In this tutorial we will set up a free, safe Windows 10 virtual machine (VM) for dynamic malware analysis using FLARE VM.

At OALABS we get a lot of questions from analysts who have run into an error while debugging a malware sample. We also get a lot of questions about how to stay safe while analyzing malware. The first step to addressing these questions is to make sure everyone is starting from the same base platform.

‼️ Note - This tutorial will not work for the new M1 Macs. Please refer to our M1 specific tutorial Apple M1 Mac Malware Analysis Lab (Windows 11)  


Virtual Machine Hypervisor

Before getting started we need to choose a hypervisor to run our malware analysis VM. We strongly suggest VMWare Fusion Pro for MacOS or VMWare Workstation Pro for Windows. VirtualBox will work as a free alternative, but it is buggy. Install your hypervisor of choice and proceed to the applicable instructions below.

Option A - VMWare Windows 10 VM Installation

A free Windows 10 VM can be downloaded directly from Microsoft here. This VM is free but will expire 90 days after install.

Navigate to the download site and select the Windows 10 Virtual Machine and your hypervisor then download the VM .zip file.

Once the download completes unzip the file locally on your host. This will unzip a .ovf file which will be used to import your new VM.

Open VMWare and click File->Import and choose the unzipped .ovf file. Click Continue to import the VM.

Once the VM has finished importing click Customize Settings. If you missed this step you can open the VM settings by right clicking on the VM in the VMWare menu and choosing Settings.

In the Settings menu change the Hard Disk size to 80GB. Growing the virtual disk does not grow the Windows partition inside it on its own; if the C: drive still shows the original size after the VM boots, extend the volume in Disk Management.

Close settings and start the VM. While the VM is booting you may be prompted to upgrade the VM. Select OK and allow the VM to upgrade.

Once the VM has booted log into Windows with the password: Passw0rd!

When you have logged in VMWare may update some settings in the VM that require a reboot. Allow the VM to reboot as this will baseline any new settings.

MacOS Display Troubleshooting

If your host is MacOS and you are experiencing issues with the VM display, slow windows, screen flickering, etc. you may need to disable Accelerated 3D Graphics, and Retina display mode. You can use the following steps to troubleshoot the issue.

Shut down the VM so that you can edit the settings.

Navigate to Virtual Machine -> Settings … and select the Display settings.

  • Disable Accelerate 3D Graphics
  • Disable Use full resolution Retina display

Close settings and start the VM.

Option B - VirtualBox Windows 10 VM Installation

‼️ Warning - VirtualBox is not recommended; use it only if you require a free hypervisor.

A free Windows 10 VM can be downloaded directly from Microsoft here. This VM is free but will expire 90 days after install.

Navigate to the download site and select the Windows 10 Virtual Machine and your hypervisor then download the VM .zip file.

Unzip the downloaded file and use the Import button in VirtualBox to import the unzipped .ovf file.

Keep the default appliance settings and click Import to import the VM.

Once the VM has been imported the display setting may need to be updated depending on your host. Navigate to the VM Settings menu and click the Display tab. If an Invalid settings detected message is displayed, click the message and follow the recommendations.

You must also install the VirtualBox Guest Additions to your VM if you want the VM display to auto-scale and operate at a nice resolution. To do this navigate to the Storage tab in the Settings and click the Add Optical Drive icon (it looks like a CD with a plus sign).

Then click the Leave Empty button. Now click OK to close the settings, and double click the VM to power it on.

Once the VM has booted log into Windows with the password: Passw0rd!

Once logged into Windows select Devices -> Insert Guest Additions CD image. This will pop up a dialog box in the VM; select Run VBoxWindowsAdditions.exe. Follow the prompts and install the Additions. The VM will need to be rebooted once the install is complete. Multiple reboots may be required.

Disable Windows Defender

Since we are running malware on this VM we don't want Windows Defender interfering. We can use Group Policy (GPO) to disable Windows Defender. On Windows 10 builds that ship Tamper Protection, first open Windows Security -> Virus & threat protection -> Manage settings and switch Tamper Protection off; while it is on, Defender ignores the policy below.

Click Start menu and type Group Policy to open the Group Policy editor.

In the Group Policy editor select Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components

Select Windows Defender Antivirus (named Microsoft Defender Antivirus on newer builds) and in the right panel double-click the setting “Turn off Windows Defender Antivirus”

To disable Windows Defender the setting “Turn off Windows Defender Antivirus” should be set to Enabled. Reboot the VM for the change to take effect.

Disable Defender Notifications

Once we have disabled Windows Defender, Windows will send us annoying popups notifying us that Defender is disabled. We can also stop these via GPO.

Click Start menu and type Group Policy to open the Group Policy editor.

In the left pane of Local Group Policy Editor, navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Security -> Notifications

To disable the alerts "Hide all notifications" should be set to Enabled.
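The two Group Policy settings above are just registry values under HKLM\SOFTWARE\Policies, so the same result can be applied and, more importantly, verified from an elevated PowerShell prompt. The script below is an added example and is not part of the original tutorial or of FLARE VM; the registry paths are the ones those two policies write, and the check at the end uses the built-in Defender cmdlets to confirm what the service is actually doing.

```powershell
# Added example: apply the two policies from this section directly to the
# registry and verify the result. Run from an elevated PowerShell prompt
# inside the analysis VM.

# "Turn off Windows Defender Antivirus" (Windows Components -> Windows Defender Antivirus)
$avPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
New-Item -Path $avPolicy -Force | Out-Null
Set-ItemProperty -Path $avPolicy -Name 'DisableAntiSpyware' -Value 1 -Type DWord

# "Hide all notifications" (Windows Components -> Windows Security -> Notifications)
$notifyPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'
New-Item -Path $notifyPolicy -Force | Out-Null
Set-ItemProperty -Path $notifyPolicy -Name 'DisableNotifications' -Value 1 -Type DWord

# Policy changes are picked up on reboot or after a forced refresh.
gpupdate /force | Out-Null

# Verify. Get-MpComputerStatus reports what the Defender service is really doing;
# the cmdlet fails outright once the service is no longer running, which is the
# state we want after the reboot.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    Write-Host "Get-MpComputerStatus failed ($($_.Exception.Message)); the Defender service is not running."
    return
}

$status | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected

if ($status.IsTamperProtected) {
    # With Tamper Protection on, the DisableAntiSpyware policy is silently ignored.
    Write-Warning 'Tamper Protection is on: turn it off in Windows Security, reboot, then re-run this check.'
} elseif ($status.AntivirusEnabled -or $status.RealTimeProtectionEnabled) {
    Write-Warning 'Defender still reports as enabled: reboot the VM and check again.'
} else {
    Write-Host 'Defender is off; safe to continue with the FLARE VM install.'
}
```

Run the check again after the reboot: the policy is read when the Defender service starts, so the status shown immediately after setting the value is not yet the final state.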

FLARE VM Install

Open the Edge web browser (pinned to the task bar) and open the following link:

https://raw.githubusercontent.com/mandiant/flare-vm/master/install.ps1

Right-click on the text, choose Select all, then right-click again and choose Copy to copy all of the text.

Open Notepad by clicking the Start menu and typing notepad.

Paste the copied text into notepad and select File-> Save As…

Change the Save as type setting to All files and save the file to the Desktop as install.ps1

Open PowerShell as an Administrator by clicking on the Start menu and typing PowerShell then right-click on the PowerShell application and choose Run as Administrator.

Once the PowerShell prompt is open change into the Desktop directory:
cd C:\Users\IEUser\Desktop\

Unblock the install file by running:

Unblock-File .\install.ps1

Enable script execution by running:

Set-ExecutionPolicy Unrestricted

Finally, execute the installer script as follows:

.\install.ps1

The script will then ask for the VM password, which is: Passw0rd! It needs the password to log back in automatically across the reboots that follow.

During the install the VM will reboot multiple times and download a large number of packages, so leave the network adapter connected until the install has finished.
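The download, unblock and run steps above as a single script, with one addition a practitioner will want later: a record of the SHA256 of the exact install.ps1 that was executed, since the master branch of the repository changes over time and the VM you build today will not be reproducible from the URL alone. This is an added example, not part of the original tutorial or of FLARE VM; it assumes the same Microsoft VM (user IEUser, Desktop path) and the install.ps1 URL given above, and the record file name install-record.txt is my own choice.

```powershell
# Added example: fetch, record, unblock and run the FLARE VM installer.
# Run from an elevated PowerShell prompt inside the VM.
$url  = 'https://raw.githubusercontent.com/mandiant/flare-vm/master/install.ps1'
$dest = 'C:\Users\IEUser\Desktop\install.ps1'
$log  = 'C:\Users\IEUser\Desktop\install-record.txt'   # assumed record file

# Make sure TLS 1.2 is used for the GitHub download (harmless where it is already the default).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing

# Keep a record of which installer bytes actually ran in this VM.
$hash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
"$((Get-Date).ToString('s'))  SHA256=$hash  $url" | Out-File -FilePath $log -Append

# Same as the manual steps: strip any mark-of-the-web, allow scripts, run.
Unblock-File -Path $dest
Set-ExecutionPolicy Unrestricted -Force
Set-Location -Path 'C:\Users\IEUser\Desktop'
.\install.ps1
```

The script still prompts for the VM password and reboots the VM repeatedly exactly as the manual procedure does; the only difference is that install-record.txt on the Desktop tells you afterwards which version of the installer built this baseline.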

Safe VM Use

Once the FLARE VM install has completed, disable the network adapter for the VM: in VirtualBox open Settings -> Network and untick Enable Network Adapter; in VMWare open Settings -> Network Adapter and uncheck Connect Network Adapter. It is important that you remove network connectivity from the VM before you begin any malware analysis.

Take a snapshot of the VM with the network adapter still disconnected. This snapshot is now your clean baseline; revert to it after each malware analysis session to clean the VM.
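Before detonating anything it is worth confirming from inside the guest that the isolation actually took effect, because the most common mistake is reverting to a snapshot that was taken while the adapter was still connected. The following check is an added example, not part of the original tutorial or of FLARE VM; it assumes the VM has no deliberate host-only or INetSim-style network (adjust the adapter test if you use one), and the function name Test-AnalysisVmIsolated is my own.

```powershell
# Added example: pre-analysis check to run inside the VM before running a sample.
# It confirms the guest has no usable network path and that Defender is off.
# The snapshot itself cannot be checked from inside the guest.

function Test-AnalysisVmIsolated {
    $problems = @()

    # 1. Any adapter in the Up state means the hypervisor still has the virtual
    #    NIC connected (VMWare "Connect Network Adapter" / VirtualBox "Enable
    #    Network Adapter"). Get-NetAdapter does not list loopback.
    $up = Get-NetAdapter | Where-Object Status -eq 'Up'
    foreach ($nic in $up) {
        $problems += "Adapter '$($nic.Name)' is Up; disconnect it in the hypervisor settings."
    }

    # 2. A default route means the guest still believes it can reach the Internet.
    #    Get-NetRoute throws when nothing matches, so silence that case.
    $defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if ($defaultRoutes) {
        $problems += "Default route present via $($defaultRoutes.NextHop -join ', ')."
    }

    # 3. Defender must be off or it will quarantine the sample mid-analysis.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if ($mp.RealTimeProtectionEnabled) { $problems += 'Defender real-time protection is still enabled.' }
        if ($mp.IsTamperProtected)         { $problems += 'Tamper Protection is on; the GPO setting is being ignored.' }
    } catch {
        # Cmdlet fails when the Defender service is not running, which is what we want.
    }

    return $problems
}

# @() keeps an empty result as an array instead of $null.
$issues = @(Test-AnalysisVmIsolated)
if ($issues.Count -eq 0) {
    Write-Host 'VM is isolated and Defender is off. Take your baseline snapshot now if you have not already.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    Write-Error 'Do not run the sample until the issues above are fixed.'
}
```

Run it once right before taking the baseline snapshot and again after every revert; if it ever reports an Up adapter after a revert, the snapshot was taken too early and should be replaced.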

❓Questions / Help

If you get stuck, or you have any questions feel free to hop on our Discord and ask: https://discord.gg/6h5Bh5AMDU

Comments

Wil Taylor

Was able to get this working in qemu on Linux too. You can use quickemu to build a Windows VM pretty easily then install the flare-vm script inside it. Then just copy the launch script and add -net none to the end to disable the network card.