Intezer Analyze uses static and dynamic unpacking techniques in order to analyze packed files, installers and more. This document covers all unpacking options and how to use them.
Table of Contents
- Types of Unpacking
- Additional Resources
Types of Unpacking
Intezer Analyze automatically performs a Static Extraction process on UPX-packed files, installers and embedded PE files to expose the actual code or malware. The static extraction is applied recursively, so files extracted from an outer layer are themselves extracted again.
You also have the option to manually send a file to static unpacking by clicking “Force Static Unpacking” in the GUI or using the API.
Archive files (such as Zip, RAR, TAR, and 7-Zip) are extracted only if they contain no more than one file.
All extracted files are shown in the “Static Extraction” section on the left-hand side of the analysis.
Intezer Analyze investigates packed files in an isolated environment by extracting newly executed code from memory, providing deeper insights into packed files and multi-stage malware.
For all kinds of packers besides UPX, Intezer Analyze automatically performs a Dynamic Execution process as follows:
- Analyzes the uploaded file, identifying it as a packed file
- Executes the file in an isolated server (sandbox)
- Analyzes the code loaded into memory
If the file was not recognized as packed, you can also use “Force Dynamic Unpacking” through the GUI or the API.
All extracted files and memory modules are shown in the “Dynamic Execution” or “Static Extraction” sections on the left-hand side of the analysis.
Force Extended Dynamic Unpacking
Some packers only reveal the actual payload after running for a longer time than the standard dynamic execution allows. Use this option to execute the file for an extended period of time.
Additional Resources
- Intezer Analyze Feature - Dynamic Unpacking
- Unpacking Reveals a File’s True DNA
- Fantastic Payloads and Where We Find Them