- STEPS FOR SANDBOX ANALYSIS WINDOWS 7
- Download Wireshark, WinPcap (for older Windows versions) and Regshot from the links below.
LINKS:
https://www.wireshark.org/download.html
https://www.winpcap.org/install/
https://sourceforge.net/projects/regshot/
- Now restore all the Windows machines to the snapshot taken before the malware-affected state and boot them up.
- Now install a few tools on the Windows 7 machine: Wireshark, WinPcap, Procmon and Regshot.
- Also make sure again that the network connection is set to dynamic with no internet access.
- Now run Wireshark as admin, open the capture options, go to the Output tab, select a folder on the transfer drive and create a file with some name and a “.xxx” extension so that WannaCry can’t encrypt it. This is where the capture will be stored once it is started.
- Now open Regshot and run it as admin, set it to scan the whole C:\ drive and point the output folder to a regshot folder on the transfer drive.
- Finally run Procmon as admin, clear the panel and pause capture, so that only the new processes are monitored once it is started again.
- Now start Wireshark first, then take the registry snapshot by clicking “1st shot” in Regshot and save the file to the transfer drive.
- Once all the above steps are done, start Procmon, run the ransomware on the Windows 10 machine and let it pivot through the SMB share and infect the Windows 7 machine.
- Once the ransom note appears on both Windows machines, stop Procmon and Wireshark on Windows 7 and power off the Windows 10 machine in a saved state.
- Now save the Procmon results to the transfer drive: select ALL EVENTS and save. Wireshark can be closed now, as the capture is already saved to the configured path.
- Finally take the 2nd shot in Regshot to get a dump of the infected registry, so that it can be compared with the clean registry snapshot taken earlier for further analysis.
- Now click Compare in Regshot to compare both registry snapshots. Save the output as a “.xxx” file and move it to your host machine for later analysis, renaming it back to a text file there.
- Now, to analyse the results, go back to your Windows 10 machine, boot up the earlier snapshot taken before it got infected and analyse the evidence captured from the Windows 7 machine.
- Install Wireshark and Procmon on Windows 10, so that the saved files can be loaded and the results analysed.
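Once the Regshot comparison has been renamed back to a text file, a small parser speeds up the registry triage described in the steps above. This is an added example, not part of the original write-up; the report layout it assumes (headers such as "Keys added: 2" between dashed rules), the sample report, the watch-list and all key, value and file names are constructed placeholders.

```python
# Summarise a Regshot compare report (the .xxx file renamed back to text)
# and flag autorun-location changes. Added example, not the original's.
import re
from collections import defaultdict

# Assumed layout: "Keys added: 2" style headers sit between dashed rules.
SECTION_RE = re.compile(r"^([A-Za-z ]+(?:added|deleted|modified)): \d+$")
# Constructed watch-list of registry paths worth a closer look in triage.
AUTORUN_HINTS = ("\\CurrentVersion\\Run", "\\Services\\", "\\Winlogon\\")
# Constructed sample report; key, value and file names are placeholders.
SAMPLE_REPORT = r"""----------------------------------
Keys added: 2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\example_svc
HKLM\SOFTWARE\Example\Benign
----------------------------------
Values added: 1
----------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\example: "C:\example\sample.exe"
----------------------------------
Values modified: 1
----------------------------------
HKLM\SOFTWARE\Example\Counter: 0x00000001
HKLM\SOFTWARE\Example\Counter: 0x00000002
----------------------------------
Total changes: 4
----------------------------------
"""


def parse_regshot_report(text):
    """Return {section: [entries]}; a modified value lists old then new line."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("----"):
            continue  # blank lines and dashed rules carry no data
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
        elif line.startswith("Total changes:"):
            current = None  # trailer: nothing after it belongs to a section
        elif current:
            sections[current].append(line)
    return dict(sections)


def flag_autoruns(sections):
    """(section, entry) pairs for added/modified paths on the watch-list."""
    return [(name, entry) for name, entries in sections.items()
            if not name.endswith("deleted") for entry in entries
            if any(hint.lower() in entry.lower() for hint in AUTORUN_HINTS)]
```

Run it against the real comparison file instead of SAMPLE_REPORT and review every flagged entry by hand; the watch-list is a starting point, not a verdict.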