ibernal1815/malware-analysis-lab

Malware Analysis Lab

This is a personal research lab I built to practice and document malware analysis from start to finish. It covers everything from initial static triage to behavioral detonation, memory forensics, and writing detection content based on what I find. The repo is meant to serve as both a working reference for myself and a portfolio that shows how I approach analyzing and detecting threats.

Purpose

I built this lab to sharpen the skills that matter most in SOC and detection engineering roles. Every sample I work through follows the same structured process: triage it statically, detonate it in an isolated environment, pull the memory, and then turn those findings into actual detection rules. The point is not just to document what the malware does, but to understand the behavior well enough to catch it in a real environment.

Lab Environment

Component           Details
Host OS             Windows 11
Hypervisor          VirtualBox
Analysis VM (Win)   FLARE-VM (Windows 11, isolated Host-Only)
Analysis VM (Lin)   REMnux (Ubuntu-based, isolated Host-Only)
SIEM                Wazuh
Network Monitor     Suricata, Wireshark
Memory Forensics    Volatility 3
Log Analysis        Elastic Stack / Kibana

All VMs run on an isolated Host-Only adapter with no external internet access during detonation. I take a clean snapshot before every session and revert immediately after.

Repository Structure

malware-analysis-lab/
│
├── docs/                        # Lab architecture, tool rationale, safety practices
├── setup/                       # VM configuration and environment setup guides
├── static-analysis/             # PE analysis, YARA rules, pre-execution findings
│   ├── yara-rules/              # Custom and tuned YARA detection rules
│   └── reports/                 # Per-sample static analysis reports
├── dynamic-analysis/            # Behavioral analysis, IOC extraction, network findings
│   └── reports/                 # Per-sample dynamic analysis reports
├── memory-forensics/            # Volatility 3 workflows and memory artifact reports
│   └── reports/                 # Per-sample memory forensics reports
├── detection-engineering/       # Sigma rules, Wazuh alerts, MITRE ATT&CK mapping
│   ├── sigma-rules/             # Detection rules in Sigma format
│   └── wazuh-rules/             # Custom Wazuh XML alert rules
├── tools-reference/             # Personal notes and cheat sheets for core tools
└── samples-index.md             # Index of all analyzed samples with report links

Analysis Methodology

Every sample I work through goes through four phases in the same order.

1. Static Analysis
I start with pre-execution inspection before anything runs. This includes reviewing the PE header, checking section entropy, examining the import table, extracting strings, and running YARA and CAPA against the binary to surface capabilities and any known signatures.

2. Dynamic Analysis
Once the static pass is done, I detonate the sample in an isolated VM and monitor everything. File system changes, registry writes, process creation, and network activity are all captured with ProcMon, Noriben, and Wireshark. I pull IOCs at the end of each session and document them in a structured format.

3. Memory Forensics
After detonation I acquire a memory image and run it through Volatility 3. I look for injected code, suspicious process relationships, hidden network connections, and anything else the malware tried to hide from on-disk inspection.

4. Detection Engineering
This is where the analysis pays off. I take what I found across the three earlier phases and build detection content around it. That means writing Sigma rules I can deploy across different SIEMs, creating custom Wazuh alert rules tied to specific behaviors, and mapping every relevant technique to MITRE ATT&CK.
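As an added illustration of the section-entropy check in the static triage phase (example code, not part of this repository), the following Python walks a PE section table and scores each section's raw bytes with Shannon entropy. The PE image it analyses is constructed inline so it runs offline, and the PACKED_THRESHOLD of 7.0 bits per byte is my assumption, not a setting from the lab.

```python
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0 (assumed cutoff)

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, up to 8.0 for uniform data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def section_entropy(data: bytes) -> list:
    """Walk the PE section table and score each section's raw bytes against PACKED_THRESHOLD."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                            # section table follows the optional header
    findings = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        body = data[raw_ptr:raw_ptr + raw_size]               # empty slice if the header overstates size
        ent = round(shannon_entropy(body), 3)
        findings.append({"name": name, "raw_size": raw_size, "entropy": ent,
                         "suspicious": ent >= PACKED_THRESHOLD})
    return findings

def build_sample_pe() -> bytes:
    """Constructed stand-in for a sample (not a real binary): PE32+ headers, a plain
    code section and a second section of pseudo-random bytes that looks packed."""
    text = b"\x90" * 400 + b"\xc3" * 112                 # two byte values only: low entropy
    packed = random.Random(1234).randbytes(2048)          # pseudo-random: high entropy
    opt = struct.pack("<H", 0x20B) + b"\0" * 238          # PE32+ magic, other fields zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew points at offset 0x40
    headers, blobs = b"", b""
    for i, (name, body, chars) in enumerate([(b".text", text, 0x60000020),
                                             (b"UPX1", packed, 0xE0000040)]):
        headers += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), 0x1000 * (i + 1),
                                                       len(body), 512 + len(blobs), 0, 0, 0, 0, chars)
        blobs += body
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(512, b"\0") + blobs
```

Running section_entropy over a real sample's bytes gives the same per-section dicts; a high-entropy section is a cue to look for a packer before spending time on imports and strings.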

Tools Used

Category             Tools
Static Analysis      PEStudio, CAPA, Detect-It-Easy, strings, floss
Dynamic Analysis     ProcMon, Noriben, Wireshark, FakeNet-NG, x64dbg
Memory Forensics     Volatility 3, WinPmem
Detection            Sigma, Wazuh, Elastic SIEM, Suricata
Threat Intelligence  MalwareBazaar, VirusTotal, Any.run, MITRE ATT&CK

Sample Index

See samples-index.md for a full table of every sample I have analyzed, including malware family, type, source, and links to the individual reports.

No malware binaries, memory dumps, or packet captures are stored in this repository. All findings are written up in report format only.

MITRE ATT&CK Coverage

Every detection rule and analysis report in this lab is mapped to techniques in the MITRE ATT&CK Enterprise framework. I track coverage in detection-engineering/mitre-mapping.md.

Skills Demonstrated

Throughout this lab I work across malware triage and behavioral analysis, IOC extraction and threat intelligence enrichment, memory forensics and artifact recovery, detection rule authoring in Sigma and Wazuh, MITRE ATT&CK technique mapping, and SIEM integration and alert tuning.

References and Sample Sources

MalwareBazaar is my primary source for samples, maintained by the abuse.ch community. I also reference Any.run for behavioral sandbox comparison, MITRE ATT&CK for technique mapping, and use FLARE-VM and REMnux as my analysis distributions. Memory analysis runs on Volatility 3.

Disclaimer

This lab is built strictly for educational and research purposes. All samples come from public threat intelligence repositories and are handled exclusively inside an isolated lab environment. No malicious code is stored or distributed through this repository.

About

A structured malware analysis lab covering static analysis, dynamic behavioral analysis, memory forensics, and detection engineering with Sigma and Wazuh.
