Investigation: Malware Family Behavior Mapping
Draft
Level: Complex Platform Workflows
Goal: Build an ATT&CK and IOC profile for a malware family.
Real-Life Scenario
A new malware family appears in sandbox results and public reporting, and the analyst needs a behavior profile with ATT&CK mapping, IOCs, and rule context.
When To Use This
Use this workflow when the task spans multiple AdversaryGraph modules end to end and the output must remain traceable to the evidence that produced it.
Steps
- Collect report excerpts, hashes, sandbox behavior, YARA/Sigma hits, and existing IOCs.
- Import or sync sandbox behavior feeds.
- Enrich hashes in VirusTotal (VT) and review related files and domains.
- Pull Malpedia/ThreatFox/OTX context.
- Map observed behaviors to ATT&CK techniques.
- Separate static indicators from behavior evidence.
- Search actor profiles for malware aliases or related tooling.
- Create a malware-focused Navigator layer.
- Export IOC CSV/STIX and detection notes.
- Document gaps where behavior is inferred but not directly evidenced.
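The steps above, carried through as an added example that is not part of the AdversaryGraph workflow or platform code: a small Python script takes a list of constructed sandbox, report, and feed observations (the hash, domain, process lines, and source labels are all made up for the example), maps behavior text to ATT&CK technique IDs with a hypothetical keyword rule table, separates static indicators (hashes, domains, IPs) from behavior evidence while keeping every source label attached, marks techniques that rest only on inferred evidence as gaps, and emits a minimal Navigator layer and an IOC CSV. The Navigator output uses only a subset of the layer JSON fields (name, domain, versions, techniques with techniqueID/score/comment); a real export would fill in the remaining fields.

```python
import csv
import io
import json
import re

# Constructed observations for this example (not real samples, hashes, or reports).
# Every record carries its source label so evidence stays attached to each result.
OBSERVATIONS = [
    {"source": "sandbox:run-1", "evidence": "observed",
     "detail": "powershell.exe -nop -w hidden -enc <base64 blob>"},
    {"source": "sandbox:run-1", "evidence": "observed",
     "detail": "RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"source": "sandbox:run-1", "evidence": "observed",
     "detail": "HTTP POST to update.example.invalid/api/beacon"},
    {"source": "report:vendor-blog", "evidence": "inferred",
     "detail": "Reportedly encrypts user documents in later stages (not seen in sandbox)"},
    {"source": "report:vendor-blog", "evidence": "observed",
     "detail": "sha256 " + "a" * 64},   # placeholder hash, constructed
    {"source": "threatfox:export", "evidence": "observed",
     "detail": "c2 domain update.example.invalid"},
]

# Hypothetical keyword rules: behavior text -> ATT&CK technique (IDs and names are real).
TECHNIQUE_RULES = [
    (re.compile(r"powershell", re.I), "T1059.001", "Command and Scripting Interpreter: PowerShell"),
    (re.compile(r"currentversion\\run", re.I), "T1547.001",
     "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"),
    (re.compile(r"\bhttps?\b", re.I), "T1071.001", "Application Layer Protocol: Web Protocols"),
    (re.compile(r"encrypt", re.I), "T1486", "Data Encrypted for Impact"),
]

# Static indicator patterns; file names like powershell.exe are excluded from domains.
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+([a-z]{2,})\b", re.I)
FILE_SUFFIXES = {"exe", "dll", "ps1", "bat", "txt"}


def extract_indicators(detail):
    """Return (type, value) pairs for static indicators found in an observation."""
    found = [("sha256", m.group(0).lower()) for m in SHA256_RE.finditer(detail)]
    found += [("ipv4", m.group(0)) for m in IPV4_RE.finditer(detail)]
    for m in DOMAIN_RE.finditer(detail):
        if m.group(1).lower() not in FILE_SUFFIXES:
            found.append(("domain", m.group(0).lower()))
    return found


def map_behavior(detail):
    """Return (technique_id, name) pairs whose rule matches the behavior text."""
    return [(tid, name) for rx, tid, name in TECHNIQUE_RULES if rx.search(detail)]


def build_profile(observations):
    """Separate IOCs from behavior evidence and flag inferred-only techniques as gaps."""
    techniques, iocs = {}, {}
    for obs in observations:
        for ioc_type, value in extract_indicators(obs["detail"]):
            iocs.setdefault((ioc_type, value), set()).add(obs["source"])
        for tid, name in map_behavior(obs["detail"]):
            entry = techniques.setdefault(tid, {"name": name, "evidence": []})
            entry["evidence"].append(
                {"source": obs["source"], "level": obs["evidence"], "detail": obs["detail"]})
    for entry in techniques.values():
        entry["directly_evidenced"] = any(e["level"] == "observed" for e in entry["evidence"])
    gaps = sorted(tid for tid, e in techniques.items() if not e["directly_evidenced"])
    ioc_list = [{"type": t, "value": v, "sources": sorted(s)} for (t, v), s in sorted(iocs.items())]
    return {"techniques": techniques, "iocs": ioc_list, "gaps": gaps}


def to_navigator_layer(profile, family):
    """Minimal Navigator layer: score 2 = directly observed, 1 = inferred only."""
    return {
        "name": f"{family} behavior profile",
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},
        "techniques": [
            {"techniqueID": tid,
             "score": 2 if entry["directly_evidenced"] else 1,
             "comment": "; ".join(f"{e['source']} ({e['level']})" for e in entry["evidence"])}
            for tid, entry in sorted(profile["techniques"].items())],
    }


def iocs_to_csv(profile):
    """IOC export with the contributing sources kept on every row."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "value", "sources"])
    for ioc in profile["iocs"]:
        writer.writerow([ioc["type"], ioc["value"], "|".join(ioc["sources"])])
    return buf.getvalue()


def gap_notes(profile):
    """Human-readable caveats for techniques that are inferred but not directly evidenced."""
    notes = []
    for tid in profile["gaps"]:
        entry = profile["techniques"][tid]
        sources = ", ".join(sorted({e["source"] for e in entry["evidence"]}))
        notes.append(f"{tid} ({entry['name']}): inferred from {sources}; no direct behavioral evidence")
    return notes


if __name__ == "__main__":
    prof = build_profile(OBSERVATIONS)
    print(json.dumps(to_navigator_layer(prof, "ExampleFamily"), indent=2))
    print(iocs_to_csv(prof))
    print("\n".join(gap_notes(prof)))
```

The domain indicator is reported once with both its sandbox and ThreatFox sources merged, and the hash contributes no technique at all, which is the point of keeping static indicators apart from behavior evidence. The encryption claim from the blog post lands in the gap list rather than being silently promoted to a mapped technique.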
Expected Result
Malware behavior profile with TTP mapping, IOCs, rules, and evidence caveats.
Review Notes
- Keep source labels and evidence attached to every accepted result.
- Treat actor matches, enrichment hits, and matrix overlap as analytical signals until corroborated.
- Export only reviewed findings for customer, SOC, detection engineering, or executive use.
Platform Areas Used
- Operations / Pipeline
- AI Analysis
- ATT&CK Group Library
- IOC Library
- VirusTotal / OTX / ThreatFox / Malpedia enrichment where configured
- Reference Sync
- Navigator matrix
- PDF, JSON, CSV, STIX, and Navigator exports as needed