How to do behavioural analysis of malware

Set up the victim host so that it is ready to have the sample detonated. Configure its default gateway and DNS server to be your REMnux host, or another host with fakedns and inetsim installed.

Start Process Hacker and Process Monitor, and clear Process Monitor's log.

Use Regshot to snapshot the system, start sniffing with Wireshark on the victim host and start monitoring with Process Monitor.

Detonate the malware and let it run for a few minutes, then kill it in Process Hacker.

Stop monitoring and save the log as a CSV file. Stop Wireshark as well.

Take the second snapshot with Regshot and compare it to see what changed on the system. Did it add any files? Any autostart registry keys?

Load the CSV file into ProcDOT to see the trail of events.

Review the Wireshark dump to see if it attempted any outbound communications.

Reset the system and redo the experiment, but this time run fakedns on the gateway machine along with Wireshark, to see if it attempts to resolve any domains.

Reset and repeat, this time with inetsim, to see if it tries to pull anything down. Step by step, add more functionality until you are satisfied that the sample has executed all of its actions, then draw your conclusions before moving on to debugging and reversing.
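To make the "trail of events" step concrete, here is an added Python example (not part of the original write-up) that triages the CSV saved from Process Monitor: it follows the detonated sample and any processes it spawns, and pulls out the files it wrote, the autostart registry values it set, its network operations, and whether a dropped file is what the autostart entry points at. It assumes Process Monitor's default CSV export columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the `SAMPLE_CSV` rows are constructed, not a real capture, and the function names are this example's own.

```python
"""Triage a Process Monitor CSV export after detonating a sample.

Assumes the default Procmon CSV columns:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"""
import csv
import io
import re
from collections import Counter

# Constructed sample rows standing in for the CSV saved from Process Monitor (not a real capture).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","Process Start","","SUCCESS","Parent PID: 2200"
"10:01:02.5","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svch0st.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.6","sample.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svch0st.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.0","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svch0st.exe"
"10:01:03.2","sample.exe","4120","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname","SUCCESS","Type: REG_SZ"
"10:01:03.5","sample.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4500, Command line: cmd.exe /c ping 127.0.0.1"
"10:01:03.6","cmd.exe","4500","Process Start","","SUCCESS","Parent PID: 4120"
"10:01:03.8","cmd.exe","4500","UDP Send","lab-vm:53412 -> 10.0.0.1:53","SUCCESS","Length: 42"
"10:01:04.0","sample.exe","4120","TCP Connect","lab-vm:49712 -> 10.0.0.1:443","SUCCESS","Length: 0"
"10:01:05.0","explorer.exe","1800","RegQueryValue","HKCU\\Control Panel\\Desktop","SUCCESS","Type: REG_SZ"
'''

# Well-known autostart locations; extend to taste (Winlogon, Services ImagePath, ...).
AUTOSTART_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\CurrentVersion\\Run(Once)?\\",
    r"\\CurrentVersion\\Winlogon\\(Userinit|Shell)$",
    r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$",
    r"\\CurrentVersion\\Policies\\Explorer\\Run\\",
)]
CHILD_RE = re.compile(r"PID: (\d+), Command line: (.*)")


def is_autostart(reg_path):
    """True if a registry path is one of the autostart locations above."""
    return any(p.search(reg_path) for p in AUTOSTART_PATTERNS)


def summarise(csv_text, sample_process="sample.exe"):
    """Follow the sample (and its children) through the Procmon log and return findings."""
    ops_by_process = Counter()
    tracked_pids = set()          # the sample's PID plus every child it creates
    files_written = set()
    autostart_keys = []           # (registry path, detail) for RegSetValue on autostart keys
    network = []                  # (operation, endpoint) in log order
    child_processes = []          # command lines of processes the sample spawned

    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, pid = row["Process Name"], int(row["PID"])
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        ops_by_process[proc] += 1
        if proc.lower() == sample_process.lower():
            tracked_pids.add(pid)
        if pid not in tracked_pids:
            continue              # noise from unrelated processes (explorer.exe etc.)
        if op == "Process Create":
            m = CHILD_RE.search(detail)
            if m:                 # rows are time-ordered, so the child's PID is known before its events
                tracked_pids.add(int(m.group(1)))
                child_processes.append(m.group(2))
        elif op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            files_written.add(path)
        elif op == "RegSetValue" and is_autostart(path):
            autostart_keys.append((path, detail))
        elif op in ("TCP Connect", "TCP Send", "UDP Send"):
            network.append((op, path))

    # Cross-check Regshot's question: does an autostart value point at a file the sample dropped?
    dropped_and_persisted = sorted(
        f for f in files_written if any(f.lower() in d.lower() for _, d in autostart_keys)
    )
    return {
        "ops_by_process": ops_by_process,
        "tracked_pids": tracked_pids,
        "files_written": sorted(files_written),
        "autostart_keys": autostart_keys,
        "network": network,
        "child_processes": child_processes,
        "dropped_and_persisted": dropped_and_persisted,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_CSV)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real export with `summarise(open("procmon.csv", encoding="utf-8-sig").read(), "<sample name>")`; the files and autostart entries it lists are the ones to confirm against the Regshot diff, and the network endpoints are the ones to look for in the Wireshark capture before the fakedns and inetsim runs.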