During routine monitoring at MalaCrypt company, a suspicious binary named malware.exe was found on a device. Initial checks of its hash values against threat intelligence platforms yielded no results, suggesting the attacker may have altered the malware to evade detection. As a security analyst, the next action is to investigate further using methods beyond hash-based detection, since attackers often make small modifications to a binary so that its hash no longer matches any known indicator and slips past initial security checks.
In this scenario, a suspicious binary was found on a corporate machine, but there are no traces indicating how it arrived there. As an analyst, your task is to determine what the binary does, how it operates, and why it is present.
Malware analysis plays a crucial role in such scenarios. It is the science and art of determining what a binary actually does, not what it pretends to do. While it can address nearly any question about a specific binary, the process is often time-intensive. Therefore, initial steps, referred to as basic analysis, are typically carried out to determine whether the binary is malicious. If the preliminary analysis suggests potential malicious behavior, a comprehensive analysis, referred to as advanced analysis, is then conducted to reveal the binary's full capabilities.
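The following is an added example, not part of the original scenario or any MalaCrypt tooling. It illustrates two points from the text above: why a hash lookup fails once an attacker changes even one byte of a binary, and how a basic static check (extracting printable strings, as the `strings` tool does) still surfaces the same indicators from the modified copy. The byte sequence, the URL, the path and the API name inside it are constructed sample data, not taken from malware.exe.

```python
import hashlib
import re

# Constructed stand-in for a binary: a short "MZ" header, padding, and a few
# embedded ASCII strings of the kind basic static analysis looks for.
# This is fabricated sample data, not the page's malware.exe.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"http://example.invalid/update\x00"
    + b"\x90" * 16
    + b"C:\\Users\\Public\\run.bat\x00"
    + b"\x00" * 8
    + b"InternetOpenUrlA\x00"
)

# The same sample with a single padding byte changed, mimicking the kind of
# trivial edit that is enough to invalidate every known-bad hash for the file.
_patched = bytearray(SAMPLE)
_patched[10] = 0x41
PATCHED = bytes(_patched)


def compute_hashes(data: bytes) -> dict:
    """Return the digests usually submitted to threat-intelligence lookups."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic the `strings` tool: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def hashes_match(a: bytes, b: bytes) -> bool:
    """True only when every digest agrees, i.e. the files are byte-identical."""
    return compute_hashes(a) == compute_hashes(b)


def shared_indicators(a: bytes, b: bytes) -> list:
    """Strings present in both samples; these survive byte-level tampering that hashes do not."""
    return sorted(set(extract_strings(a)) & set(extract_strings(b)))


if __name__ == "__main__":
    # A one-byte change defeats hash matching entirely...
    print("hashes identical:", hashes_match(SAMPLE, PATCHED))
    for name, value in compute_hashes(PATCHED).items():
        print(f"  {name}: {value}")
    # ...yet the strings an analyst would pivot on are unchanged.
    print("indicators shared by both copies:")
    for s in shared_indicators(SAMPLE, PATCHED):
        print("  ", s)
```

Running the script shows all three digests of the patched copy differ from the original while the extracted URL, file path and API name are identical in both, which is why the analysis continues with static and dynamic techniques rather than stopping at a failed hash lookup.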
A typical malware analysis process can be divided into four stages, as shown in the image below.