Dynamic Malware Analysis: Observing Real-Time Malicious Behavior in a Controlled Lab

Hi, I’m Ridesh — a Computer Engineering student on the path to becoming a SOC Analyst. I’m here to share my journey of learning cybersecurity, building projects, and improving my mindset while growing publicly. I’m passionate about cyber defense, psychology, philosophy, ancient wisdom, anime mindset lessons, and everything that builds mental strength. My goal is simple: Build a strong cybersecurity foundation, grow consistently, and connect with people who think like me. If you’re on a similar journey, you’re in the right place — let’s learn and grow together.
Introduction
Static malware analysis helps us understand what a file contains, but dynamic malware analysis shows us what the malware actually does when executed.
In this blog, I document a dynamic malware analysis performed on the same malware sample previously analyzed statically. The objective was to safely observe the malware’s runtime behavior, identify persistence mechanisms, detect system modifications, and capture Indicators of Compromise (IOCs) inside a controlled environment.
This analysis was conducted strictly for educational and defensive cybersecurity research purposes.
⚠️ Disclaimer
All analysis was performed in a fully isolated virtual machine with no access to the host system or production networks.
This content is intended only for learning, malware research, and blue-team defensive understanding.
Lab Environment Setup
The malware was executed inside a dedicated malware analysis lab configured as follows:
Operating System: Windows 10 (x64)
Virtualization: Oracle VirtualBox
Analysis Tools Used:
Procmon (Process Monitoring)
Regshot (Registry Comparison)
TCPView / Wireshark (Network Observation)
Process Explorer
FakeNet-NG
Network Mode: Host-only / Isolated
Snapshots: Clean pre-execution snapshot created
A clean snapshot ensured the system could be fully reverted after execution, preserving forensic integrity.
Analysis Workflow
The dynamic analysis followed a structured workflow:
Start VM from a clean pre-execution snapshot
Launch monitoring tools
Execute the malware sample
Observe real-time behavior
Capture system changes
Identify IOCs
Revert VM to clean state
This approach mirrors SOC analyst investigation methodology.
Malware Execution & Behavioral Observations
Once executed, the malware demonstrated multiple suspicious behaviors:
🔹 Process Activity
Spawned unexpected child processes
Showed abnormal process execution flow
Attempted to interact with system-level components
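To make the process-activity observations above concrete, here is an added example (my own illustration, not code from the original post or its GitHub repository) that reads a Procmon CSV export, rebuilds the parent/child chain from the Process Create events, and flags every descendant of the sample that is either a built-in Windows tool or runs from a user-writable directory. The CSV column layout follows Procmon's default export, which is an assumption about the tool; the process names, PIDs and paths in the sample data are constructed for the example.

```python
import csv
import io
import re

# Constructed sample of a Procmon CSV export, filtered to "Process Create" events.
# The column layout follows Procmon's default export (an assumption about the
# tool); process names, PIDs and paths are invented for this example.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1200","Process Create","C:\\Users\\lab\\Desktop\\sample.exe","SUCCESS","PID: 3400, Command line: sample.exe"
"10:01:02.9","sample.exe","3400","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 3412, Command line: cmd.exe /c start %TEMP%\\svch0st.exe"
"10:01:03.2","cmd.exe","3412","Process Create","C:\\Users\\lab\\AppData\\Local\\Temp\\svch0st.exe","SUCCESS","PID: 3420, Command line: svch0st.exe"
"10:01:03.5","svch0st.exe","3420","Process Create","C:\\Windows\\System32\\reg.exe","SUCCESS","PID: 3428, Command line: reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\lab\\AppData\\Local\\Temp\\svch0st.exe"
"10:01:05.0","explorer.exe","1200","Process Create","C:\\Windows\\System32\\notepad.exe","SUCCESS","PID: 3500, Command line: notepad.exe"
"""

# Built-in Windows tools that a freshly executed sample rarely needs legitimately.
LIVING_OFF_THE_LAND = {
    "cmd.exe", "powershell.exe", "reg.exe", "schtasks.exe",
    "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}
# Directories an unprivileged user can write to; executables launched from
# here deserve a second look.
USER_WRITABLE_DIR = re.compile(r"\\(Temp|AppData|Downloads|ProgramData|Public)\\", re.IGNORECASE)
# Procmon puts the new child's PID and command line in the Detail column.
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")


def parse_process_creates(csv_text):
    """Map each created child PID to its image, parent and command line."""
    tree = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        m = DETAIL_RE.match(row["Detail"])
        if not m:
            continue
        tree[int(m.group(1))] = {
            "name": row["Path"].rsplit("\\", 1)[-1].lower(),
            "path": row["Path"],
            "parent_pid": int(row["PID"]),          # the creating process
            "parent_name": row["Process Name"].lower(),
            "cmdline": m.group(2),
        }
    return tree


def lineage(tree, pid):
    """Walk parent links back to the first ancestor Procmon did not see created."""
    chain = []
    while pid in tree:
        node = tree[pid]
        chain.append(node["name"])
        if node["parent_pid"] not in tree:
            chain.append(node["parent_name"])  # pre-existing root, e.g. explorer.exe
        pid = node["parent_pid"]
    return " <- ".join(chain)


def flag_suspicious(tree, sample_name="sample.exe"):
    """Return (pid, lineage, reasons) for each descendant of the sample that is
    a built-in tool or runs from a user-writable directory."""
    findings = []
    for pid, node in sorted(tree.items()):
        ancestors = lineage(tree, pid).split(" <- ")[1:]
        if sample_name not in ancestors:
            continue  # not spawned, directly or indirectly, by the sample
        reasons = []
        if node["name"] in LIVING_OFF_THE_LAND:
            reasons.append("built-in tool spawned by the sample")
        if USER_WRITABLE_DIR.search(node["path"]):
            reasons.append("executable in user-writable path")
        if reasons:
            findings.append((pid, lineage(tree, pid), reasons))
    return findings


if __name__ == "__main__":
    for pid, chain, reasons in flag_suspicious(parse_process_creates(SAMPLE_PROCMON_CSV)):
        print(f"PID {pid}: {chain}\n    {'; '.join(reasons)}")
```

Running it against a real export only needs the CSV filtered to Process Create events; the lineage strings double as the "execution path" IOCs the report lists later, and notepad.exe launched by explorer.exe is correctly left alone because it never descends from the sample.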
🔹 Registry Modifications
Using Regshot, a comparison between pre- and post-execution states revealed:
A large number of registry keys added
Modifications within user and system hives
Registry artifacts consistent with persistence or configuration storage
These changes strongly indicate post-execution system manipulation.
Persistence Indicators
Several behaviors suggested persistence attempts:
Registry entries consistent with auto-execution mechanisms
Artifacts referencing temporary or obfuscated filenames
Modifications in Windows Explorer and session-related keys
Persistence is a critical indicator that the malware aims to survive reboots and maintain access.
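The following added example (not from the original post or its repository) reproduces the Regshot-style comparison in Python and then does the triage step the two sections above describe: two registry snapshots, constructed here as dictionaries keyed by registry path, are diffed into added/deleted keys and added/modified values, and each new or changed value is checked against a short list of well-known autostart locations. The key paths are real Windows locations, but the snapshot contents, value names and file paths are constructed for the example, and the autostart list is deliberately partial.

```python
import re

# Well-known autostart (persistence) locations, relative to the hive.
# Deliberately partial; Sysinternals Autoruns covers far more.
AUTOSTART_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
)
USER_WRITABLE_DIR = re.compile(r"\\(Temp|AppData|Downloads|ProgramData|Public)\\", re.IGNORECASE)

# Constructed pre-execution snapshot: {registry key: {value name: data}}.
BEFORE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 2},
}

# Constructed post-execution snapshot: a copy of BEFORE plus the changes the
# sample is imagined to have made (a new Run value, a modified Winlogon Shell,
# an Explorer tweak, and a private configuration key).
AFTER_SNAPSHOT = {key: dict(values) for key, values in BEFORE_SNAPSHOT.items()}
AFTER_SNAPSHOT[r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"]["Shell"] = (
    r"explorer.exe,C:\Users\lab\AppData\Local\Temp\svch0st.exe"
)
AFTER_SNAPSHOT[r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"]["ShowSuperHidden"] = 0
AFTER_SNAPSHOT[r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"] = {
    "upd": r"C:\Users\lab\AppData\Local\Temp\svch0st.exe",
}
AFTER_SNAPSHOT[r"HKCU\SOFTWARE\sample_cfg"] = {"id": "a1b2c3"}


def diff_registry(before, after):
    """Regshot-style comparison. Returns (keys_added, keys_deleted,
    values_added, values_modified); value entries are (key, name, old, new)."""
    keys_added = sorted(set(after) - set(before))
    keys_deleted = sorted(set(before) - set(after))
    values_added, values_modified = [], []
    for key, values in after.items():
        old_values = before.get(key, {})
        for name, data in values.items():
            if name not in old_values:
                values_added.append((key, name, None, data))
            elif old_values[name] != data:
                values_modified.append((key, name, old_values[name], data))
    return keys_added, keys_deleted, values_added, values_modified


def in_autostart_location(key):
    """True when the key is, or sits under, a listed autostart location in any hive."""
    _hive, _, subkey = key.partition("\\")
    subkey = subkey.lower()
    return any(subkey == a.lower() or subkey.startswith(a.lower() + "\\") for a in AUTOSTART_KEYS)


def classify_persistence(values_added, values_modified):
    """Keep only changes that land in autostart locations and explain why they matter."""
    findings = []
    for key, name, old, new in values_added + values_modified:
        if not in_autostart_location(key):
            continue  # configuration storage, UI tweaks, etc. are noise here
        reasons = ["value in autostart location"]
        if USER_WRITABLE_DIR.search(str(new)):
            reasons.append("data points into user-writable path")
        if old is not None:
            reasons.append(f"existing value {old!r} was changed")
        findings.append({"key": key, "value": name, "data": new, "reasons": reasons})
    return findings


if __name__ == "__main__":
    added, deleted, v_added, v_modified = diff_registry(BEFORE_SNAPSHOT, AFTER_SNAPSHOT)
    print(f"keys added: {len(added)}, deleted: {len(deleted)}, "
          f"values added: {len(v_added)}, modified: {len(v_modified)}")
    for f in classify_persistence(v_added, v_modified):
        print(f"{f['key']} -> {f['value']} = {f['data']!r}\n    {'; '.join(f['reasons'])}")
```

The point of the second pass is the one the section makes: a Regshot diff on a real system is long, and most of it is ordinary configuration churn, so the analyst's job is to pull the handful of entries that sit in auto-execution locations and point at dropped or oddly named files.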
Network Behavior
Although network access was restricted, the malware attempted:
Outbound connections to suspicious IP addresses
Communication patterns typical of command-and-control (C2) behavior
Repeated connection retries when responses were blocked
This confirms the malware is network-aware and likely designed to receive external instructions.
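As an added example that is not part of the original post, the retry pattern described above can be pulled out of a connection log automatically. The script assumes a simple line layout (timestamp, process, PID, protocol, source, destination, socket state) that is my own rather than TCPView's or FakeNet-NG's export format; the destination addresses use the IANA documentation ranges (203.0.113.0/24 and 198.51.100.0/24) and the timings are constructed. Connections to lab-internal addresses are skipped, every external endpoint is listed as an IOC, and an endpoint is flagged as a C2 candidate when the sample retries it repeatedly at regular intervals without ever completing a connection.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed connection log. The line layout is my own, not TCPView's or
# FakeNet-NG's; the external addresses come from documentation ranges.
SAMPLE_CONNECTION_LOG = """\
2024-01-01 10:01:05 sample.exe 3400 TCP 10.0.0.5:49711 -> 203.0.113.10:443 SYN_SENT
2024-01-01 10:01:10 sample.exe 3400 TCP 10.0.0.5:49712 -> 198.51.100.7:8080 SYN_SENT
2024-01-01 10:01:12 svchost.exe 900 UDP 10.0.0.5:55100 -> 10.0.0.1:53 SENT
2024-01-01 10:01:35 sample.exe 3400 TCP 10.0.0.5:49713 -> 203.0.113.10:443 SYN_SENT
2024-01-01 10:01:40 sample.exe 3400 TCP 10.0.0.5:49714 -> 198.51.100.7:8080 SYN_SENT
2024-01-01 10:02:05 sample.exe 3400 TCP 10.0.0.5:49715 -> 203.0.113.10:443 SYN_SENT
2024-01-01 10:02:35 sample.exe 3400 TCP 10.0.0.5:49716 -> 203.0.113.10:443 SYN_SENT
2024-01-01 10:02:50 explorer.exe 1200 TCP 10.0.0.5:49717 -> 192.168.56.1:445 ESTABLISHED
"""

# Addresses that belong to the isolated lab (host-only network, loopback).
LAB_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proc>\S+) (?P<pid>\d+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<src_port>\d+) -> (?P<dst>[\d.]+):(?P<dst_port>\d+) (?P<state>\S+)"
)


def summarize_connections(log_text, lab_nets=LAB_NETS):
    """Group attempts by external (ip, port) and measure how regular they are."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        dst = ip_address(m["dst"])
        if any(dst in net for net in lab_nets):
            continue  # lab-internal traffic (DNS to the gateway, SMB, ...) is not an IOC
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        attempts[(m["dst"], int(m["dst_port"]))].append((ts, m["proc"], m["state"]))

    report = {}
    for endpoint, events in attempts.items():
        events.sort()
        times = [e[0] for e in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        jitter = max(abs(g - mean_gap) for g in gaps) if gaps else 0.0
        report[endpoint] = {
            "attempts": len(events),
            "established": sum(1 for e in events if e[2] == "ESTABLISHED"),
            "mean_gap_s": mean_gap,
            "jitter_s": jitter,
            "processes": sorted({e[1] for e in events}),
        }
    return report


def flag_c2_candidates(report, min_attempts=3, max_jitter_s=5.0):
    """Repeated, evenly spaced, never-completed attempts to one endpoint are the
    retry pattern a beaconing implant shows when its server is unreachable."""
    return sorted(
        endpoint for endpoint, r in report.items()
        if r["attempts"] >= min_attempts and r["established"] == 0 and r["jitter_s"] <= max_jitter_s
    )


if __name__ == "__main__":
    report = summarize_connections(SAMPLE_CONNECTION_LOG)
    for endpoint, r in sorted(report.items()):
        print(f"{endpoint[0]}:{endpoint[1]} attempts={r['attempts']} "
              f"mean_gap={r['mean_gap_s']:.0f}s jitter={r['jitter_s']:.0f}s by {','.join(r['processes'])}")
    print("C2 candidates:", flag_c2_candidates(report))
```

Both external endpoints go into the IOC list; only the one hit every 30 seconds with no completed handshake is promoted to a C2 candidate. In a FakeNet-NG setup the "established" count would rise because the fake server answers, so the sample's follow-up requests, rather than bare retries, become the thing to inspect.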
System Resource Usage
During execution, noticeable CPU usage spikes were observed:
Sudden increases immediately after execution
Short bursts indicating internal processing or unpacking routines
Such behavior often correlates with:
Payload unpacking
Environment checks
Anti-analysis techniques
After Completing Dynamic Analysis
The pre-execution snapshot was deleted once the analysis was done, to make sure the virtual environment stays completely safe for future use.
Indicators of Compromise (IOCs)
The following categories of IOCs were identified during dynamic analysis:
Suspicious processes and execution paths
Registry keys added or modified
Temporary and dropped files
Network connection attempts
Behavioral anomalies in system activity
These IOCs are critical for detection engineering and SOC alerting.
Static Analysis Reference
A detailed static malware analysis of the same sample was performed prior to execution, covering:
File hashes
PE structure analysis
Strings extraction
Entropy checks
Embedded artifacts
➡️ View the complete Static Malware Analysis blog of the same malware sample: [Static Malware Analysis Using FlareVM (Beginner Lab)]
Static analysis helped guide expectations before execution, while dynamic analysis confirmed real-world behavior.
Key Takeaways
Dynamic analysis reveals actual malware intent, not just potential
Registry and process monitoring are essential for detecting persistence
Network isolation prevents real damage while still exposing behavior
Combining static and dynamic analysis provides a complete malware profile
This exercise reinforced how SOC analysts investigate suspicious files in real environments.
Final Thoughts
Performing dynamic malware analysis requires discipline, isolation, and careful observation. Even beginner-level labs can provide deep insights when done methodically.
This analysis helped me:
Strengthen malware investigation skills
Understand runtime indicators
Practice SOC-style reporting
Build a practical cybersecurity portfolio
🔗 Full Report & Resources (GitHub)
📄 Dynamic Malware Analysis Report: [Malware_analysis_lab-setup/reports/Dynamic-analysis/dynamic-malware-analysis-report.md at main · DevR224/Malware_analysis_lab-setup]
📄 Static Malware Analysis Report: [Malware_analysis_lab-setup/reports/static-analysis/static-malware-analysis-report.md at main · DevR224/Malware_analysis_lab-setup]
🧪 Analysis Workflow Documentation: [Malware_analysis_lab-setup/analysis-workflow/ANALYSIS_WORKFLOW.md at main · DevR224/Malware_analysis_lab-setup]