Cyber Defense TacticsCyber Defense Tactics
© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Category: Threat-Specific · Level: Beginner · Free

Malware Triage Fundamentals

Basic procedures for initial malware analysis and containment when malware is detected on a system.

1-2 hours · 6 steps · 10 checklist items

Summary

Step-by-step guide for initial malware response, including isolation, basic analysis, and evidence collection.

Step-by-Step Procedure

1

Initial Detection Confirmation

Confirm the malware alert is a true positive.

Actions

Review the alert details from your security tool (EDR, AV, mail gateway, proxy)
Identify the file path, hash, and detection name
Check whether the file is known malware or a potentially unwanted program (PUP); a PUP verdict changes urgency, not the need to document
Determine whether the file was blocked before execution or actually ran; an executed sample drives everything that follows (scope, evidence, remediation)

Tools

EDR console, VirusTotal, malware databases
2

System Isolation

Isolate the affected system to prevent spread.

Actions

Use EDR to network-isolate the endpoint (preferred: the EDR channel stays open for remote collection)
If no EDR, disconnect from the network (disable the NIC or pull the cable; do not power off)
Do NOT power off the system: shutdown destroys volatile data (running processes, network connections, memory-resident malware)
Notify the user that the system has been isolated and that they must not reconnect or reboot it

Tips

  • Document the exact time of isolation (in UTC, or note the time zone)
  • If the user is remote, coordinate isolation carefully; once isolated you lose any remote-management path that is not the EDR channel
3

Basic Analysis

Gather initial information about the malware.

Actions

Collect file hashes (MD5, SHA1, SHA256) with a hashing utility; never run the file to inspect it
Look up the hashes on VirusTotal for detection names; upload the file itself only if policy allows, since uploaded samples are shared with other VirusTotal users and the attacker can see that their sample was submitted
Check the Authenticode signature and publisher (an unsigned binary claiming a well-known vendor is itself an indicator)
Identify how the malware arrived (email attachment, download, USB, lateral movement from another host)
Check for persistence mechanisms (Run/RunOnce keys, scheduled tasks, services, Startup folders, WMI subscriptions)

Tools

VirusTotal, file hash utilities, Autoruns, Process Explorer
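The analysis actions above, worked through on the isolated host in PowerShell. This is an added example, not a script from the Cyber Defense Tactics playbook: the sample path is an assumed placeholder to be replaced with the path from the alert, and the persistence check covers only the common autostart locations (Autoruns covers the rest). Nothing here executes the sample; it reads the file, its signature, and the registry.

```powershell
# Added example, not from the Cyber Defense Tactics playbook: static triage of a
# suspect file on the isolated Windows host (PowerShell 5.1+, elevated prompt).
# $SamplePath is an assumed placeholder; take the real path from the EDR alert.
# Everything below reads the file or the registry; nothing executes the sample.
$SamplePath = 'C:\Users\Public\update.exe'

# 1. Hashes for all three algorithms the playbook asks for.
$hashes = foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    Get-FileHash -Path $SamplePath -Algorithm $alg
}
$hashes | Format-Table Algorithm, Hash -AutoSize
# Look these up on VirusTotal by hash first; upload the file only if policy allows.

# 2. Authenticode signature and embedded version info. An unsigned or
#    HashMismatch binary that claims a well-known CompanyName is a red flag.
$sig  = Get-AuthenticodeSignature -FilePath $SamplePath
$info = (Get-Item -Path $SamplePath).VersionInfo
[pscustomobject]@{
    SignatureStatus = $sig.Status
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    CompanyName     = $info.CompanyName
    ProductName     = $info.ProductName
    OriginalName    = $info.OriginalFilename
} | Format-List

# 3. Quick persistence check: is the sample referenced from Run/RunOnce keys,
#    scheduled tasks, or services, and what sits in the Startup folders?
#    Autoruns covers far more (WMI subscriptions, COM hijacks, drivers).
$name = [IO.Path]::GetFileName($SamplePath)
$hits = New-Object System.Collections.Generic.List[object]

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # Skip the PS* metadata properties PowerShell adds to registry objects
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -like "*$name*") {
            $hits.Add([pscustomobject]@{ Type = 'RunKey'; Where = "$key\$($p.Name)"; Command = "$($p.Value)" })
        }
    }
}

foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -like "*$name*") {
            $hits.Add([pscustomobject]@{ Type = 'ScheduledTask'; Where = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd })
        }
    }
}

foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -like "*$name*") {
        $hits.Add([pscustomobject]@{ Type = 'Service'; Where = $svc.Name; Command = $svc.PathName })
    }
}

# Startup folders are listed in full: any unexpected entry there is a finding.
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hits.Add([pscustomobject]@{ Type = 'StartupFolder'; Where = $_.FullName; Command = $_.Name })
    }
}

if ($hits.Count) { $hits | Format-Table -AutoSize }
else { 'No reference to the sample in Run keys, tasks, or services; run Autoruns before concluding there is no persistence.' }
```

Record the three hashes and the signature status in the incident ticket before moving on; the scope search in the next step keys off them, and a remediation that removes the file but not the Run key or task found here will be undone at the next logon.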
4

Scope Assessment

Determine if other systems are affected.

Actions

Search the EDR for the same file hash across the environment; also search by file name and path, since a rebuilt or polymorphic sample changes its hash
Check network, proxy, and DNS logs for communication with known C2 addresses and domains
Search for related IOCs (IPs, domains, file names, mutexes, registry keys) across all hosts
Identify lateral movement indicators (new logons from the infected host, remote service creation, admin-share access)
5

Evidence Collection

Preserve evidence for deeper analysis.

Actions

Capture a memory dump if possible, before any other collection step changes system state
Collect the malware sample securely (copy, do not move, so the original stays in place for imaging)
Export relevant logs (Windows System, Application, Security, and PowerShell logs, plus EDR telemetry)
Capture running processes and network connections: a screenshot is the minimum, an export with command lines and owning processes is better

Tools

FTK Imager, WinPmem, event log export

Tips

  • Store evidence on write-protected media and record a hash of each item at collection time
  • Maintain chain of custody documentation (who collected what, when, from which host, and who has held it since)
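The evidence collection step, worked through in PowerShell as an added example that is not part of the playbook. The case number, evidence path, and sample path are assumed placeholders. It captures the volatile state first (processes with command lines and image hashes, TCP/UDP endpoints with owning process), exports event logs in native .evtx, copies the sample, and writes a chain-of-custody manifest with a SHA256 for every collected file. Memory capture is left to WinPmem or FTK Imager as the playbook says, and it must run before this script, because everything here changes the system.

```powershell
# Added example, not from the Cyber Defense Tactics playbook: a first-response
# evidence snapshot on an isolated Windows host (PowerShell 5.1+, elevated).
# $Case, $Out and $SamplePath are assumed placeholders. Take the memory image
# with WinPmem or FTK Imager BEFORE running this: every step below changes
# the system (new process, new files, new handles).
$Case       = 'IR-0001'
$SamplePath = 'C:\Users\Public\update.exe'      # path from the alert
$Stamp      = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$Out        = "E:\evidence\$Case\$($env:COMPUTERNAME)_$Stamp"   # removable evidence drive
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Volatile state first: processes with parent, command line and image hash.
#    The hash lets you match each running image against the sample's hashes.
Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine,
        @{ n = 'SHA256'; e = {
            if ($_.ExecutablePath -and (Test-Path $_.ExecutablePath)) {
                (Get-FileHash -Path $_.ExecutablePath -Algorithm SHA256).Hash } } } |
    Export-Csv -Path "$Out\processes.csv" -NoTypeInformation

# 2. Network connections with the owning process (Windows 8 / Server 2012 and later).
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Export-Csv -Path "$Out\net_tcp.csv" -NoTypeInformation
Get-NetUDPEndpoint |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Export-Csv -Path "$Out\net_udp.csv" -NoTypeInformation

# 3. Event logs in native .evtx so record metadata survives (Security needs admin).
#    Only logs that exist on this host are exported; Sysmon may not be installed.
$available = wevtutil el
foreach ($log in 'System', 'Application', 'Security',
                 'Microsoft-Windows-PowerShell/Operational',
                 'Microsoft-Windows-Sysmon/Operational') {
    if ($available -contains $log) {
        wevtutil epl $log (Join-Path $Out (($log -replace '[\\/]', '_') + '.evtx'))
    }
}

# 4. The sample: copied, not moved, so the original stays where it was found
#    for later imaging. Wrap the copy with 7-Zip (-pinfected) before it leaves
#    the evidence drive, or the next AV scanner to see it will quarantine it.
Copy-Item -Path $SamplePath -Destination "$Out\sample.bin" -ErrorAction SilentlyContinue

# 5. Chain-of-custody manifest: who collected which file, when, and its hash.
$manifest = Get-ChildItem -Path $Out -File | ForEach-Object {
    [pscustomobject]@{
        Case         = $Case
        Host         = $env:COMPUTERNAME
        Collector    = "$env:USERDOMAIN\$env:USERNAME"
        CollectedUtc = $Stamp
        File         = $_.Name
        Bytes        = $_.Length
        SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}
$manifest | Export-Csv -Path "$Out\MANIFEST.csv" -NoTypeInformation
$manifest | Format-Table File, Bytes, SHA256 -AutoSize
```

The manifest cannot contain its own hash, so compute the SHA256 of MANIFEST.csv once it is written and record it in the case notes, then flip the media's write-protect switch. Anyone who later handles the drive verifies against that one value.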
6

Remediation

Remove the malware and restore normal operations.

Actions

Use EDR/AV to remove or quarantine the malware
Remove the persistence mechanisms found during analysis (removing the file alone leaves a Run key or task that fails or re-downloads at next logon)
Check for and remove any dropped files (files created around the same time, by the same process, or in the same directory)
Verify system integrity (full AV scan, Autoruns compared against a known-good baseline, no remaining C2 connections)
Restore from a clean backup or reimage if the malware executed and integrity cannot be verified
Gradually restore network access while monitoring the host for renewed C2 traffic

Completion Checklist

Alert verified as true positive
System isolated from network
File hash and basic details collected
VirusTotal/malware analysis completed
Scope assessed across environment
Evidence preserved
Malware removed/quarantined
Persistence mechanisms removed
System returned to service
Incident documented

Evidence to Collect

  • Malware sample (password-protected ZIP; "infected" is the conventional password so it is never run by accident)
  • File hashes (MD5, SHA1, SHA256)
  • Memory dump
  • System event logs
  • Network connection logs
  • Process listing at time of detection

Related Playbooks

Phishing Response Basics, Endpoint Forensics
