Noriben

Introduction

Noriben is a powerful tool that acts as a Python wrapper for Sysinternals ProcMon (Process Monitor). It adds an additional layer of malware-specific intelligence on top of ProcMon's raw event capture.

Noriben's integration with YARA rules is another notable feature. YARA rules can be used to filter the captured data, allowing patterns of interest to be identified more efficiently.

Using Noriben

Start Noriben

python .\Noriben.py

--===[ Noriben v1.8.8
[*] Using filter file: ProcmonConfiguration.PMC
[*] Using procmon EXE: C:\ProgramData\chocolatey\bin\procmon.exe
[*] Procmon session saved to: Noriben_26_Feb_24__07_10_409702.pml
[*] Launching Procmon ...
[*] Procmon is running. Run your executable now.
[*] When runtime is complete, press CTRL+C to stop logging.

ProcMon will open:

Execute Malware

Once Noriben is running, we can proceed to execute the malware sample.

Reviewing Log Output

When we stop Noriben (CTRL+C), it writes the filtered log output to a .txt file.

We can see that the malware pings 127.0.0.1.
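Reviewing the .txt report by hand works for a small sample, but it helps to pull the events out programmatically, for example to list every network destination a process contacted and separate loopback traffic (like the 127.0.0.1 ping above) from external hosts. The script below is an added example and is not part of Noriben itself; the report it parses is constructed, and its "[Event] process:PID > target" line style is an assumption about Noriben's output format rather than a documented specification. The address 198.51.100.7 is a reserved documentation address used only as sample data.

```python
"""Parse a Noriben-style text report and classify network destinations.

Added example, not part of the Noriben project. The report below is
constructed; the "[Event] process:PID > target" layout it uses is an
assumption about Noriben's .txt output, so adjust EVENT_RE if a real
report differs.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample report in the assumed Noriben layout.
SAMPLE_REPORT = """\
Processes Created:
==================
[CreateProcess] explorer.exe:3120 > "C:\\Users\\analyst\\Desktop\\sample.exe"\t[Child PID: 5804]
[CreateProcess] sample.exe:5804 > "C:\\Windows\\System32\\PING.EXE" 127.0.0.1 -n 3\t[Child PID: 5900]

File Activity:
==================
[CreateFile] sample.exe:5804 > C:\\Users\\analyst\\AppData\\Roaming\\svc.exe\t[New]

Registry Activity:
==================
[RegSetValue] sample.exe:5804 > HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc  =  C:\\Users\\analyst\\AppData\\Roaming\\svc.exe

Network Traffic:
==================
[UDP] sample.exe:5804 > 127.0.0.1:53
[TCP] sample.exe:5804 > 198.51.100.7:443
"""

# One report line: "[Event] process.exe:PID > whatever follows"
EVENT_RE = re.compile(r"^\[(?P<event>\w+)\]\s+(?P<proc>[^:]+):(?P<pid>\d+)\s+>\s+(?P<target>.*)$")
# Network target: "host:port" (host may be an IP or a name)
NET_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d+)")
# Explicit RFC 1918 ranges; Python's is_private also covers documentation
# ranges, so we check membership ourselves to keep the classes unambiguous.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Event:
    section: str   # report section the line appeared under
    event: str     # e.g. CreateProcess, RegSetValue, TCP
    process: str
    pid: int
    target: str


def parse_report(text):
    """Return every event line in the report, tagged with its section."""
    events = []
    section = ""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # A section header is a title line followed by an "=====" underline.
        if i + 1 < len(lines) and lines[i + 1].startswith("=="):
            section = line.rstrip(":")
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append(Event(section, m["event"], m["proc"], int(m["pid"]), m["target"]))
    return events


def classify_network(events):
    """Return (process, pid, host, port, kind) for each TCP/UDP event.

    kind is one of: loopback, rfc1918, external, hostname.
    """
    findings = []
    for ev in events:
        if ev.event not in ("TCP", "UDP"):
            continue
        m = NET_RE.match(ev.target)
        if not m:
            continue
        host, port = m["host"], int(m["port"])
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            kind = "hostname"
        else:
            if addr.is_loopback:
                kind = "loopback"
            elif any(addr in net for net in RFC1918):
                kind = "rfc1918"
            else:
                kind = "external"
        findings.append((ev.process, ev.pid, host, port, kind))
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for ev in parsed:
        print(f"{ev.section:18} {ev.event:14} {ev.process}:{ev.pid} -> {ev.target}")
    print()
    for proc, pid, host, port, kind in classify_network(parsed):
        print(f"{proc}:{pid} contacted {host}:{port} ({kind})")
```

Replace SAMPLE_REPORT with the contents of the Noriben .txt file to run it against a real session; loopback traffic such as the 127.0.0.1 ping is reported separately from any external destination, which is usually the first thing worth chasing in the report.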
