Q: 10
The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an
automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and
proceeds with behavioral analysis. What is the next step in the malware analysis process?
Options
Discussion
B tbh makes sense, since after behavioral analysis you'd typically want to unpack the specimen and dig into memory forensics to see any code or artifacts loaded in RAM. You get more insight before moving on to code-level static or dynamic analysis (A). That's the standard progression from what I've seen in Cisco-style guides. Pretty sure B is right, but open to comments if I missed something.
I think B since unpacking and memory forensics usually come right after initial behavioral analysis. You want to get a clean look at the sample and see what's in memory before diving into static analysis or cleanup. Seen this order in some Cisco practice sets, but open to corrections.
Option B fits Cisco's expected steps. Unpacking and memory forensics come right after behavioral analysis so you can get at artifacts that static/dynamic don’t catch up front. I think that's what they're aiming for here.
It's B here. After behavioral analysis in a sandbox, unpacking and memory forensics is next to dig deeper into what the malware is doing in memory. Pretty sure that's the Cisco workflow for this stuff, agree?
I see what you mean, but it's still B. Unpacking and memory forensics usually follow lab behavioral analysis in malware workflows.
It's B since unpacking and memory forensics follow up right after sandboxing in most analysis flows. Static or dynamic code review (A) usually comes after unpacking. Could be tripped up if you forget the order, but B fits Cisco's style.
Why wouldn’t unpacking and memory forensics (B) come before code analysis here? Analyzing packed or obfuscated malware statically (A) seems premature unless the specimen’s already been fully extracted. Seen Cisco stress this order in exam reports. Anyone see it asked another way?
Not another step-order trap, Cisco. B, since you need to unpack and grab memory artifacts before going deep with static or dynamic analysis. Seen similar on other Cisco practice tests, but happy to hear if anyone's seen it go differently.
B (A seems tempting but static analysis usually comes after unpacking and memory forensics).
B, not A. Unpack and memory forensics fits after behavioral stuff from what I remember.