When you recover a suspicious file, you need to know what it does — without infecting yourself. Triage safely with static and dynamic analysis in an isolated lab.
Why: analyzing malware carelessly can infect your own systems or tip off the attacker, so it is done only in an isolated, disposable lab with no path to production or the internet. When: build the safe environment before touching a live sample. Where: an isolated VM you can snapshot and revert is the standard; never run unknown samples on your workstation.
SAFE malware lab (build it BEFORE handling a sample):
- isolated VM, host-only network (no bridge to real networks)
- snapshot before detonation -> revert after
- no shared folders / clipboard with the host
- handle samples in a password-protected zip; never double-click blindly
- a fake-services box (INetSim) to satisfy network calls without real egress
Careless analysis = self-infection or alerting the adversary.Why: static analysis examines a file without running it — hashes, strings, embedded indicators, and structure — which is safe and often reveals a lot (URLs, capabilities, whether it is already known-bad). When: start here; check the hash against threat-intel before anything else. Where: static analysis gives leads and indicators of compromise (IOCs) with zero risk of detonation.
# Static triage (does NOT run the sample):
sha256sum sample.bin # hash -> look up on VirusTotal
strings -n 8 sample.bin | less # URLs, IPs, commands, error msgs
file sample.bin # type/format
# PE structure + imports (Windows): pefile / PEiD / capa (capabilities)
# A known hash on VirusTotal may end the triage right there.Why: some behavior only appears at runtime, so dynamic analysis detonates the sample in the isolated lab and observes what it does — files created, registry/persistence set, network callbacks — extracting indicators to hunt for elsewhere. When: detonate only in the safe lab, capturing behavior; automated sandboxes (Cuckoo, any.run) do this at scale. Where: the IOCs you extract (hashes, domains, IPs, file paths) become detections and sweep queries across the environment.
DYNAMIC analysis (detonate in the ISOLATED lab, snapshot first):
watch: processes spawned, files written, registry/persistence changes,
network connections (C2 domains/IPs)
tools: Procmon + Wireshark, or a sandbox (Cuckoo, any.run, Joe Sandbox)
Extract IOCs -> hunt them everywhere:
file hashes, domains, IPs, mutexes, file paths, persistence keys
-> turn into detections + sweep the estate for other infected hosts.