Intezer uses dynamic execution and static unpacking techniques in order to analyze packed files, installers and more. This document covers all unpacking options and how to use them.
Table of Contents
Dynamic Execution
Intezer executes files in an isolated environment in order to extract newly executed or unpacked code from memory, map the file's TTPs and IoCs, and Behavior.
Intezer automatically performs a Dynamic Execution process as follows:
- Analyzes the uploaded file, identifying whether it is a non-binary, or a packed binary file.
- Executes the file in an isolated server (sandbox)
- Analyzes the code loaded into memory
- Collects behavioral context in order to map TTPs, IoCs and the general file activity.
In cases where the file was not recognized as packed, you can send the file to Dynamic Execution by using “Dynamic Execution” button or by using the API.
All extracted files and memory modules are shown in the “Dynamic Execution” or "Static Extraction" sections on the left-hand side of the analysis.
Extended Dynamic Execution
In some cases, evasive malware should be executed over an extended period of time in order to properly detonate and reveal the actual payload. Use this option to execute the file for an extended period of time.
Static Extraction
Intezer performs an automatic Static Unpacking process on UPX files, installers and embedded PE files, in order to disclose the actual code or malware. The static extraction is done recursively.
You also have the option to manually send a file to static unpacking by clicking “Extract” button on the left-hand pane in the GUI or by using the API.
This will also refresh the analysis and re-evaluate the verdict ("Reanalyze"), taking into account any extracted files as part of the new analysis.
Additional Resources