Hands-on malware analysis using real samples in an isolated Proxmox environment — detection, behavioral analysis, and removal using Sysinternals tools.
| # | Lab | Description |
|---|---|---|
| 01 | Environment Setup | Built an isolated Windows 10 analysis workstation with the Sysinternals Suite (Process Explorer, Autoruns, TCPView, Process Monitor), 7-Zip and an empty samples folder, then took a clean baseline snapshot so each analysis can be reverted and repeated. |
| 02 | Trojan/RAT Analysis | Detonated a real AsyncRAT sample and identified its process masquerading (running as Edge.exe), registry persistence, self-replication into AppData, and C2 configuration. Performed manual removal in the correct operational order (kill the process before deleting persistence and files) and verified the cleanup survived a reboot. |
| 03 | Adware/PUP Analysis | Analyzed a scareware PUP (PC Privacy Shield) that uses valid code signing, MSI installer framework, scheduled task nag popups, and affiliate tracking to monetize through fake scan results. Contrasted PUP techniques with trojan behavior from Lab 02. |
| 04 | Ransomware Analysis | Detonated a ClearWater ransomware sample that destroys recovery options, encrypts files with .clear extension, and deploys ransom notes with wallpaper change. Contrasted ransomware behavior with trojan and PUP techniques from Labs 02–03. |
- Static analysis with PE header inspection and string extraction
- Memory forensics with Volatility
- Network-connected malware analysis with traffic capture