Refer to the exhibit.

An engineer is performing a static analysis on a malware and knows that it is capturing keys and webcam events on a company server. What is the indicator of compromise?

1. A. The malware is performing comprehensive fingerprinting of the host, including a processor, motherboard manufacturer, and connected removable storage.
2. B. The malware is a ransomware querying for installed anti-virus products and operating systems to encrypt and render unreadable until payment is made for file decryption.
3. C. The malware has moved to harvesting cookies and stored account information from major browsers and configuring a reverse proxy for intercepting network activity.
4. D. The malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval.

Correct Answer: B

An engineer is utilizing interactive behavior analysis to test malware in a sandbox environment to see how the malware performs when it is successfully executed. A location is secured to perform reverse engineering on a piece of malware. What is the next step the engineer should take to analyze this malware?

1. A. Run the program through a debugger to see the sequential actions
2. B. Unpack the file in a sandbox to see how it reacts
3. C. Research the malware online to see if there are noted findings
4. D. Disassemble the malware to understand how it was constructed

Correct Answer: C

Refer to the exhibit.

A security analyst needs to investigate a security incident involving several suspicious connections with a possible attacker. Which tool should the analyst use to identify the source IP of the offender?

1. A. packet sniffer
2. B. malware analysis
3. C. SIEM
4. D. firewall manager

Correct Answer: A

A threat actor attacked an organization’s Active Directory server from a remote location, and in a
thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The threat actor successfully accessed the first server that contained sales data, but no files were downloaded. A second server was also accessed that contained marketing information and 11 files were downloaded. When the threat actor accessed the third server that contained corporate financial data, the session was disconnected, and the administrator’s account was disabled. Which activity triggered the behavior analytics tool?

1. A. accessing the Active Directory server
2. B. accessing the server with financial data
3. C. accessing multiple servers
4. D. downloading more than 10 files

Correct Answer: C

A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a Powershell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?

1. A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
2. B. Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities
3. C. Review the server backup and identify server content and data criticality to assess the intrusion risk
4. D. Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious

Correct Answer: C