Malware Investigation

Incident Response Scenario

Beginner Friendly · 15-20 min

🚨 INCIDENT ALERT: User reports slow computer and unusual network activity. Use Sysinternals tools to identify, analyze, and contain the threat in this hands-on investigation scenario.

Incident Overview

Initial Symptoms

  • High CPU usage from unknown process
  • Suspicious network connections to external IPs
  • New files appearing in temp directories
  • System performance degradation
  • Antivirus disabled mysteriously

Investigation Objectives

  • Identify malicious processes
  • Analyze network communications
  • Detect persistence mechanisms
  • Document evidence for removal
  • Contain and neutralize threat

Process Analysis

Using Process Explorer

Investigation Steps

  1. Launch Process Explorer as Administrator
  2. Enable VirusTotal checking: Options → VirusTotal.com
  3. Sort by CPU usage to identify high-consumption processes
  4. Look for processes highlighted in red (unsigned/suspicious)
  5. Examine suspicious process properties and strings

Expected Findings

🎯 TARGET IDENTIFIED
Process: svchost.exe
Location: C:\Temp\
VirusTotal: 15/67 engines flagged
Behavior: High CPU usage, suspicious location

Key Commands

# Launch Process Explorer
procexp.exe
# Enable VirusTotal integration
Options → VirusTotal.com → Check VirusTotal.com
# Right-click suspicious process → Properties
# Check Image tab, Strings tab, and TCP/IP tab
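The checks behind steps 3 to 5 can be scripted once the process list has been exported, which is useful when the same triage has to be repeated on several hosts. The following is an added example written for this scenario, not Sysinternals code and not part of the original page. It assumes a Process Explorer listing reduced to the fields of the Proc class (the EXPECTED_DIRS table and the sample rows are constructed assumptions). The key check is the one the scenario turns on: the genuine svchost.exe lives in C:\Windows\System32 (or SysWOW64) and carries a verified Microsoft signature, so a copy of that name in C:\Temp is a finding regardless of CPU load.

```python
"""Triage a Process Explorer listing for name masquerading and unsigned images.

Added example for this scenario; it is not Sysinternals code and not part of
the original page. It assumes the process list has already been exported from
Process Explorer and reduced to the fields of Proc below; the sample rows are
constructed to mirror the scenario's finding (svchost.exe in C:\\Temp).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories the genuine copy of each frequently-impersonated Windows binary
# lives in. The table is illustrative (an assumption), not exhaustive.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "lsass.exe": {r"c:\windows\system32"},
}

# Path fragments that mark user-writable locations no system binary should run from.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Proc:
    pid: int
    name: str
    image_path: str
    signer: str          # e.g. "(Verified) Microsoft Windows"; empty when unsigned
    cpu_percent: float   # sustained CPU as shown in the CPU column
    vt_hits: int         # VirusTotal engines flagging the image (0 if clean/unknown)


def triage(p: Proc) -> list[str]:
    """Return the reasons a process deserves a closer look (empty list if none)."""
    reasons = []
    parent = str(PureWindowsPath(p.image_path).parent).lower()
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected and parent not in expected:
        reasons.append(f"{p.name} running from unexpected directory {parent}")
    if any(h in parent + "\\" for h in USER_WRITABLE_HINTS):
        reasons.append("image in user-writable location")
    if not p.signer.startswith("(Verified)"):
        reasons.append("image not signed by a verified publisher")
    if p.vt_hits > 0:
        reasons.append(f"VirusTotal: {p.vt_hits} engines flagged")
    if p.cpu_percent >= 50:
        reasons.append(f"sustained CPU at {p.cpu_percent:.0f}%")
    return reasons


# Constructed sample: one genuine svchost.exe, the masquerading copy, and explorer.exe.
SAMPLE_PROCESSES = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "(Verified) Microsoft Windows", 0.3, 0),
    Proc(4120, "svchost.exe", r"C:\Temp\svchost.exe", "", 92.0, 15),
    Proc(2200, "explorer.exe", r"C:\Windows\explorer.exe", "(Verified) Microsoft Windows", 1.2, 0),
]


def find_suspicious(procs: list[Proc]) -> dict[int, list[str]]:
    """Map PID -> reasons for every process that triggered at least one check."""
    return {p.pid: triage(p) for p in procs if triage(p)}


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

Only PID 4120 is reported, with all five reasons; the genuine svchost.exe (PID 812) passes every check even though it shares the name, which is why the location and signature checks matter more than the process name.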

Network Analysis

Using TCPView

Investigation Steps

  1. Launch TCPView as Administrator
  2. Enable "Resolve Addresses" for domain names
  3. Monitor active connections in real-time
  4. Identify suspicious external IPs and ports
  5. Document C2 communication patterns

Expected Findings

🌐 NETWORK ACTIVITY
Process: svchost.exe (fake)
Destination: 185.159.157.13:443
Pattern: Regular beaconing every 60 seconds
Location: Eastern Europe (suspicious)

Analysis Commands

# Launch TCPView
tcpview.exe
# Command line version for scripting
tcpvcon.exe -a | findstr svchost
# Look for unusual external connections
# Focus on non-standard ports and foreign IPs
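The "regular beaconing every 60 seconds" pattern in the expected findings is easier to prove from captured data than from watching TCPView by eye. The following is an added example written for this scenario, not Sysinternals code and not part of the original page. It assumes tcpvcon.exe output captured repeatedly (say, once a second from a scheduled task) and reduced to the constructed line format shown; each distinct local port is treated as one connection, so a long-lived connection seen on several captures is not counted as several beacons. Private addresses are skipped, and the cadence is judged by the coefficient of variation of the gaps between connections.

```python
"""Find periodic beaconing in timestamped connection records.

Added example for this scenario; not Sysinternals code and not part of the
original page. It assumes tcpvcon.exe output was captured repeatedly (for
instance once a second by a scheduled task) and reduced to the constructed
line format below: timestamp, process, PID, protocol, local, remote, state.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample. 185.159.157.13 is the scenario's C2 address; 8.8.8.8 stands in
# for an ordinary external service and 10.0.0.2 for an internal file server.
SAMPLE_LOG = """\
2024-05-01T10:00:00 svchost.exe 4120 TCP 10.0.0.5:51234 185.159.157.13:443 ESTABLISHED
2024-05-01T10:00:05 chrome.exe 3000 TCP 10.0.0.5:51300 8.8.8.8:443 ESTABLISHED
2024-05-01T10:01:01 svchost.exe 4120 TCP 10.0.0.5:51240 185.159.157.13:443 ESTABLISHED
2024-05-01T10:01:59 svchost.exe 4120 TCP 10.0.0.5:51251 185.159.157.13:443 ESTABLISHED
2024-05-01T10:02:10 svchost.exe 812 TCP 10.0.0.5:51100 10.0.0.2:445 ESTABLISHED
2024-05-01T10:02:30 chrome.exe 3000 TCP 10.0.0.5:51310 8.8.8.8:443 ESTABLISHED
2024-05-01T10:03:00 svchost.exe 4120 TCP 10.0.0.5:51262 185.159.157.13:443 ESTABLISHED
2024-05-01T10:04:00 svchost.exe 4120 TCP 10.0.0.5:51270 185.159.157.13:443 ESTABLISHED
2024-05-01T10:05:00 svchost.exe 4120 TCP 10.0.0.5:51281 185.159.157.13:443 SYN_SENT
"""


def parse(log: str) -> dict:
    """Group records by (process, PID, remote endpoint); each local port counts once (first sighting)."""
    first_seen = defaultdict(dict)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, proc, pid, _proto, local, remote, _state = line.split()
        first_seen[(proc, int(pid), remote)].setdefault(local, datetime.fromisoformat(ts))
    return first_seen


def find_beacons(log: str, min_connections: int = 4, max_jitter: float = 0.2) -> dict:
    """Return {(proc, pid, remote): (period_seconds, jitter)} for non-private endpoints
    contacted at a steady cadence. Jitter is the coefficient of variation of the gaps
    between successive connections; 0 means perfectly regular."""
    beacons = {}
    for key, ports in parse(log).items():
        remote_ip = ipaddress.ip_address(key[2].rsplit(":", 1)[0])
        times = sorted(ports.values())
        if remote_ip.is_private or len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / period if period > 0 else float("inf")
        if jitter <= max_jitter:
            beacons[key] = (round(period), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (proc, pid, remote), (period, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{proc} (PID {pid}) -> {remote}: every {period}s, jitter {jitter}")
```

The C2 channel stands out as a 60-second period with near-zero jitter; the browser traffic has too few connections to judge and the SMB session goes to a private address, so neither is reported. Raising max_jitter catches implants that randomise their sleep, at the cost of more false positives from update checkers.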

Persistence Analysis

Using Autoruns

Investigation Steps

  1. Launch Autoruns as Administrator
  2. Enable VirusTotal integration
  3. Hide Microsoft entries for clarity
  4. Focus on unsigned entries (highlighted in red)
  5. Check VirusTotal scores for high detection rates

Expected Findings

🔧 PERSISTENCE MECHANISM
Location: HKCU\Run registry key
Entry: "WindowsUpdate" = C:\Temp\svchost.exe
VirusTotal: 23/67 engines flagged
Status: Unsigned, suspicious location

Analysis Commands

# Launch Autoruns GUI
autoruns.exe
# Command line export for documentation
autorunsc.exe -a * -s -h -c -vr > malware_persistence.csv
# Focus on unsigned entries only
autorunsc.exe -u -s -h -c
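The CSV produced by the autorunsc export above can be scored automatically so that the entry worth looking at first rises to the top. The following is an added example written for this scenario, not Sysinternals code and not part of the original page. It assumes the export has been reduced to the column subset in the sample header (the real autorunsc -c output carries more columns, so that header is an assumption) and the rows are constructed to mirror the finding. The scoring deliberately does not flag AppData as a whole, because legitimate per-user installers such as OneDrive live there; it flags Temp, Public and ProgramData, plus unverified signers and VirusTotal hits.

```python
"""Rank autorun entries from an autorunsc CSV export by risk.

Added example for this scenario; not Sysinternals code and not part of the
original page. It assumes the export has been reduced to the column subset in
the header below (the real autorunsc -c output carries more columns, so this
header is an assumption) and the rows are constructed to mirror the finding.
"""
import csv
import io
import re

SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String,VT detection
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,WindowsUpdate,enabled,,C:\Temp\svchost.exe,C:\Temp\svchost.exe,23/67
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe,%windir%\system32\SecurityHealthSystray.exe,0/67
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,(Verified) Microsoft Corporation,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background,0/67
"""

# Directories that any user can write to; a Run-key target here is a common malware tell.
# AppData as a whole is deliberately excluded because legitimate per-user installers use it.
USER_WRITABLE = re.compile(r"\\(temp|tmp|users\\public|programdata)\\", re.IGNORECASE)


def vt_hits(field: str) -> int:
    """Parse the 'hits/engines' VirusTotal column; 0 when empty or unknown."""
    m = re.match(r"(\d+)/(\d+)", field or "")
    return int(m.group(1)) if m else 0


def score_entry(row: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one autorun entry; higher means more suspicious."""
    score, reasons = 0, []
    if not row.get("Signer", "").startswith("(Verified)"):
        score += 2
        reasons.append("unsigned or unverified signer")
    if USER_WRITABLE.search(row.get("Image Path", "")):
        score += 2
        reasons.append("image in user-writable directory")
    hits = vt_hits(row.get("VT detection", ""))
    if hits:
        score += 3
        reasons.append(f"VirusTotal: {hits} engines flagged")
    # An already-suspicious entry that is enabled under a Run key is live persistence.
    if score and row.get("Enabled", "").lower() == "enabled" and row["Entry Location"].endswith("\\Run"):
        score += 1
        reasons.append("active Run-key autostart")
    return score, reasons


def rank_entries(csv_text: str, threshold: int = 3) -> list[tuple[int, str, str, list[str]]]:
    """Return (score, entry name, image path, reasons) for entries at or above threshold, highest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_entry(row)
        if score >= threshold:
            findings.append((score, row["Entry"], row["Image Path"], reasons))
    return sorted(findings, key=lambda f: f[0], reverse=True)


if __name__ == "__main__":
    for score, entry, image, reasons in rank_entries(SAMPLE_CSV):
        print(f"[{score}] {entry} -> {image}: {', '.join(reasons)}")
```

The "WindowsUpdate" entry scores 8 (unsigned, in C:\Temp, 23 detections, enabled under HKCU\...\Run) while both Microsoft-signed entries score 0, matching what the Autoruns GUI shows once Microsoft entries are hidden.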

Behavior Documentation

Using Process Monitor

Investigation Steps

  1. Launch Process Monitor as Administrator
  2. Filter by suspicious process name
  3. Monitor file system and registry operations
  4. Document malicious behavior patterns
  5. Collect evidence for incident response

Expected Findings

📋 MALICIOUS BEHAVIOR
File Operations: Creating files in %TEMP%
Registry: Modifying security settings
Process: Disabling Windows Defender
Network: Downloading additional payloads

Filter Examples

# Filter for the malicious instance; several legitimate svchost.exe processes share the
# name, so narrow by Image Path (or PID) rather than Process Name alone
Process Name is svchost.exe
Image Path begins with "C:\Temp\"
# Monitor registry modifications to Defender settings
Path contains "Software\Microsoft\Windows Defender" AND Operation is RegSetValue
# Track file creation in the user's temp directory
Path contains "\AppData\Local\Temp\" AND Operation is CreateFile
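Once the filtered events are exported (File → Save as CSV), the behaviour summary in the expected findings can be produced from the file rather than by scrolling. The following is an added example written for this scenario, not Sysinternals code and not part of the original page. It assumes the default Procmon CSV columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the rows are constructed to mirror the scenario and the Detail strings are simplified approximations of Procmon's, with "OpenResult: Created" taken as the marker that a CreateFile actually created a new file rather than opening an existing one.

```python
"""Summarize a Process Monitor CSV export into the behaviour categories of the write-up.

Added example for this scenario; not Sysinternals code and not part of the
original page. It assumes the default Procmon CSV columns (Time of Day,
Process Name, PID, Operation, Path, Result, Detail). The rows are constructed
to mirror the scenario and the Detail strings are simplified approximations.
"""
import csv
import io
from collections import defaultdict

SAMPLE_EVENTS = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:03.1","svchost.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\upd.dll","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:02:03.2","svchost.exe","4120","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:02:04.0","svchost.exe","812","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:02:05.5","svchost.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\upd.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"10:02:06.0","explorer.exe","2200","CreateFile","C:\Users\alice\Documents\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
'''

# Registry subtree holding Defender's configuration (lower-cased for matching).
DEFENDER_KEY = "microsoft\\windows defender"
# Temp locations a dropper typically writes to (lower-cased path fragments).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "c:\\temp\\")
# Registry operations that change state, as opposed to reads.
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}


def analyze(csv_text: str, pid: int) -> dict:
    """Return {category: [evidence, ...]} for the successful events of one PID."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["PID"]) != pid or row["Result"] != "SUCCESS":
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        lpath = path.lower()
        if op == "CreateFile" and "OpenResult: Created" in detail and any(m in lpath for m in TEMP_MARKERS):
            findings["temp file created"].append(path)
        elif op in REG_WRITE_OPS and DEFENDER_KEY in lpath:
            findings["defender setting modified"].append(f"{path} ({detail})")
    return dict(findings)


if __name__ == "__main__":
    for category, evidence in analyze(SAMPLE_EVENTS, 4120).items():
        print(category)
        for item in evidence:
            print("   ", item)
```

For PID 4120 the summary lists one new file in the user's Temp directory and one write to a Defender real-time-protection value; the later CreateFile on the same DLL is an open, not a creation, so it is not double-counted, and the genuine svchost.exe (PID 812) yields nothing.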

Investigation Results & Remediation

Threat Assessment

✅ MALWARE IDENTIFIED & CONTAINED
  • Threat Type: Cryptocurrency Miner
  • Persistence: Registry Run key
  • C2 Server: 185.159.157.13:443
  • Impact: High CPU usage, system slowdown
  • Stealth: Masquerading as legitimate svchost.exe

Remediation Steps

  1. Terminate malicious svchost.exe process
  2. Delete autorun registry entry
  3. Remove malicious executable from C:\Temp\
  4. Re-enable Windows Defender
  5. Run full system scan
  6. Block C2 IP at firewall level
  7. Document incident for future reference

Lessons Learned

Tool Synergy

Using multiple Sysinternals tools together provides comprehensive threat visibility and correlation capabilities.

Behavioral Analysis

Monitoring process behavior and network activity reveals malware operations even when signatures fail.

Documentation

Proper evidence collection enables effective remediation and future threat prevention.

Continue Your Learning

Advanced Scenarios

🔍 APT Detection & Analysis (Coming Soon)
🌐 Network Threat Hunting (Coming Soon)
🧠 Memory Forensics Investigation (Coming Soon)

Related Tools

📊 Master Process Explorer
🔍 Learn Sigcheck Analysis (Coming Soon)
📝 Static Analysis with Strings (Coming Soon)