Define Malware Analysis

  • Release version: Zurich
  • Updated July 31, 2025
  • 5 minutes to read

    Define a malware analysis record that captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click the Threat Intel Library icon on the workspace.
    3. Go to the Malware Analysis object.
    4. Click New.
      Note:
      Whenever you create a new object record for an observable, indicator, entity or object, a source record is created, a prompt message confirms that the new object record was created, and you are then redirected to the aggregated record.
    5. On the form, fill in the fields.
      Table 1. Malware Analysis Details view
      Field: Description
      ID: Unique ID to identify the malware analysis.
      Product: The name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-".

        For cases where the name of a product cannot be specified, a value of anonymized must be used.

      Version: The version of the analysis product that was used to perform the analysis.
      Host VM: A description of the virtual machine environment used to host the guest operating system, if applicable, that was used for the dynamic analysis of the malware instance or family.

        If this value is not included in conjunction with the operating_system_ref property, the dynamic analysis may have been performed on bare metal (that is, without virtualization) or the information was redacted.

        The value of this property MUST be the identifier for a SCO software object.

      Operating System: The operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal.

        The value of this property MUST be the identifier for a SCO software object.

      Configuration Version: The alternative names used to identify this malware or malware family.
      Modules: The specific analysis modules that were used and configured in the product during this analysis run.
      Analysis Engine Version: The version of the analysis engine or product (including AV engines) that was used to perform the analysis.
      Analysis Definition Version: The version of the analysis definitions used by the analysis tool, including AV tools.
      Analysis Started: The date and time that the malware analysis was initiated.
      Analysis Ended: The date and time that the malware analysis ended.
      Result: The classification result as determined by the scanner or tool analysis process.
      Result Name: The classification result or name assigned to the malware instance by the scanner tool.
      Submitted: The date and time that the malware was first submitted for scanning or analysis. This value stays constant while the scanned date can change, for example when the malware was submitted to a virus analysis tool.
      Analysed Observable: Select the observable that was analysed.
      TLP: TLP is used to ensure that sensitive information is shared with the appropriate audience. It employs four colors (White, Green, Amber, and Red) to indicate different degrees of sensitivity.
      Confidence: Enter the confidence for this malware analysis.
      Source: Specifies the threat source from which this object record is created.
      Revoked: Indicates that the object has been revoked and is no longer considered valid by the object creator.
      Table 2. Insights
      Field: Description
      Notes: Add any additional notes for the malware family record.
      Table 3. Additional Information
      Field: Description
      Additional Context: Add any additional context for this malware record.
      Spec Version: The version of the STIX specification used to represent this object.

        The value of this property must be 2.1 for STIX Objects defined according to this specification.

      Lang: This property identifies the language of the text content in this object.
      Created Time In Source: Specifies the time the object was created in the source.
      Extensions: Indicates the extensions of the attack pattern.
      Modified Time in Source: Specifies the time the object was modified in the source.
      Processing Status: Represents the processing status of this object.
      Created: Specifies the date and time when the object was created in the source.
      Updated: Specifies the date and time when the object was updated in the source.
      Created By Ref: This property specifies the identity object that describes the entity that created this object.
    6. Click Save.
      After you save, a prompt message is displayed indicating that a new observable record is created. Click Continue to edit the record and create new relationships.
    7. Click Continue.
      Important:
      After you create a new observable record, the Prevent System Updates check box is displayed.

      Select this check box to prevent any updates from the system after the observable, indicator or STIX object records are created.

      Table 4. Tags & Taxonomies
      Field: Description
      Tags
      Select Tags: Select the tags that are associated with the malware.
      Add Tags: Add new tags.
      Taxonomies
      Select Taxonomy: Select a taxonomy that is associated with the malware.
      Add Taxonomy Values: Add taxonomy values that are associated with the malware.
    8. If you want to delete any record, select Delete to delete the aggregated record.

      When you select this action, it removes all the related records, except the original source data, and triggers re-aggregation.

      Note:
      A confirmation message appears to verify that you want to delete the aggregated record. If you also want to delete the source records and prevent re-aggregation, select the Delete Source Records check box. This action removes all the associated source records.
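The fields in Table 1 and Table 3 map onto the properties of a STIX 2.1 malware-analysis object, and the rules stated there (lowercase dash-separated product name or "anonymized", spec version 2.1, Host VM and Operating System referencing a software SCO, start and end times) are the ones a feed consumer should check before accepting a record. The following is an added example, not ServiceNow code and not part of this page: it builds a small STIX 2.1 bundle with constructed values (the product name "example-sandbox", the hypervisor and guest OS names, the file name and timestamps are all invented) and validates the analysis object against those rules plus the STIX 2.1 requirement that a malware-analysis object carries either a result or analysed observable references.

```python
"""Build and validate a STIX 2.1 malware-analysis object.

Added example, not ServiceNow code. All sample values below are constructed;
the validation rules encode the constraints stated in the field table.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone

# STIX 2.1 malware-result-ov vocabulary for the "result" property.
RESULT_VALUES = {"malicious", "suspicious", "benign", "unknown"}
# Product names: lowercase words separated by "-" (the table's SHOULD rule).
PRODUCT_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")


def stix_id(obj_type: str) -> str:
    """STIX identifiers are '<type>--<uuid>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamp: UTC, ISO 8601, millisecond precision, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def software_sco(name: str, version: str = "") -> dict:
    """Minimal software SCO, the only valid target for host_vm_ref / operating_system_ref."""
    sco = {"type": "software", "spec_version": "2.1", "id": stix_id("software"), "name": name}
    if version:
        sco["version"] = version
    return sco


def validate_malware_analysis(obj: dict, bundle_objects: list) -> list:
    """Return the list of rule violations; an empty list means the object is acceptable."""
    errors = []
    by_id = {o["id"]: o for o in bundle_objects}
    if obj.get("type") != "malware-analysis":
        errors.append("type must be malware-analysis")
    if obj.get("spec_version") != "2.1":
        errors.append("spec_version must be 2.1")
    product = obj.get("product", "")
    if product != "anonymized" and not PRODUCT_RE.match(product):
        errors.append(f"product {product!r} should be lowercase words joined by '-' or 'anonymized'")
    # Host VM and OS must resolve to a software SCO that is present in the bundle.
    for ref_name in ("host_vm_ref", "operating_system_ref"):
        ref = obj.get(ref_name)
        if ref is not None and by_id.get(ref, {}).get("type") != "software":
            errors.append(f"{ref_name} must reference a software SCO in the bundle")
    # STIX 2.1: at least one of result / analysis_sco_refs must be present.
    if "result" not in obj and not obj.get("analysis_sco_refs"):
        errors.append("either result or analysis_sco_refs must be present")
    if "result" in obj and obj["result"] not in RESULT_VALUES:
        errors.append(f"result {obj['result']!r} is not in the malware-result vocabulary")
    # Fixed-width UTC timestamps compare correctly as strings.
    started, ended = obj.get("analysis_started"), obj.get("analysis_ended")
    if started and ended and started > ended:
        errors.append("analysis_started must not be later than analysis_ended")
    return errors


def build_example_bundle() -> dict:
    """Constructed sample: one dynamic analysis run of a file inside a VM."""
    host_vm = software_sco("example-hypervisor", "7.0")  # hypothetical hypervisor
    guest_os = software_sco("example-guest-os", "22H2")  # hypothetical guest OS
    sample = {"type": "file", "spec_version": "2.1", "id": stix_id("file"), "name": "sample.exe"}
    now = datetime(2025, 7, 31, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    analysis = {
        "type": "malware-analysis",
        "spec_version": "2.1",
        "id": stix_id("malware-analysis"),
        "created": stix_timestamp(now),
        "modified": stix_timestamp(now),
        "product": "example-sandbox",  # hypothetical product name
        "version": "1.2.0",
        "host_vm_ref": host_vm["id"],
        "operating_system_ref": guest_os["id"],
        "modules": ["static", "network"],
        "analysis_engine_version": "1.2.0",
        "analysis_definition_version": "2025-07-30",
        "submitted": stix_timestamp(now - timedelta(hours=2)),
        "analysis_started": stix_timestamp(now - timedelta(hours=1)),
        "analysis_ended": stix_timestamp(now),
        "result": "malicious",
        "result_name": "Example.Generic",  # constructed classification label
        "sample_ref": sample["id"],
    }
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [host_vm, guest_os, sample, analysis]}


if __name__ == "__main__":
    bundle = build_example_bundle()
    analysis = next(o for o in bundle["objects"] if o["type"] == "malware-analysis")
    print("violations:", validate_malware_analysis(analysis, bundle["objects"]))
```

Run it to see an empty violation list for the constructed bundle; feeding it an object whose Host VM points at the file SCO, or whose product name is mixed case, returns the specific rule that failed, which is more useful in an import pipeline than a blanket rejection.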

    What to do next

    Click any of the following related lists to view additional information about objects associated with the malware.
    Table 5. Related Records
    Field: Description
    External References: Lists the external references which refer to non-STIX information. This property is used to provide one or more external object identifiers.
    Malware: Lists malware records associated with this object.
    Marketing Definitions: Lists the marketing definitions associated with this object.
    Observables: Lists the observables associated with this object.
    Sightings: Lists the sightings associated with this object.
    Note:
    1. You can link and unlink the related records associated with this object. For more information, see Link Threat Intel Related Records.
    2. The various SDOs within the TI library also contain potential relationships. To establish a relationship between any two objects, use the Potential Relationships link from the Threat Intel Library to confirm the relationship between the objects. For more information, see Confirm object-object potential relationships.
    3. You can also use the Related Records section on the object's form view to confirm the relationship between two objects, using the Potential Relationships section available there. For more information, see Confirm Potential Relationships from Related Records.
    4. You can add objects to cases. For more information, see Add to Case.