Hunting Malware with Windows Sysinternals — Process Explorer
In the last decade we’ve seen a surge in malware activity from targeted attacks like stuxnet to ransomware like WannaCry and many more in the recent years. To face threats like these, malware analyst must be able to identify malware as quickly as possible when analyzing infected machines or doing dynamic analysis.
Initial assessment must be done to determine if something is malicious or not and tools like pestudio or VirusTotal can be used to make a quick assessment of malware samples statically.
But in cases where we’re analyzing machines that were already infected with malware or we’re doing some dynamic analysis, tools like Process Explorer or Autoruns from Windows Sysinternals are the go to solution to get started.
Windows Sysinternals
The Sysinternals tools were created by Mark Russinovich and Bryce Cogswell. They were initially conceived and developed to help administrators and developers in their activity, but over the years’ multiple capabilities have been added and tools have been created to aid malware analysts in finding malicious behavior.
The Sysinternals suite contains more than 70 tools, in this malware series we’ll be taking a look at three in particular: Process Explorer, Procmon and Autoruns.
In this first part will be focusing on Process Explorer and how to leverage it functionalities to hunt for suspicious processes and malware.
Process Explorer
Process explorer is a tool that let us access a lot of information about processes running on a machine, and offer some nice functionalities out of the box which we can leverage to analyze and determine if something is malicious.
Let us take a look at some of the functionalities provided by process explorer that can help in our quest of hunting malware.
Colors
The first thing we’ll see when we open process explorer is the list of the processes that are running on the system.
Each process will get assigned a certain color based on its type and state. We can use these colors to determine for example: “services” or “packed images”.
The default configuration has the following color scheme.
For example, if we see a process with the “Services” or “Packed Images” color and its doesn’t contain any description or company name, then this could very well be indicative of something suspicious.
Path, Description and Company Name
Almost all legitimate processes (except for system processes) have a description and a company name. So the absence of one or both of these should indicate suspicious behavior.
Also by default we can see the path from which the process was launched. Always correlate the path and location with the name and the process itself. For example, a process named “DNS.EXE” running from the temp directory is most likely not a legitimate process.
Image Signature
Additionally, process explorer provide a feature called “Verify Image Signatures” which will verify if an executable files or DLL of a process have trusted digital signatures automatically. This can be of great help as some malware don’t bother to sign their code. So always be on the lookup for unverified processes or DLL’s.
This option isn’t enable by default. We can enable it on a process by process basis or globally via the “Options” menu.
Note that this feature only checks the signatures of executables or DLL’s on disk. This means that techniques like process hollowing on legitimate processes will not get detected by this feature.
Virus Total
Process explorer also integrates by default with Virus Total so it can send the hashes of the executables and DLL’s to check if they’re already flagged by AV engines.
If the machine we’re analyzing has access to the internet I highly suggest to turn on this feature, as it can be of great help during analysis.
We can also submit unknown executables to VT for analysis if the result of the scan shows a status of unknown.
This feature can also be enabled via the “Options” menu.
Command Line
By default, process explorer doesn’t show the command lines that launches a process. This can be enabled by selecting the “Select Columns” option from the “View” menu or by right clicking on any column on the processes pane and selecting the “Select Columns” option.
Seeing the command that launched a process can be very powerful, especially if that malicious process contains some arguments that we can use to determine the nature of the process.
I suggest that you enable this when you start your analysis and go through each process and look for anything suspicious.
Strings
Analyzing the strings of an executable has always been a powerful technique during static analysis, as they contain most of the times interesting indicators.
Process explorer let us explore the strings of any process by double clicking on its name and navigating to the strings tab. We can inspect both on disk and in memory strings (The in memory strings only shows the part where the executable is mapped in memory) which in the case of packed or encrypted / encoded samples can sometimes be a gold mine of IOC’s.
So once we’ve determined that a process is malicious we can take a look at the its corresponding strings for further analysis.
TCP/IP
As the name suggest, this feature can let us quickly identify processes that have any active TCP connections, (i.e communicating via the network).
For example, if our initial indicator was a log showing a communication between a machine and a C2 server and If the process is still communicating during out analysis, we can use this feature to locate it immediately.
DLLs
Process explorer let us access any loaded DLL by a process by pressing the “Ctrl+D” shortcut or by selecting it from the .
This can be combined with the Virus Total feature to submit the hashes to check if the process is using anything malicious or to get an overview of the malware possible capabilities.
Handles
When an application wants to access resources such as files or the registry, it needs to request them via the appropriate windows API responsible for handling the requested resource. Once this request is completed successfully, windows will allocate a handle and return its index in the handle table of the process.
Process explorer let us access all the open handles of a process by just selecting a process and pressing “Ctrl+H”.
This can be very helpful when analyzing malware dynamically, as knowing which files or registry keys are accessed by the malware can help locate and identify IOC’s and give us insight into its functionalities.
Conclusion
Process explorer is a powerful tool that can be leveraged to perform some advance malware hunting and analysis.
You can download the latest version of the tool from the Microsoft website.
Thanks for reading and I hope you learned something along the way.
This blog post and series was inspired by Mark Russinovich talks and the book “Troubleshooting with the Windows Sysinternals Tools, 2nd Edition” which you should definitely check out if you want an in depth look and a deeper understanding on how the Sysinternals tools work.
Got any feedback or suggestions, send them my way on twitter @nas_bench
