• Investigate a possible malware using Windows tools
• Consider the network traffic of a malware
• Analyze the files and registers used by a malware
• Modify a malware and see the behavior of an anti-virus solution

For this exercise you will need a Windows 10 virtual machine.

Open the Windows 10 virtual machine and make sure that it is not connected to the local network and it does have Internet access via NAT interface (not bridged). Turn off your Windows defender protection (Windows Settings→Update & Security→Windows Security→Virus & threat protection→Virus & threat protection Settings→Turn off Real-time protection).

Download the lab setup files from the assistant. Install the programs and extract the sample files.

Your network administrator has provided you with 10 files that look suspicious and where caught by the network security equipment. Your job is to determine if there is any suspicious file and find out as much information about it as possible. Fill in the following data for each file. Try to do this using a (PowerShell) script.

Is the previous information enough? Does it really help? Use the WinMergePortable.exe program and compare “test1.exe” against “test2.exe”. What about their hashes, how close are them? Consider the file properties and spot the differences.

Find out which of the files are executables and start them. Observe their behavior.

• Write down the commands that the program is trying to execute (we will investigate those later).
• What happened to your test folder (from which the ransomware was started)?
• Wait for the computer to get fully infected, consider your “Documents” or “Desktop” folder and see if you can see the decryptor shortcut. Try to create a new text file and wait for it to be encrypted.