Lab 2: Monitoring Resources
Overview
The purpose of this lab is to become familiar with using Process Monitor and Process Explorer to identify how malware uses various resources.
Usage
For a quick summary of Process Monitor and Process Explorer functionality, see the Process Monitor Guide and the Process Explorer Guide.
Part 1: avzhan
Use Process Monitor and Process Explorer to analyze the avzhan specimen (found at c:\malware\avzhan\avzhan.exe).
Run as Administrator
Make sure to run the malware as admin by right clicking and selecting Run as Administrator.
Question 1.1
Verify the name and directory the malware copies itself into. Did it change from the RegShot exercise?
Answer
Yes, it is randomly generated each time.
Question 1.2
What is the name of the mutex (mutant) the malware opens? (The one related to the service)
Answer
\BaseNamedObjects\gtey
Question 1.3
What is the command line that avzhan passes to cmd.exe?
Answer
/c del C:\malware\avzhan\avzhan.exe
Question 1.4
Find the file system activity events where cmd.exe actually deletes the file. Open the event properties and list the following properties:
- What is the desired access for the event?
- What are the options for the event?
- What is the sharemode for the event?
Answer
- Delete
- Non-Directory File, Delete On Close
- Delete
Part 2: Wannacry
Use Process Monitor and Process Explorer to analyze the Wannacry specimen (found at c:\malware\wannacry\wannacry.exe).
Question 2.1
List (at least four) unique child processes Wannacry spawns
Question 2.2
What does Wannacry use the attrib command to do?
Answer
It sets the "hidden" flag on the C:\malware\wannacry folder.
Question 2.3
What is the command line Wannacry uses to run icacls? What is it doing with it?
Answer
The command line is icacls . /grant Everyone:F /T /C /Q. It uses this to recursively give everyone full access to everything in the C:\malware\wannacry folder. It does this even if it encounters errors, and doesn't display any success messages.
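As an added example (not part of the lab or its tooling), the following Python script post-processes a Process Monitor CSV export (File > Save, CSV format) to flag the behaviours the questions above have you locate by hand: the cmd.exe /c del self-delete, the CreateFile event carrying the Delete On Close option, and the attrib and icacls command lines. The sample rows are constructed to imitate the lab's specimens; the column names are ProcMon's defaults.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# Column names are ProcMon's defaults; the rows imitate the lab's avzhan and Wannacry behaviour.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","avzhan.exe","1200","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 1300, Command line: cmd.exe /c del C:\\malware\\avzhan\\avzhan.exe"
"10:01:02.3","cmd.exe","1300","CreateFile","C:\\malware\\avzhan\\avzhan.exe","SUCCESS","Desired Access: Delete, Disposition: Open, Options: Non-Directory File, Delete On Close, Attributes: n/a, ShareMode: Delete, AllocationSize: n/a, OpenResult: Opened"
"10:05:00.0","wannacry.exe","2000","Process Create","C:\\Windows\\System32\\attrib.exe","SUCCESS","PID: 2010, Command line: attrib +h ."
"10:05:00.2","wannacry.exe","2000","Process Create","C:\\Windows\\System32\\icacls.exe","SUCCESS","PID: 2020, Command line: icacls . /grant Everyone:F /T /C /Q"
"10:05:01.0","wannacry.exe","2000","CreateFile","C:\\malware\\wannacry\\m.vbs","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"""

# Command-line patterns the lab asks you to locate by hand (questions 1.3, 2.2, 2.3).
SUSPICIOUS_CMDLINES = [
    ("self-delete via cmd.exe /c del", re.compile(r"\bcmd\.exe\s+/c\s+del\b", re.I)),
    ("attrib hides a path", re.compile(r"\battrib\b.*\+h\b", re.I)),
    ("icacls grants Everyone full control", re.compile(r"\bicacls\b.*/grant\s+Everyone:F", re.I)),
]

def parse_detail(detail):
    """Turn ProcMon's 'Key: value, Key: value' Detail column into a dict.
    Values such as Options contain commas themselves, so split only on a
    ', ' that is immediately followed by another 'Key: ' token."""
    fields = {}
    for part in re.split(r", (?=[A-Za-z ]+: )", detail):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields

def find_findings(csv_text):
    """Return (process, operation, path, reason) for each event worth a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        detail = parse_detail(row["Detail"])
        proc, op, path = row["Process Name"], row["Operation"], row["Path"]
        if op == "Process Create":
            cmdline = detail.get("Command line", "")
            for reason, pattern in SUSPICIOUS_CMDLINES:
                if pattern.search(cmdline):
                    findings.append((proc, op, path, reason))
        elif op == "CreateFile" and "Delete On Close" in detail.get("Options", ""):
            # Question 1.4: the handle that actually removes the file.
            findings.append((proc, op, path, "file opened with Delete On Close"))
    return findings
```

Run find_findings(SAMPLE_CSV), or feed it the text of a real export, and each tuple names the process, operation, path and the reason it was flagged.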
Question 2.4
What is the name of the batch file Wannacry creates?
Answer
It is a randomly generated very large number, for example: 225311717763281.bat
Question 2.5
What is the name of the vbscript file Wannacry runs?
Answer
m.vbs
Question 2.6
What is the Description for the additional command Wannacry runs out of c:\malware\wannacry?
Answer
Depending on which process you choose (it runs a few), it could be:
- "SQL Client Configuration Utility EXE" (taskdl.exe)
- "Load PerfMon Counters" (@[email protected])
- "waitfor - wait/send a signal over the network" (taskse.exe)
Part 3: Stabuniq
Use Process Monitor and Process Explorer to analyze the stabuniq specimen (found at c:\malware\stabuniq\stabuniq.exe).
Run as Administrator
Make sure to right-click and select Run as Administrator.
Question 3.1
What are the subprocesses (and their subprocesses, and so on) that stabuniq creates? List just a few.
Answer
- stabuniq.exe
- iexplore.exe
- WerFault.exe
- Multiple instances of one of: jqs.exe, issch.exe, smagent.exe, acroiehelper.exe, groovemonitor.exe