Dynamic analysis-based detection entails live monitoring of running processes in
order to determine whether any of them is behaving with malicious intent. Any
process found to be behaving maliciously is flagged as dangerous and terminated. The basic
behavioural traits monitored are:
persistence – To ensure an attack is carried out to completion, the malware needs to
persist across reboots and be able to resume upon startup. Common techniques
used by ransomware include placing a copy of its executable into the Windows
startup directory, adding a registry run key entry, or setting up a scheduled
task, to name a few.
restore – To ensure that its malicious actions cannot be undone, malware may
try to disable system restore functionality. Ransomware, for example, has been
known to delete Windows shadow copies, which prevents encrypted data from being
restored to an older, unencrypted version.
techniques – Malware will try to execute in a stealthy manner to avoid being
noticed by the user or detected by virus scanners. Common techniques include: injection
into legitimate processes, executing from the %AppData% directory and using
executables named the same as common Windows executables, to name a few.
mapping – When malware is executed, it may map its system environment before
initiating its setup procedure. This is typically done to determine if it’s
running on a real computer or on a sandbox environment that could be attempting
to analyse it.
traffic – Ransomware that requires an internet connection does so for two
possible tasks: downloading payload-related files and/or communicating the
encryption key.
elevation – Executing malicious system-related activities may require access
rights beyond those granted to the victim's user account. For example,
ransomware may want to overwrite the Master Boot Record, which can only be done
as an Administrator. Simply asking for administrator access may work, or other
privilege escalation techniques may be used.
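As an added example (not part of the original text), the following rule set applies three of the traits above (persistence, restore and techniques) to a few constructed process-event records and reports which process a dynamic detector would flag. The event format, the list of system binary names and the flagging threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). "pid" is the acting process;
# "spawn" records the command line of a child process it started.
EVENTS = [
    {"pid": 100, "op": "exec",       "target": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"},
    {"pid": 100, "op": "reg_set",    "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"pid": 100, "op": "spawn",      "target": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 200, "op": "exec",       "target": "C:\\Windows\\System32\\svchost.exe"},
    {"pid": 200, "op": "file_write", "target": "C:\\Users\\alice\\Documents\\report.docx"},
    {"pid": 300, "op": "file_write", "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                                               "\\Start Menu\\Programs\\Startup\\sync.exe"},
]

# Assumed list of common Windows binary names that malware borrows, and the
# directories from which the genuine copies run.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")

# (trait, event type, predicate over the lower-cased target)
RULES = [
    ("persistence", "reg_set",    lambda t: "\\currentversion\\run" in t),
    ("persistence", "file_write", lambda t: "\\start menu\\programs\\startup\\" in t),
    ("persistence", "spawn",      lambda t: t.startswith("schtasks") and "/create" in t),
    ("restore",     "spawn",      lambda t: "vssadmin" in t and "delete shadows" in t),
    ("techniques",  "exec",       lambda t: "\\appdata\\" in t),
    ("techniques",  "exec",       lambda t: t.rsplit("\\", 1)[-1] in SYSTEM_NAMES
                                            and not t.startswith(SYSTEM_DIRS)),
]

def classify(events):
    """Return {pid: sorted traits observed} for every pid that matched at least one rule."""
    traits = defaultdict(set)
    for ev in events:
        target = ev["target"].lower()
        for trait, op, pred in RULES:
            if ev["op"] == op and pred(target):
                traits[ev["pid"]].add(trait)
    return {pid: sorted(found) for pid, found in traits.items()}

def flagged(events, min_traits=1):
    """Pids a detector would flag (and, per the text, terminate) given a trait threshold."""
    return sorted(pid for pid, found in classify(events).items() if len(found) >= min_traits)

if __name__ == "__main__":
    for pid, found in classify(EVENTS).items():
        print(pid, found)
    print("flagged:", flagged(EVENTS))
```

Raising `min_traits` trades missed detections for fewer false positives, since a single trait such as a Startup-folder write is also produced by legitimate installers.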