Malware Analysis Tool Output

Interpreting Results from Security Analysis Tools


Types of Malware Analysis

SOC analysts use different analysis approaches depending on time constraints and required depth of understanding.

Static Analysis

Examining a sample without executing it: file hashes, strings, imports, PE headers.

Dynamic Analysis

Running malware in a sandbox to observe behavior: network, files, registry, processes.

Memory Analysis

Examining RAM for injected code, unpacked payloads, encryption keys.

Reverse Engineering

Disassembly and decompilation to understand exact functionality.

When to Use Each Type

  • Static (Minutes): Initial triage, hash lookup, quick IOC extraction
  • Dynamic (30min-2hrs): Behavior analysis, C2 identification, sandbox reports
  • Memory (1-4hrs): Fileless malware, packed samples, runtime decryption
  • Reverse (Days-Weeks): Attribution, custom decryptors, detailed reports

Understanding Tool Output

Learn to interpret output from common malware analysis tools used by SOC analysts.

VirusTotal Results

Static Analysis
SHA256: a1b2c3d4e5f6789...
File name: invoice_2024.exe
File type: Win32 EXE
File size: 247.5 KB

Detection: 54/72 security vendors flagged this file as malicious

Popular threat labels:
- Trojan.GenericKD.46892341
- Win32/Emotet.AV
- Trojan.Downloader

// High detection rate + Emotet label = known banking trojan family

Strings Analysis

Static Analysis
$ strings -n 8 suspicious.exe | grep -i http

http://185.234.72.84/gate.php // C2 callback URL
http://update-service.xyz/config // Suspicious domain

$ strings suspicious.exe | grep -i password
GetPasswordFromBrowser // Credential stealing function
ChromePasswordDecrypt

$ strings suspicious.exe | grep -i registry
SOFTWARE\Microsoft\Windows\CurrentVersion\Run // Persistence!

Sandbox Report (Dynamic)

Behavioral Analysis
[PROCESS] invoice_2024.exe spawned cmd.exe
[PROCESS] cmd.exe spawned powershell.exe

[FILE] Created: C:\Users\Public\svchost.exe // Masquerading!
[FILE] Modified: C:\Windows\System32\drivers\etc\hosts

[REGISTRY] Set value: HKCU\...\Run\WindowsUpdate = C:\Users\Public\svchost.exe

[NETWORK] DNS query: update-service.xyz
[NETWORK] HTTP POST to 185.234.72.84:443 (encrypted)
[NETWORK] Exfiltrated 2.3 MB to external IP

// Verdict: Trojan with persistence, C2 communication, and data exfiltration

Volatility Memory Analysis

Memory Forensics
$ vol.py -f memdump.raw --profile=Win10x64 malfind

Process: explorer.exe PID: 4892
VAD Tag: VadS Protection: PAGE_EXECUTE_READWRITE // Suspicious!
Flags: CommitCharge: 3

0x7ff600000000 4d 5a 90 00 03 00 00 00 MZ...... // Injected PE!
0x7ff600000008 04 00 00 00 ff ff 00 00 ........

// MZ header in memory of explorer.exe = code injection detected

$ vol.py -f memdump.raw --profile=Win10x64 netscan
TCP 10.0.0.50:49234 -> 185.234.72.84:443 ESTABLISHED explorer.exe
// Suspicious outbound connection from injected process
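As an added example, not part of the original page or of Volatility itself, the following Python applies the two malfind signals discussed above (an RWX protection and an MZ header at the region base) to a constructed memory region. It follows the e_lfanew pointer to the PE signature instead of trusting the two MZ bytes alone, which removes regions that merely happen to start with 0x4d 0x5a. The region bytes and the function names are constructed for illustration.

```python
import struct

RWX = "PAGE_EXECUTE_READWRITE"

def build_fake_pe():
    """Constructed 256-byte region shaped like the start of an injected PE image (not real malware)."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"                               # DOS header magic, as in the malfind dump above
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew: offset of the PE header
    buf[0x80:0x84] = b"PE\0\0"                     # PE signature
    struct.pack_into("<HH", buf, 0x84, 0x8664, 3)  # COFF header: Machine=x64, NumberOfSections=3
    return bytes(buf)

def looks_like_pe(region):
    """Return PE header facts if the region starts with a valid MZ -> PE chain, else None."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    # The two bytes 'MZ' can occur by chance; insist on the PE signature e_lfanew points to
    if e_lfanew + 8 > len(region) or region[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", region, e_lfanew + 4)
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsections}

def triage_vad(protection, region):
    """Combine the two malfind signals: RWX protection and a PE header at the region base."""
    pe = looks_like_pe(region)
    if protection == RWX and pe:
        return "HIGH: RWX region with injected PE header"
    if protection == RWX:
        return "MEDIUM: RWX region without PE header (possible shellcode)"
    if pe:
        return "MEDIUM: PE header in non-RWX private region"
    return "LOW: nothing notable"

if __name__ == "__main__":
    print(triage_vad(RWX, build_fake_pe()))        # HIGH: injected PE in RWX memory
    print(triage_vad(RWX, b"MZ" + bytes(0x3E)))    # MEDIUM: 'MZ' bytes but no PE signature
```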

Extracting IOCs from Analysis

After analysis, document all indicators for blocking, detection rules, and threat intel sharing.

IOC Type       Value                          Source             Severity
SHA256         a1b2c3d4e5f6789...             VT / Hash          HIGH
IP Address     185.234.72.84                  Sandbox / Memory   HIGH
Domain         update-service.xyz             Strings / DNS      HIGH
URL            /gate.php                      Strings            MEDIUM
File Path      C:\Users\Public\svchost.exe    Sandbox            HIGH
Registry Key   HKCU\...\Run\WindowsUpdate     Sandbox            MEDIUM

What to Do with IOCs

  • Block: Add IPs/domains to firewall and proxy blocklists
  • Detect: Create SIEM rules and EDR signatures
  • Hunt: Search historical logs for prior compromise
  • Share: Submit to threat intel platforms (MISP, ThreatConnect)
  • Document: Add to incident report and knowledge base

Red Flags in Analysis Output

  • High VT detection: >30/70 detections = confirmed malicious
  • PAGE_EXECUTE_READWRITE: Memory regions that are writable AND executable
  • MZ header in memory: PE file injected into process
  • svchost.exe wrong path: Real svchost lives in System32 only
  • Outbound POST: Data exfiltration pattern
  • Registry Run keys: Classic persistence mechanism
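To show how the IOC table and the red-flag rules above become a repeatable check, here is an added Python example (not code from this page or from any sandbox vendor) that parses report lines in the [KIND] format shown in the sandbox section, constructed inline, and emits typed IOCs with a severity and the reason each line is suspicious. Function and field names are mine.

```python
import re

# Constructed sample in the [KIND] sandbox-report format used on this page
SAMPLE_REPORT = r"""
[PROCESS] invoice_2024.exe spawned cmd.exe
[PROCESS] cmd.exe spawned powershell.exe
[FILE] Created: C:\Users\Public\svchost.exe
[FILE] Modified: C:\Windows\System32\drivers\etc\hosts
[REGISTRY] Set value: HKCU\...\Run\WindowsUpdate = C:\Users\Public\svchost.exe
[NETWORK] DNS query: update-service.xyz
[NETWORK] HTTP POST to 185.234.72.84:443 (encrypted)
"""

LINE_RE = re.compile(r"^\[(?P<kind>[A-Z]+)\]\s+(?P<body>.+)$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_report(text):
    """Yield (kind, body) for every well-formed [KIND] line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")

def extract_iocs(text):
    """Turn sandbox lines into typed IOCs, applying the red-flag rules from this page."""
    iocs = []
    for kind, body in parse_report(text):
        if kind == "FILE" and (m := re.match(r"Created:\s+(\S+)", body)):
            path = m.group(1)
            low = path.lower()
            sev, note = "MEDIUM", "dropped file"
            # Real svchost.exe lives under System32; any other location is masquerading
            if low.endswith("\\svchost.exe") and "\\system32\\" not in low:
                sev, note = "HIGH", "svchost.exe outside System32 (masquerading)"
            iocs.append({"type": "File Path", "value": path, "severity": sev, "note": note})
        elif kind == "REGISTRY" and (m := re.match(r"Set value:\s+(\S+)\s*=\s*(.+)", body)):
            key = m.group(1)
            note = "Run key persistence" if "\\run\\" in key.lower() else "registry write"
            iocs.append({"type": "Registry Key", "value": key, "severity": "MEDIUM", "note": note})
        elif kind == "NETWORK":
            if m := re.match(r"DNS query:\s+(\S+)", body):
                iocs.append({"type": "Domain", "value": m.group(1), "severity": "HIGH", "note": "C2 domain lookup"})
            elif m := re.match(r"HTTP POST to\s+" + IPV4 + r":(\d+)", body):
                iocs.append({"type": "IP Address", "value": m.group(1), "severity": "HIGH",
                             "note": f"outbound POST to port {m.group(2)} (exfiltration pattern)"})
    return iocs

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_REPORT):
        print(f"{ioc['type']:<13} {ioc['value']:<32} {ioc['severity']:<7} {ioc['note']}")
```

The output rows map directly onto the Block / Detect / Hunt actions listed above: HIGH entries go to blocklists and detection rules first, MEDIUM entries feed hunting queries.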

Malware Analysis Output Quiz

Test your understanding. You need 80% (4/5) to pass.

Q1. A VirusTotal scan shows 54/72 detections with "Emotet" labels. What does this indicate?
  • Confirmed malicious - known banking trojan family
  • Probably a false positive
  • Needs more analysis to determine
  • Safe to run in production

Q2. In Volatility output, you see "MZ header" inside explorer.exe memory. What does this indicate?
  • Normal Windows behavior
  • Corrupted memory
  • Code injection - a PE file was injected into the process
  • Memory leak

Q3. Strings analysis reveals "SOFTWARE\Microsoft\Windows\CurrentVersion\Run". This indicates:
  • Network communication
  • Persistence mechanism
  • Data encryption
  • Privilege escalation

Q4. A sandbox shows svchost.exe created in C:\Users\Public\. Why is this suspicious?
  • svchost.exe is always malicious
  • Public folder is read-only
  • The file is too small
  • Real svchost.exe only exists in System32

Q5. Which analysis type would you use FIRST when receiving a suspicious file?
  • Static analysis (hash lookup, strings)
  • Full reverse engineering
  • Run it on a production system
  • Memory analysis
