Malware Detection on Windows

Last modified: 2023-08-06

Tags: Malware, Windows

This page demonstrates how to check whether our Windows PC is compromised.

Checking Established Network

This process refers to this article. Please see it for more details.

1. List Network Processes

The first thing to check is the network status, from the Command Prompt.

:: -a: show all connections and listening ports
:: -n: show IP addresses and ports numerically (no DNS lookup)
:: -o: show the owning process ID (PID) of each connection
netstat -ano

In particular, connections in the "ESTABLISHED" state may be connections to an attacker's server, so we need to investigate the remote IP address each one is connected to.

Let's do some OSINT.

2. Check Suspicious IP Address with OSINT

Copy the IP address and paste it into an IP lookup site such as iplocation.net, then check who owns that IP address. If a well-known (reliable) organization owns it, we can relax a little. However, if an unknown organization or an individual owns it, we have to treat the IP with suspicion, so paste it into VirusTotal to check whether it is known to be malicious.

If the ip address is still suspicious, we need to do additional investigation.

3. Check Suspicious Process

  1. Copy the PID at the right end of the suspicious "ESTABLISHED" line in the Command Prompt.
  2. Open Task Manager and click the Details section in the left side menu.
  3. In Task Manager, type the PID into the search field to find the target process.
  4. Right-click on the process and go to Properties, then check the program details in the Details tab (publisher, product name, file version).

4. Remove the Suspicious File Behind the Process

  1. In Task Manager, right-click on the suspicious process, then click Open File Location.
  2. In Windows Explorer, delete the file, but only after confirming that it is not a legitimate file belonging to our Windows installation.
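The same triage as steps 1 and 3 above (established connections, their owning PIDs, and the program details of each executable) can be done in one pass from PowerShell. The script below is an added example, not part of the original page; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), is read-only, and only reports the file path needed for step 4 without deleting anything.

```powershell
# Added example: correlate established TCP connections with the owning
# process and the Authenticode signature status of its executable.
# Read-only triage: nothing is terminated or deleted.
# Assumes Windows 8+/Server 2012+ (NetTCPIP module). Run from an elevated
# prompt, otherwise Path is empty for processes running as SYSTEM.

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918, loopback and link-local peers are not worth an OSINT lookup
    return $Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
}

function Get-EstablishedConnectionReport {
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path
            # Same information as the Properties > Details tab in Task Manager
            $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            $pub = if ($path) { (Get-Item $path).VersionInfo.CompanyName } else { $null }
            [pscustomobject]@{
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                PID           = $conn.OwningProcess
                Process       = $proc.ProcessName
                Publisher     = $pub
                Signature     = $sig
                Path          = $path
            }
        }
}

# Unsigned or invalidly signed binaries holding outbound connections sort
# before 'Valid' ones; their RemoteAddress is what goes to iplocation.net
# and VirusTotal in step 2.
Get-EstablishedConnectionReport |
    Sort-Object Signature, RemoteAddress |
    Format-Table -AutoSize
```

A valid signature from a known publisher is not proof of innocence on its own, but an unsigned binary in a user-writable directory with an outbound connection to an unfamiliar address is exactly the line worth investigating further.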