A fully automated malware analysis pipeline that executes samples in an isolated VM sandbox, monitors runtime behavior via Sysmon, correlates static vs dynamic findings, maps to MITRE ATT&CK techniques, and validates against VirusTotal — all without manual intervention.
- Overview
- Features
- Architecture
- Requirements
- Installation
- Configuration
- Usage
- Sample Results
- Project Structure
- Key Findings
- Limitations
- Disclaimer
## Overview

This framework analyzes Windows PE executable files using two complementary techniques:

- Static Analysis — Examines the binary without executing it. Extracts PE imports, detects suspicious APIs, and performs .NET assembly analysis via `dnfile` to handle managed malware that evades conventional PE scanning.
- Dynamic Analysis — Executes each sample inside an isolated Windows 10 VM, monitors system behavior via Sysmon for 60 seconds, exports event logs, and parses them for persistence, process, and registry activity.

Results from both stages are correlated, scored (0–100), classified, and validated against VirusTotal. Per-sample and summary reports are generated automatically.
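As an added example (not the project's own `static_analysis.py`), the sketch below shows how the static stage can be built on `pefile` and `dnfile`: native imports are extracted and bucketed into suspicious-API categories, and for a managed assembly the MemberRef/TypeRef tables are scanned instead. The category tables are a constructed subset of the page's 30+ categories, the dnfile table/field names are an assumption about that library's API, and both libraries are imported lazily so `categorize()` runs on a constructed import list without a sample.

```python
"""Static stage sketch: extract imports and bucket them into suspicious-API categories."""
from collections import defaultdict
# Constructed subset of the suspicious-API categories the static stage checks.
SUSPICIOUS_APIS = {
    "persistence": {"RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW",
                    "RegCreateKeyA", "RegCreateKeyW", "RegSetValueA", "RegSetValueW"},
    "injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtMapViewOfSection"},
    "network": {"WSAStartup", "connect", "InternetOpenA", "InternetOpenW", "URLDownloadToFileA"},
}
# .NET member/type references; the page reports dnfile exposing SetValue, TcpClient, WebClient in njRAT.
SUSPICIOUS_DOTNET = {
    "persistence": {"SetValue", "CreateSubKey", "RegistryKey"},
    "network": {"TcpClient", "WebClient", "Socket", "HttpWebRequest"},
    "injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
}

def pe_imports(path):
    """Names imported by a native PE (pefile is imported lazily; only needed for real samples)."""
    import pefile
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    return [imp.name.decode() for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])
            for imp in entry.imports if imp.name]

def dotnet_refs(path):
    """MemberRef names and TypeRef type names of a managed PE via dnfile; [] if not .NET.
    Assumed dnfile API: dnPE(path).net.mdtables.<Table>.rows with Name / TypeName fields."""
    import dnfile
    dn = dnfile.dnPE(path)
    if dn.net is None:
        return []
    tables = dn.net.mdtables
    rows = lambda t: t.rows if t is not None else []  # a table may be absent from the assembly
    return [r.Name for r in rows(tables.MemberRef)] + [r.TypeName for r in rows(tables.TypeRef)]

def categorize(names, table=SUSPICIOUS_APIS):
    """Map import/reference names to {category: [matching names]}; {} means nothing suspicious."""
    hits = defaultdict(list)
    for name in names:
        for category, apis in table.items():
            if name in apis:
                hits[category].append(name)
    return dict(hits)

def analyze_static(path):
    """Full static pass: scan .NET references when present, otherwise native imports."""
    refs = dotnet_refs(path)
    if refs:
        return {"kind": ".NET", "hits": categorize(refs, SUSPICIOUS_DOTNET), "count": len(refs)}
    imports = pe_imports(path)
    return {"kind": "native", "hits": categorize(imports), "count": len(imports)}
```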
## Features

| Feature | Description |
|---|---|
| PE Static Analysis | Extracts 30+ suspicious API categories: persistence, injection, network, evasion |
| .NET Assembly Analysis | Scans MemberRef, TypeRef, User Strings via dnfile — detects obfuscated .NET malware |
| VM Sandbox Automation | Full VMware lifecycle: revert snapshot → execute → monitor → export logs → stop |
| Sysmon Monitoring | Captures Event ID 1 (process), 12/13 (registry) during live execution |
| Persistence Detection | Detects Registry Run/RunOnce key writes with legitimate entry whitelisting |
| Persistence Hammering | Detects repeated key writes (aggressive persistence pattern) |
| Static vs Dynamic Correlation | Compares predictions against runtime findings — identifies false positives |
| Threat Scoring | Weighted 0–100 score across persistence, injection, network, registry activity |
| MITRE ATT&CK Mapping | Maps findings to T1547.001, T1055, T1059, T1071, T1041, T1112 |
| VirusTotal Integration | Validates SHA256 hashes against 70+ AV engines via VT API v3 |
| Automated Reports | Per-sample 7-section reports + global summary with VT detection rates |
| Batch Processing | Processes all samples in samples/ directory automatically |
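The Sysmon Monitoring, Persistence Detection and Persistence Hammering rows are implemented here as an added example (not the project's `dynamic_parser.py`) over events in the XML shape that `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` emits: Event ID 1 gives the process chain, Event ID 13 writes under `Run`/`RunOnce` are recorded once and counted, and a key written more often than a threshold is reported as hammering. The sample events, the whitelist of legitimate Run entries and the threshold are constructed assumptions.

```python
"""Sysmon parsing stage: Event ID 1/12/13 parsing, Run-key persistence, hammering."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
LEGIT_RUN_ENTRIES = {"onedrive", "securityhealth"}  # constructed whitelist of benign entries
HAMMER_THRESHOLD = 10  # assumption; the page's Blackkomet run wrote one value 756 times

def parse_events(xml_text):
    """Yield (EventID, {Data Name: value}) for each <Event> in wevtutil XML output."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # wevtutil emits bare <Event>s
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        yield eid, {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}

def analyze(xml_text):
    """Return processes, confirmed Run/RunOnce writes and hammered keys for one sample."""
    result = {"processes": [], "persistence": [], "hammering": {}, "registry_events": 0}
    writes = Counter()
    for eid, d in parse_events(xml_text):
        if eid == 1:  # process creation
            result["processes"].append((d.get("Image", ""), d.get("ParentImage", "")))
        elif eid in (12, 13):  # registry key create/delete (12) or value set (13)
            result["registry_events"] += 1
            target = d.get("TargetObject", "")
            m = RUN_KEY.search(target)
            if eid == 13 and m and m.group(2).lower() not in LEGIT_RUN_ENTRIES:
                if writes[target] == 0:  # first write: record the persistence entry
                    result["persistence"].append(
                        {"key": target, "image": d.get("Image", ""), "value": d.get("Details", "")})
                writes[target] += 1
    result["hammering"] = {k: n for k, n in writes.items() if n >= HAMMER_THRESHOLD}
    return result

def _event(eid, **data):
    """Constructed Sysmon-style event; values here contain no XML metacharacters."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

RUN = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_LOG = (  # constructed: one process start, 12 hammered writes, one benign OneDrive write
    _event(1, Image=r"C:\Shared\sample.exe", ParentImage=r"C:\Windows\System32\cmd.exe")
    + _event(13, EventType="SetValue", Image=r"C:\Shared\sample.exe",
             TargetObject=RUN + r"\winupdater", Details=r"C:\Users\Public\winupdater.exe") * 12
    + _event(13, EventType="SetValue", Image=r"C:\Windows\explorer.exe",
             TargetObject=RUN + r"\OneDrive", Details=r"C:\Program Files\OneDrive.exe")
)
```

Running `analyze(SAMPLE_LOG)` reports one persistence entry (`winupdater`), flags it as hammered with 12 writes, and ignores the whitelisted OneDrive entry.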
## Architecture

```text
Host Machine (Controller)
├── static_analysis.py          ← PE + .NET static analysis
├── dynamic_runner.py           ← VM automation and execution
├── dynamic_parser.py           ← Sysmon log parsing
├── correlation_engine.py       ← Static vs dynamic correlation + scoring
├── virustotal_lookup.py        ← VirusTotal API validation
├── report_generator.py         ← Report generation
└── visual_report_generator.py  ← Visual report generation
            ↓ vmrun + shared folder
Windows 10 VM Sandbox
├── Sysmon (Event ID 1, 12, 13)
├── run_sample.bat
└── Snapshot: CLEAN_BASE_DEFENDER_DISABLED
```

Pipeline Flow:

```text
samples/*.exe
  → static_analysis.py         → logs/parsed/static_*.json
  → dynamic_runner.py          → logs/raw/*/sysmon.evtx
  → dynamic_parser.py          → logs/parsed/*_analysis.json
  → correlation_engine.py      → logs/parsed/*_correlation.json
  → virustotal_lookup.py       → logs/parsed/vt_*.json
  → report_generator.py        → reports/per_sample/*_report.txt
                               → reports/summary/analysis_summary.txt
  → visual_report_generator.py → reports/visual_report.html
```
## Requirements

Host:

- Windows 10/11 64-bit
- Python 3.10+
- VMware Workstation Pro/Player

Python packages:

- pefile
- dnfile
- requests
- pyyaml

Install all:

```shell
pip install pefile dnfile requests pyyaml
```

VM sandbox:

- Sysmon64 installed with registry monitoring config
- VMware Tools installed
- Windows Defender disabled
- Shared folder mapped to `C:\Shared`
- `C:\Tools\run_sample.bat` present
- Clean snapshot taken

Tools:

- `vmrun.exe` — included with VMware Workstation
- `wevtutil.exe` — built into Windows
- VirusTotal API key (free at virustotal.com)
## Installation

1. Clone the repository

```shell
git clone https://github.com/yourusername/malware-analysis-framework.git
cd malware-analysis-framework
```

2. Install Python dependencies

```shell
pip install pefile dnfile requests pyyaml
```

3. Set up the VM sandbox

- Install Windows 10 in VMware Workstation
- Install Sysmon inside the VM:

```cmd
Sysmon64.exe -i C:\Tools\sysmon.xml
```

- Disable Windows Defender real-time protection
- Configure VMware shared folder: Host `vm_shared/` → Guest `C:\Shared`
- Create `C:\Tools\run_sample.bat` in the VM:

```batch
@echo off
set SAMPLE=%~1
start "" "%SAMPLE%"
exit /b 0
```

- Take a clean snapshot named `CLEAN_BASE_DEFENDER_DISABLED`

4. Configure the framework

Edit `controller/config.yaml`:

```yaml
vmx_path: "D:/Windows 10/Windows 10 x64.vmx"
snapshot: "CLEAN_BASE_DEFENDER_DISABLED"
execution_timeout: 60
shared_folder: "C:/malware_framework/vm_shared"
guest_user: "your_vm_username"
guest_pass: "your_vm_password"
```

5. Add your VirusTotal API key

Edit `controller/virustotal_lookup.py`:

```python
VT_API_KEY = "YOUR_VIRUSTOTAL_API_KEY_HERE"
```

Get a free key at: https://www.virustotal.com

6. Add malware samples

Place `.exe` files in the `samples/` directory. See Getting Samples Safely below.
## Configuration

All settings are controlled via `controller/config.yaml`:

| Setting | Description | Default |
|---|---|---|
| `vmx_path` | Full path to your .vmx file | Required |
| `snapshot` | Snapshot name to revert before each sample | CLEAN_BASE_DEFENDER_DISABLED |
| `execution_timeout` | Seconds to monitor each sample | 60 |
| `shared_folder` | Host-side path to vm_shared folder | Required |
| `guest_user` | VM username for vmrun commands | Required |
| `guest_pass` | VM password for vmrun commands | Required |
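As an added example (not the project's `dynamic_runner.py`), this is the VMware lifecycle from the Features table driven by the settings above: revert snapshot, start, launch the sample through `C:\Tools\run_sample.bat`, wait `execution_timeout`, export the Sysmon channel with `wevtutil epl` into the shared folder, stop. `plan()` only builds the `vmrun` command lines so they can be inspected without VMware; `execute()` runs them for a real sample. The `-T ws` host type, the `nogui`/`hard` options and the `logs/raw/<sample>/` layout are assumptions.

```python
"""VM lifecycle for one sample: revert -> start -> execute -> wait -> export -> stop."""
import shutil
import subprocess
import time
from pathlib import Path

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

def load_config(path="controller/config.yaml"):
    """Read the pipeline settings (pyyaml imported lazily; only needed for real runs)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)

def plan(cfg, sample_name):
    """Ordered command lines for one sample; nothing is executed here."""
    vmx = cfg["vmx_path"]
    base = ["vmrun", "-T", "ws"]  # assumption: "ws" = VMware Workstation host type
    guest = base + ["-gu", cfg["guest_user"], "-gp", cfg["guest_pass"]]
    return [
        base + ["revertToSnapshot", vmx, cfg["snapshot"]],  # clean state before every sample
        base + ["start", vmx, "nogui"],
        guest + ["runProgramInGuest", vmx, "-noWait",  # launch via the guest-side .bat
                 "C:\\Tools\\run_sample.bat", "C:\\Shared\\" + sample_name],
        ("sleep", cfg["execution_timeout"]),  # Sysmon monitoring window
        guest + ["runProgramInGuest", vmx, "C:\\Windows\\System32\\wevtutil.exe",
                 "epl", SYSMON_CHANNEL, "C:\\Shared\\sysmon.evtx"],  # guest user needs read access
        base + ["stop", vmx, "hard"],
    ]

def execute(cfg, sample_path, logs_root="logs/raw"):
    """Run the plan for a real sample; returns the host-side path of the exported EVTX."""
    sample_path = Path(sample_path)
    shared = Path(cfg["shared_folder"])
    shutil.copy2(sample_path, shared / sample_path.name)  # hand the sample to the guest
    for step in plan(cfg, sample_path.name):
        if step[0] == "sleep":
            time.sleep(step[1])
        else:
            subprocess.run(step, check=True)
    dest = Path(logs_root) / sample_path.stem / "sysmon.evtx"
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(shared / "sysmon.evtx"), str(dest))
    return dest
```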
## Usage

Run the pipeline step by step:

```powershell
cd C:\malware_framework
# Step 1 - Static analysis (no VM needed)
python controller\static_analysis.py
# Step 2 - Dynamic execution (VM required, ~75s per sample)
python controller\dynamic_runner.py
# Step 3 - Parse Sysmon logs
python controller\dynamic_parser.py
# Step 4 - Correlate and score
python controller\correlation_engine.py
# Step 5 - VirusTotal validation
python controller\virustotal_lookup.py
# Step 6 - Generate reports
python controller\report_generator.py
# Step 7 - Generate visual reports
python controller\visual_report_generator.py
```
Or run the full pipeline in one line:

```powershell
python controller\static_analysis.py; python controller\dynamic_runner.py; python controller\dynamic_parser.py; python controller\correlation_engine.py; python controller\virustotal_lookup.py; python controller\report_generator.py; python controller\visual_report_generator.py
```

View the results:

```powershell
Get-Content reports\summary\analysis_summary.txt -Encoding UTF8
Get-Content reports\per_sample\Blackkomet_report.txt -Encoding UTF8
start reports\visual_report.html
```

## Sample Results

Results from analyzing 3 samples:
| Sample | Classification | Threat Score | VT Detection |
|---|---|---|---|
| Blackkomet.exe | Confirmed Persistent Malware | 100/100 CRITICAL | 65/70 (92.9%) |
| njRAT.exe | Confirmed Persistent Malware | 60/100 HIGH | 50/62 (80.6%) |
| notepad.exe | Benign / Clean Application | 20/100 LOW | 0/72 (0.0%) |
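The VT Detection column is what the VirusTotal stage produces. As an added example (not the project's `virustotal_lookup.py`), here is a VT API v3 file lookup by SHA256 that turns `last_analysis_stats` into the same `malicious/engines` ratio; the key is read from a `VT_API_KEY` environment variable rather than pasted into source, `requests` is imported lazily so `summarize()` runs offline, and the 50% verdict threshold and the sample stats block are constructed.

```python
"""VirusTotal API v3 validation of a sample by SHA256 hash."""
import hashlib
import os

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

def sha256_of(path):
    """Hash the sample on disk without executing it."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def summarize(stats):
    """Reduce VT's last_analysis_stats to (malicious, engines, percent).
    Engines that gave a verdict = malicious + suspicious + undetected + harmless;
    timeout / type-unsupported / failure entries are left out of the denominator."""
    malicious = stats.get("malicious", 0)
    engines = (malicious + stats.get("suspicious", 0)
               + stats.get("undetected", 0) + stats.get("harmless", 0))
    percent = round(100.0 * malicious / engines, 1) if engines else 0.0
    return malicious, engines, percent

def lookup(sha256, api_key=None, timeout=30):
    """Fetch an existing VT report; returns None when the hash is unknown (HTTP 404).
    The key comes from the VT_API_KEY environment variable unless passed explicitly."""
    import requests  # lazy: only needed for a live query
    key = api_key or os.environ.get("VT_API_KEY")
    if not key:
        raise RuntimeError("VT_API_KEY is not set")
    resp = requests.get(VT_FILE_URL.format(sha256), headers={"x-apikey": key}, timeout=timeout)
    if resp.status_code == 404:
        return None
    resp.raise_for_status()
    stats = resp.json()["data"]["attributes"]["last_analysis_stats"]
    malicious, engines, percent = summarize(stats)
    return {"sha256": sha256, "malicious": malicious, "engines": engines, "percent": percent,
            "verdict": "MALICIOUS" if percent >= 50 else "CLEAN"}  # 50% threshold assumed

# Constructed stats block shaped like the Blackkomet row above (65 of 70 engines).
SAMPLE_STATS = {"malicious": 65, "suspicious": 0, "undetected": 5, "harmless": 0,
                "timeout": 1, "type-unsupported": 2, "failure": 0}
```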
MITRE ATT&CK techniques detected for Blackkomet:
- T1547.001 — Boot/Logon Autostart: Registry Run Keys
- T1055 — Process Injection
- T1059 — Command and Scripting Interpreter
- T1071 — Application Layer Protocol (C2 Communication)
- T1041 — Exfiltration Over C2 Channel
- T1112 — Modify Registry
## Project Structure

```text
malware_framework/
├── controller/
│   ├── static_analysis.py          # PE + .NET static analyzer
│   ├── dynamic_runner.py           # VM automation engine
│   ├── dynamic_parser.py           # Sysmon EVTX log parser
│   ├── correlation_engine.py       # Correlation + threat scoring
│   ├── virustotal_lookup.py        # VirusTotal API integration
│   ├── report_generator.py         # Report generation
│   ├── config.yaml                 # Pipeline configuration
│   └── visual_report_generator.py  # Visual report generation
│
├── samples/
│   └── README.md                   # Instructions for obtaining samples
│
├── logs/
│   ├── raw/                        # Raw EVTX logs per sample
│   └── parsed/                     # JSON analysis outputs
│
├── reports/
│   ├── per_sample/                 # Individual sample reports
│   ├── summary/                    # Aggregate summary report
│   └── visual_report.html          # Visual report
│
└── vm_shared/                      # Host-VM file transfer directory
```
## Key Findings

1. Static analysis produces false positives

   Both Blackkomet and notepad import `RegCreateKey`/`RegSetValue`. Static analysis flags both as suspicious. Dynamic analysis confirms only Blackkomet actually writes persistence keys at runtime.

2. .NET malware evades native PE static analysis

   njRAT showed only 1 PE import under conventional scanning. `dnfile`-based .NET assembly analysis revealed 14 suspicious method references including `RegistryKey.SetValue`, `TcpClient`, and `WebClient` — exposing its true capability.

3. Dynamic execution is required for confirmation

   Blackkomet wrote to `HKU\...\Run\winupdater` 756 times during execution — a persistence hammering pattern only detectable through live monitoring.
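Bringing the three findings together, as an added example (not the project's `correlation_engine.py`): static categories are compared with what dynamic monitoring confirmed, persistence predicted from imports but never observed at runtime is reported as a static false positive, a weighted 0–100 score and classification are derived, and the ATT&CK techniques listed under Sample Results are mapped. The weights, thresholds and verdict labels are constructed assumptions, and the two inputs are the constructed shapes of the static-hits and Sysmon-analysis JSON outputs.

```python
"""Correlation + threat scoring: compare static predictions with dynamic confirmation."""

# Assumed weights (sum to 100) and thresholds; the project's real values are not on the page.
WEIGHTS = {"persistence_confirmed": 40, "hammering": 20, "injection": 15,
           "network": 15, "registry_activity": 10}
STATIC_ONLY_HINT = 5  # an unconfirmed static indicator only nudges the score
STATIC_ONLY = {"injection", "network"}  # page: predicted from static APIs, not captured at runtime
ATTACK = {"persistence": ["T1547.001", "T1112"], "injection": ["T1055"],
          "network": ["T1071", "T1041"], "scripting": ["T1059"]}
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

def correlate(static_hits, dynamic):
    """static_hits: {category: [api names]} from the static stage; dynamic: {"persistence": [...],
    "hammering": {...}, "registry_events": n, "processes": [(image, parent_image)]}."""
    predicted, confirmed, score = set(static_hits), set(), 0
    if dynamic.get("persistence"):  # Run/RunOnce write actually observed by Sysmon
        confirmed.add("persistence")
        score += WEIGHTS["persistence_confirmed"]
    if dynamic.get("hammering"):
        score += WEIGHTS["hammering"]
    if dynamic.get("registry_events", 0):
        score += WEIGHTS["registry_activity"]
    if any(img.lower().endswith(SCRIPT_HOSTS) for img, _ in dynamic.get("processes", [])):
        confirmed.add("scripting")  # sample spawned a script/command interpreter
    for cat in predicted & STATIC_ONLY:
        score += WEIGHTS[cat]
    # Predicted by imports but never observed at runtime: the notepad-style false positive.
    false_positives = sorted(predicted - confirmed - STATIC_ONLY)
    score = min(100, score + STATIC_ONLY_HINT * len(false_positives))
    active = confirmed | (predicted & STATIC_ONLY)
    techniques = sorted({t for cat in active for t in ATTACK.get(cat, [])})
    level = ("CRITICAL" if score >= 80 else "HIGH" if score >= 50
             else "MEDIUM" if score >= 30 else "LOW")
    if "persistence" in confirmed:
        label = "Confirmed Persistent Malware"
    elif score >= 30:
        label = "Suspicious (static indicators only)"
    else:
        label = "Benign / Clean Application"
    return {"score": score, "level": level, "label": label, "confirmed": sorted(confirmed),
            "false_positives": false_positives, "techniques": techniques}
```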
## Getting Samples Safely

Never download malware from unknown sources.

Safe, legitimate repositories for security research:

- MalwareBazaar — abuse.ch, academic/research use
- VirusTotal — upload and analyze
- Any.run — interactive sandbox with sample library

Zip password for MalwareBazaar downloads: `infected`
## Limitations

- Execution window is 60 seconds — delayed payloads may not trigger
- Network activity is predicted from static APIs, not dynamically captured
- Heavily obfuscated .NET assemblies may hide method names from dnfile
- No scheduled task or service-based persistence monitoring
- Tested on Windows 10 x64 only
## Disclaimer

This framework is built strictly for educational and research purposes. All malware samples were analyzed in an isolated, network-restricted virtual machine environment with no internet access. Never execute malware on a production machine or any system connected to a network. The author takes no responsibility for misuse of this framework or any tools described herein.
Author: Nandish Talapada (Enrollment No: 250103003013)
| Tool | Purpose | Link |
|---|---|---|
| pefile | PE import extraction | pypi |
| dnfile | .NET assembly analysis | pypi |
| Sysmon | Runtime behavior monitoring | Microsoft |
| VMware Workstation | VM sandbox | VMware |
| VirusTotal API | Threat intelligence validation | VirusTotal |
| MITRE ATT&CK | Technique classification framework | MITRE |