Installing a Windows 10 Virtual Machine

Installing Oracle VirtualBox

Installing Windows 10 to host FlareVM

We can use this video as a guide: https://www.youtube.com/watch?v=CMGa6DsGIpc

Installing a Windows 10 machine will require you to download the Media Creation Tool, which will then be used to create an ISO image.

https://www.microsoft.com/en-us/software-download/windows10

After accepting T&Cs and signing away your first born to MSFT's 5G vax program, choose to create the installation media -> use the default 64-bit architecture -> ISO file (no, you don't need a DVD) -> make some coffee, it'll take a while.

Once it's done, the ISO will be wherever you chose to save it earlier. Now switching gears back to VMware.

In the Oracle VirtualBox Manager, click "New" and do the following steps:

  • Name our VM

  • Select the ISO image from the drop down menu

  • Keep the Type as "Microsoft Windows" and Version as "Windows 10 (64-bit)"

  • Under the Hardware tab, set the base memory (RAM) to at least 2GB (preferably 4GB), and the processors to 2 CPUs

  • Under the Hard Disk tab, get the virtual hard disk up to 80GB and keep the File Type as VDI

  • Hit Finish and it will pop up on the left tab in our Oracle VirtualBox Manager

You may encounter an issue with the ProductKey.

If so, shut down the Windows 10 VM and go to its settings -> Storage -> look under Controller: Floppy -> right click and delete the "unattend..." file there. Restart our VM and it should work.

Reddit post which discusses the issue: https://www.reddit.com/r/virtualbox/comments/1c1o605/error_installing_windows_windows_cannot_read_the/

Just go ahead and click "I don't have a product key", and select Windows 10 Home.

Then choose your country and keyboard layout. At this point, we will want to return to our host machine, as Microsoft will force us to sign in with a Microsoft account. To bypass this, we'll follow the method(s) laid out in the following steps:

  • Open this page: https://techcommunity.microsoft.com/discussions/windowsinsiderprogram/how-to-install-windows-10-without-microsoft-account/4405641

  • Check out Nskdo's post with 3 methods to bypass; method 1 is what I used.

  • Turn off the wifi on our host machine.

Now we return to the VM and hit Shift+F10 which will bring up the Command Prompt. We type in "taskmgr" and hit enter to bring up Task Manager. We then end the Windows Setup process. Restarting it will now bypass the account login and allow us to create an account.

Put in our username, create a password, and set up our security questions. Now our Windows10 VM is almost ready.

The last step is aesthetic, but a pretty useful one. We're going to allow the VM to run in full screen. Under "Devices", click "Insert Guest Additions CD Image...".

This will create the VirtualBox Guest Additions under "This PC".

Now double click "VBoxWindowsAdditions-amd64" and follow the installation steps and shut down the VM.

Then head back to VirtualBox and click on the "Settings" of our VM, then ensure Video Memory is maxed out, Graphics Controller is "VBoxSVGA", and check "Enable 3D Acceleration". Our VM should be full screen upon restarting.

Precaution on enabling internet connection

Our VM can currently connect to the internet, which is helpful for downloading malware samples. However, we want to turn this ability off when analyzing samples to prevent the malware from spreading through our network, especially if it's a worm.

We can do so by going to VirtualBox and changing the setting under Network from NAT to Host-only Adapter.

Create a shared folder between the Windows10 VM and the host machine

Generally there are 2 methods of getting a malware sample onto our VM.

Method 1:

  1. Download the sample directly on the sandbox within the VM via a browser.

  2. Verify the sample using the SHA256 hash found on MalwareBazaar:

     Get-FileHash .\sample.zip -Algorithm SHA256

  3. Disable the internet (and network) connection to ensure full isolation of the VM. We can do this by changing the Adapter on the VM's setting from NAT to Host-only Adapter.

The advantage of this method is your host machine is not exposed to the sample. The drawback is the VM is slightly altered and is not "pristine" as it has browser history, cached files, and network logs from the download.
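Here is an added example (not code from the original page) of the hash check from step 2 wrapped in a function, so the comparison against the hash copied from MalwareBazaar is done by the script rather than by eye. The demonstration file, its contents and the hash values are constructed; only Get-FileHash itself is the cmdlet the page already uses.

```powershell
# Added example (not from the original page): verify a downloaded sample's
# SHA256 against the value published on MalwareBazaar before doing anything
# else with it. Returns an object so the result can be logged, not just read.
function Test-SampleHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # copied from the MalwareBazaar page
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Sample not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path     = $Path
        Expected = $ExpectedSha256.Trim().ToUpperInvariant()
        Actual   = $actual
        Match    = ($actual -ieq $ExpectedSha256.Trim())
    }
}

# Constructed demonstration: a temp file containing the bytes "hello", whose
# SHA256 is a well-known value, checked once against the right hash and once
# against a deliberately wrong one.
$demo = Join-Path $env:TEMP 'hash-demo.bin'
[System.IO.File]::WriteAllBytes($demo, [System.Text.Encoding]::ASCII.GetBytes('hello'))
$good = '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'
$bad  = '0000000000000000000000000000000000000000000000000000000000000000'

Test-SampleHash -Path $demo -ExpectedSha256 $good | Format-List
Test-SampleHash -Path $demo -ExpectedSha256 $bad  | Format-List
Remove-Item -LiteralPath $demo
```

Only act on the sample when Match is True; a mismatch means the download was truncated, tampered with, or simply the wrong file, and the sample should be deleted and fetched again.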

At more advanced stages, when we're looking to bulk download, we can use the command line on FlareVM (installed on our Windows10 VM) to download the malware sample using curl/wget:

wget --post-data 'query=get_file&sha256=<inserthashhere>' \

Method 2:

  1. Download the sample onto the host machine and verify the sample's SHA256 hash.

  2. Transfer the sample onto a shared folder with the VM, then move the sample onto the VM.

  3. Disable the shared folder to ensure full isolation of the VM.

The advantage of this method is that we prevent the sample from calling back to its C2 server if it accidentally gets executed, as our VM does not need an internet connection. The drawback is that we're exposing our host machine to a sample, even though the host machine will have active antivirus and other security measures.

We'll just go through the steps of setting up a shared folder so we know how to do so.

  1. On our host machine, open File Explorer and head into the C drive. We then create a new folder and call it "FlareVM Shared Folder".

  2. In our VirtualBox Manager, click on the Settings for our Windows10 VM. Then head to Shared Folders in the left column and click on the small blue box with a green plus sign on the right.

  3. Choose "Other..." in the Folder Path.

  4. In the pop-up box, navigate to the C drive and choose the "FlareVM Shared Folder" which we created earlier. Then uncheck Read-only, but check Auto-mount and Make Permanent.

  5. On our Windows10 VM, we can now see the shared folder.
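Both the network precaution above (NAT vs. Host-only) and the shared folder are things to re-check from the host right before a sample is run. The following is an added example, not code from the original page or from VirtualBox, that asks VBoxManage for the VM's NIC mode, cable state and shared folders and reports whether the VM is isolated. It assumes a Windows host with VBoxManage.exe at its default install path, a VM named "Windows10 VM", and the default Windows host-only adapter name; the machine-readable key names (nic1, cableconnected1, SharedFolderNameMachineMapping*) are what VBoxManage showvminfo --machinereadable prints, and the helper that switches the VM to host-only only works while the VM is powered off.

```powershell
# Added example (not from the original page or from VirtualBox itself): query
# VirtualBox from the host for the VM's network mode, cable state and shared
# folders, and report whether the VM is isolated enough to run a sample.
# Assumptions: Windows host, default VBoxManage.exe path, VM named "Windows10 VM".
$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
$VmName     = 'Windows10 VM'

function Get-VmIsolationState {
    param([string]$Name = $VmName)
    # --machinereadable prints key="value" lines such as nic1="nat",
    # cableconnected1="on" and SharedFolderNameMachineMapping1="...".
    $info = @{}
    & $VBoxManage showvminfo $Name --machinereadable | ForEach-Object {
        if ($_ -match '^([^=]+)="?(.*?)"?$') { $info[$Matches[1]] = $Matches[2] }
    }
    $nic     = $info['nic1']
    $cable   = $info['cableconnected1']
    $folders = @($info.Keys |
                 Where-Object { $_ -like 'SharedFolderNameMachineMapping*' } |
                 ForEach-Object { $info[$_] })
    [pscustomobject]@{
        VM            = $Name
        Nic1Mode      = $nic
        CableOn       = ($cable -eq 'on')
        SharedFolders = $folders
        # NAT reaches the internet; host-only reaches only the host; "none"
        # (Not attached) reaches nothing. A mounted shared folder gives the
        # sample a write path onto the host, so it counts against isolation too.
        Isolated      = ($nic -in @('hostonly', 'none')) -and ($folders.Count -eq 0)
    }
}

# Switch the (powered-off) VM to host-only and drop the shared folder from the page.
# The adapter name is the default one VirtualBox creates on a Windows host (assumption).
function Set-VmIsolated {
    param(
        [string]$Name       = $VmName,
        [string]$FolderName = 'FlareVM Shared Folder',
        [string]$Adapter    = 'VirtualBox Host-Only Ethernet Adapter'
    )
    & $VBoxManage modifyvm $Name --nic1 hostonly --hostonlyadapter1 $Adapter
    & $VBoxManage sharedfolder remove $Name --name $FolderName
}

Get-VmIsolationState | Format-List
```

Run Get-VmIsolationState after moving a sample in and before detonating it; if Isolated is False, call Set-VmIsolated with the VM powered off (or make the same two changes in the Settings dialog) and check again.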

Disabling antivirus and malware detection

As much as we poo on Microsoft's security capabilities, they're actually decent in this day and age. We still need to disable them, as these features will interfere with our malware analysis and won't let us intentionally infect our machine. Let's do this before we take a clean snapshot of our machine. Reminds me of this meme for some reason.

(i) Disable Windows Update

  1. In our VM, type "run" into the search bar at the bottom. Then type "services.msc" into the box.

  2. In the box that pops up, search for "Windows Update" and double click that. Click "Stop" in the box that pops up, and change the Startup type from "Manual" to "Disabled". Apply changes.

(ii) Disable Windows Defender

  1. In our VM, search for "Windows Security" in the search bar. In the box that pops up, click on "Virus & threat protection" in the left column, then click on "Manage settings".

  2. Turn everything off or Windows will delete our dear malware samples.

Another way is by changing the Group Policy.

  1. Search for "Run" in the search box, then type in "gpedit.msc".

  2. In the pop up box, click on Computer Configuration --> Administrative Templates --> Windows Components.

  3. Then scroll down and look for Microsoft Defender Antivirus, and click on real-time protection. Now enable Turn off real-time protection. Reboot the system.

Enabling visibility of file extensions

This part is helpful as malware authors like to mask their file types with harmless-looking extensions. For instance, they may mask an .exe file as a .pdf. To counter this, we'll disable "Hide extensions" and enable visibility of hidden files and folders.

  1. Open File Explorer and click on View at the top, then click on Options and "Change folder and search options".

  2. In the pop up box, uncheck "Hide extensions for known file types" and choose "Show hidden files, folders, and drives".

Take my picture

Our VM is now finally ready to install FlareVM, so let's take a snapshot of our Windows10 VM. In our VM window, click on Machine at the top then click "Take snapshot" and name it "Windows10 VM AV disabled".
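Before taking that snapshot, it is worth confirming that the three changes made above (Windows Update, Defender real-time protection, Explorer visibility) actually stuck. The following is an added example, not code from the original page, to run inside the Windows 10 guest; it assumes the standard Defender module (Get-MpComputerStatus) is present, and uses the Windows Update service name wuauserv and the Explorer registry values HideFileExt and Hidden under HKCU.

```powershell
# Added example (not from the original page): run inside the Windows 10 guest
# before taking the "AV disabled" snapshot. It checks the three things the
# steps above change and returns one row per check, so nothing is missed.
function Test-AnalysisVmPrep {
    $results = @()

    # (i) Windows Update service (wuauserv) should be stopped and Disabled.
    $wu = Get-Service -Name wuauserv
    $results += [pscustomobject]@{
        Check = 'Windows Update service disabled'
        Value = "$($wu.Status) / $($wu.StartType)"
        Pass  = ($wu.Status -eq 'Stopped' -and $wu.StartType -eq 'Disabled')
    }

    # (ii) Defender real-time protection should be off. Get-MpComputerStatus
    # comes with the Defender module; if it fails, report "cannot verify"
    # as a failure rather than silently passing.
    try {
        $mp = Get-MpComputerStatus
        $results += [pscustomobject]@{
            Check = 'Defender real-time protection off'
            Value = "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
            Pass  = (-not $mp.RealTimeProtectionEnabled)
        }
    } catch {
        $results += [pscustomobject]@{
            Check = 'Defender real-time protection off'
            Value = 'Get-MpComputerStatus failed'
            Pass  = $false
        }
    }

    # (iii) Explorer: HideFileExt=0 shows extensions, Hidden=1 shows hidden files.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $results += [pscustomobject]@{
        Check = 'File extensions shown'
        Value = "HideFileExt=$($adv.HideFileExt)"
        Pass  = ($adv.HideFileExt -eq 0)
    }
    $results += [pscustomobject]@{
        Check = 'Hidden files shown'
        Value = "Hidden=$($adv.Hidden)"
        Pass  = ($adv.Hidden -eq 1)
    }
    $results
}

$report = Test-AnalysisVmPrep
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'Fix the failing checks before taking the snapshot.'
}
```

Take the snapshot only when every row shows Pass = True; otherwise the snapshot you restore to later will still have Defender quarantining samples or Windows Update changing the machine underneath you.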
