
Signallab-31nulled.rar

```json
{"pid": 1234, "timestamp": "2026-04-16T12:34:56.789Z", "event": "CreateFile", "path": "C:\\Users\\Public\\tmp\\payload2.exe", "result": "SUCCESS"}
```

Export the disassembly (e.g., `ida -A -Sexport_func_names.idc payload.exe`) and parse it for the above patterns, or use tools that can be scripted or run in batch mode such as PE-bear, Rico, or Detect It Easy (`diec`).

## 5. Dynamic Feature Extraction

⚠️ Only run the payload inside a fully isolated, snapshot-enabled VM. If the sample exhibits network activity, point its DNS/C2 lookups at a sinkhole address on the isolated network (e.g., 10.0.0.2, where a service simulator such as INetSim answers) and capture the traffic.

### 5.1 Runtime Monitoring

| Tool | What to Capture |
|------|-----------------|
| Process Monitor (Procmon) | File, registry, network, process, thread, and image-load (DLL) events. Filter on the sample's PID and on the PIDs of any child processes it spawns (Procmon's PID filter does not follow the process tree by itself). |
| Process Explorer | Process tree, loaded modules, CPU/memory usage, integrity level. |
| Wireshark | All inbound/outbound packets; apply a capture filter on the VM's NIC (or capture on the host side of the host-only adapter). |
| Regshot (pre/post) | Registry modifications. |
| Autoruns (post-run) | New auto-run entries. |
| Cuckoo Sandbox | Full JSON report (behavior, API calls, dropped files, network). |
| PE-sieve / Scylla (post-run) | Dump the in-memory PE after unpacking and rebuild its import table. |
| Volatility (if you take a memory dump) | Hidden processes, injected code, hooks. |

### 5.2 Typical Dynamic Features to Log

| Category | Specific Items |
|----------|----------------|
| Process behavior | New processes spawned (name, command line, parent); `CreateProcess`, `ShellExecute`. |
| File system | Files created, modified, deleted (paths, timestamps). |
| Registry | Keys/values written under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run*`, `HKCU\Software\Classes\CLSID` (COM hijacking), `HKLM\SYSTEM\CurrentControlSet\Services`. |
| Network | Outbound IPs/ports, DNS queries, HTTP/HTTPS URLs, SMB connections, Tor usage. |
| Persistence | Scheduled tasks (`schtasks`), services (`CreateService`), WMI event consumers. |
| Privilege escalation | Token manipulation (`ImpersonateLoggedOnUser`, `AdjustTokenPrivileges`). |
| Anti-analysis | Checks for sandbox artifacts (e.g., `C:\Program Files\VMware`), timing checks (`GetTickCount`), debugger detection. |
| Payload drop | Any secondary binaries written to disk (record the path and hash each one). |
| Encryption / C2 | Data sent to remote hosts (hex dump, base64); note whether it is encoded or encrypted. |

Create a single JSON object (or CSV row) that aggregates every data point you collected. Below is a template you can paste into a file and fill in programmatically:

```json
{
  "file_name": "signallab-31nulled.rar",
  "file_hashes": {
    "md5": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "sha1": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "sha256": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  },
  "file_size": 123456,
  "entropy": 7.92,
  "extracted_payload": {
    "file_name": "payload.exe",
    "file_type": "PE32+ executable (GUI) x86-64",
    "pe_header": {
      "machine": "0x8664",
      "timestamp": "2025-11-02 08:15:33",
      "subsystem": "Windows GUI",
      "dll_characteristics": ["ASLR", "DEP"]
    },
    "sections": [
      {"name": ".text", "size_raw": 204800, "entropy": 6.7},
      {"name": ".rdata", "size_raw": 51200, "entropy": 5.4},
      {"name": ".
```

Note that the `file_type` string must agree with `machine`: `file` reports a PE32+ image with machine `0x8664` as "x86-64", while "Intel 80386" only appears for a 32-bit PE32 image with machine `0x14c`. A mismatch between the two fields usually means one of them was copied from a different sample.

The workflow covers both static (no code execution) and dynamic (controlled execution) analysis, and it lists the exact data points you'll want to capture to build a "full feature" profile that can be used for malware research, detection-rule creation, or machine-learning feature extraction.

## 1. Prepare a Safe Analysis Environment

| Requirement | Recommended Tool / Setting |
|-------------|-----------------------------|
| Isolated VM | Windows 10/11 (64-bit) in VirtualBox/VMware, with a clean snapshot taken before each run and restored afterwards. |
| Network isolation | No bridged or NAT adapter; use a host-only adapter and answer the sample's DNS/HTTP/SMTP requests with a service simulator (e.g., INetSim) so nothing reaches the real Internet. |
| AV interference | Disable Windows Defender real-time protection (and any other AV) inside the VM so the sample is not quarantined or altered before you can analyse it; also turn off automatic sample submission so the file is not uploaded. |
| Forensic logging | Run Process Monitor (Procmon), Process Explorer, Autoruns, and Regshot inside the guest; run Wireshark on the guest NIC or on the host side of the host-only adapter. |
| Reversing tools | IDA Pro, Ghidra, Binary Ninja, x64dbg, OllyDbg, radare2, etc. |
| Static analysis suites | PEiD, PEview, Exeinfo PE, Detect It Easy (DIE), CFF Explorer, PE-bear. |
| Dynamic analysis sandbox | Cuckoo Sandbox, REMnux (Linux; typically also hosts the service simulator), or a custom monitoring script (PowerShell/Python) on top of the Windows APIs (e.g., `NtQuerySystemInformation`). |
| Hashing | `certutil -hashfile`, `Get-FileHash`, `sha256sum`, `md5sum`. |
| YARA | Write or use existing rules to flag known packers, crypto miners, etc. |

## 2. Collect Basic File Metadata

| Feature | How to Extract |
|---------|----------------|
| File name | Already known (`signallab-31nulled.rar`). |
| File size | `dir signallab-31nulled.rar` or `(Get-Item signallab-31nulled.rar).Length`. |
| Hashes | `certutil -hashfile signallab-31nulled.rar SHA256` (certutil accepts one algorithm per call; repeat for MD5 and SHA1), or `Get-FileHash signallab-31nulled.rar -Algorithm SHA256`. |
| Timestamps | `Get-Item signallab-31nulled.rar \| Select-Object CreationTime, LastWriteTime, LastAccessTime` (these are filesystem times from your copy, not authorship times). |
| Entropy | PEiD → Entropy view, `binwalk -E`, or a one-liner over the byte-frequency distribution: `python -c "import math,collections; d=open('signallab-31nulled.rar','rb').read(); n=len(d); print(-sum(c/n*math.log2(c/n) for c in collections.Counter(d).values()))"`. A compressed RAR already sits close to 8 bits/byte, so high entropy of the archive does not by itself indicate encryption. |
| File type | `file signallab-31nulled.rar` (should report "RAR archive data"). |
| Compression / Encryption flag | `rar v signallab-31nulled.rar` (or `unrar l`); encrypted entries are marked with `*` in the listing, and an archive with encrypted headers asks for a password before it lists anything. |
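The metadata rows above and the JSON template in the profile section can be produced by one script. The following is an added example, not code from the original page: it computes the hashes, size and byte-frequency entropy, parses the COFF/optional headers and section table of a PE with `struct` only (no `pefile` dependency), and emits the template's field names. The sample PE it runs on is constructed in memory for the demonstration and is not a real binary; `build_sample_pe`, `profile` and the category strings are hypothetical names chosen here.

```python
"""Static feature extractor for the JSON profile (added example, stdlib only).

Assumptions not taken from the page: input is the *extracted* payload rather
than the RAR, the sample image built by build_sample_pe() is constructed and
never meant to execute, and the helper names are hypothetical.
"""
import hashlib
import json
import math
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}
FILE_SUBSYSTEM = {2: "GUI", 3: "console"}          # wording used by file(1)
# IMAGE_DLLCHARACTERISTICS_* bits, labelled the way the template labels them
DLL_CHARACTERISTICS = {0x0040: "ASLR", 0x0100: "DEP", 0x0400: "NO_SEH", 0x4000: "CFG"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte-value distribution (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read machine, timestamp, subsystem, DllCharacteristics and per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Subsystem (0x44) and DllCharacteristics (0x46) sit at the same offset in PE32 and PE32+
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 0x44)
    sections = []
    for i in range(nsections):
        name, _, _, size_raw, ptr_raw = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        raw = data[ptr_raw:ptr_raw + size_raw]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size_raw": size_raw, "entropy": round(shannon_entropy(raw), 2)})
    return {
        "file_type": f"{'PE32+' if pe32plus else 'PE32'} executable "
                     f"({FILE_SUBSYSTEM.get(subsystem, 'unknown')}) {MACHINE_NAMES.get(machine, hex(machine))}",
        "pe_header": {
            "machine": f"0x{machine:x}",
            "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
            "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
        },
        "sections": sections,
    }


def profile(file_name: str, data: bytes) -> dict:
    """Aggregate hashes, size, entropy and (for PE input) header features into one record."""
    rec = {
        "file_name": file_name,
        "file_hashes": {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")},
        "file_size": len(data),
        "entropy": round(shannon_entropy(data), 2),
    }
    if data[:2] == b"MZ":
        rec.update(parse_pe(data))
    return rec


def build_sample_pe(sections, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE image (headers + sections) for the demo; not executable."""
    opt_size = 240 if pe32plus else 224
    headers_len = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(sections),
                       1762071333, 0, 0, opt_size, 0x22)                  # 2025-11-02 08:15:33 UTC
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<HH", opt, 0x44, 2, 0x0140)                         # GUI, DYNAMIC_BASE|NX_COMPAT
    table, body, ptr = b"", b"", headers_len
    for name, content in sections:
        raw = (len(content) + 0x1FF) & ~0x1FF                              # FileAlignment 0x200
        table += struct.pack("<8sIIII", name, len(content), 0x1000, raw, ptr) + b"\0" * 16
        body += content.ljust(raw, b"\0")
        ptr += raw
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_len, b"\0") + body


if __name__ == "__main__":
    sample = build_sample_pe([(b".text", b"\x90" * 512 + b"\xC3" * 512),   # low entropy
                              (b".packed", bytes(range(256)) * 4)])        # 8.0 bits/byte
    print(json.dumps(profile("payload.exe", sample), indent=2))
```

The `.packed` section of the constructed sample scores 8.0 bits/byte while `.text` scores 1.0, which is the kind of per-section contrast that flags a packed or encrypted region far more reliably than the whole-file entropy of a compressed archive.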

Export the Procmon log to CSV (File → Save..., which offers CSV or XML besides the native PML format) and normalize it into a table with one row per event (PID, timestamp, operation, path, result) that you can filter on the sample's process tree and aggregate by the categories in section 5.2.
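The normalisation step described here, and the section 5.2 categories (persistence keys, payload drops, process spawns, network, anti-analysis probes), can be done in one pass over the export. The following is an added example, not code from the original page: it reads Procmon's default CSV columns, follows the process tree through `Process Create` events so child PIDs are not lost, classifies each event, and emits records in the `{pid, timestamp, event, path, result}` shape shown above. The CSV rows are constructed for the demo, the date and `Z` suffix stamped on each record are supplied by the caller (Procmon exports only a local time of day), and the category names are hypothetical.

```python
"""Procmon CSV export -> section 5.2 feature categories (added example, stdlib only).

Assumptions not taken from the page: the export uses Procmon's default columns
(Time of Day, Process Name, PID, Operation, Path, Result, Detail); SAMPLE_CSV is
constructed, not captured from a real run; category names are hypothetical.
"""
import csv
import io
import json
import re

# Constructed sample: payload.exe spawns helper.exe, drops payload2.exe, the helper
# sets a Run key and a service ImagePath and connects to the sinkhole 10.0.0.2,
# and the payload probes for VMware. The explorer.exe row is unrelated noise.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:34:56.7890000","payload.exe","1234","Process Create","C:\Users\Public\tmp\helper.exe","SUCCESS","PID: 5678, Command line: helper.exe /silent"
"12:34:56.8010000","payload.exe","1234","CreateFile","C:\Users\Public\tmp\payload2.exe","SUCCESS","Desired Access: Generic Write"
"12:34:56.8020000","payload.exe","1234","WriteFile","C:\Users\Public\tmp\payload2.exe","SUCCESS","Offset: 0, Length: 204,800"
"12:34:57.0100000","helper.exe","5678","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\Public\tmp\payload2.exe"
"12:34:57.0200000","helper.exe","5678","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\svcupd\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Data: C:\Users\Public\tmp\payload2.exe"
"12:34:57.5000000","helper.exe","5678","TCP Connect","analysis-vm:49152 -> 10.0.0.2:443","SUCCESS","Length: 0, mss: 1460"
"12:34:57.6000000","explorer.exe","900","CreateFile","C:\Windows\Prefetch\HELPER.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Read"
"12:34:58.0000000","payload.exe","1234","CreateFile","C:\Program Files\VMware\VMware Tools","NAME NOT FOUND","Desired Access: Read Attributes"
'''

RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SERVICE_KEYS = re.compile(r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\", re.I)
CLSID_KEYS = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\", re.I)
CHILD_PID = re.compile(r"PID:\s*(\d+)")
BINARY_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".vbs")
SANDBOX_MARKERS = ("\\vmware", "\\virtualbox", "\\vbox")
NETWORK_OPS = ("TCP Connect", "TCP Reconnect", "TCP Send", "UDP Send")


def load_rows(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def tree_pids(rows: list, root_pid: str) -> set:
    """Root PID plus every descendant announced by a Process Create event.

    Rows are chronological, so a parent is always in the set before its child appears.
    """
    pids = {str(root_pid)}
    for r in rows:
        if r["Operation"] == "Process Create" and r["PID"] in pids:
            m = CHILD_PID.search(r["Detail"])
            if m:
                pids.add(m.group(1))
    return pids


def classify(row: dict):
    """Map one Procmon event to a 5.2 category, or None if it is not worth logging."""
    op, path, res = row["Operation"], row["Path"], row["Result"]
    if op == "Process Create":
        return "process"
    if op == "RegSetValue":
        if RUN_KEYS.search(path) or SERVICE_KEYS.search(path) or CLSID_KEYS.search(path):
            return "persistence"
        return "registry"
    if op in ("CreateFile", "WriteFile"):
        # A failed lookup of a hypervisor path is the sandbox check from 5.2, not file activity
        if res != "SUCCESS" and any(m in path.lower() for m in SANDBOX_MARKERS):
            return "anti_analysis"
        if op == "WriteFile" and path.lower().endswith(BINARY_EXT):
            return "payload_drop"          # hash the file at this path after the run
        return "filesystem"
    if op in NETWORK_OPS:
        return "network"
    return None


def extract(csv_text: str, root_pid, date: str = "2026-04-16") -> dict:
    """Normalize the export into {category: [{pid, timestamp, event, path, result}, ...]}."""
    rows = load_rows(csv_text)
    pids = tree_pids(rows, root_pid)
    features = {}
    for r in rows:
        if r["PID"] not in pids:
            continue
        cat = classify(r)
        if cat is None:
            continue
        features.setdefault(cat, []).append({
            "pid": int(r["PID"]),
            "timestamp": f"{date}T{r['Time of Day'][:12]}Z",   # caller-supplied date, ms precision
            "event": r["Operation"],
            "path": r["Path"],
            "result": r["Result"],
        })
    return features


if __name__ == "__main__":
    print(json.dumps(extract(SAMPLE_CSV, 1234), indent=2))
```

On the constructed rows the helper's Run key and service `ImagePath` land in `persistence` even though they were written by the child PID, the `explorer.exe` prefetch access is dropped, and the failed `CreateFile` on the VMware path is reported as an anti-analysis probe rather than as ordinary file activity.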