Does it beacon to a Command & Control (C2) server? Look for DNS queries to unusual domains.
Start by establishing the "fingerprint" of the file to ensure others can identify it regardless of the filename. 25863.rar File Size: [Insert Size, e.g., 450 KB] Hashes: MD5: [Insert MD5] SHA-256: [Insert SHA-256] Archive Type: RAR (Check for version, e.g., RAR5) 25863.rar
.pdf or .docx files that may contain exploits (e.g., Follina) or serve as a distraction while a payload runs in the background. 3. Static & Dynamic Analysis Does it beacon to a Command & Control (C2) server
Note if it spawns powershell.exe , cmd.exe , or regsvr32.exe . 4. Indicators of Compromise (IoCs) Summarize the "smoking guns" found during your analysis: Network: [IP Addresses / Domains] an Infostealer (e.g.
Block the identified C2 IPs at the firewall and delete the persistence mechanisms identified in Step 3.
Is it a Downloader (e.g., GuLoader), an Infostealer (e.g., RedLine), or Ransomware?
Does it create a registry key in HKCU\Software\Microsoft\Windows\CurrentVersion\Run or a Scheduled Task?