Lab 3-4 | Practical Malware Analysis

1. What happens when you run this file?

When I ran this file, I saw nothing in Process Explorer.

I was a bit confused as to why I didn’t see anything, but after a while I decided to read the author’s analysis of this piece of malware, and as he said, the process deletes itself.


It’s sending itself to NULL.
I saw a lot of data generated from this executable, and if the author hadn’t mentioned that he searched for this (Process Create), I wouldn’t have stumbled across this event.

I did see CreateProcessA in the strings output, and also under Imports in PEview, so it just seems like a smart move to look for interesting functions inside all of those generated events.
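The approach described above, searching the flood of Process Monitor events for the "Process Create" operation and then checking what the child process was told to do, can be scripted. The following is an added example, not code from the original post or from the book; it assumes the default Procmon CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the "PID: n, Command line: ..." layout of the Detail field for Process Create rows, and the sample CSV lines and the path C:\malware\sample.exe are constructed for illustration.

```python
"""Filter a Process Monitor CSV export for Process Create events and flag any
child whose command line would delete the parent executable (self-deletion).

Added example, not part of the original post. Column names and the Detail
format are assumptions based on the default Procmon CSV export."""
import csv
import io
import re

# Constructed sample export (not real lab output). Path names are placeholders.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1","sample.exe","1234","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7c800000"
"1:02:03.2","sample.exe","1234","RegOpenKey","HKLM\\Software\\Microsoft\\XPS","NAME NOT FOUND","Desired Access: Read"
"1:02:03.3","sample.exe","1234","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2345, Command line: cmd.exe /c del C:\\malware\\sample.exe >> NUL"
"1:02:03.4","sample.exe","1234","Process Exit","","SUCCESS","Exit Status: 0"
"""

# Extracts the child's command line from the Detail column (assumed format).
CMDLINE_RE = re.compile(r"Command line:\s*(.*)$")
# Shell verbs that remove a file; matched as whole words, case-insensitively.
DELETE_VERB_RE = re.compile(r"\b(del|erase)\b", re.IGNORECASE)


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def process_creates(rows):
    """Keep only the rows where the monitored process spawned a child."""
    return [r for r in rows if r.get("Operation") == "Process Create"]


def command_line(row):
    """Return the child's command line, or '' if the Detail field lacks one."""
    match = CMDLINE_RE.search(row.get("Detail", ""))
    return match.group(1).strip() if match else ""


def flag_self_delete(rows, parent_image_path):
    """Return Process Create rows whose child command line deletes the parent.

    A hit requires both a delete verb and the parent's own path in the child's
    command line; comparison is case-insensitive because Windows paths are.
    """
    target = parent_image_path.lower()
    hits = []
    for row in process_creates(rows):
        cmd = command_line(row)
        if target in cmd.lower() and DELETE_VERB_RE.search(cmd):
            hits.append(row)
    return hits


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    print(f"{len(rows)} events, {len(process_creates(rows))} Process Create")
    for hit in flag_self_delete(rows, r"C:\malware\sample.exe"):
        print("self-delete via child:", command_line(hit))
```

On a real capture, export from Procmon with File > Save as CSV, read the file instead of SAMPLE_CSV, and pass the analysed sample's full path; the same filter also surfaces any other child process worth a look, since `process_creates` returns every spawn regardless of whether it deletes anything.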

Speaking of which, there were also hints that it was looking to connect to an external domain, but I don’t think we’ll be looking at that right now. Probably in future chapters.


2. What is causing the roadblock in dynamic analysis?

It’s deleting itself, as in the first image.

3. Are there other ways to run this program?

No AFAIK.
For now.
