{"id":10467,"date":"2024-12-17T12:03:13","date_gmt":"2024-12-17T12:03:13","guid":{"rendered":"\/cybersecurity-blog\/?p=10467"},"modified":"2024-12-17T14:07:37","modified_gmt":"2024-12-17T14:07:37","slug":"windows-11-malware-sandbox","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/","title":{"rendered":"How to Set up a Windows 11 Malware Sandbox"},"content":{"rendered":"\n<p>As <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows-10-sandbox\/\">Windows 10<\/a> approaches its end-of-life (October 2025), organizations are facing the need to adjust their security infrastructure to be better aligned with Windows 11. A malware sandbox, an isolated environment for analyzing malicious files and URLs, is a key tool for this transition.<\/p>\n\n\n\n<p>Here are the benefits of deploying a Windows 11 sandbox and how you can do it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is a malware sandbox?<\/strong><\/h2>\n\n\n\n<p>A malware sandbox is an isolated virtual environment designed to safely analyze cyber threats by detonating, observing, and interacting with them.<\/p>\n\n\n\n<p>This controlled setting allows cybersecurity professionals to understand the behavior of malware post-infection, including file modifications, <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malicious-network-traffic\/\">network calls<\/a>, and registry changes.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>A malware sandbox helps organizations and individual researchers to:<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Safely explore malicious files and URLs to validate threat alerts or proactively identify cyber threats.<\/li>\n\n\n\n<li>Observe detonation of malware and phishing attacks in real time to see how they are carried out in a live system.<\/li>\n\n\n\n<li>Replicate specific network and system environments to assess the potential impact on the existing infrastructure.<\/li>\n\n\n\n<li>Extract indicators of compromise from malware samples to enhance threat detection capabilities.<\/li>\n\n\n\n<li>Intercept and analyze command and control communications to gather crucial IOCs.<\/li>\n\n\n\n<li>Study malware behavior in depth to uncover tactics, techniques, and procedures (TTPs) to respond to security incidents or prepare for future attacks more effectively.<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nAnalyze malware and phishing <br>in ANY.RUN&#8217;s <span class=\"highlight\">Windows 11 sandbox<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=windows_11&#038;utm_term=171224&#038;utm_content=linktodemo\" rel=\"noopener\" target=\"_blank\">\nGet a free trial\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Which sandbox to choose? Built-in, on-premises, cloud-based<\/h2>\n\n\n\n<p>When it comes to choosing your sandbox, there are several options you can consider. Let\u2019s focus on the three main ones.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Built-In Sandbox Feature Included with Windows 11<\/strong><\/h3>\n\n\n\n<p>Windows 11 provides built-in sandbox functionality completely for free. This tool works well for quick checks, such as opening malicious links received via phishing emails or downloading and running suspicious files.<\/p>\n\n\n\n<p>A limitation of this type of sandbox is its inability to provide verdicts on detonated malicious content or log system and network activities. This can make it difficult to accurately assess the threat level of evasive and complex malware. There are also no reports generated after the analysis.<\/p>\n\n\n\n<p>These aspects make the built-in Windows sandbox an unsuitable option for professional use.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">On-premises Windows 11 Sandbox<\/h3>\n\n\n\n<p>For more advanced analysis, organizations can opt for building their own sandbox environment, configured to their specific needs. Virtualization software like VirtualBox can be used here. Yet, this approach is generally recommended only if you need to reverse-engineer malware source code or analyze it with custom tools.<\/p>\n\n\n\n<p>There are also a several things to take into consideration:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Complex Setup<\/strong>: Requires technical expertise to set up and configure.<\/li>\n\n\n\n<li><strong>Potential Risks<\/strong>: Misconfiguration can lead to malware escaping the sandbox and infecting the host system.<\/li>\n\n\n\n<li><strong>Resource-Intensive<\/strong>: Can be demanding on system resources.<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/\">Check out this guide on how to set up your own sandbox environment<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cloud Malware Sandbox with Windows 11 Support<\/h3>\n\n\n\n<p>For professional malware analysis, a cloud sandbox is the best choice. These services offer all the benefits of virtualization software but with much less tinkering and setup, making it easier to gather deep insights. There\u2019s also no chance to misconfigure something and let the malware escape the sandbox\u2019s confines and infect the host.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows_11&amp;utm_term=171224&amp;utm_content=linktolanding\">The ANY.RUN sandbox<\/a> is a tool that lets you configure and deploy a <a href=\"https:\/\/any.run\/cybersecurity-blog\/interactive-malware-sandbox\/\">fully-interactive Windows 11 environment<\/a> in seconds. It also provides you with the ability to engage with the system just like on a standard computer: launch programs, download attachments, browse web pages, and type.<\/p>\n\n\n\n<p>Some malware families may rely on specific tools and mechanisms present in certain OS versions; running them on the wrong version may not trigger their malicious actions. That is why, apart from Windows 11, ANY.RUN provides other operating systems, including Windows 7, 10, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-in-anyrun\/\">Ubuntu<\/a>, letting you switch between them with ease.<\/p>\n\n\n\n<p><strong>Benefits of ANY.RUN&#8217;s Interactive Sandbox<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Quick and Easy Setup:<\/strong> Simply upload your file or link and start the analysis process in seconds.<\/li>\n\n\n\n<li><strong>Real-time Insights:<\/strong> Get an in-depth view of malicious activities, including network events, registry changes, dropped files, script execution, as they occur.<\/li>\n\n\n\n<li><strong>Interactivity:<\/strong> Perform user actions and see how threats respond in a live system.<\/li>\n\n\n\n<li><strong>Comprehensive Reporting<\/strong>: Collect detailed reports on analysis results, such as <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\">indicators of compromise<\/a> (IOCs), malware families config info, and other actionable info.<\/li>\n\n\n\n<li><strong>VM Customization<\/strong>: Configure VM settings, enabling custom VPN, <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitm-proxy-fake-net\/\">MITM Proxy, FakeNet<\/a>, and other features for targeted investigations.<\/li>\n\n\n\n<li><strong>Privacy Control<\/strong>: Choose between public and private analysis based on data sensitivity.<\/li>\n\n\n\n<li><strong>Team Management<\/strong>: Invite, manage, and remove team members, with options for temporary access and productivity tracking.<\/li>\n<\/ul>\n\n\n\n<!-- CTA Split START -->\n<div class=\"cta-split\">\n<div class=\"cta__split-left\">\n\n<!-- Image -->\n<img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/mcusercontent.com\/663b94f19348582a8dc323efe\/images\/0d88188b-3e89-2314-5a60-cb87e8077326.png\" alt=\"Learn to analyze malware in a sandbox\" class=\"cta__split-icon\" \/>\n<\/div>\n\n<div class=\"cta__split-right\">\n<div>\n\n<!-- Heading -->\n<h3 class=\"cta__split-heading\"><br>Learn to analyze cyber threats<\/h3>\n\n<!-- Text -->\n<p class=\"cta__split-text\">\nSee a detailed guide to using ANY.RUN&#8217;s <span class=\"highlight\">Interactive Sandbox<\/span> for malware and phishing analysis\n<br \/>\n<br \/>\n<\/p>\n<\/div>\n<!-- CTA Link -->\n<a target=\"_blank\" rel=\"noopener\" id=\"article-banner-split\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-in-a-sandbox\/\"><div class=\"cta__split-link\">Read full guide<\/div><\/a>\n<\/div>\n<\/div>\n<!-- CTA Split END -->\n<!-- CTA Split Styles START -->\n<style>\n.cta-split {\noverflow: hidden;\nmargin: 3rem 0;\ndisplay: grid;\njustify-items: center;\nborder-radius: 0.5rem;\nwidth: 100%;\nmin-height: 25rem;\ngrid-template-columns: repeat(2, 1fr);\nborder: 1px solid rgba(75, 174, 227, 0.32);\nfont-family: 'Catamaran Bold';\n}\n\n.cta__split-left {\ndisplay: flex;\nalign-items: center;\njustify-content: center;\nheight: 100%;\nwidth: 100%;\nbackground-color: #161c59;\nbackground-position: center center;\nbackground: rgba(32, 168, 241, 0.1);\n}\n\n.cta__split-icon { \nwidth: 100%;\nheight: auto;\nobject-fit: contain;\nmax-width: 100%;\n}\n\n.cta__split-right {\ndisplay: flex;\nflex-direction: column;\njustify-content: space-between;\npadding: 2rem;\n}\n\n.cta__split-heading { font-size: 1.5rem; }\n\n.cta__split-text {\nmargin-top: 1rem;\nfont-family: Lato, Roboto, sans-serif;\n}\n\n.cta__split-link {\npadding: 0.5rem 1rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: white;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\ndisplay: block;\nz-index: 1000;\nposition: relative;\ncursor: pointer !important;\n}\n\n.cta__split-link:hover {\nbackground-color: #68CBFF;\ncolor: white;\ncursor: pointer;\n}\n\n.highlight { color: #ea2526;}\n\n\n\/* Mobile styles START *\/\n@media only screen and (max-width: 768px) {\n\n.cta-split {\ngrid-template-columns: 1fr;\nmin-height: auto;\n}\n\n.cta__split-left {\nheight: auto;\nmin-height: 10rem;\n}\n\n\n.cta__split-left, .cta__split-right {\nheight: auto;\n}\n\n.cta__split-heading { font-size: 1.2rem; }\n\n.cta__split-text { font-size: 1rem; }\n.cta__split-icon {\nmax-height: auto;\nobject-fit: cover;\n}\n\n}\n\/* Mobile styles END *\/\n<\/style>\n<!-- CTA Split Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">How to Set up a Windows 11 Sandbox<\/h2>\n\n\n\n<p>Let\u2019s demonstrate how you can quickly get started with ANY.RUN\u2019s Interactive Sandbox.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Upload a Sample<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4-1024x576.png\" alt=\"\" class=\"wp-image-10470\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4-740x416.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-4.png 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN home screen lets you quickly upload your sample<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>First, <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows_11&amp;utm_term=171224&amp;utm_content=linktoregistration#register\/\">create an account or log in<\/a> and choose your upload option: a file or URL.<\/p>\n\n\n\n<p>As an example, let\u2019s upload a .bin file to the service.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Configure the VM<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"794\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3-1024x794.png\" alt=\"\" class=\"wp-image-10471\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3-1024x794.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3-300x233.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3-768x595.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3-370x287.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3-270x209.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3-385x300.png 385w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3-740x574.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-3.png 1259w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN allows you configure your analysis system<\/em> <em>for each session<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Once we submit the sample, we\u2019ll be able to customize the analysis environment to fit our needs. Check out the <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-in-a-sandbox\/\">ultimate guide to the ANY.RUN sandbox<\/a> to learn more about the features available in the setup window.<\/p>\n\n\n\n<p>For now, let\u2019s select Windows 11 from the list of operating systems, set the <a href=\"https:\/\/any.run\/cybersecurity-blog\/privacy-features\/\" target=\"_blank\" rel=\"noreferrer noopener\">privacy mode<\/a> of the session, and run the analysis.<\/p>\n\n\n\n<!-- CTA Split START -->\n<div class=\"cta-split\">\n<div class=\"cta__split-left\">\n\n<!-- Image -->\n<img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/mcusercontent.com\/663b94f19348582a8dc323efe\/images\/0d88188b-3e89-2314-5a60-cb87e8077326.png\" alt=\"Learn to analyze malware in a sandbox\" class=\"cta__split-icon\" \/>\n<\/div>\n\n<div class=\"cta__split-right\">\n<div>\n\n<!-- Heading -->\n<h3 class=\"cta__split-heading\"><br>Learn to analyze cyber threats<\/h3>\n\n<!-- Text -->\n<p class=\"cta__split-text\">\nSee a detailed guide to using ANY.RUN&#8217;s <span class=\"highlight\">Interactive Sandbox<\/span> for malware and phishing analysis\n<br \/>\n<br \/>\n<\/p>\n<\/div>\n<!-- CTA Link -->\n<a target=\"_blank\" rel=\"noopener\" id=\"article-banner-split\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-in-a-sandbox\/\"><div class=\"cta__split-link\">Read full guide<\/div><\/a>\n<\/div>\n<\/div>\n<!-- CTA Split END -->\n<!-- CTA Split Styles START -->\n<style>\n.cta-split {\noverflow: hidden;\nmargin: 3rem 0;\ndisplay: grid;\njustify-items: center;\nborder-radius: 0.5rem;\nwidth: 100%;\nmin-height: 25rem;\ngrid-template-columns: repeat(2, 1fr);\nborder: 1px solid rgba(75, 174, 227, 0.32);\nfont-family: 'Catamaran Bold';\n}\n\n.cta__split-left {\ndisplay: flex;\nalign-items: center;\njustify-content: center;\nheight: 100%;\nwidth: 100%;\nbackground-color: #161c59;\nbackground-position: center center;\nbackground: rgba(32, 168, 241, 0.1);\n}\n\n.cta__split-icon { \nwidth: 100%;\nheight: auto;\nobject-fit: contain;\nmax-width: 100%;\n}\n\n.cta__split-right {\ndisplay: flex;\nflex-direction: column;\njustify-content: space-between;\npadding: 2rem;\n}\n\n.cta__split-heading { font-size: 1.5rem; }\n\n.cta__split-text {\nmargin-top: 1rem;\nfont-family: Lato, Roboto, sans-serif;\n}\n\n.cta__split-link {\npadding: 0.5rem 1rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: white;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\ndisplay: block;\nz-index: 1000;\nposition: relative;\ncursor: pointer !important;\n}\n\n.cta__split-link:hover {\nbackground-color: #68CBFF;\ncolor: white;\ncursor: pointer;\n}\n\n.highlight { color: #ea2526;}\n\n\n\/* Mobile styles START *\/\n@media only screen and (max-width: 768px) {\n\n.cta-split {\ngrid-template-columns: 1fr;\nmin-height: auto;\n}\n\n.cta__split-left {\nheight: auto;\nmin-height: 10rem;\n}\n\n\n.cta__split-left, .cta__split-right {\nheight: auto;\n}\n\n.cta__split-heading { font-size: 1.2rem; }\n\n.cta__split-text { font-size: 1rem; }\n.cta__split-icon {\nmax-height: auto;\nobject-fit: cover;\n}\n\n}\n\/* Mobile styles END *\/\n<\/style>\n<!-- CTA Split Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Analyze the Threat<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5-1024x578.png\" alt=\"\" class=\"wp-image-10473\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5-1024x578.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5-1536x867.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-5.png 1856w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis of a malicious file in the ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Once the session starts, the sandbox detonates the sample, allowing us to see how the system gets infected with the <a href=\"https:\/\/any.run\/malware-trends\/amadey\" target=\"_blank\" rel=\"noreferrer noopener\">Amadey<\/a> malware.<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/beb56f90-e57d-4a44-9698-d0c520ec25ff\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows_11&amp;utm_term=171224&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check out the session in detail<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"888\" height=\"670\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-6.png\" alt=\"\" class=\"wp-image-10475\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-6.png 888w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-6-300x226.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-6-768x579.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-6-370x279.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-6-270x204.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-6-740x558.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-6-80x60.png 80w\" sizes=\"(max-width: 888px) 100vw, 888px\" \/><figcaption class=\"wp-element-caption\">ANY.RUN identifies any malicious activities related to the spawned processes<\/figcaption><\/figure><\/div>\n\n\n<p>Thanks to the <a href=\"https:\/\/any.run\/cybersecurity-blog\/advanced-process-details\/\" target=\"_blank\" rel=\"noreferrer noopener\">Process Tree<\/a>, we can discover that after the initial infection, Amadey continues to deploy additional malware, <a href=\"https:\/\/any.run\/malware-trends\/lumma\" target=\"_blank\" rel=\"noreferrer noopener\">Lumma<\/a> and <a href=\"https:\/\/any.run\/malware-trends\/stealc\" target=\"_blank\" rel=\"noreferrer noopener\">Stealc<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"581\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7-1024x581.png\" alt=\"\" class=\"wp-image-10478\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7-1024x581.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7-1536x871.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7-740x420.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-7.png 1827w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata IDS rule<\/em> <em>used for detecting C2 connections of the Lumma Stealer<\/em> <\/figcaption><\/figure><\/div>\n\n\n<p>Once these threats gain foothold on the system, they connect to their command and control (C2) servers, receive commands from threat actors, and begin to exfiltrate stolen data.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"742\" height=\"266\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-8.png\" alt=\"\" class=\"wp-image-10502\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-8.png 742w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-8-300x108.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-8-370x133.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-8-270x97.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-8-740x265.png 740w\" sizes=\"(max-width: 742px) 100vw, 742px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN provides verdict on the sample and adds tags specifying the identified threat<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox provides a conclusive verdict on the file, notifying us about its malicious nature. It also allows you to download and share a <a href=\"https:\/\/any.run\/report\/04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d\/beb56f90-e57d-4a44-9698-d0c520ec25ff\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows_11&amp;utm_term=171224&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">comprehensive threat report<\/a> along with indicators of compromise.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>By providing a safe and isolated environment for analyzing malicious files and URLs, a malware sandbox helps enhance threat investigations and improve security. Organizations transitioning to Windows 11 need to utilize a reliable sandbox solution to effectively examine emerging malware and phishing attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p>ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows_11&amp;utm_term=171224&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds<\/li>\n\n\n\n<li>Interact with samples in real time<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior<\/li>\n\n\n\n<li>Collaborate with your team&nbsp;<\/li>\n\n\n\n<li>Scale as you need<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=windows_11&amp;utm_term=171224&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Get a 14-day free trial to test all features of ANY.RUN&#8217;s Interactive Sandbox \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As Windows 10 approaches its end-of-life (October 2025), organizations are facing the need to adjust their security infrastructure to be better aligned with Windows 11. A malware sandbox, an isolated environment for analyzing malicious files and URLs, is a key tool for this transition. Here are the benefits of deploying a Windows 11 sandbox and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":10490,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,54,34],"class_list":["post-10467","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-features","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Set up a Windows 11 Malware Sandbox - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover how a Windows 11 malware sandbox can help organizations safely analyze malicious files and URLs to ensure effective security.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How to Set up a Windows 11 Malware Sandbox\",\"datePublished\":\"2024-12-17T12:03:13+00:00\",\"dateModified\":\"2024-12-17T14:07:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/\"},\"wordCount\":1251,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"features\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/\",\"name\":\"How to Set up a Windows 11 Malware Sandbox - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-12-17T12:03:13+00:00\",\"dateModified\":\"2024-12-17T14:07:37+00:00\",\"description\":\"Discover how a Windows 11 malware sandbox can help organizations safely analyze malicious files and URLs to ensure effective security.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to Set up a Windows 11 Malware Sandbox\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Set up a Windows 11 Malware Sandbox - ANY.RUN&#039;s Cybersecurity Blog","description":"Discover how a Windows 11 malware sandbox can help organizations safely analyze malicious files and URLs to ensure effective security.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/","twitter_misc":{"Written by":"ANY.RUN","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"How to Set up a Windows 11 Malware Sandbox","datePublished":"2024-12-17T12:03:13+00:00","dateModified":"2024-12-17T14:07:37+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/"},"wordCount":1251,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","features","malware analysis"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/","url":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/","name":"How to Set up a Windows 11 Malware Sandbox - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-12-17T12:03:13+00:00","dateModified":"2024-12-17T14:07:37+00:00","description":"Discover how a Windows 11 malware sandbox can help organizations safely analyze malicious files and URLs to ensure effective security.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"How to Set up a Windows 11 Malware Sandbox"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10467"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=10467"}],"version-history":[{"count":26,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10467\/revisions"}],"predecessor-version":[{"id":10529,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10467\/revisions\/10529"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/10490"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=10467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=10467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=10467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}