How to do runtime debugging of malware

Drag the sample into x64dbg, as well as into PEStudio. Look at PEStudio’s imports, and identify interesting APIs that you would be interested in, such as ReadFile, EncryptDecrypt etc.

In the command window in the botton of x64dbg, type “SetBPX ReadFile” to set a breakpoint on whenever this API is called.

Make sure that all other pre-requisites for running the sample, identified through behavioural analysis ( such as DNS and routing are met.

Run the sample by hitting F9, and it’ll pause whenever it hits a breakpoint. You can then view the parameters passed to the API call, by reading the assembly code.

The breakpoint will make execution stop right before it starts executing from the Windows DLL that the API call refers to, so to get back to the custom code (you don’t want to step through Windows’ code) you click “Debug -> Run to user code”.

Another way to see what happens when making API calls, is to use API Monitor. Simply pick the API call you want to monitor, click “Monitor new process” from the file menu and pick you sample. It will run, and you can see each time the monitored API was called along with it’s parameters and return values.

The step after this is to do full-on reversing and code analysis.