xalicex/malware-reverse-windows7-VM
malware-reverse-windows7-VM

Often I have trouble getting a fresh Windows 7 install working with malware analysis tools.

If you do too, follow these steps:

Windows 7 ISO

Install Windows 7 Home Premium SP1.

Install system

  1. Install the valid Microsoft root certificate: http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt
  2. Install the KB update that adds SHA-2 support (KB3033929): https://www.microsoft.com/fr-fr/download/details.aspx?id=46148
  3. Install .NET 4.8: https://dotnet.microsoft.com/en-us/download/dotnet-framework/net48
  4. Enable script execution in PowerShell: Set-ExecutionPolicy Unrestricted (in an admin PowerShell)
  5. Download the PowerShell update (KB3191566): https://docs.microsoft.com/fr-fr/powershell/scripting/windows-powershell/wmf/setup/install-configure?view=powershell-7.2
  6. Decompress the archive and execute the script Install-WMF5.1.ps1
  7. Install FLARE VM (https://github.com/mandiant/flare-vm): execute install.ps1
  8. The Sysinternals suite installed by FLARE VM won't work. You have to install an old version of Sysinternals (https://www.afterdawn.com/software/system_tools/system_information/sysint_suite.cfm/july_18,_2012#all_versions)
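Before launching the FLARE VM installer it is worth confirming that steps 1 to 6 actually took effect, since install.ps1 fails in confusing ways when SHA-2 support, .NET 4.8 or PowerShell 5.1 is missing. The script below is an added example written for this page; it is not part of the xalicex repository or of flare-vm. It assumes the documented Microsoft values for the .NET 4.8 registry marker (Release value 528040 or higher under NDP\v4\Full) and the subject name of the root certificate from step 1 ("Microsoft Root Certificate Authority 2011"); everything else maps directly onto the numbered steps above. It only uses cmdlets that exist in the PowerShell 2.0 that ships with Windows 7, so it can be run before the WMF 5.1 upgrade as well as after.

```powershell
# Added prerequisite check for the Windows 7 malware-RE VM (example code, not from the repo).
# Run in an elevated PowerShell on the VM before executing flare-vm's install.ps1.
# Assumptions: .NET 4.8 Release marker >= 528040 and the root CA subject name below
# are the values Microsoft documents; the steps themselves come from the README.

$checks = @()

function Add-Check($name, $ok, $detail) {
    $script:checks += New-Object PSObject -Property @{ Check = $name; OK = $ok; Detail = $detail }
}

# Step 1: the 2011 Microsoft root certificate must be present in the machine Root store,
# otherwise SHA-2 signed packages downloaded later cannot be validated.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Microsoft Root Certificate Authority 2011*' }
Add-Check 'Root CA 2011 installed' ($root -ne $null) $(if ($root) { $root.Thumbprint } else { 'missing' })

# Step 2: KB3033929 adds SHA-2 code-signing support to Windows 7 SP1.
$kb = Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue
Add-Check 'KB3033929 (SHA-2 support)' ($kb -ne $null) $(if ($kb) { "InstalledOn=$($kb.InstalledOn)" } else { 'missing' })

# Step 3: .NET Framework 4.8 writes Release >= 528040 (528049 on Windows 7) to NDP\v4\Full.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
Add-Check '.NET Framework 4.8' ($release -ge 528040) "Release=$release"

# Step 4: the README sets the policy to Unrestricted so Install-WMF5.1.ps1 and install.ps1 can run.
$policy = Get-ExecutionPolicy
Add-Check 'Script execution allowed' ($policy -ne 'Restricted') "ExecutionPolicy=$policy"

# Steps 5-6: WMF 5.1 (KB3191566) raises Windows PowerShell to 5.1, which flare-vm requires.
$psv = $PSVersionTable.PSVersion
$ps51 = ($psv.Major -gt 5) -or ($psv.Major -eq 5 -and $psv.Minor -ge 1)
Add-Check 'PowerShell 5.1 (WMF 5.1)' $ps51 "Version=$psv"

$checks | Format-Table Check, OK, Detail -AutoSize

if ($checks | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more prerequisites are missing; fix them before running flare-vm install.ps1.'
} else {
    Write-Host 'All prerequisites present; ready for flare-vm install.ps1.'
}
```

Each row of the table corresponds to one numbered step, so a failed row tells you exactly which step to redo. The certificate check matches on the subject name rather than a hard-coded thumbprint so that it does not depend on a value copied from elsewhere; the .NET check uses the registry Release marker because the installer itself does not leave an easily queried version number.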

Single tools

If you don't want the flare-vm tools, I recommend at least the following ones:

IDA

https://hex-rays.com/ida-free/

CAPA

https://github.com/mandiant/capa

Regshot

https://sourceforge.net/projects/regshot/

Sysinternals suite

For Windows 7, use the old version: https://www.afterdawn.com/software/system_tools/system_information/sysint_suite.cfm/july_18,_2012#all_versions

x64dbg

https://x64dbg.com/

PE-Bear

https://github.com/hasherezade/pe-bear-releases

Process Hacker

https://github.com/processhacker/processhacker

Pestudio

https://www.winitor.com/features

PEiD

https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml

About

Steps to get a working Windows 7 VM for malware RE