on Second Shot to capture the state after execution.

    • Compare Snapshots: Click on Compare to view changes.

  • Results: Analyze the output for changes such as dropped files (e.g., badfile.exe) and new or modified registry values (run keys, services, file associations). Expect some unrelated noise from background activity (prefetch files, event logs, update caches); take the two shots as close together as possible and, if in doubt, compare against a baseline pair of shots taken without running the sample.
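The First Shot / Second Shot / Compare workflow is easy to script when Regshot is not available or when you want the diff in a machine-readable form. The following is an added example, not code from the page or from the Regshot project; it covers only the file-system half of the procedure (the registry half would need the winreg module on Windows), and the directory tree and the "sample" that modifies it are constructed inside demo() so the block runs offline on any OS.

```python
"""Regshot-style snapshot/diff of a directory tree (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (size, sha256)} for every file under root."""
    shot = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                data = p.read_bytes()
            except OSError:
                continue  # file vanished or is locked between listing and reading; skip it
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            shot[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return shot


def compare(first, second):
    """Diff two snapshots: paths that appeared, disappeared, or changed content."""
    added = sorted(set(second) - set(first))
    removed = sorted(set(first) - set(second))
    modified = sorted(p for p in set(first) & set(second) if first[p] != second[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Run the whole workflow on a constructed temporary tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("mode=safe\n")
        (root / "readme.txt").write_text("hello\n")
        first = snapshot(root)                       # First Shot
        # --- stand-in for "run the sample": drop a binary, edit a config, delete a file ---
        (root / "badfile.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "config.ini").write_text("mode=unsafe\n")
        (root / "readme.txt").unlink()
        second = snapshot(root)                      # Second Shot
        return compare(first, second)                # Compare


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Hashing the content (rather than trusting timestamps) is what catches a sample that patches an existing file in place while preserving its modification time.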

2. Using Process Monitor

  • Purpose: Process Monitor (Procmon) logs file system, registry, process/thread and network activity in real time, with the process and call stack responsible for each event.

  • Steps:

    • Setup: Clear existing events before running the sample (the Clear button) so the log contains only what happens during the run; optionally drop filtered events to keep the log small.

    • Run Sample: Execute the sample file.

    • Stop Logging: Once execution is complete, stop capturing events.

    • Filter Logs:

      • Use the Process Tree tool (Tools menu) to find the sample process, re_whatami.exe, and see which processes it spawned. Since the log already contains every process, this is also where a process the sample launched and then exited shows up.

      • Add re_whatami.exe and its children to the Include filter to isolate their events; everything else (explorer.exe, svchost.exe and other background activity) is hidden.

  • Analysis:

    • Process Injection: Look for a legitimate process doing something it has no reason to do, such as calc.exe creating badfile.exe. A benign program launched by the sample and then writing or executing files is a strong sign that the sample injected code into it.

    • Operations: Focus on Process Create (new processes and their command lines), CreateFile and WriteFile (dropped files), and TCP Connect / UDP Send (network contact) to trace the behavior from the sample through its children.
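The filtering step above can be reproduced offline on a saved log: export the events as CSV (File > Save, CSV format) and rebuild the process tree from the Parent PID column and the "PID: nnnn" text Procmon writes into the Detail of each Process Create event. The block below is an added example, not code from the page or from Sysinternals; the CSV it parses is constructed to look like such an export with the optional Parent PID column enabled, and the process names, PIDs and paths are invented.

```python
"""Filter a Process Monitor CSV export down to a sample and its descendants (added example)."""
import csv
import io
import re
from collections import defaultdict

# Constructed log: re_whatami.exe (PID 4120) launches calc.exe, which writes and
# launches badfile.exe; explorer.exe and svchost.exe rows are background noise.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Parent PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","900","Process Create","C:\Samples\re_whatami.exe","SUCCESS","PID: 4120, Command line: C:\Samples\re_whatami.exe"
"10:01:02.2","re_whatami.exe","4120","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:02.3","svchost.exe","880","600","CreateFile","C:\Windows\Temp\log.txt","SUCCESS","Desired Access: Generic Write"
"10:01:02.4","re_whatami.exe","4120","1234","Process Create","C:\Windows\System32\calc.exe","SUCCESS","PID: 5008, Command line: calc.exe"
"10:01:02.9","calc.exe","5008","4120","CreateFile","C:\Users\lab\AppData\Local\Temp\badfile.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:03.0","calc.exe","5008","4120","Process Create","C:\Users\lab\AppData\Local\Temp\badfile.exe","SUCCESS","PID: 5100, Command line: badfile.exe"
"10:01:03.1","badfile.exe","5100","5008","TCP Connect","lab-pc:49700 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:03.2","explorer.exe","1234","900","RegQueryValue","HKCU\Software\Classes","SUCCESS","Type: REG_SZ"
'''


def load_events(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(events, root_pid):
    """Return the set of PIDs rooted at root_pid, like Procmon's Process Tree view."""
    children = defaultdict(set)
    for e in events:
        if e.get("Parent PID"):                      # optional column, if exported
            children[e["Parent PID"]].add(e["PID"])
        if e["Operation"] == "Process Create":       # always present in the Detail text
            m = re.search(r"PID:\s*(\d+)", e["Detail"])
            if m:
                children[e["PID"]].add(m.group(1))
    tree, todo = set(), [str(root_pid)]
    while todo:
        pid = todo.pop()
        if pid not in tree:
            tree.add(pid)
            todo.extend(children[pid])
    return tree


def filter_to_tree(events, root_pid):
    """The "add process and children to the Include filter" step."""
    tree = process_tree(events, root_pid)
    return [e for e in events if e["PID"] in tree]


def trace(events, root_pid, ops=("Process Create", "CreateFile", "WriteFile", "TCP Connect")):
    """Just the operations an analyst reads first, as (process, operation, path)."""
    return [(e["Process Name"], e["Operation"], e["Path"])
            for e in filter_to_tree(events, root_pid) if e["Operation"] in ops]


if __name__ == "__main__":
    for row in trace(load_events(PROCMON_CSV), 4120):
        print("%-16s %-16s %s" % row)
```

In the constructed data the trace shows calc.exe, a child of the sample, creating and launching badfile.exe, which is exactly the pattern the Process Injection bullet describes; explorer.exe's own Process Create of the sample is not in the tree and is filtered out, as it would be in Procmon.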

3. Using Wireshark

  • Purpose: Wireshark captures network traffic on a chosen interface and decodes it protocol by protocol, so you can see what the sample resolves, connects to and sends.

  • Setup:

    • Run FakeNet: Start FakeNet (FakeNet-NG) before the sample. It answers DNS queries and emulates common services (HTTP, HTTPS, SMTP and others) so the sample believes it is online and reveals its callbacks, while the VM stays on an isolated, host-only network with no path to the real internet.

    • Capture Traffic: Start the Wireshark capture on the VM's interface before executing the sample and stop it once the sample has finished, so the capture brackets the whole run.

  • Analysis:

    • Inspect Traffic: Look for DNS lookups of unfamiliar names, outbound connection attempts (TCP SYNs) to unexpected hosts or ports, and HTTP requests or other payloads carrying data out. A packet capture does not record which process sent a packet, so correlate each connection with Procmon's TCP Connect and UDP Send events to attribute it to the sample or one of its children.
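The two things to pull out of the capture first, connection attempts and name lookups originating from the analysis host, are equivalent to the Wireshark display filters tcp.flags.syn == 1 && tcp.flags.ack == 0 and dns.flags.response == 0. The block below does the same extraction in plain Python as an added example; it is not code from the page, Wireshark or FakeNet. It parses the classic libpcap format (Ethernet/IPv4/TCP/UDP) with the standard library only, and the capture it reads is constructed in make_sample_pcap() so the block runs offline; the lab address, destination address and domain name are invented.

```python
"""Extract TCP SYNs and DNS queries from a pcap (added example)."""
import socket
import struct

LAB_IP = "10.0.0.5"   # assumed address of the analysis VM running the sample


def _ether_ipv4(payload, proto, src, dst):
    """Wrap an L4 payload in Ethernet + IPv4 headers (checksums left at 0)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def _tcp_syn(src, dst, dport):
    tcp = struct.pack("!HHIIBBHHH", 49700, dport, 1000, 0, 0x50, 0x02, 8192, 0, 0)
    return _ether_ipv4(tcp, 6, src, dst)


def _dns_query(src, dst, name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(dns), 0) + dns
    return _ether_ipv4(udp, 17, src, dst)


def make_sample_pcap():
    """Constructed capture: the lab host resolves a name, then connects out to port 443."""
    frames = [
        _dns_query(LAB_IP, "10.0.0.1", "update.example"),
        _tcp_syn(LAB_IP, "203.0.113.10", 443),
        _tcp_syn("10.0.0.1", LAB_IP, 49700),     # inbound SYN: noise, not sample-initiated
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, linktype Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def _qname(buf):
    """Decode an uncompressed DNS question name."""
    labels, i = [], 0
    while i < len(buf) and buf[i]:
        n = buf[i]
        labels.append(buf[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)


def parse_pcap(data):
    """Yield (kind, src, dst, detail) for every TCP SYN and DNS query in the file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 over Ethernet only
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:
            _, dport, _, _, _, flags = struct.unpack("!HHIIBB", l4[:14])
            if flags & 0x12 == 0x02:             # SYN set, ACK clear: a new connection attempt
                yield ("tcp_syn", src, dst, dport)
        elif proto == 17 and len(l4) >= 20:
            _, dport = struct.unpack("!HH", l4[:4])
            if dport == 53:
                yield ("dns_query", src, dst, _qname(l4[20:]))


def initiated_by(data, host):
    """Only what the host (i.e. the sample) reached out to: the lines to inspect first."""
    return [(k, dst, d) for k, src, dst, d in parse_pcap(data) if src == host]


if __name__ == "__main__":
    for kind, dst, detail in initiated_by(make_sample_pcap(), LAB_IP):
        print(f"{kind:10s} {dst:15s} {detail}")
```

Filtering on the source address is what separates the sample's own outbound contact from replies and from anything FakeNet or the host initiates; the inbound SYN in the constructed capture is dropped for that reason.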

Summary

  • Regshot: Effective for detecting persistent changes to the file system and registry. Useful for spotting dropped files and new registry entries, but it only shows the end state, not the order of events or which process made each change.

  • Process Monitor: Essential for tracking process, file, registry and network activity as it happens, attributing every event to a process, and detecting process injection or unexpected file operations.

  • Wireshark: Crucial for seeing what the sample resolves, connects to and sends; with FakeNet answering, the callbacks are captured without letting the sample reach the real network.

These tools combined offer a comprehensive approach to analyzing the behavior of executable files, identifying both system and network changes.
