do I need to run the malware and run the query around the developed IOC

Just create an IOC around what the query is searching for, yes. no need to run actual malware