Process Spawn Control

One technique that can be leveraged in examining malware is to create a virtual machine with the appropriate Windows OS. It is best to start with a bare-bones OS, with the Microsoft Office suite installed. Other third-party programs can be installed later if it appears that the malicious code leverages a vulnerability in those applications. A tool that is useful in this type of examination is Process Spawn Control. This PowerShell script, available at https://github.com/felixweyne/ProcessSpawnControl, allows responders to control the execution of malware and observe what actions are taken in Process Explorer. To conduct this type of analysis, take the following steps:

  1. Start Process Explorer and let it run for a few seconds.
  2. In the PowerShell terminal, execute the ProcessSpawnControl.ps1 script. Select Run Once, if prompted.
  3. Process Spawn Control will pause all executables, not just potential malware. Once it is running, open the Windows executable notepad.exe. The following window should appear:
  4. In the Process Explorer window, the notepad.exe process will appear to be suspended, as shown in the following screenshot:
  5. Click on Allow run in the PowerShell dialog box, and the notepad.exe process will then execute, as follows:

Using these tools in combination allows the responder to understand how a potential malware executable functions, and what execution path it may take. This data, combined with other artifacts obtained through memory or log file analysis, can provide additional context to how malware has compromised a system.
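The script below is an added illustration of the mechanism the procedure relies on; it is not the ProcessSpawnControl project's code and is deliberately simpler. It subscribes to the Win32_ProcessStartTrace WMI event class, suspends each new process with the undocumented ntdll exports NtSuspendProcess/NtResumeProcess (an assumption about how such a tool can be built, not a statement about how the real script works), and asks the analyst whether to allow or terminate it. The $Ignore list, the function name Invoke-SpawnControl and the dialog wording are my own. Run it in an elevated session inside the isolated analysis VM, since the event class needs administrator rights; while a process is frozen it shows as Suspended in Process Explorer, exactly as in step 4 above. One caveat a practitioner should keep in mind: there is a short window between process creation and suspension in which the new process can already execute a little code.

```powershell
# Added illustration (not the ProcessSpawnControl project's code): pause each newly
# created process, show the analyst what started it, and let them allow or stop it.
# Run elevated inside an isolated analysis VM; Win32_ProcessStartTrace needs admin rights.

# NtSuspendProcess/NtResumeProcess are undocumented ntdll exports; they are used here
# (an assumption for this demo) to freeze and thaw a whole process at once.
$Nt = Add-Type -Namespace 'SpawnDemo' -Name 'NtProc' -PassThru -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
'@

# Processes the monitor itself, and the analyst's own tooling, should never pause
# (list chosen for this demo; extend it as needed).
$Ignore = @('conhost.exe', 'procexp.exe', 'procexp64.exe', 'powershell.exe', 'pwsh.exe')

function Invoke-SpawnControl {
    # Queue process-creation events in this session instead of using -Action, so the
    # variables above stay in scope (an -Action scriptblock runs in its own runspace).
    Register-CimIndicationEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
        -SourceIdentifier 'SpawnControl'
    Write-Host 'Watching for new processes. Press Ctrl+C to stop.'
    try {
        while ($true) {
            $ev  = Wait-Event -SourceIdentifier 'SpawnControl'
            $new = $ev.SourceEventArgs.NewEvent      # Win32_ProcessStartTrace instance
            Remove-Event -EventIdentifier $ev.EventIdentifier

            if ($Ignore -contains $new.ProcessName -or $new.ProcessID -eq $PID) { continue }

            $proc = Get-Process -Id $new.ProcessID -ErrorAction SilentlyContinue
            if (-not $proc) { continue }            # short-lived process already exited

            # Suspend first, then ask. The process stays frozen (visible as Suspended in
            # Process Explorer) while the analyst inspects it. Note the small window
            # between creation and this call in which it can already run.
            [void]$Nt::NtSuspendProcess($proc.Handle)

            $parent = Get-Process -Id $new.ParentProcessID -ErrorAction SilentlyContinue
            $parentName = if ($parent) { $parent.ProcessName } else { '?' }
            Write-Host ''
            Write-Host ('SUSPENDED pid {0} {1} (parent pid {2} {3})' -f `
                $new.ProcessID, $new.ProcessName, $new.ParentProcessID, $parentName)

            $choice = $host.UI.PromptForChoice('Process Spawn Control',
                "Allow $($new.ProcessName) to run?", @('&Allow run', '&Terminate'), 0)
            if ($choice -eq 0) {
                [void]$Nt::NtResumeProcess($proc.Handle)
            } else {
                Stop-Process -Id $new.ProcessID -Force
            }
        }
    } finally {
        # Always drop the subscription, including when the loop is interrupted with Ctrl+C.
        Unregister-Event -SourceIdentifier 'SpawnControl'
    }
}

Invoke-SpawnControl
```

Start Process Explorer first, run this script in an elevated PowerShell window, then launch notepad.exe: the console reports the suspended process and its parent, Process Explorer shows it as Suspended, and choosing Allow run resumes it, mirroring steps 3 to 5 of the procedure. Because the script suspends before prompting, the analyst can take a memory snapshot or inspect handles and loaded modules before deciding.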
