This is a basic workflow I came up with.
The core concepts are:
- Try to guess what the malware does before you run it
- Note EVERYTHING, EVERY TIME you use this workflow
- Take a VM snapshot named “Pre-Detonation” and switch the VM to host-only network mode
- PEiD: check whether the sample is packed
- PEStudio:
  - check the signatures to see whether some antivirus already recognizes the sample
  - check whether it is packed, by looking at the sections
  - look at the imports
  - look at the strings
- Make sure nothing else is running in your VM
- Open FakeNet
- Open RegShot and take a first snapshot
- Open ProcMon, add a filter for the process and start capturing events
- Open Process Explorer (ProcExp)
- Run the malware and see what happens
- Stop capturing in ProcMon
- Take a second snapshot with RegShot and analyze the comparison log
- Copy-paste the FakeNet logs somewhere
- Dig into ProcMon’s log
Then you will need to set up IDA and a debugger and go through all of the assembly code.
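The static part of the workflow (PEiD and PEStudio: is it packed, what do the sections look like, which strings are present) can be reproduced with a few lines of standard-library Python. The script below is an added example, not part of the original workflow nor the output of any of the tools named above. It parses the PE section table, scores each section's Shannon entropy, reports the three packing hints PEStudio-style triage relies on (high entropy, a section with no raw data but a large virtual size, and a packer-specific section name), and extracts printable strings. Import parsing is left to PEStudio or the `pefile` library. The sample image is a constructed, non-executable PE laid out like a UPX-packed file; all of its section names, sizes and strings are made up for the demo.

```python
import hashlib
import math
import re
import struct

# Entropy above this (maximum is 8.0 bits per byte) usually means compressed or
# encrypted data, the classic sign of a packed section.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table (stdlib only) and score each section's entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        data = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "entropy": round(shannon_entropy(data), 2)})
    return sections


def packing_indicators(sections: list) -> list:
    """Human-readable hints that the sample is packed, one per finding."""
    hints = []
    for s in sections:
        if s["entropy"] > HIGH_ENTROPY:
            hints.append(f"{s['name']}: entropy {s['entropy']} suggests compressed/encrypted data")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes reserved "
                         "in memory (likely unpacking target)")
        if s["name"].upper().startswith("UPX"):
            hints.append(f"{s['name']}: section name matches the UPX packer")
    return hints


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least `min_len` bytes, like the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(pe: bytes) -> dict:
    sections = parse_sections(pe)
    return {"sections": sections, "indicators": packing_indicators(sections),
            "strings": extract_strings(pe)}


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE image that mimics a UPX-packed layout (demo input)."""
    text = (b"\0" * 64 + b"Hello from the constructed sample\0"
            + b"http://example.invalid/update\0" + b"\0" * 300)
    packed, seed = b"", b"constructed seed"  # deterministic pseudo-random "compressed" data
    while len(packed) < 4096:
        seed = hashlib.sha256(seed).digest()
        packed += seed
    layout = [  # (name, virtual size, virtual address, raw data)
        (b"UPX0", 0x10000, 0x1000, b""),   # empty on disk, filled by the unpacking stub
        (b"UPX1", 0x2000, 0x11000, packed),
        (b".rsrc", len(text), 0x13000, text),
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 optional header, mostly zero
    headers, raw, ptr = b"", b"", 512
    for name, vsize, vaddr, data in layout:
        padded = data + b"\0" * (-len(data) % 512)
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(padded),
                               ptr if padded else 0, 0, 0, 0, 0, 0x60000020)
        raw += padded
        ptr += len(padded)
    image = dos + coff + opt + headers
    return image + b"\0" * (512 - len(image)) + raw


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<8} raw={s['raw_size']:#7x} virt={s['virtual_size']:#7x} "
              f"entropy={s['entropy']}")
    print("indicators:", *report["indicators"], sep="\n  ")
    print("strings:", [x for x in report["strings"] if len(x) > 8])
```

Run it against a real sample with `triage(open(path, "rb").read())`. The string list on a packed binary is mostly short random runs from the compressed section, which is itself a useful signal: few readable strings before unpacking, many after.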