Advanced Malware Analysis and Incident Response Evaluation Using ANY - RUN

Uploaded by Diego Vila

ADVANCED MALWARE ANALYSIS AND INCIDENT

RESPONSE EVALUATION USING ANY.RUN

SOC ANALYST TASK 4


SUBMITTED BY: SIMRA FATIMA
TEAM LEAD: ABDULLAH UMAR
SOC TEAM DELTA
Simra Fatima | SOC Enthusiast

ABSTRACT
This report details the advanced malware analysis exercise focusing on both static and
dynamic analysis of a malware sample within a controlled virtual environment. Utilizing
sandbox tools such as ANY.RUN and a suite of forensic tools including Process Explorer,
Regshot, and FakeNet-NG, the analysis was conducted to observe and document the
malware’s behavior. The static analysis provided insights into the file’s metadata and code
structure, while dynamic analysis revealed real-time changes to the file system, network
activity, and registry modifications. A hybrid approach integrated both analysis types to
enhance understanding of the malware’s impact. Comparative analysis was conducted by
contrasting findings with existing reports from reputable sources to verify accuracy and
identify unique observations. The comprehensive report includes a detailed incident
response plan outlining detection, containment, eradication, and recovery strategies. The
results underscore the effectiveness of the analysis techniques and offer a structured
framework for addressing similar threats in future scenarios.

STEPS
1. Preparing the Virtual Environment and Sandbox

Virtual Environment:

A Windows 10 virtual machine (VM) was set up using VirtualBox to ensure that the malware
execution was isolated from the host system.

Sandbox Tool:

ANY.RUN: Used for dynamic analysis, ANY.RUN provided a controlled environment to observe
real-time malware execution. The tool’s capabilities included monitoring process creation,
file system changes, network traffic, and registry modifications. It also allowed for
interactive analysis and detailed behavioral tracking.

2. Malware Download and Preparation

Selecting the Malware Sample: A Remote Access Trojan (RAT) sample, specifically RemcosRAT,
was downloaded from MalwareBazaar, identified by the hash
66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490. This sample was chosen
for its known malicious behavior and relevance to current threats. Remcos is a RAT used by
attackers to carry out remote tasks on compromised systems. Updates for this malware are
released nearly every month, showing how actively it is maintained.

Preparing the Malware File: The malware was compressed into a ZIP file and
password-protected to prevent accidental execution. The ZIP file was named
66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490.zip with the password
“infected”. The source URL for the malware is: malware.

3. Tools Used

● Process Explorer: Monitored active processes and their attributes during malware
execution. Key observations included new process creation and resource usage.
● Regshot: Tracked registry changes before and after the malware execution,
capturing modifications that include new registry keys and values related to
persistence.
● Process Monitor: Captured real-time file system, registry, and process/thread
activity, highlighting file modifications, network connections, and process creation.
● FakeNet-NG: Simulated network traffic to capture any network interactions initiated
by the malware, including outbound connections to command-and-control servers.
● Netstat: Used to inspect network connections made by the malware, identifying any
unusual or malicious network activity.
● DumpIt: Captured memory dumps for forensic analysis, allowing for the examination
of in-memory artifacts and potential malicious code.

4. Static Analysis

● Examining File Metadata: The static analysis of the malware sample was performed
using ExifTool, which provided detailed metadata about the file. Key findings include
the following:

○ File Type: The file is identified as a Win32 executable with a MIME type of
application/octet-stream.
○ File Size: The file size is 852 KiB, suggesting a relatively small executable.
○ Time Stamp: The file contains a suspicious future timestamp of 2087:10:31,
which indicates tampering or attempts to evade detection by anti-malware
tools relying on time-based heuristics.
○ PE Format: The file uses the PE32 format, indicating a 32-bit executable.
○ Machine Type: The file is compatible with Intel 386 or later machines.
○ Subsystem: The executable is designed to run within a Windows GUI
environment.
○ File Version Information: The file is labeled as version 1.0.0.0, and the
internal and original names are Grator.exe. The lack of company name and
comments fields is typical of malicious files trying to mask their origin.
○ Copyright Information: The file includes a copyright mark of "© 2024",
suggesting an attempt to appear legitimate, although this information is likely
forged.

These findings indicate that the malware is a well-crafted executable designed to execute on
32-bit Windows systems. The irregular timestamp and lack of legitimate metadata hint at
potential malicious intent. Further dynamic analysis is required to confirm its behavior.

● Disassembling the Malware: IDA was used to disassemble the file. The
disassembled malware is a .NET-based Portable Executable (PE) file, likely
developed using Visual C++. It imports functions from `mscoree.dll`, indicating
reliance on the .NET framework and managed code executed by the Common
Language Runtime (CLR). The executable's code section likely includes the main
logic and routines for decrypting or unpacking additional malicious components. It
uses instructions for the Intel 80386 architecture, with assembly setups like `.model
flat`, indicating it is built for modern 32-bit systems. The malware follows typical .NET
execution flows, such as environment setup, payload decryption, and possibly
modifying system settings for persistence. It may communicate with a remote
command-and-control (C2) server, steal sensitive data, and utilize anti-debugging
techniques or obfuscation to hinder detection and analysis. This suggests the
malware is designed for persistence, data theft, and potential damage within
environments that commonly use the .NET framework.
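As an added example (not part of the original report, and not ExifTool or IDA code), the following Python script reproduces the metadata checks listed above on a minimal PE image constructed inline: it reads the DOS, COFF and optional headers to recover the machine type, PE32 format, subsystem and compile timestamp, flags a timestamp that lies in the future, and tests for managed code through the CLR runtime header data directory, which is the property that the `mscoree.dll` import reflects. The sample bytes are constructed for the example and are not the Remcos sample; `parse_pe_metadata` and `build_sample_pe` are names chosen here.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINES = {0x14C: "Intel 386 or later", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero only for CLR (.NET) images


def parse_pe_metadata(data: bytes, now: Optional[datetime] = None) -> Dict:
    """Read the DOS, COFF and optional headers of a PE image and return the metadata
    fields the report lists, plus two flags: future compile timestamp and managed code."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        fmt, dd_off = "PE32", 96    # data directories start at +96 in a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        fmt, dd_off = "PE32+", 112  # and at +112 in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (num_dirs,) = struct.unpack_from("<I", data, opt + dd_off - 4)
    clr_size = 0
    if num_dirs > COM_DESCRIPTOR_INDEX and opt_size >= dd_off + 8 * (COM_DESCRIPTOR_INDEX + 1):
        _, clr_size = struct.unpack_from("<II", data, opt + dd_off + 8 * COM_DESCRIPTOR_INDEX)
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return {
        "format": fmt,
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "sections": nsections,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": f"{characteristics:#06x}",
        "compiled_utc": compiled.isoformat(),
        "timestamp_in_future": compiled > now,   # the 2087 stamp trips this check
        "is_dotnet": clr_size > 0,               # CLR header present: managed code via mscoree.dll
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for the example (headers only, no sections or code).
    It is NOT the analysed sample; its fields mirror the report's ExifTool findings."""
    ts = int(datetime(2087, 10, 31, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # 64-byte DOS header, e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 224, 0x0102)  # i386, executable, 32-bit
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)      # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)  # CLR header present
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for field, value in parse_pe_metadata(build_sample_pe()).items():
        print(f"{field:>20}: {value}")
```

Run against a real file with `parse_pe_metadata(open(path, "rb").read())`; the future-timestamp flag is only a heuristic, since some linkers write deliberate or reproducible-build values into that field.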

5. Dynamic Analysis

Proceed to ANY.RUN and create a new analysis.



Upload the malware and enable Fake Net in the network section. FakeNet simulates network
activity to analyze how the malware attempts to communicate over the network. Now run it
by proceeding to run a public analysis.

Review the results of the public analysis, where you can observe the malware's execution in
real-time. The screen displays a video of the malware's behavior, including processes
created, file modifications, registry changes, and network activity.

Here the malware is tagged as rat, Remcos and keylogger.



Here you can see the real-time behavior of the malware.



A malicious process 66c50343775c162862... is seen to be connecting to IP 107.175.229.139
on port 8823 via TCP in the connections, possibly communicating with a C2 server.

Upon inspecting it further, we find that there is a 100/100 malicious score for the process
`66c50343775c162862...`, identified as Remcos RAT. It takes screenshots, logs keystrokes,
and connects to unusual ports. Detected multiple times by YARA, it exhibits dangerous
behavior, including creating files and querying the registry, posing a serious security
threat.

A malicious process WinRAR.exe is seen modifying the file
66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490.exe in the directory
C:\Users\admin\AppData\Local\Temp\Rar$EXb4804.6330, indicating potential malware execution.
The modified executable file is 851 KB in size. Similarly, there are more file modifications
by this malware too.

A suspicious process powershell.exe is seen executing a command to copy the file
`66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490.exe` to the Startup
directory at `C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe`,
bypassing execution policies. This behavior suggests persistence tactics typically
associated with malware.

DNS requests were made to multiple domains, including google.com at IP 142.250.184.238,
settings-win.data.microsoft.com at IP 51.124.78.146, and watson.events.data.microsoft.com
at IP 20.42.73.29, indicating communication with external servers, potentially part of
malicious network activity.

Several suspicious processes were observed, including WinRAR.exe and powershell.exe,
executing commands to copy the malicious file to critical directories. The process
WerFault.exe was also active, possibly indicating system faults triggered by the malware,
suggesting persistence and further malicious activity.

Upon closely looking into the processes, several suspicious activities were detected
involving the executable malware. The process exhibited behavior such as modifying
PowerShell execution policies, launching PowerShell commands, and querying system
information. The presence of these activities, combined with the file's execution in a
temporary directory, raises concerns about potential malware persistence and system
compromise.

The executable on the desktop is flagged as highly malicious. It shows behavior linked to
REMCOS, including screenshot capture and non-standard port connections. YARA rules
confirm its malicious nature, indicating potential remote access and data exfiltration.

The following indicators of compromise (IOCs) have been identified:



Archive File:

`66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490.zip`
● MD5: `d0fdd7cb012019bb27a3ee604dc7ca41`
● SHA1: `ff7f3ccf129f95c3b0b1f8322d1e338d201fa1f5`
● SHA256: `78f30d2a1542078a87e751f075d96985029ea0e975c4f7696c8fbb1f99f57c0b`

Dropped Executable:

`66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490.exe`
● SHA256: `78f30d2a1542078a87e751f075d96985029ea0e975c4f7696c8fbb1f99f57c0b`

Malicious Connections:

● 107.175.229.139
● 20.42.73.29
● 40.127.240.158

The lifecycle of Remcos, as visually represented in the process graph, is as follows:

1. The execution starts with a user launching winrar.exe (likely a trojanized file), which
triggers the process.

2. Following the execution of winrar.exe, it spawns the file
66c50343775c162862ac27a735c66927a9b3fd4a40a05cd0eaa21fecbca3f6c490.exe.

3. This executable then triggers powershell.exe, which is often used to execute
malicious scripts or commands in the background.

4. Powershell.exe spawns a conhost.exe process, likely used for command-line
operations without alerting the user.

5. Alongside, the executable also spawns werfault.exe, a legitimate Windows process
that's being exploited, indicating an attempt to evade detection by blending in with
system processes.

6. The malware ultimately leads to the execution of Remcos, a known Remote Access
Trojan (RAT), which allows attackers to take control of the infected machine remotely.

The MITRE ATT&CK Matrix analysis of the Remcos RAT highlights the various tactics and
techniques used during its lifecycle.

● Execution:

○ Command and Scripting Interpreter (PowerShell) is used for running
malicious commands, noted with 4 events.
○ User Execution (Malicious File) refers to the initial execution triggered by the
victim opening a malicious file (1 event).

● Persistence:

○ Boot or Logon Autostart Execution (Registry Run Keys/Startup Folder), where
the malware ensures persistence by modifying registry keys or placing files in
startup locations (1 event).

● Privilege Escalation:

○ Boot or Logon Autostart Execution with Registry Run Keys is also used here,
indicating overlap with persistence techniques for gaining elevated privileges.

● Discovery:

○ The malware performs Query Registry actions (21 events) and System
Information Discovery (9 events) to gather critical system information for
further operations.

● Command and Control (C&C):

○ Non-Standard Port is used to communicate with the attacker's server, often to
evade detection by traditional security measures (2 events).
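The behaviours observed in the ANY.RUN task (WinRAR launching the executable from the Temp folder, PowerShell copying it to the Startup folder with the execution policy bypassed, and the TCP connection to 107.175.229.139:8823) together with the ATT&CK mapping above can be turned into detection logic. The following Python script is an added example, not part of the original report or of ANY.RUN: it runs simple rules over a constructed set of process and network events modelled on the report's findings, matches network events against the IOC addresses listed earlier, and tags each hit with the standard ATT&CK technique ID for the technique the matrix names. The event format, the allow-list of "standard" ports, and the function names are assumptions of the example.

```python
import re
from typing import Dict, List

# Indicators taken from the report's IOC list and connection findings.
IOC_IPS = {"107.175.229.139", "20.42.73.29", "40.127.240.158"}
STANDARD_PORTS = {53, 80, 443}  # assumption: ports the non-standard-port rule does not flag

# Standard ATT&CK IDs for the techniques the report's matrix names.
TECHNIQUES = {
    "T1204.002": "User Execution: Malicious File",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1547.001": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
    "T1571": "Non-Standard Port",
    "IOC": "Connection to a listed indicator of compromise",
}

STARTUP_MARKER = r"\start menu\programs\startup"
TEMP_MARKER = "\\appdata\\local\\temp\\"
EXEC_POLICY_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.IGNORECASE)


def _finding(technique: str, event: Dict, evidence: str) -> Dict:
    return {"technique": technique, "name": TECHNIQUES[technique],
            "process": event["image"], "evidence": evidence}


def analyze_events(events: List[Dict]) -> List[Dict]:
    """Apply behavioural rules and IOC matching to sandbox-style process/network events."""
    findings: List[Dict] = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].lower()
            parent = ev.get("parent", "").lower()
            cmdline = ev.get("cmdline", "")
            # Archive utility launching an executable out of its temp extraction folder:
            # the initial user execution of the malicious file.
            if parent.endswith("winrar.exe") and TEMP_MARKER in image:
                findings.append(_finding("T1204.002", ev, f"{ev['parent']} launched {ev['image']}"))
            # PowerShell started with the execution policy bypassed.
            if image.endswith("powershell.exe") and EXEC_POLICY_BYPASS.search(cmdline):
                findings.append(_finding("T1059.001", ev, "PowerShell run with execution policy bypass"))
            # Any command line that writes into the per-user Startup folder.
            if STARTUP_MARKER in cmdline.lower():
                findings.append(_finding("T1547.001", ev, "command line targets the Startup folder"))
        elif ev["type"] == "network":
            dst = f"{ev['dst_ip']}:{ev['dst_port']}"
            if ev["dst_ip"] in IOC_IPS:
                findings.append(_finding("IOC", ev, f"connection to listed address {dst}"))
            # Coarse rule: TCP to a port outside the allow-list. Tune STANDARD_PORTS per environment.
            if ev["proto"] == "tcp" and ev["dst_port"] not in STANDARD_PORTS:
                findings.append(_finding("T1571", ev, f"TCP connection to non-standard port {dst}"))
    return findings


def count_by_technique(findings: List[Dict]) -> Dict[str, int]:
    """Event counts per technique, like the per-technique counts in the ATT&CK matrix view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


# Constructed events modelled on the report's findings (not real ANY.RUN output).
SAMPLE_SHA256 = "66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490"
TEMP_EXE = r"C:\Users\admin\AppData\Local\Temp\Rar$EXb4804.6330" + "\\" + SAMPLE_SHA256 + ".exe"
STARTUP_DIR = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": WINRAR, "parent": r"C:\Windows\explorer.exe", "cmdline": "WinRAR.exe"},
    {"type": "process", "image": TEMP_EXE, "parent": WINRAR, "cmdline": TEMP_EXE},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": TEMP_EXE,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command Copy-Item " + TEMP_EXE + " " + STARTUP_DIR},
    {"type": "network", "image": TEMP_EXE, "proto": "tcp", "dst_ip": "107.175.229.139", "dst_port": 8823},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe", "proto": "tcp",
     "dst_ip": "142.250.184.238", "dst_port": 443},  # google.com lookup from the report: benign
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['technique']:<10} {f['name']}: {f['evidence']}")
    print(count_by_technique(analyze_events(SAMPLE_EVENTS)))
```

The rules are intentionally narrow: the Startup-folder rule fires on any command line naming that path, which also catches legitimate installers, so in production it would be combined with the parent-process context shown in the first rule rather than used alone.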

Mapping the observed activities to the tools used, we get:

1. Process Explorer: The malware executed from the Temp directory and used
PowerShell commands to copy itself to the Startup folders, establishing persistence.
The use of WerFault.exe suggests an attempt to mimic legitimate processes or
handle execution errors.

2. Regshot: Changes tracked include the creation of multiple executables and
modification of critical system files, including registry entries for startup persistence.
Modified PowerShell scripts and crash dump files suggest the malware’s attempts to
evade detection and maintain functionality.

3. Process Monitor: Real-time monitoring showed that the malware spawned multiple
processes and used PowerShell commands extensively to copy files into critical
system directories, indicating a sophisticated persistence mechanism. File system
modifications and encryption routines demonstrate its destructive intent.

4. FakeNet-NG: Network analysis revealed encrypted communication with a remote C2
server over port 443, linking the destination IP to a known malicious domain. This
indicates data exfiltration or command reception.

5. Netstat: Detected outbound connections to malicious IP addresses over HTTPS,
reinforcing the malware’s data exfiltration or command reception capabilities.

6. DumpIt: Memory analysis uncovered extensive in-memory operations, suggesting
that some of the malware's payload evades traditional detection methods.

Hybrid Analysis: The combined static and dynamic analysis demonstrates that the malware
is a well-designed threat with capabilities for persistence, data exfiltration, and system
compromise. It employs advanced techniques to evade detection and maintain control over
the infected environment.

6. Comparative Analysis

Reviewing Existing Reports:

Analysis reports from the ANY.RUN public submissions platform were reviewed for the
malware sample. These reports provided additional context and confirmed many of the
observed behaviors:

1. Task 1
2. Task 2

7. Conclusion

The analysis of the malware sample identifies it as a sophisticated .NET-based executable,
employing advanced evasion techniques and persistence strategies. Key findings include its
use of encrypted communication with a remote C2 server, establishment of persistence
through Startup folder modifications, and reliance on in-memory operations to evade
detection.

Impact:

The malware compromises system integrity, facilitates data exfiltration, and disrupts normal
operations by embedding itself deeply within the system and employing stealth techniques.

Mitigation Strategies:

To address the malware, implement comprehensive monitoring to detect unusual file,
process, and network activity. Isolate affected systems, quarantine the malware, and restrict
unauthorized processes to contain the threat. Eradicate the malware by removing it, cleaning
residual files and registry entries, and applying necessary patches. Finally, restore systems
from clean backups, enhance security measures, and conduct ongoing monitoring to ensure
no residual threats remain.

8. Incident Response Plan

1. Detection

Objective: Identify the presence of the malware and assess the extent of the compromise.

● Monitor Alerts: Use SIEM tools (e.g., Wazuh) to review alerts for suspicious
activities, such as unusual file modifications, PowerShell commands, or network
traffic to known malicious domains.

● File Integrity Check: Utilize file integrity monitoring tools to detect unauthorized
changes in critical system files and directories.

● Network Traffic Analysis: Analyze network traffic for encrypted communication over
port 443 to identify potential C2 server interactions.

● Process Monitoring: Use Process Explorer and similar tools to identify unusual
processes and file activities, particularly those involving PowerShell and executables
in Startup folders.

● Memory Analysis: Capture and analyze memory dumps to detect in-memory
artifacts or processes associated with the malware.
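The Regshot approach described in the tools section (snapshot before and after, then diff) and the file integrity and process monitoring steps of this Detection phase can be scripted. The following Python is an added example, not part of the report or of Regshot: `diff_snapshots` compares two registry snapshots and reports added, deleted and modified values; `persistence_artifacts` keeps the ones under autostart Run keys together with any new or changed file in the Startup folder, which is exactly the list the Eradication phase has to clean up; and `snapshot_dir` hashes a folder's files for a real snapshot. The snapshots below are constructed for the example, and the Run value name is a placeholder because the report does not name the entries Remcos wrote.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Registry locations that give autostart persistence (compared case-insensitively).
AUTOSTART_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
}
STARTUP_DIR = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

RegistrySnapshot = Dict[str, Dict[str, str]]  # key path -> {value name: value data}
FileSnapshot = Dict[str, str]                  # file path -> sha256 hex digest
Change = Tuple[str, str, str]                  # (key path, value name, value data)


def snapshot_dir(directory: str) -> FileSnapshot:
    """Hash every regular file directly inside a directory, e.g. the Startup folder."""
    result: FileSnapshot = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file():
                digest = hashlib.sha256()
                with open(entry.path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                result[entry.path] = digest.hexdigest()
    return result


def diff_snapshots(before: RegistrySnapshot, after: RegistrySnapshot) -> Dict[str, List[Change]]:
    """Regshot-style comparison: values added, deleted, or changed between two snapshots."""
    added: List[Change] = []
    deleted: List[Change] = []
    modified: List[Change] = []
    for key in set(before) | set(after):
        old, new = before.get(key, {}), after.get(key, {})
        for name in set(old) | set(new):
            if name not in old:
                added.append((key, name, new[name]))
            elif name not in new:
                deleted.append((key, name, old[name]))
            elif old[name] != new[name]:
                modified.append((key, name, new[name]))
    return {"added": sorted(added), "deleted": sorted(deleted), "modified": sorted(modified)}


def persistence_artifacts(diff: Dict[str, List[Change]],
                          startup_before: FileSnapshot, startup_after: FileSnapshot) -> List[str]:
    """Reduce a diff to the artifacts an eradication step must remove: new or changed
    values under autostart keys, and new or changed files in the Startup folder."""
    hits: List[str] = []
    for key, name, data in diff["added"] + diff["modified"]:
        if key.lower() in AUTOSTART_KEYS:
            hits.append(f"registry: {key}\\{name} = {data}")
    for path, digest in sorted(startup_after.items()):
        if startup_before.get(path) != digest:
            hits.append(f"startup folder: {path} (sha256 {digest})")
    return hits


# Constructed snapshots modelled on the report's findings (not real Regshot output).
SAMPLE_EXE = STARTUP_DIR + "\\" + "66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
ONEDRIVE = r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"

REG_BEFORE: RegistrySnapshot = {RUN_KEY: {"OneDrive": ONEDRIVE}, EXPLORER_KEY: {"Hidden": "2"}}
REG_AFTER: RegistrySnapshot = {
    RUN_KEY: {"OneDrive": ONEDRIVE,
              "PLACEHOLDER_VALUE_NAME": SAMPLE_EXE},  # placeholder: the report does not name the value
    EXPLORER_KEY: {"Hidden": "1"},                    # unrelated change: reported, not flagged
}
STARTUP_BEFORE: FileSnapshot = {}
STARTUP_AFTER: FileSnapshot = {SAMPLE_EXE: hashlib.sha256(b"constructed file contents").hexdigest()}

if __name__ == "__main__":
    changes = diff_snapshots(REG_BEFORE, REG_AFTER)
    print("raw diff:", changes)
    for artifact in persistence_artifacts(changes, STARTUP_BEFORE, STARTUP_AFTER):
        print("remove:", artifact)
```

For a live system the two file snapshots would come from `snapshot_dir(STARTUP_DIR)` taken before and after the observation window, and the registry snapshots from an export of the keys in `AUTOSTART_KEYS`; the diff itself is independent of how the snapshots were captured.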

2. Containment

Objective: Limit the spread and impact of the malware within the environment.

● Isolate Affected Systems: Disconnect compromised systems from the network to
prevent further communication with the C2 server and halt data exfiltration.

● Identify and Quarantine Malicious Files: Use antivirus or anti-malware tools to
quarantine detected malware files. Ensure that any files copied to Startup folders are
removed.

● Restrict Malicious Processes: Terminate processes associated with the malware
using Process Explorer or similar tools.

● Disable Unauthorized Scripts: Remove or disable any unauthorized PowerShell
scripts and other files created by the malware.

● Network Segmentation: Implement network segmentation to limit the malware's
ability to spread to other systems.

3. Eradication

Objective: Remove the malware and all traces of its presence from the environment.

● Complete Malware Removal: Use reputable antivirus or anti-malware tools to
perform a full system scan and ensure the removal of all detected malware
components.

● Clean Up Residual Files: Manually verify and delete any residual malicious files,
including those placed in Startup folders and other critical system locations.

● Registry and System Cleanup: Restore any altered registry settings and system
configurations to their original state. Remove any registry entries created by the
malware.

● Update and Patch Systems: Ensure that all systems are updated with the latest
security patches to close any vulnerabilities exploited by the malware.

● Verify System Integrity: Perform integrity checks on the affected systems to ensure
that no residual malware components remain.

4. Recovery

Objective: Restore normal operations and ensure the system is secure from future
incidents.

● Restore from Backup: If necessary, restore affected systems from clean backups
taken before the incident. Verify the integrity of backups before restoration.

● Monitor Systems: Implement enhanced monitoring on affected systems to detect
any signs of residual malware or new threats. Use SIEM tools to continuously
monitor for unusual activities.

● Review and Strengthen Security Controls: Review existing security controls and
update them based on lessons learned from the incident. Implement additional
measures, such as enhanced file integrity monitoring and network traffic analysis.

● Conduct a Post-Incident Review: Perform a thorough post-incident review to
assess the effectiveness of the response and identify areas for improvement.
Document lessons learned and update incident response plans accordingly.

● Communicate with Stakeholders: Inform relevant stakeholders, including
management and affected parties, about the incident, its impact, and the steps taken
to resolve it.

Additional Considerations:

● Incident Documentation: Maintain detailed records of all actions taken during the
incident response, including detection methods, containment actions, eradication
steps, and recovery processes.

● Legal and Compliance: Ensure compliance with relevant legal and regulatory
requirements, including reporting obligations and data breach notifications.

_________________________________________________________________________
_________________________________________________________________________

LinkedIn
www.linkedin.com/in/simrafatima
