T1204 Malware Analysis Triage
A step-by-step SOC playbook for performing safe, time-boxed malware triage — from file hash to behavioral analysis to a go/no-go escalation decision in 30 minutes, with specific detection queries and Event IDs.
What Malware Analysis Triage Covers and Safety First
- Malware analysis triage is the initial, time-constrained examination of a suspicious file to determine whether it is malicious and how it behaves, without performing a full deep-dive reverse engineering analysis.
- MITRE ATT&CK maps user execution of malicious files to T1204 (User Execution).
- Triage answers three questions in 30 minutes or less: (1) Is this file malicious? (2) What does it do (beacon out, drop files, steal credentials, encrypt)? (3) Do I escalate this to full analysis or can I close the ticket?
Safety first — always use a sandbox environment:
- Never execute malware on a production host, analyst workstation, or any system connected to the corporate network
- Use a purpose-built analysis sandbox (Any.Run, Joe Sandbox, Cuckoo, FLARE VM)
- Disable network connectivity or route through controlled infrastructure when executing samples
- Follow your organization’s malware handling policy for storage, transfer, and disposal
Step 1: Static Analysis — File Hash and Metadata (5 minutes)
1a — Generate Hashes
```bash
# Generate all three hashes
sha256sum suspicious.exe
sha1sum suspicious.exe
md5sum suspicious.exe
# Capture file metadata with ExifTool
exiftool suspicious.exe
```
1b — Hash Lookup on VirusTotal
Paste the SHA256 hash into VirusTotal. This is the fastest way to determine if the file is known malware:
| VirusTotal Result | Meaning | Action |
|---|---|---|
| 0 detections | Unknown file. Could be custom malware or legitimate software. | Continue to dynamic analysis. Do not assume it is safe. |
| 1-5 detections | Likely new or heavily obfuscated malware. Triggering engines include behavioral/heuristic (not signature-based). | HIGH priority. Continue to dynamic analysis. |
| 6-20 detections | Confirmed malware. Several reputable vendors detect it. | Flag as malicious. Continue for behavioral understanding. |
| 21+ detections | Widely known malware. AV signatures exist. | Likely commodity malware. Determine family and check if it needs incident response. |
What to look for beyond detection count:
| Metadata Field | Why It Matters | Suspicious Indicator |
|---|---|---|
| Compile timestamp | Real malware is compiled shortly before deployment | Timestamp in the future, or a date 10+ years old on a newly seen sample |
| Original filename | An attacker may rename but compile metadata stays | Mismatch between the filename on disk and the PE metadata |
| Digital signature | Legitimate software has signed binaries | Missing signature, revoked certificate, self-signed, or certificate issued to a company that doesn’t exist |
| Packer detected | Packed executables hide the actual code | UPX, ConfuserEx, VMProtect, Themida, or custom packer |
| Section names | PE section names can reveal packing or injection | .UPX, .packed, .abc (non-standard), or executable sections where only .text is expected |
| Imported functions | What API calls does the binary make? | VirtualAlloc, WriteProcessMemory, CreateRemoteThread (process injection), URLDownloadToFile, WinExec, RegSetValue |
SPL query — correlate file hash across your environment:
```spl
index=windows sourcetype=WinEventLog:Sysmon EventCode=1
| search Hashes="*SHA256_HASH*"
| stats count, min(_time) as first_seen, values(Computer) as Systems, values(User) as Users by Image, CommandLine
| eval alert = "File hash found on " . mvjoin(Systems, ", ") . " — investigate for breach scope"
| table first_seen, Systems, Users, Image, CommandLine, count, alert
```
1c — Check Strings
```bash
# Extract printable strings
strings suspicious.exe | head -200
# Filter for interesting strings (single quotes so the backslashes reach grep intact)
strings suspicious.exe | grep -iE '(http|https|www\.|\.com|\.exe|\.dll|powershell|cmd|encrypt|decrypt|ransom|pay|bitcoin|C:\\|AppData)'
```
| String Pattern | What It Suggests |
|---|---|
| http:// or https:// | C2 communication, downloader, or phone home |
| C:\Users\*\AppData\* | Installation path — uses user space (no admin needed) |
| SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Persistence via registry Run key |
| mimikatz, Invoke-Mimikatz, sekurlsa | Credential theft tool — see Mimikatz |
| Base64-like strings (A-Za-z0-9+/=, 40+ chars) | Encoded payloads, C2 configuration |
| IP addresses | Hardcoded C2 endpoints (rare in modern malware but common in older families) |
| powershell -enc | Encoded PowerShell execution |
| bitcoin:, BTC, wallet | Ransomware-related |
| Mutex names (e.g., Global\MSCTF.Asm.) | Marks already-infected systems |
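As an added example (not part of the playbook), the string categories from the table above implemented as a small Python triage helper: it emulates `strings`, tags each extracted string with every category it matches, and decodes a `powershell -enc` argument, which is base64 over UTF-16LE text. The sample bytes, the `evil.example` URL and the category names are constructed for this example.

```python
import base64
import re

# Patterns mirror the string table above; the category names are this example's own.
PATTERNS = {
    "c2_url":        re.compile(r"https?://\S+", re.I),
    "appdata_path":  re.compile(r"C:\\Users\\[^\\]+\\AppData\\", re.I),
    "run_key":       re.compile(r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", re.I),
    "cred_theft":    re.compile(r"mimikatz|sekurlsa", re.I),
    "encoded_ps":    re.compile(r"powershell(\.exe)?\s+[-/](e|enc|encodedcommand)\b", re.I),
    "ransom":        re.compile(r"bitcoin:|\bBTC\b|wallet", re.I),
    "injection_api": re.compile(r"^(VirtualAllocEx|WriteProcessMemory|CreateRemoteThread)$"),
    "ipv4":          re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "base64_like":   re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),  # 40+ char threshold from the table
}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Emulate `strings`: runs of printable ASCII at least min_len bytes long (4 is strings' default)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify_strings(strings: list) -> dict:
    """Tag each string with every category it matches; unmatched strings are dropped."""
    hits = {}
    for s in strings:
        for name, pat in PATTERNS.items():
            if pat.search(s):
                hits.setdefault(name, []).append(s)
    return hits

def decode_encoded_powershell(s: str) -> str:
    """Decode the argument of `powershell -enc`: base64 over UTF-16LE text."""
    m = re.search(r"[-/](?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", s, re.I)
    if not m:
        raise ValueError("no -enc argument found")
    return base64.b64decode(m.group(1)).decode("utf-16le")

# Constructed sample "binary": junk bytes around strings a dropper might carry.
ENC = base64.b64encode("Write-Output 'triage sample'".encode("utf-16le"))
SAMPLE = (b"MZ\x90\x00\x03\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
          b"\xff\xfehttp://evil.example/config.ini\x00"
          b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          b"C:\\Users\\victim\\AppData\\Roaming\\svc.exe\x00"
          b"powershell.exe -enc " + ENC + b"\x00ab\x7f\x80")  # "ab" is too short to count

if __name__ == "__main__":
    hits = classify_strings(extract_strings(SAMPLE))
    for cat, vals in sorted(hits.items()):
        print(f"{cat:14s} {vals}")
    print("decoded:", decode_encoded_powershell(hits["encoded_ps"][0]))
```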
Step 2: Dynamic Analysis — Behavioral Observation (20 minutes)
2a — Execute in Sandbox
Run the file in a controlled sandbox with monitoring tools active.
What to watch for:
| Behavior | Detection Method | Indicator |
|---|---|---|
| File system changes | Process Monitor (ProcMon), Regshot | Files created in %TEMP%, %APPDATA%, %PROGRAMDATA% or system directories |
| Registry changes | Regshot, ProcMon | New Run keys, service entries, extension handlers, COM hijacking |
| Network connections | Wireshark, Fakenet, InetSim | Outbound TCP connections, DNS queries, HTTP requests |
| Process creation | Process Hacker, Task Manager, ProcMon | Spawned child processes (cmd.exe, powershell.exe, rundll32.exe) |
| Memory injection | Process Hacker, API Monitor | VirtualAllocEx, CreateRemoteThread, WriteProcessMemory calls |
2b — Inbound Alert Triage — EDR Detection
If the file was already caught by EDR, start with the EDR alert data.
Sysmon Event IDs most useful during triage:
| Event ID | Event Name | What It Tells You |
|---|---|---|
| 1 | Process Creation | What process was created, by which parent, with what command line |
| 3 | Network Connection | Outbound connections from the process — C2 indicators |
| 7 | Image Loaded | DLLs loaded by the process — injected or unusual DLLs |
| 8 | CreateRemoteThread | Process injection — a process creates a thread in another process |
| 10 | Process Access | Cross-process access — LSASS read attempt, token theft |
| 11 | File Creation | Files created by the malware — payload drops |
| 12 | Registry Event | Registry modifications — persistence mechanisms |
| 13 | Registry Value Change | Value-level registry changes |
| 15 | File Stream Create | Alternate Data Stream — hidden data in files |
| 22 | DNS Query | DNS queries made by any process — C2 domain lookups |
SPL query — investigate Sysmon Telemetry around a malicious file:
```spl
index=windows sourcetype=WinEventLog:Sysmon
| search Computer="COMPROMISED_HOST" (Image="*suspicious.exe*" OR ParentImage="*suspicious.exe*")
| eval event_type = case(EventCode=1, "Process Creation", EventCode=3, "Network Connection", EventCode=7, "Image Loaded", EventCode=8, "CreateRemoteThread", EventCode=10, "Process Access", EventCode=11, "File Creation", EventCode=12, "Registry Event", EventCode=13, "Registry Value Change", EventCode=15, "File Stream Create", EventCode=22, "DNS Query", 1=1, "Other")
| table _time, EventCode, event_type, Image, ParentImage, CommandLine, DestinationIp, DestinationPort, TargetObject, TargetFilename, QueryName
| sort _time
```
2c — Network Behavior Triage
| Traffic Pattern | Likely Meaning |
|---|---|
| HTTP GET to evil.com/config.ini | Malware downloads configuration or C2 address |
| HTTP POST with encrypted payload | C2 beacon — heartbeat or data exfiltration |
| DNS TXT query to a subdomain of evil.com | DNS tunneling — data exfiltration via DNS |
| No network activity | Destructive malware (e.g., ransomware during encryption), dropper without network component, or sandbox detection |
| Connection to multiple IPs sequentially | C2 rotation, load balancing, or proxy chain |
Triage query — check DNS queries (Sysmon Event ID 22):
```spl
index=windows sourcetype=WinEventLog:Sysmon EventCode=22
| search Computer="COMPROMISED_HOST"
| stats count, min(_time) as first_seen, values(QueryName) as Queries by Computer, Image
| where mvcount(Queries) > 5
| eval alert = "High-volume DNS queries from " . Image . " — possible C2 or DNS tunneling"
| table first_seen, Computer, Image, count, Queries, alert
```
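As an added example (not the playbook's own tooling), the behaviors from 2a to 2c reduced over a handful of constructed Sysmon-style events in Python: parent and child processes, outbound connections, DNS query volume against the >5 threshold above, drops into user-writable directories, Run-key persistence and CreateRemoteThread targets. The event dicts, host paths, the 203.0.113.10 address and the `evil.example` domain are constructed; the field names follow Sysmon's.

```python
from typing import Dict, List

# Thresholds and markers taken from the triage tables above.
DNS_QUERY_THRESHOLD = 5
RUN_KEY_MARKER = r"\currentversion\run"
DROP_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")

def summarize_process(events: List[dict], image: str) -> Dict[str, object]:
    """Reduce Sysmon events for one image into the behaviors the triage tables look for."""
    mine = [e for e in events if e.get("Image") == image]
    parents = [e["ParentImage"] for e in mine if e["EventCode"] == 1]
    children = [e["Image"] for e in events if e["EventCode"] == 1 and e.get("ParentImage") == image]
    dns = {e["QueryName"] for e in mine if e["EventCode"] == 22}
    net = {(e["DestinationIp"], e["DestinationPort"]) for e in mine if e["EventCode"] == 3}
    drops = [e["TargetFilename"] for e in mine if e["EventCode"] == 11
             and any(d in e["TargetFilename"].lower() for d in DROP_DIRS)]
    run_keys = [e["TargetObject"] for e in mine if e["EventCode"] in (12, 13)
                and RUN_KEY_MARKER in e["TargetObject"].lower()]
    injection = [e["TargetImage"] for e in mine if e["EventCode"] == 8]
    # One flag per behavior the decision matrix cares about; empty/false entries are skipped.
    flags = [name for name, hit in (("persistence:run_key", run_keys), ("process_injection", injection),
             ("dns:high_volume", len(dns) > DNS_QUERY_THRESHOLD), ("drop:user_writable_dir", drops),
             ("network:outbound", net or dns)) if hit]
    return {"parents": parents, "children": children, "dns_queries": sorted(dns),
            "connections": sorted(net), "dropped_files": drops,
            "run_key_persistence": run_keys, "injection_targets": injection, "flags": flags}

# Constructed Sysmon-style events for one sample; paths, IP and domain are made up.
SUSPECT = r"C:\Users\victim\AppData\Roaming\suspicious.exe"
EVENTS = [
    {"EventCode": 1, "Image": SUSPECT, "CommandLine": SUSPECT,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 11, "Image": SUSPECT, "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\svc.dll"},
    {"EventCode": 13, "Image": SUSPECT,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SUSPECT, "CommandLine": "cmd.exe /c ver"},
    {"EventCode": 8, "Image": SUSPECT, "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 3, "Image": SUSPECT, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
] + [{"EventCode": 22, "Image": SUSPECT, "QueryName": f"{i}.cdn.evil.example"} for i in range(6)]

if __name__ == "__main__":
    for key, value in summarize_process(EVENTS, SUSPECT).items():
        print(f"{key:20s} {value}")
```

The Office parent and the cmd.exe child are what the "Ignoring the parent process" row below tells you to check first; the flags list is what you carry into the Step 3 decision matrix.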
Step 3: Decision — Escalate or Close (5 minutes)
Triage Decision Matrix
| Finding | Classification | Action |
|---|---|---|
| VirusTotal: 0 detections. No network. No persistence. No file changes. | Benign | Likely false positive. Document and close. |
| VirusTotal: 5+ detections. Network beacon to known-bad IP. Creates Run key. | Malicious — commodity | Notify SOC. Block C2 IP. Scan for lateral movement. |
| VirusTotal: 10+ detections. Drops executable in AppData. Deletes itself. | Malicious — dropper | Escalate. The dropped payload needs triage too. |
| VirusTotal: 20+ detections. Encrypts files. Displays ransom note. | Ransomware | Page the IR team. Full incident response. |
| No VirusTotal hits. Creates admin accounts. Connects to unknown IPs. | Unknown — likely targeted malware | Escalate to reverse engineer. This could be a zero-day or custom APT malware. |
When to Escalate
Escalate to full reverse engineering when the file:
- Cannot be classified by static and dynamic analysis alone
- Exhibits anti-analysis techniques (VM detection, debugger detection, obfuscation)
- Appears to be custom malware targeted at your organization
- Is part of a larger attack campaign (same hashes found on multiple systems)
- Contains unique strings referencing your company, internal systems, or employee names
When to Close
Close the ticket when the file:
- Is clearly benign (known good software, false positive from AV)
- Is a low-impact adware or PUP that does not warrant further action
- Was contained to a single system with no evidence of lateral movement
- Has been removed via EDR and the system is isolated
Common Triage Mistakes
| Mistake | Why It’s Dangerous | Correct Approach |
|---|---|---|
| Trusting VirusTotal alone | Custom malware has 0 detections. A 0-detection file is not safe. | Always run dynamic analysis on unknown samples. |
| Running malware on an enterprise-connected host | Can spread the infection or alert the attacker. | Use an air-gapped sandbox or isolated VM. |
| Skipping strings analysis | Many malware families have distinctive strings that tell you everything (payment URLs, mutex names, debug paths). | Always run strings as part of static analysis. |
| Ignoring the parent process | The way the file was launched tells you about the infection vector. | Always check: was it launched by the browser? Email client? Office macros? System process? |
| Tearing down the sandbox before capturing network traffic | Network behavior is often the most actionable intelligence (C2 IPs/domains). | Keep the sandbox running for at least 5 minutes after execution completes. |
| Not checking for fileless execution | Modern malware may not drop a file at all — it runs in memory via PowerShell or WMI. | Check Sysmon Event ID 1 for powershell.exe with encoded commands, WMI event subscriptions (Event ID 5861). |
Related
- Malware Analysis Fundamentals — detection and response for T1204 techniques
- MITRE ATT&CK for Triage — covers MITRE ATT&CK concepts as applied to triage
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Kill Chain — covers the kill chain concepts
- Ghidra — detection and response for T1204 techniques
